HackTheBox | Freelancer

In this walkthrough, I demonstrate how I obtained complete ownership of Freelancer on HackTheBox
HackTheBox | Freelancer
Just a note that my experience getting a foothold on this box was terrible due to the number of people competing for access at the same time.

Frequent resets, and the lengthy startup of the web server on tcp/80 made this a frustrating box.

Initial Foothold Hint

  • You can tell by looking at the port signature that this is an Active Directory Domain Controller, so your enumeration steps should follow the typical AD playbook

  • On the web application on tcp/80, you'll note the application is split into two user types, be sure to explore the application from both perspectives
    • If you're having trouble logging in as one of the user types, think about something you could do to reset your account
    • You should explore the application's full feature set. One user type has a particularly interesting feature enabled
    • Look at the URL this feature points to and think about how you might be able to manipulate the URL to gain unintended access

  • Once you've gained privileged access to the system, you should see a debug tool that should interest you
    • Do some Googling about how you might abuse features and privileges of the system running in this debug tool
    • If you research carefully, you should find a way to give yourself elevated access by way of impersonation

Privilege Escalation Hint

  • Again, with this being an Active Directory Domain Controller, you'll need to focus on users with different access levels
    • So, multiple lateral pivots before you can reach Domain Admin
    • Again, you'll want to leverage your Active Directory playbook here, hunt for credentials and spray them around, see where you can get to next

  • At one point, you'll also be looking at a memory dump analysis
    • I'm going to be extra generous with this hint, because this was massive point of suffering for me. I simply could not get volatility3 running on Kali, perhaps due to some Python conflicts.
      • You have some options:
        • Look at the MemProcFS tool to mount the .dmp file to a directory on Kali and use impacket-secretsdump to dump locally from registry hives. This was the easiest path for me, as it allowed me to accomplish the mission without leaving Kali.
        • Transfer the dump file to a Windows VM and use windbg and mimilib.dll to extract the information from lsass.exe process in memory, but this ultimately didn't get me the information I needed. You could try loading a different windbg extension to extract strings from the memory dump.

  • You should consider using Bloodhound to get an idea of any interesting permissions your next user has
    • Googling the user's inherited permissions should bring up some interesting results
    • If you're still struggling, see how you might be able to Delegate yourself some permissions and impersonate a privileged user
    • From there, it should be simple enough to become domain admin by passing something around

Nmap Results

# Nmap 7.94SVN scan initiated Tue Jun  4 01:43:54 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt
Nmap scan report for
Host is up (0.011s latency).
Not shown: 65515 filtered tcp ports (no-response)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-04 10:45:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
57551/tcp open  msrpc         Microsoft Windows RPC
57555/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-04T10:45:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun  4 01:46:34 2024 -- 1 IP address (1 host up) scanned in 160.12 seconds

Looking at the ports running on the machine, this is looking like a Windows Domain Controller, so we'll also be employing the typical Active Directory enumeration playbook.

We can see the redirect to http://freelancer.htb in the tcp/80 output, so let's go ahead and get that added to our /etc/hosts file.

echo -e '\tfreelancer.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

Read the full story

Sign up now to read the full story and get access to all posts for Pending Publication tier only.

Already have an account? Sign in
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.