Enumeration

Nmap

The initial Nmap scan revealed that HTTP, RDP, SMB and port 3000 were open.

00 - nmap

Web Enumeration

The website was static. There were 3 usernames, which I noted. Then I applied directory brute forcing, but nothing was revealed.

01 - website

Then I visited port 3000, which was a Gitea server. The version was not vulnerable to anything. First I checked the users and noted them.

02 - gitea users

Exploitation

While searching ellen.freeman’s repositories, I found a repo that included a Python script which gets all repositories using the API. There were 2 commits. I checked the first commit and found an Authorization token.

03 - api key
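The token above was recoverable because deleting a line in a later commit leaves it in history. The following Go program is an added example (not the writeup's script and not the lab repository) that walks `git log -p` output and flags Authorization values that look like Gitea access tokens (40 hex characters), whichever commit added them. The patch text, hashes, host name and token value are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records a credential-looking value seen on an added line of a commit.
type Finding struct {
	Commit string // abbreviated hash from the "commit ..." header
	Line   string // the added line, trimmed
	Value  string // the matched token value
}

// tokenPattern matches an Authorization header/assignment whose value looks like a
// Gitea access token (40 hex characters), optionally prefixed with "token ".
// It is a heuristic; extend it for whatever secret formats your forge issues.
var tokenPattern = regexp.MustCompile(`(?i)authorization["']?\s*[:=]\s*["']?(?:token\s+)?([0-9a-f]{40})`)

// ScanPatchForTokens walks "git log -p" output and reports token-like values on any
// added line, in any commit. A later commit that deletes the line does not remove the
// value from history, which is exactly why the token in the first commit was still readable.
func ScanPatchForTokens(patch string) []Finding {
	var findings []Finding
	commit := "?"
	for _, raw := range strings.Split(patch, "\n") {
		if strings.HasPrefix(raw, "commit ") {
			commit = strings.TrimPrefix(raw, "commit ")
			if len(commit) > 7 {
				commit = commit[:7]
			}
			continue
		}
		// Only "+" lines add content; "+++ b/file" is a file header, not content.
		if !strings.HasPrefix(raw, "+") || strings.HasPrefix(raw, "+++") {
			continue
		}
		line := strings.TrimSpace(raw[1:])
		if m := tokenPattern.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Commit: commit, Line: line, Value: m[1]})
		}
	}
	return findings
}

// SamplePatch is a constructed "git log -p" excerpt (not the real repository, not a
// real token): the newer commit swaps the hard-coded token for an environment variable,
// the older one still carries it.
const SamplePatch = `commit 2222222222222222222222222222222222222222
Author: example <example@example.invalid>

    read token from environment

diff --git a/get_repos.py b/get_repos.py
--- a/get_repos.py
+++ b/get_repos.py
@@ -1,4 +1,5 @@
 import requests
-headers = {"Authorization": "token 0123456789abcdef0123456789abcdef01234567"}
+import os
+headers = {"Authorization": "token " + os.environ["GITEA_TOKEN"]}
 r = requests.get("http://gitea.example.invalid:3000/api/v1/user/repos", headers=headers)
 print([repo["full_name"] for repo in r.json()])

commit 1111111111111111111111111111111111111111
Author: example <example@example.invalid>

    initial script

diff --git a/get_repos.py b/get_repos.py
--- /dev/null
+++ b/get_repos.py
@@ -0,0 +1,4 @@
+import requests
+headers = {"Authorization": "token 0123456789abcdef0123456789abcdef01234567"}
+r = requests.get("http://gitea.example.invalid:3000/api/v1/user/repos", headers=headers)
+print([repo["full_name"] for repo in r.json()])
`

func main() {
	for _, f := range ScanPatchForTokens(SamplePatch) {
		fmt.Printf("commit %s still contains a token: %s\n", f.Commit, f.Value)
	}
}
```

Pipe real history in with `git log -p --all` and the scanner reports the older commit only; the fix for a leak like this is to revoke the token, not just to delete the line.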

Then I downloaded the script and tried to enumerate repositories myself. There was another private repository named website.

04 - updated script

First I searched for the Gitea API documentation and found comprehensive documentation. Then I opened Burp Suite and, using this documentation, found the git clone link of the website repository.

05 - git url
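The same API call the script makes, `GET /api/v1/user/repos` with an `Authorization: token …` header, is also the quickest way for a defender to measure what a leaked token exposes. The Go program below is an added example (not the writeup's script or Gitea's code) that lists the repositories a token can see and filters the private ones, including their `clone_url`. It runs offline against a local stand-in server; the repository names, host name and tokens it serves are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Repo holds the fields of a Gitea repository object that matter for the audit.
// JSON names follow Gitea's /api/v1 responses (full_name, private, clone_url).
type Repo struct {
	FullName string `json:"full_name"`
	Private  bool   `json:"private"`
	CloneURL string `json:"clone_url"`
}

// ListReposForToken calls GET /api/v1/user/repos with "Authorization: token <t>" and
// returns every repository the token can see. Run against a real instance, this tells
// you the blast radius of a leaked token: which private repos and clone URLs it exposes.
func ListReposForToken(baseURL, token string) ([]Repo, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v1/user/repos", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("gitea rejected the request: %s", resp.Status)
	}
	var repos []Repo
	if err := json.NewDecoder(resp.Body).Decode(&repos); err != nil {
		return nil, err
	}
	return repos, nil
}

// PrivateRepos keeps only repositories marked private, the ones a leaked token
// should never have been able to reveal.
func PrivateRepos(repos []Repo) []Repo {
	var out []Repo
	for _, r := range repos {
		if r.Private {
			out = append(out, r)
		}
	}
	return out
}

// NewFakeGitea starts a local stand-in for a Gitea server so the example runs offline.
// The repositories and token it serves are constructed test data, not the lab's.
func NewFakeGitea(validToken string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/user/repos", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "token "+validToken {
			http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode([]Repo{
			{FullName: "ellen.freeman/api-scripts", Private: false, CloneURL: "http://gitea.example.invalid:3000/ellen.freeman/api-scripts.git"},
			{FullName: "ellen.freeman/website", Private: true, CloneURL: "http://gitea.example.invalid:3000/ellen.freeman/website.git"},
		})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeGitea("constructed-token")
	defer srv.Close()
	repos, err := ListReposForToken(srv.URL, "constructed-token")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range PrivateRepos(repos) {
		fmt.Printf("private repo reachable with this token: %s (%s)\n", r.FullName, r.CloneURL)
	}
	// A revoked or wrong token is rejected with 401, which is what you want to see after cleanup.
	if _, err := ListReposForToken(srv.URL, "revoked-token"); err != nil {
		fmt.Println("revoked token:", err)
	}
}
```

Point `ListReposForToken` at a real instance's base URL to check a token found in history; an empty private list after revocation confirms the cleanup worked.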

Then I cloned it using the token and the username.

06 - cloned it

The repository was the HTTP website’s repository. I tested by pushing a dummy file “mytest.txt” and visited the HTTP website. It showed my file, so pushes went directly to production. With this knowledge, I knew that I could directly push a reverse shell.

07 - git push

Then visiting the reverse shell page while listening with netcat got me the reverse shell.

08 - revshell

Then, while searching through ellen.freeman’s directories, I found a config.xml file which included an encrypted RDP password.

09 - config

Searching the internet, I found the “Decrypt mRemoteNG configuration files” post, which explains how to decrypt that password. The post pointed to the mRemoteNG_password_decrypt repository. I used this tool and got the username and password.

10 - decrypted
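The reason the tool works is that mRemoteNG encrypts stored passwords with a master password that defaults to `mR3m`, so anyone who can read the config file can recover them. The Go program below is an added example, not the linked tool or mRemoteNG's own code: it implements the layout the public decrypt tool handles, as I recall it (Base64 of 16-byte salt, 16-byte nonce, ciphertext and 16-byte GCM tag; AES-256-GCM with the key from PBKDF2-HMAC-SHA1, 1000 iterations, and the salt as associated data), and encrypts a constructed sample with fixed salt and nonce so the round trip runs offline. The mitigation it demonstrates is setting a non-default master password, after which the default no longer opens the value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// DefaultMasterPassword is what mRemoteNG uses when the user never set a master password.
// With it, every password in confCons.xml is as good as plaintext to anyone who can read the file.
const DefaultMasterPassword = "mR3m"

const (
	blockSize  = 16   // salt, nonce and GCM tag are each 16 bytes
	iterations = 1000 // PBKDF2 iteration count used by mRemoteNG
	keyLen     = 32   // AES-256
)

// pbkdf2SHA1 derives keyLen bytes with PBKDF2-HMAC-SHA1 (RFC 8018), written out here
// so the example stays on the Go standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := 0; i < hLen; i++ {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the AES-256 key from the master password and salt and returns an
// AES-GCM instance configured for mRemoteNG's 16-byte nonce.
func newGCM(masterPassword string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA1([]byte(masterPassword), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, blockSize)
}

// DecryptMRemoteNG decodes a Password="..." value (salt | nonce | ciphertext | tag) and
// returns the plaintext. A wrong master password fails the GCM tag check.
func DecryptMRemoteNG(encoded, masterPassword string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(data) < 3*blockSize {
		return "", errors.New("value too short to be an mRemoteNG ciphertext")
	}
	salt, nonce, body := data[:blockSize], data[blockSize:2*blockSize], data[2*blockSize:]
	gcm, err := newGCM(masterPassword, salt)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, nonce, body, salt) // body is ciphertext||tag; salt is the associated data
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong master password or corrupt value): %w", err)
	}
	return string(plain), nil
}

// EncryptMRemoteNG produces a value in the same layout. It exists only to build a
// sample offline; salt and nonce are parameters so the sample is deterministic.
func EncryptMRemoteNG(plain, masterPassword string, salt, nonce []byte) (string, error) {
	if len(salt) != blockSize || len(nonce) != blockSize {
		return "", errors.New("salt and nonce must be 16 bytes")
	}
	gcm, err := newGCM(masterPassword, salt)
	if err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plain), salt) // ciphertext||tag
	out := append(append(append([]byte{}, salt...), nonce...), sealed...)
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	salt := []byte("0123456789abcdef")  // constructed, fixed for reproducibility
	nonce := []byte("fedcba9876543210") // constructed, fixed for reproducibility
	sample, _ := EncryptMRemoteNG("S3cretRdpPass!", DefaultMasterPassword, salt, nonce)
	fmt.Println("default master password:", mustDecrypt(sample, DefaultMasterPassword))
	hardened, _ := EncryptMRemoteNG("S3cretRdpPass!", "ChangeMe-LongPassphrase", salt, nonce)
	fmt.Println("custom master password, tried with the default:", mustDecrypt(hardened, DefaultMasterPassword))
}

// mustDecrypt renders either the plaintext or the failure reason for the demo output.
func mustDecrypt(encoded, masterPassword string) string {
	plain, err := DecryptMRemoteNG(encoded, masterPassword)
	if err != nil {
		return "FAILED: " + err.Error()
	}
	return plain
}
```

As an audit check, run `DecryptMRemoteNG` with `DefaultMasterPassword` over the `Password` attributes of your own confCons.xml: any value that decrypts is one an attacker with file read can recover too.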

Then I simply logged in using RDP.

11 - rdp command

And got the user flag.

12 - user flag ez

Privilege Escalation

On the desktop there was an uncommon executable named PDF24. First I opened it and checked the version.

13 - version of pdf

Then, searching for the version, I found out it was vulnerable to CVE-2023-49147. I found this post, which explains the PoC in detail.

Step by Step CVE-2023-49147

So the first step was to find an MSI installer for PDF24. I used the search bar and found the location of the installer file. Then the post said to run the SetOpLock.exe file before starting the installation. So I downloaded it from symboliclink-testing-tools and started the listener. Then I ran the MSI installer while listening, which got me an empty shell.

14 - oplock triggered

Then the post mentions these steps:

  • right click on the top bar of the cmd window
  • click on properties
  • under options click on the “Legacyconsolemode” link
  • open the link with a browser other than internet explorer or edge (both don’t open as SYSTEM when on Win11)
  • in the opened browser window press the key combination CTRL+o
  • type cmd.exe in the top bar and press Enter

So I right-clicked, then clicked the legacy console mode link and used the key combination CTRL + O to download cmd.exe.

15 - cmd exe

After downloading it, I opened it and it was a SYSTEM shell. I simply got the root flag.

16 - gg

Pwned

The machine was fully compromised.

pwned
