HackTheBox | Compiled

In this walkthrough, I demonstrate how I obtained complete ownership of Compiled on HackTheBox.

Initial Foothold Hints

  • Consider carefully the theme of this box, the open ports, and the concept of the web page
  • Review the source code carefully. There are hints to a recent CVE both in the source code and in the HTTP User-Agent string you will see if you have the server try to clone a remote repository hosted on your own HTTP server
  • If you're still struggling, pay attention to the Git version on the server
  • Everything you need to execute the proof-of-concept is available for you on the target
ℹ️ Be patient with the payload triggering. It took nearly a minute (or more) before I saw the payload trigger.

Privilege Escalation Hints

  • Due to the environment on the box, you might have to specify the full path to some Windows binaries that share the same name as Linux binaries
  • I like evil-winrm for some simple tasks, but more often than not, I have found that it performs poorly for more sophisticated post-exploit enumeration. So, I'd recommend using RunasCs.exe for the privilege escalation tasks

Spoiler Content

I'm not sure if it was intentional or not, but you'll find that the PowerShell console history file has not been cleared out. It yields some interesting information that will help you find the CVE needed to achieve SYSTEM on the target.

If you've worked out the CVE to become SYSTEM on the box, then please do yourself a favor and abandon any hope of compiling the exploit on your attack box.

Clone the repository on a Windows VM / Windows host and compile using Visual Studio with the C++ extension pack installed.

Again, don't use evil-winrm and pay careful attention to file paths that may be different in the exploit author's environment versus the target's environment.

ℹ️ For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.


Nmap Results

# Nmap 7.94SVN scan initiated Sun Jul 28 00:18:52 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.81.108
Nmap scan report for 10.129.81.108
Host is up (0.085s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=5aa1e8e3a30deb7d; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=8PIAizCxnCj_xw_UauE73yVjFq46MTcyMjE0MDQwNDYwMzkyNzEwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 28 Jul 2024 04:20:04 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-arc-green">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Git</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=4e14d592bfd0d01f; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=84u8_E9MJnP4YqKHj_FZwCtjZGQ6MTcyMjE0MDQxMDA5MDE2NzYwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 28 Jul 2024 04:20:10 GMT
|_    Content-Length: 0
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|     Date: Sun, 28 Jul 2024 04:20:04 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5234
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Compiled - Code Compiling Services</title>
|     <!-- Bootstrap CSS -->
|     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
|     <!-- Custom CSS -->
|     <style>
|     your custom CSS here */
|     body {
|     font-family: 'Ubuntu Mono', monospace;
|     background-color: #272822;
|     color: #ddd;
|     .jumbotron {
|     background-color: #1e1e1e;
|     color: #fff;
|     padding: 100px 20px;
|     margin-bottom: 0;
|     .services {
|   RTSPRequest: 
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  pando-pub?
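The scan above already tells you more than the SERVICE column admits: the `i_like_gitea` session cookie on port 3000 identifies a Gitea instance, the `Server: Werkzeug/3.0.3 Python/3.12.3` header on port 5000 identifies a Python WSGI app, and `Microsoft-HTTPAPI/2.0` on 5985 is the WinRM listener. The following Python script is an added example (not part of 0xBEN's post) that parses nmap's normal (`-oN`) output into a per-port inventory and applies those banner rules so the exposed services are named explicitly. The sample input is a constructed, trimmed excerpt in the shape of the scan above, and the inference rules (cookie name for Gitea, `Server:` header for Werkzeug, port 5985/5986 plus HTTPAPI for WinRM) are assumptions of this example.

```python
"""Parse nmap normal (-oN) output into a per-port inventory and infer the
application behind each port from fingerprint-strings / script evidence.
Added example, not part of the original walkthrough."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the shape of the scan on the page.
SAMPLE_SCAN = """\
# Nmap 7.94SVN scan initiated (constructed sample)
PORT     STATE SERVICE    VERSION
3000/tcp open  ppp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Set-Cookie: i_like_gitea=5aa1e8e3a30deb7d; Path=/; HttpOnly; SameSite=Lax
|_    Content-Length: 0
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|_    </html>
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  pando-pub?
"""

# One port line: "3000/tcp open  ppp?" or "5985/tcp open  http  Microsoft ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str          # nmap's SERVICE column (may end in '?')
    version: str          # nmap's VERSION column, often empty
    script_lines: list = field(default_factory=list)  # '|' lines that follow

    def inferred_app(self) -> str:
        """Best guess at the application, from banner evidence (assumed rules)."""
        text = "\n".join(self.script_lines)
        m = re.search(r"Server: (Werkzeug/[\d.]+ Python/[\d.]+)", text)
        if m:
            return m.group(1)
        if "i_like_gitea=" in text:          # Gitea's default session cookie
            return "Gitea"
        if "Microsoft-HTTPAPI" in text and self.number in (5985, 5986):
            return "WinRM (Microsoft HTTPAPI)"
        # Fall back to whatever nmap printed.
        return self.version or self.service


def parse_nmap(text: str) -> list[Port]:
    """Walk the scan line by line; '|' lines belong to the most recent port."""
    ports: list[Port] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
        elif line.startswith("|") and ports:
            # Strip the '|', '|_' and indentation that nmap adds to script output.
            ports[-1].script_lines.append(line.lstrip("|_ ").rstrip())
    return ports


def inventory(text: str) -> dict[int, str]:
    """Map each open port number to the inferred application."""
    return {p.number: p.inferred_app() for p in parse_nmap(text) if p.state == "open"}


if __name__ == "__main__":
    for number, app in sorted(inventory(SAMPLE_SCAN).items()):
        print(f"{number:>5}/tcp  {app}")
```

Run it against a real `-oN` file by replacing `SAMPLE_SCAN` with the file's contents; the fallback branch keeps nmap's own guess (for example `pando-pub?`) for ports the rules do not recognise, so nothing is silently dropped from the inventory.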

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
