Enumeration

Nmap

The Nmap scan revealed that the target is probably a Domain Controller. It also showed that the HTTP and HTTPS ports were open.

[Figure: 00 - nmap]

Web Enumeration

The website had a ‘Buy Now’ button which, when clicked, opens a pop-up where you can select a file.

[Figure: 01 - Buy Now Button]

[Figure: 02 - File Upload]

When we select a file, it sends a POST request to the Ticket.php endpoint.

[Figure: 03 - POST]

The uploaded file can then be accessed by visiting the uploads directory.

[Figure: 04 - uploads no control]

However, we cannot upload any .php, .phar or .phtml files.

[Figure: 05 - php not allowed]

Exploitation

Bypassing File Upload via .htaccess

So at first I tried some known methods such as a null byte (%00) and a double extension, but none of them worked. Then I found this Medium post, which explains that we can use a .htaccess file to upload a file with a different extension and still have it interpreted as PHP. So I uploaded a .htaccess file that made .cybersec my new .php extension.

[Figure: 06 - htaccess]

Then I uploaded a PHP reverse shell with that extension.

[Figure: 07 - cybersec]

Then I got the reverse shell simply by visiting the uploaded file.

[Figure: 08 - initial foothold]
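The upload filter on this box only refused a few PHP extensions, which is why a .htaccess file and a .cybersec payload both went through. The following is an added example, not code from the writeup or from the box itself: it puts that denylist logic next to an allowlist filter of the kind that would have blocked both uploads. The sample filenames, the ALLOWLIST contents and the stored_name scheme are my own assumptions about what a ticket upload form needs; on the server side the same fix is completed by AllowOverride None on the uploads directory (so an uploaded .htaccess is ignored) and by not letting the web server execute anything from that directory.

```python
"""
Added example (not from the original writeup): a strict upload filter of the
kind that would have stopped the .htaccess trick described in the post.

The weak check is a denylist: only .php/.phar/.phtml are refused, so a
.htaccess file and a shell.cybersec payload both pass. The hardened check
uses an allowlist, rejects dotfiles and multi-extension names, and never
reuses the client-supplied name on disk.
"""
import re
import secrets

# Extensions the endpoint refused in the writeup (a denylist).
DENYLIST = {"php", "phar", "phtml"}

# Extensions a purchase/ticket upload form actually needs (assumed allowlist).
ALLOWLIST = {"pdf", "png", "jpg", "jpeg"}


def denylist_check(filename: str) -> bool:
    """Mimics the weak check: accept unless the last extension is denylisted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened check. Rejects:
      * empty names, path separators and NUL bytes
      * names starting with a dot (.htaccess, .user.ini)
      * names with more than one dot (shell.php.jpg, shell.php%00.jpg)
      * any extension outside ALLOWLIST
    """
    if not filename or any(c in filename for c in "/\\\x00"):
        return False
    if filename.startswith("."):
        return False
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    name, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return False
    return ext.lower() in ALLOWLIST


def stored_name(filename: str) -> str:
    """Name to use on disk: random token plus the validated extension only."""
    if not allowlist_check(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names):
    """Return {name: (denylist_accepts, allowlist_accepts)} for a batch of names."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in names}


# Constructed sample: the two names from the writeup plus a few others.
SAMPLES = [".htaccess", "shell.cybersec", "shell.phtml",
           "receipt.pdf", "shell.php.jpg", "../evil.png"]

if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLES).items():
        print(f"{name:16} denylist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if strong else 'reject'}")
```

Running it shows the denylist accepting both .htaccess and shell.cybersec while the allowlist rejects everything except receipt.pdf; the point of stored_name is that even an accepted file never keeps a name the uploader chose.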

Lateral Movement

Kerberoasting

I then ran winpeas.exe and found nothing, then searched some config files and again found nothing. Then I ran SharpHound and found no direct path. However, I found that the svc_mssql user is kerberoastable.

[Figure: 09 - kerberoastable]

So I used Rubeus to Kerberoast the svc_mssql user.

[Figure: 10 - kerberoasted]

Then, using rockyou.txt as a wordlist, I brute-forced and cracked the hash.

[Figure: 11 - cracked]
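The Kerberoasting step above leaves a recognisable trace on the Domain Controller: Event ID 4769 (Kerberos service ticket requested) with an RC4 ticket encryption type for a user account's SPN, typically several such requests from one host within seconds. The block below is an added example, not part of the writeup, of detection logic over constructed 4769-style records; the field names follow the real event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), but the events, account names, addresses and the threshold and window values are invented for the example. The usual mitigation on the account side is a long random password or a gMSA for svc_mssql and AES-only encryption on service accounts, which makes RC4 requests stand out even more.

```python
"""
Added example (not from the original writeup): detection rules for
Kerberoasting run over constructed Windows Security Event 4769 records.

Rule 1 flags a successful service ticket request that used RC4 (0x17) for an
SPN owned by a user account (not a machine account, not krbtgt).
Rule 2 flags one (account, source IP) pair pulling tickets for several
distinct SPNs inside a short window, which is what a bulk roast looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"           # TicketEncryptionType value for RC4-HMAC
SERVICE_THRESHOLD = 3       # assumed: distinct SPNs from one source in WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample events (not real logs). Tuple order:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status)
EVENTS = [
    ("2024-01-10T09:00:01", "webuser@CORP.LOCAL", "DC01$",      "0x12", "10.10.10.5", "0x0"),
    ("2024-01-10T09:00:05", "webuser@CORP.LOCAL", "svc_mssql",  "0x17", "10.10.10.5", "0x0"),
    ("2024-01-10T09:00:06", "webuser@CORP.LOCAL", "svc_backup", "0x17", "10.10.10.5", "0x0"),
    ("2024-01-10T09:00:06", "webuser@CORP.LOCAL", "svc_web",    "0x17", "10.10.10.5", "0x0"),
    ("2024-01-10T09:30:00", "alice@CORP.LOCAL",   "svc_mssql",  "0x12", "10.10.20.9", "0x0"),
    ("2024-01-10T09:31:00", "bob@CORP.LOCAL",     "krbtgt",     "0x17", "10.10.20.4", "0x0"),
]


def parse(event):
    """Turn one raw tuple into a dict with a real datetime."""
    t, user, service, etype, ip, status = event
    return {"time": datetime.fromisoformat(t), "user": user, "service": service,
            "etype": etype.lower(), "ip": ip, "status": status}


def is_roastable_request(rec):
    """Rule 1: successful RC4 service ticket for a user-account SPN."""
    service = rec["service"]
    return (rec["etype"] == RC4_HMAC
            and rec["status"] == "0x0"
            and not service.endswith("$")        # machine accounts legitimately vary
            and service.lower() != "krbtgt")     # TGT renewals are not SPN tickets


def detect(events):
    """Return a list of alert dicts for both rules."""
    recs = sorted((parse(e) for e in events), key=lambda r: r["time"])
    alerts = []
    per_source = defaultdict(list)
    for r in recs:
        if is_roastable_request(r):
            alerts.append({"rule": "rc4_user_spn_ticket", "user": r["user"],
                           "service": r["service"], "ip": r["ip"]})
            per_source[(r["user"], r["ip"])].append(r)

    # Rule 2: sliding window over each source's rule-1 hits.
    for (user, ip), hits in per_source.items():
        for i, start in enumerate(hits):
            in_window = [h for h in hits[i:] if h["time"] - start["time"] <= WINDOW]
            services = {h["service"] for h in in_window}
            if len(services) >= SERVICE_THRESHOLD:
                alerts.append({"rule": "kerberoast_burst", "user": user, "ip": ip,
                               "services": sorted(services)})
                break   # one burst alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data the three RC4 requests from webuser trip rule 1, the krbtgt and machine-account tickets are ignored, and the same host is raised once more as a burst because it asked for three different SPNs within a second.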

Getting Shell As svc_mssql

This was the hardest part. WinRM was not allowed for svc_mssql and I did not know what to do. Then, while trying runas, I remembered RunAsCs, which can be used to get a reverse shell with newly found credentials. So I ran it and got a reverse shell as svc_mssql.

[Figure: 12 - run runascs]

User Flag

Then I simply read the user flag.

[Figure: 13 - revshell and user flag]

Privilege Escalation

Enable All Privilege Tokens

The svc_mssql user had the SeManageVolume privilege, but it was disabled. However, enabling it was easy: Lee Holmes shared a post with a PowerShell script to enable privileges one by one. Moreover, this guy updated the script to enable all privileges at once, so I simply used that script.

[Figure: 14 - enabled all privileges]

SeManageVolumeExploit and Root Flag

Then I googled SeManageVolume privilege escalation and found this repo. It was simple: we run an executable and get full access to the C:\ volume. So I ran it and read the Administrator flag.

[Figure: 15 - root]
