HackTheBox - Arkham


00:55 - Beginning of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an open share
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a LUKS-encrypted file with dd and hashcat
14:00 - LUKS cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the java object
18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, let's test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonsCollections gadget
26:00 - Creating a python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ysoserial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a powershell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using evolution to view mbox file and find Batman's password
52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as Batman returned! Running a few commands to find out he is a local admin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - Copying the DLL into c:\users\batman\appdata\local\microsoft\windowsapps
01:08:30 - Using GreatSCT to generate payloads
01:11:50 - Getting a Meterpreter Session then migrating into an interactive process
01:17:45 - Running SystemPropertiesAdvanced.exe, which elevates and executes our dll

Reviewed by Anonymous on August 10, 2019