In this post, I would like to share a walkthrough of the Napper Machine from Hack the Box
This room is rated as a Hard machine on Hack The Box.
What will you gain from the Napper machine?
For the user flag, you need to start by locating a username and password mentioned in a blog post and using them to gain entry to an internal blog platform. That platform discusses a real-world IIS backdoor known as Naplistener and notes that it is run locally. On Napper, I will locate Naplistener and develop a tailored .NET binary. This binary executes when the backdoor is triggered, giving access to a shell.
As for the root flag, you need to locate an earlier blog post detailing an in-house solution aimed at replacing LAPS, which stores passwords within a local Elasticsearch database. I will develop a Go program to retrieve both the seed and the encrypted blob. I will then generate the key from the seed and use it to decrypt the blob, revealing the password for an admin-level user. Finally, I will use RunasCs.exe to bypass UAC and obtain a shell with administrator privileges.
Information Gathering on Napper Machine
Once the VPN connection is up, which requires a configuration file downloaded from Hack The Box, we can start.
┌─[darknite@parrot]─[~/Documents/htb/napper]
└──╼ $ nmap -sC -sV 10.10.11.240 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-13 23:09 EST
Nmap scan report for 10.10.11.240
Host is up (0.47s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://app.napper.htb
443/tcp open ssl/https?
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=app.napper.htb/organizationName=MLopsHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:app.napper.htb
| Not valid before: 2023-06-07T14:58:55
|_Not valid after: 2033-06-04T14:58:55
|_ssl-date: 2023-11-14T04:10:15+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.52 seconds
┌─[darknite@parrot]─[~/Documents/htb/napper]
└──╼ $
Let’s access the website interface.
However, it does not look like a properly rendered website page.
When we access the app.napper.htb subdomain instead, the interface looks much better.
I noticed that the website is powered by Hugo.
Let’s enumerate directories on the website, but almost all of the output is redirected to app.napper.htb.
So let’s enumerate vhosts using gobuster, but nothing appears in the output.
Since port 443 is open, let’s enumerate subdomains over HTTPS with the wildcard option.
Let’s access the internal.napper.htb subdomain, but it prompts for credentials.
There should be some credentials somewhere on the app.napper.htb website. Let’s explore it for any useful information.
Nothing looks interesting on this post.
I noticed some posts on the last page containing PowerShell commands that provide potential credentials.
Let’s enter the credentials we found earlier.
At last, we have successfully accessed the internal.napper.htb website.
Naplistener vulnerability
While analyzing the post shown above, I notice some web requests that we can investigate further.
Let’s access the page and inspect the request in Burp Suite.
Let’s change the request method from GET to POST, add the sdafwe3ree23= parameter, and look at the response. It responds with Found, which shows the endpoint accepts the connection.
We should compile the .cs file into an .exe.
Once we have successfully compiled the file, let’s encode it with the base64 command.
We can copy-paste the base64 output, and we also need to URL-decode it, which should trigger the reverse shell connection.
The file should be transferred to the Python server
Boom! Finally, we have a reverse shell connection back to our machine.
We can read the user flag by typing the “type user.txt” command
Escalation to Root Privileges
Let’s explore the files stored within the C:\TEMP\www\Internal\content\posts directory.
There is an Elastic URI that uses port 9200.
Further details on Elastic can be found inside the no-more-laps.md file.
We can set up port forwarding from our attacking machine.
Then let’s start the chisel client on the victim machine.
I found elasticsearch-8.8.0 under Program Files.
From the information above, I notice entries named seed and user-00001.
Let’s access localhost on port 9200 in the browser.
I found the information shown in the screenshot above on the Elastic page.
The screenshot above shows how to decrypt the data stored in Elasticsearch to retrieve the most recent password of the backup user.
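The design flaw behind this step, modelled in Go as an added example that is neither the machine's LAPS-replacement code nor my solver: the seed-to-key derivation (math/rand seeded with the stored value) and the AES-GCM blob layout are assumptions for illustration. What it demonstrates is that a record holding both the seed and the blob is self-decrypting, so the stored seed is in effect the password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"encoding/base64"
	"errors"
	"math/rand"
)

// Record mirrors what the post describes in Elasticsearch: the seed stored
// beside the encrypted blob (constructed layout; Blob = base64(nonce||ct)).
type Record struct {
	Seed int64
	Blob string
}

// aeadFor derives a 16-byte AES key from the seed with a non-cryptographic
// PRNG and wraps it in AES-GCM (an assumed derivation, not the real tool's).
// Anyone holding the record can repeat it, so the stored seed is the key.
func aeadFor(seed int64) cipher.AEAD {
	r := rand.New(rand.NewSource(seed))
	key := make([]byte, 16)
	r.Read(key) // deterministic: same seed, same key, every time
	block, _ := aes.NewCipher(key) // a 16-byte key never fails here
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Store writes a password the way the weak design does: seed next to blob.
func Store(seed int64, password string) Record {
	aead := aeadFor(seed)
	nonce := make([]byte, aead.NonceSize())
	crand.Read(nonce) // the nonce may be public; only the key must stay secret
	ct := aead.Seal(nonce, nonce, []byte(password), nil) // nonce || ciphertext
	return Record{Seed: seed, Blob: base64.StdEncoding.EncodeToString(ct)}
}

// Recover needs nothing but the record itself: no secret is held elsewhere.
func Recover(rec Record) (string, error) {
	aead := aeadFor(rec.Seed)
	raw, err := base64.StdEncoding.DecodeString(rec.Blob)
	n := aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed blob")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], nil) // fails on a wrong seed
	return string(pt), err
}
```

The mitigation is to generate the key with crypto/rand and keep it outside the data store (for example under DPAPI or in a secrets vault), so that read access to the index alone yields nothing decryptable.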
Let’s upload the RunasCs.exe file to the victim machine.
We will use RunasCs.exe, which will connect back to the listener on our machine.
After a while, the reverse shell connects back to us.
We can read the root flag by typing the “type root.txt” command.