HackTheBox-Atom

ARZ101
7 min readJul 10, 2021


Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for the HTB Atom machine, which was a medium box. The foothold was a little vague: there was a Windows executable on the web server, and also a PDF document with instructions on the QA of the note-taking application (which was that executable) that mentioned the application being built with electron-builder. A simple Google search turned up a signature-bypass remote code execution in electron-builder, so by reading the article and following how it calculated the hash we crafted a YAML file, and when uploading it to the SMB share we can get a reverse shell on either netcat or Meterpreter depending on which payload we used. After that, getting Administrator was just an enumeration game: looking at different folders and programs and the relation between two of those programs.

Rustscan

PORT     STATE SERVICE      REASON          VERSION                                                                                         
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
445/tcp open microsoft-ds syn-ack ttl 127 Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open redis syn-ack ttl 127 Redis key-value store
7680/tcp open pando-pub? syn-ack ttl 127

PORT 135/445 (SMB)

We can see which shares are there

Now to see which ones we can read as anonymous

It seems we can read and write the Software_Updates share

There's a document available too, so let's download it

So the document tells us about a note-taking application named Heed. It's a client-based application: there's no interaction with the server, but it does get updates through the client folders, and we have seen three client folders, i.e. client1, client2 and client3. So let's just visit port 80

PORT 80 (HTTP)

Scrolling a bit down we can see a download option and an email address, MrR3boot@atom.htb

So first let's add the domain atom.htb to the /etc/hosts file, then fuzz for subdomains and also for files and directories using gobuster

Running gobuster to fuzz for files

Fuzzing for subdomains

Didn't find one, so we would just have to download the Heed note-taking application

So I had to switch to my Windows machine as this was a Windows application

This tells us that this is an Electron application

So knowing that it's an Electron app, I searched on Google for getting an RCE through it

It says here that it will update from latest.yml

Exploit

So first we generate our payload with a name containing a single quote

Now we need to generate a SHA-512 hash of it, encode it to hex and then further encode it to base64

093RMZA6MwaxL21rB2eTb14NNIH8+bfGjldpX5bFLvlALJJpKvi8Gm+TGXmqW/ROJsy+TEcGyDQk
djSS7Avnow==

Host this payload on your local machine using python3

Create a latest.yml file

Upload the yml file to the SMB share

Run the Meterpreter listener
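The sha512 field the post computes is just base64(sha512(installer)), so the same arithmetic works on the defending side. The following Python is an added example, not code from the post: it audits a latest.yml found on a writable update share by recomputing the digest against the referenced installer and flagging a file name carrying a quote or other shell metacharacter, the property the post's payload name relies on. The share layout, file names and installer bytes in `demo()` are constructed.

```python
import base64
import hashlib
import os
import re
import tempfile

# A quote in the update's file name is what lets it escape the command string electron-updater built.
SUSPICIOUS = re.compile(r"""['"`;&|$]""")

def sha512_b64(path):
    """base64(sha512(file)), the form electron-builder writes into latest.yml."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()

def parse_latest_yml(text):
    """Read the top-level key: value lines of latest.yml without PyYAML."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(version|path|sha512):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip().strip("'\"")
    return fields

def audit_update(share_dir, yml_text):
    """Findings for one latest.yml sitting in an update share (empty list = clean)."""
    meta = parse_latest_yml(yml_text)
    name = meta.get("path", "")
    findings = []
    if SUSPICIOUS.search(name):
        findings.append("path contains shell metacharacter: %r" % name)
    target = os.path.join(share_dir, os.path.basename(name))
    if not os.path.isfile(target):
        findings.append("referenced installer missing from share: %r" % name)
    elif sha512_b64(target) != meta.get("sha512"):
        findings.append("sha512 in latest.yml does not match installer on share")
    return findings

def demo():
    """Constructed sample share: one legitimate update and one of the kind the post uploads."""
    share = tempfile.mkdtemp()
    installer = os.path.join(share, "heed-1.0.0.exe")
    with open(installer, "wb") as f:
        f.write(b"constructed stand-in for an installer, not a real binary")
    good = "version: 1.0.0\npath: heed-1.0.0.exe\nsha512: %s\n" % sha512_b64(installer)
    bad = "version: 1.0.1\npath: heed-1.0.1'.exe\nsha512: AAAA\n"
    return audit_update(share, good), audit_update(share, bad)
```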

So for escalating privileges I first ran getprivs to show the privileges of the current user

Going into Program Files

Further going into the Redis folder

We see redis.windows-service.conf and there's a password for redis-cli in it

Run the info command

Redis stores data in databases and we can see there is only one database; we can access it with the command SELECT 0

Now to access the KEY we need to first know its data type; in Redis there are 5 data types

  1. String
  2. Hash
  3. List
  4. Sets
  5. Sorted Sets
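The post's point that a key can only be read once you know its TYPE is the same dispatch an incident responder uses to see what a Redis instance is holding. The following Python is an added example, not code from the post: `dump_key` picks the read command per type (the five the post lists, under the names Redis itself returns), `send` is a pluggable one-command callable, and `FakeRedis` with `SAMPLE` is a constructed in-memory stand-in so the example runs without a server.

```python
def dump_key(send, key):
    """Read one key with the command its TYPE requires; `send(cmd, *args)` issues
    one command and returns the decoded reply (with redis-py: execute_command)."""
    kind = send("TYPE", key)
    if kind == "string":
        return send("GET", key)
    if kind == "hash":
        flat = send("HGETALL", key)          # field, value, field, value, ...
        return dict(zip(flat[::2], flat[1::2]))
    if kind == "list":
        return send("LRANGE", key, 0, -1)
    if kind == "set":
        return sorted(send("SMEMBERS", key))
    if kind == "zset":
        flat = send("ZRANGE", key, 0, -1, "WITHSCORES")
        return [(m, float(s)) for m, s in zip(flat[::2], flat[1::2])]
    return None                               # TYPE "none": key does not exist

def dump_db(send):
    """Walk every key in the selected database (SCAN is kinder on large ones)."""
    return {k: dump_key(send, k) for k in send("KEYS", "*")}

class FakeRedis:
    """Constructed stand-in; maps Python containers to the TYPE names Redis returns."""
    TYPES = {str: "string", dict: "hash", list: "list", set: "set", tuple: "zset"}
    def __init__(self, data):
        self.data = data
    def __call__(self, cmd, *args):
        v = self.data.get(args[0]) if args else None
        if cmd == "KEYS":
            return list(self.data)
        if cmd == "TYPE":
            return "none" if v is None else self.TYPES[type(v)]
        if cmd in ("GET", "LRANGE", "SMEMBERS"):
            return v
        if cmd == "HGETALL":
            return [x for kv in v.items() for x in kv]
        if cmd == "ZRANGE":
            return [x for ms in v for x in ms]
        raise NotImplementedError(cmd)

# Constructed contents, one key per type; the values are not taken from the box.
SAMPLE = FakeRedis({
    "pk:config": "{\"User\":\"Administrator\",\"EncryptedPassword\":\"<placeholder>\"}",
    "pk:users": {"Administrator": "1"},
    "log": ["login", "logout"],
    "tags": {"red", "blue"},
    "scores": (("alice", 10), ("bob", 20)),
})
```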

Going to jason's Downloads directory we can find PortableKanban, which is a task management tool for Windows

Reading the User Guide.pdf of PortableKanban, the only user available is Administrator, but we can't get the password, as the guide says that if the data is lost there is no way of retrieving it

We can see that we are on the latest version of PortableKanban

So this is the encrypted password which we can't retrieve

But there's an exploit for it

Now we extracted the encrypted PortableKanban password from the Redis key and we need to save the contents in a file PortableKanban.pk3, but on running the exploit it showed errors, so we may need to edit the exploit

After editing it will decrypt the password

Now since port 5985 was open, which is for WinRM, we will use evil-winrm to log in

Evil-winrm was acting weird, so I downloaded the Windows payload I used earlier to get the foothold and ran the payload with cmd while listening with Meterpreter for connections
