In this post, I would like to share a walkthrough of the Sekhmet machine from Hack The Box.
This machine is rated Insane on Hack The Box.
- What will you gain from the Sekhmet machine?
- Information Gathering on Sekhmet Machine
- Bypass the ModSecurity by using the nodejsshell on the machine
- Analyze the backup file to escalate the access on the Sekhmet machine
- Cracking the hashes via the bkcrack tool on Sekhmet Machine
- SSH to the machine via ray.duncan@windcorp.htb Access
- Escalate to Root Privileges Access on Sekhmet Machine
- Playing around with proxychains tool on Sekhmet Machine
- Another tool to play such as the LDAP package
- AMSI and AppLocker bypass
- LDAP enumeration with RCE on the Sekhmet machine
- Privilege Escalation as scriptrunner
- Privilege Escalation via Bob.Wood
- Privilege Escalation via bob.woodadm access
What will you gain from the Sekhmet machine?
For the user flag, you will need to abuse the ExpressJS website, which is vulnerable to a deserialization attack. We need to bypass the ModSecurity web application firewall to obtain code execution. From there, we get a backup archive and break its encryption using the bkcrack tool, which leads us to a root environment on a VM. We also use proxychains to access the share, and LDAP enumeration, which gives us a mobile attribute for a user in the Active Directory environment. We also need to bypass AMSI and AppLocker to obtain a reverse shell on the Windows machine.
As for the root flag, you only need to jump through a few accounts, which leads to Administrator access by getting the administrator's password from the Excel file.
Information Gathering on Sekhmet Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/Sekhmet]
└──╼ $nmap -sC -sV 10.10.11.179 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-27 00:30 EDT
Nmap scan report for 10.10.11.179
Host is up (0.26s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 8c:71:55:df:97:27:5e:d5:37:5a:8d:e2:92:3b:f3:6e (RSA)
| 256 b2:32:f5:88:9b:fb:58:fa:35:b0:71:0c:9a:bd:3c:ef (ECDSA)
|_ 256 eb:73:c0:93:6e:40:c8:f6:b0:a8:28:93:7d:18:47:4c (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.90 second
Therefore, let's access the website interface.
┌──[darknite@parrot]─[~/Document/htb/Sekhmet]
└──╼ $curl http://10.10.11.179
<html>
<head>
<script>
window.location.replace("http://www.windcorp.htb");
</script>
</head>
<body>
<h2>Nothing to see here, move along.</h2>
</body>
</html>
Aside from that, we can try to curl the IP address, and I managed to obtain the domain from there.
However, we didn't see anything useful on the website itself.
Sadly, it's the same with gobuster.
Nothing has been found within Burp Suite at all.
I did try to enumerate subdomains using gobuster, but I didn't manage to get anything from it.
However, I managed to retrieve a subdomain a few days after the first enumeration was executed.
Let's access the subdomain; it redirects to a login page.
We managed to access the windcorp dashboard via default credentials such as admin:admin.
Sadly, the website is still "Under construction".
Therefore, let's analyze the packet via Burp Suite. I noticed there is one cookie that looks like a JWT token.
I managed to see the JWT token decoded as shown above.
Bypass the ModSecurity by using the nodejsshell on the machine
As a result, we should use nodejsshell.py as shown above, and we obtain an encoded string built from the character codes.
I should copy and paste the JWT token into the packet in Burp Suite.
The nc connection that returns to us shows it's a Linux server, but we all know that the creator said it's a Windows machine.
Analyze the backup file to escalate the access on the Sekhmet machine
Therefore, let's use pwncat-cs to retrieve a reverse shell connection back to us.
As shown in the screenshot above, we see one zip file, backup.zip, which might be useful to us for further analysis.
Sadly, we cannot unzip backup.zip because we don't have the password.
Cracking the hashes via bkcrack tool on Sekhmet Machine
As a result, let's upload the bkcrack binary to the victim's machine.
After a while, let's copy /etc/passwd on the victim's machine and zip that passwd file, so that bkcrack has a plaintext to compare against.
Let's give execution permission to the bkcrack file so that we can work with it in the next stage.
We should be able to execute the command above to recover the internal keys, and reset the password for backup.zip this way.
By default, we should be able to run bkcrack with the keys that we found earlier.
Boom! At last, we can finally unzip backup.zip with the password that we reset earlier.
After analyzing the directories and files from backup.zip, we found a location that we can investigate further.
After a while, we retrieved potential usernames and hashes, which we can crack with hashcat later.
Aside from that, we also obtained another subdomain, hope.windcorp.htb.
We managed to obtain ray.duncan's hash.
At last, we obtained a password for the user.
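As an added defender's check (not part of the original writeup), the script below reads a ZIP archive's central directory and reports which members still rely on legacy ZipCrypto, the scheme bkcrack targets with a known-plaintext attack. A backup protected that way, especially one containing predictable files such as /etc/passwd, should be re-encrypted with AES. The archive names and contents are constructed for the example.

```python
import io
import struct
import zipfile

# General-purpose bit flags and compression methods from the ZIP specification.
FLAG_ENCRYPTED = 0x0001   # entry is encrypted
FLAG_STRONG_ENC = 0x0040  # PKWARE "strong encryption" (certificate/AES based)
AES_METHOD = 99           # WinZip AES: a real cipher, not what bkcrack attacks

def classify_entry(flag_bits: int, compress_type: int) -> str:
    """Classify one archive entry from its header fields.

    'zipcrypto' is the legacy stream cipher whose internal keys can be recovered
    from roughly 12 bytes of known plaintext; that is what bkcrack automates.
    """
    if not flag_bits & FLAG_ENCRYPTED:
        return "plain"
    if compress_type == AES_METHOD:
        return "aes"
    if flag_bits & FLAG_STRONG_ENC:
        return "strong"
    return "zipcrypto"

def audit_zip(data: bytes) -> dict:
    """Map each member name to its encryption class, read from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i.flag_bits, i.compress_type) for i in zf.infolist()}

def weak_members(data: bytes) -> list:
    """Members exposed to a known-plaintext attack (e.g. a bundled copy of /etc/passwd)."""
    return sorted(n for n, k in audit_zip(data).items() if k == "zipcrypto")

def constructed_sample() -> bytes:
    """Constructed test archive (not the machine's backup.zip): the first stored entry
    gets the encryption flag set in both its local and central headers, the way a
    ZipCrypto-protected archive looks on disk. Only the headers matter for this audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        zf.writestr("README", b"unprotected note\n")
    raw = bytearray(buf.getvalue())
    # flag field sits at +6 in a local header (PK\x03\x04) and +8 in a central header (PK\x01\x02)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        struct.pack_into("<H", raw, raw.find(sig) + off, FLAG_ENCRYPTED)  # first entry only
    return bytes(raw)

if __name__ == "__main__":
    print(audit_zip(constructed_sample()))  # {'etc/passwd': 'zipcrypto', 'README': 'plain'}
```

Point audit_zip at the bytes of a real archive to list which members would be worth re-encrypting.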
SSH to the machine via ray.duncan@windcorp.htb Access
We managed to access the machine via the SSH service.
Therefore, we can use the command above to switch to root@webserver.
From the IP address, we can assume that we are inside a Docker environment.
We can read the user flag by typing the "cat user.txt" command.
Escalate to Root Privileges Access on Sekhmet Machine
Let's enumerate the ports that are open on the server.
The output should look like shown in the screenshot above.
On the Attacker’s machine:
On the Victim’s machine:
If the port forwarding is a success, it should look something like what is shown above.
Playing around with proxychains tool on Sekhmet Machine
Boom! We managed to link our attacker's machine with the victim's machine.
By default, we can create the ticket.
As a result, we can export the ticket.
Therefore, we execute smbclient, but the connection is refused.
After a while, we should modify proxychains.conf, adding the configuration line socks5 127.0.0.1 1080.
Also, we are required to add the domain to the /etc/hosts file.
Finally, the command works like a charm!
There's a file in the /temp directory called debug-users.txt.
Sadly, we cannot read the file over the SMB service.
Inside the file, there is a bunch of names, which we can also take as usernames.
Another tool to play such as the LDAP package
By default, we should get information from the ldapsearch command.
We obtained a ton of information, but what caught my attention is mobile: 43235345, which I don't have.
My first thought was that we should be able to use msfvenom on the machine, but sadly, it doesn't work.
Let's execute ldapmodify on the root machine, but we stumble upon a character limitation.
AMSI and AppLocker bypass
This is a Windows machine that might have security features preventing a reverse shell from running on it. We can assume that AppLocker is in use on the machine, which also suggests that AMSI might be active. Therefore, it might be hard to execute a reverse shell on the machine, and we should look for an alternative way to retrieve one.
After doing some research on the Internet, we found these two resources that we can use for this activity:
- MinatoTW/CLMBypassBlogpost: This code was used for the blogpost on secjuice. (github.com)
- Powershell CLM Bypass Using Runspaces (secjuice.com)
For this activity, I will open my Windows machine with Visual Studio 2022, as shown in the screenshot above. We should modify the command which sits on LINE 49. For safety purposes, we should use a single character as the file name with the file extension (.ps1).
By default, we can compile the program that we modified by using the command above.
The file should be the same as shown in the screenshot above.
We should start our normal nc listener as shown above.
Also, we should start the Python HTTP server.
LDAP enumeration with RCE on the Sekhmet machine
Firstly, we should prepare some LDIF files that we can use as above.
Next, we should be able to upload the exe file to the victim's machine under c:\windows\debug\wia.
As a result, we can update the server by running ldapmodify.
By default, we should get a response that d.ps1 has been successfully uploaded to the victim's machine.
It should look something like what is shown above.
We can start the exe file by running the command above.
As a result, we can update the server by running ldapmodify again.
In the ps1 file, we should insert the reverse shell at the top of the file.
When we see a response like the screenshot above, we should get the reverse shell on the machine.
Privilege Escalation as scriptrunner
Boom! We have finally accessed the machine via a reverse shell connection.
Let's run smbserver on the root machine, something like what is shown above.
On the Windows access, we just need to execute the command "net use \\webserver.windcorp.htb\share".
We should get the result as shown in the screenshot above. Therefore, we should crack the hashes, but I will not share them.
Finally, we got a password for scriptrunner.
Let's execute the command above to escalate to another user on a different reverse shell connection.
Privilege Escalation via Bob.Wood
At last, we should get a shell as Bob.Wood.
We can analyze the directory and find a file called Login Data.
After I investigated the Login Data file, I noticed that there was a username "bob.woodADM".
I managed to do some research and found an exe file that might be useful for this activity. Therefore, let's upload the file that can be found here.
Let's move the file into the c:\windows\debug\wia directory.
Once the file is inside that directory, let's execute the file as shown above.
Inside the results/microsoft_edge_default_password.csv file, we retrieve a password for bob.woodADM.
As we did previously, we should execute a similar command with this username and password.
Privilege Escalation via bob.woodadm access
Finally, we access the machine with bob.woodadm's privileges.
Sadly, there is no root flag in bob.woodadm's Desktop location.
At last, we managed to find the root flag on the Administrator's Desktop.
We can read the root flag by typing the "type root.txt" command.