Initial Foothold Hints
- Consider carefully the theme of this box, the open ports, and the concept of the web page
- Review the source code carefully: there are hints to a recent CVE in both the source code and in the HTTP User-Agent string the server sends when you have it try to clone a remote repo from your own HTTP server
- If you're still struggling, pay attention to the Git version on the server
- Everything you need to execute the proof-of-concept is available for you on the target
ℹ️ Be patient with the payload triggering. It took nearly a minute (or more) before I saw the payload trigger.
Privilege Escalation Hints
- Due to the environment on the box, you might have to specify the full path to some Windows binaries that share the same name as Linux binaries
- I like evil-winrm for some simple tasks, but more often than not, I have found that it performs poorly for more sophisticated post-exploit enumeration. So, I'd recommend using RunasCs.exe for the privilege escalation tasks
Spoiler Content
I'm not sure if it was intentional or not, but you'll find the PowerShell console history file has not been cleared out, which will yield some interesting information to help you find the CVE to achieve SYSTEM on the target.
If you've worked out the CVE to become SYSTEM on the box, then please do yourself a favor and abandon any hope of compiling the exploit on your attack box. Clone the repository on a Windows VM / Windows host and compile it using Visual Studio with the C++ extension pack installed. Again, don't use evil-winrm, and pay careful attention to file paths that may differ between the exploit author's environment and the target's environment.
ℹ️ For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.
Nmap Results
# Nmap 7.94SVN scan initiated Sun Jul 28 00:18:52 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.81.108
Nmap scan report for 10.129.81.108
Host is up (0.085s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=5aa1e8e3a30deb7d; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=8PIAizCxnCj_xw_UauE73yVjFq46MTcyMjE0MDQwNDYwMzkyNzEwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Sun, 28 Jul 2024 04:20:04 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-arc-green">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Git</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=4e14d592bfd0d01f; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=84u8_E9MJnP4YqKHj_FZwCtjZGQ6MTcyMjE0MDQxMDA5MDE2NzYwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Sun, 28 Jul 2024 04:20:10 GMT
|_ Content-Length: 0
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.12.3
| Date: Sun, 28 Jul 2024 04:20:04 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5234
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Compiled - Code Compiling Services</title>
| <!-- Bootstrap CSS -->
| <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
| <!-- Custom CSS -->
| <style>
| your custom CSS here */
| body {
| font-family: 'Ubuntu Mono', monospace;
| background-color: #272822;
| color: #ddd;
| .jumbotron {
| background-color: #1e1e1e;
| color: #fff;
| padding: 100px 20px;
| margin-bottom: 0;
| .services {
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
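The scan above is a good illustration of how little nmap's service column tells you on its own: two of the four ports come back as "ppp?" and "upnp?", and the real identification (Gitea on 3000, a Werkzeug/Flask app on 5000, WinRM on 5985) is buried in the fingerprint-strings and script output. The following parser, written for this article and not part of the original post, pulls the port lines and their "|" continuation lines out of nmap's normal (-oN) output and applies a few banner rules to label each service. The sample input is a constructed, trimmed excerpt of the scan shown above; the fingerprint regexes and the well-known Windows port table are my own assumptions about what identifies these products, not anything nmap itself emits.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt of the nmap -oN output shown above.
SAMPLE_NMAP = """\
Nmap scan report for 10.129.81.108
Host is up (0.085s latency).
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Set-Cookie: i_like_gitea=5aa1e8e3a30deb7d; Path=/; HttpOnly; SameSite=Lax
| <title>Git</title>
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.12.3
| <title>Compiled - Code Compiling Services</title>
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
"""

# One port line of nmap "normal" (-oN) output: "PORT/PROTO STATE SERVICE [VERSION]".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

# Banner patterns (my assumptions) that pin down the product when nmap's own guess
# is only "ppp?" or "upnp?". First match wins; {0}, {1} are filled from regex groups.
FINGERPRINTS = [
    (re.compile(r"Set-Cookie: i_like_gitea="), "Gitea (i_like_gitea session cookie)"),
    (re.compile(r"Server: Werkzeug/(\S+) Python/(\S+)"), "Werkzeug {0} on Python {1} (Flask-style dev server)"),
    (re.compile(r"Microsoft-HTTPAPI/2\.0"), "Microsoft HTTPAPI 2.0"),
]

# Ports whose role on a Windows host is known by convention, independent of the banner.
WELL_KNOWN_WINDOWS_PORTS = {
    5985: "WinRM over HTTP",
    5986: "WinRM over HTTPS",
    7680: "Windows Update Delivery Optimization",
}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str                 # nmap's guess; a trailing "?" means it was not confirmed
    version: str = ""
    script_lines: list = field(default_factory=list)   # "|" / "|_" continuation lines
    guessed: bool = False


def parse_nmap(text):
    """Return one PortRecord per port line, with its script/fingerprint lines attached."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortRecord(
                port=int(m["port"]), proto=m["proto"], state=m["state"],
                service=m["service"], version=(m["version"] or "").strip(),
                guessed=m["service"].endswith("?"),
            )
            records.append(current)
        elif current is not None and line.startswith("|"):
            # strip the "| " / "|_" prefix that nmap puts in front of script output
            current.script_lines.append(line.lstrip("|_ ").strip())
        else:
            current = None   # any other line (header, host info) ends the port block
    return records


def identify(rec):
    """Best-effort product label for one port, from banner fingerprints plus port convention."""
    blob = "\n".join(rec.script_lines + [rec.version])
    parts = []
    for pattern, label in FINGERPRINTS:
        m = pattern.search(blob)
        if m:
            parts.append(label.format(*m.groups()))
            break
    if rec.port in WELL_KNOWN_WINDOWS_PORTS:
        parts.append(WELL_KNOWN_WINDOWS_PORTS[rec.port])
    if not parts:
        parts.append(rec.service.rstrip("?") + (" (unconfirmed nmap guess)" if rec.guessed else ""))
    return "; ".join(parts)


def inventory(text):
    """Map port number -> label for every open port in the scan text."""
    return {r.port: identify(r) for r in parse_nmap(text) if r.state == "open"}


if __name__ == "__main__":
    for port, label in sorted(inventory(SAMPLE_NMAP).items()):
        print(f"{port:>5}/tcp  {label}")
```

Run it against a full nmap-scan.txt by reading the file into `inventory()`; the `guessed` flag is the thing to watch, since a "?" service is exactly where a banner rule or a manual look at the fingerprint strings is still needed.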
⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.