HTB Perspective - Admin part
by - Thursday, January 1, 1970 at 12:00 AM
Has anyone solved the root part? I'm still struggling with it and searching for escalation paths.
We basically have 3 users:
Mode                LastWriteTime        Length Name    
----                -------------        ------ ---- 
d-----        8/2/2021  1:16 PM                .NET v4.5
d-----        8/2/2021  1:16 PM                .NET v4.5 Classic
d-----        8/2/2021  2:28 PM                Administrator
d-r---        9/28/2021  11:18 AM                Public
d-----        8/16/2021  9:28 PM                sqladmin
d-----        3/23/2022  7:00 PM                webuser


and some custom executable in:

Directory: C:\Users\webuser
 userswebuserdesktop


as well as Webapps:
Directory: C:\WEBAPPS


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
d-----        9/1/2021  11:49 PM                AdminPanel
d-----        2/10/2022  7:15 PM                PartImages_Prod
d-----        2/10/2022  7:24 PM                PartImages_Staging


Any glimpse? Anyone solved it?

Enumeration scripts and a meterpreter session didn't give me too much.
Some reversing stuff maybe?
Reply
Anyone who pwned shell or user, please help :at: :at:
Reply
(May 5, 2022, 02:05 PM)Internetdreams Wrote: grab the password reset token, ignore the rest except the first 32 bytes in hex
Your first key is gonna be email+=padding and the second key is gonna be the command injection on the register panel, also there is SeImpersonate so you can RoguePotato to privesc


Thanks. You're right about the RCE part, but the RoguePotato exploit was fixed... it probably requires owning sqladmin first.

PS C:\Users\webuser> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege      Bypass traverse checking      Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Machine was patched to be much harder.


14TH APRIL, 2022
[+] UPDATE: Windows Updates
Applied Windows Updates to block exploitation of multiple Windows exploits

25TH MARCH, 2022
[+] UPDATE: Patched Unintended Vectors
Added additional defenses to prevent RoguePotato exploits. Patched web application to prevent attack involving RCE from password reset.
Reply
Can anyone post the admin's NTLM hash?
Reply
Please, someone provide NTLM hash
Reply
(May 24, 2022, 08:15 PM)jon01 Wrote:
(May 11, 2022, 03:11 AM)luapig69 Wrote: Please, someone provide NTLM hash


3ebc094377ee665f31a78f536ba4f1af

https://fdlucifer.github.io/2022/04/10/Perspective/


This write-up is not clear on getting the root shell. I can't figure out how he got the shell via a token, and this path:

"https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'_'%7D,'/',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':'-'%7D,'%2B',true,false,true,false)From_Base64('A-Za-z0-9%2B/%3D',true)To_Hex('None',0)&input=eHhBWWZDaTlnTHBCU2ZxQS0tYnBESVppYXdXeTJWblpkSXhteHYzTTV4MTN6NFpydkFSeTVFYy10Ym5yMmdPVw"

--> Where did he get this input? (eHhBWWZDaTlnTHBCU2ZxQS0tYnBESVppYXdXeTJWblpkSXhteHYzTTV4MTN6NFpydkFSeTVFYy10Ym5yMmdPVw)

--> How can e.exe be executed as admin? I don't see e.exe being executed in his write-up.

Can anyone explain it to me? Thanks for reading.
Reply
Yeah, it is very similar to a padding oracle attack, if you know what all of these mean. Reverse the staging webapp with dnSpy. You'll see it as clear text.
Reply
(May 26, 2022, 02:42 PM)jon01 Wrote:
(May 26, 2022, 04:32 AM)z3r0Day Wrote:

When you get a shell there is perspective.dll && decompile it with dnSpy && # forgot token CBC --------> you will see that AES_ENCRYPT && also you can use pyoracle to get a rev shell


OMG, thank you hackers, it was easier than I thought. I am very bad at working with tokens and bitwise, sorry for the silly question ;)))
Reply
(May 27, 2022, 06:19 PM)0xZer0 Wrote:
(May 24, 2022, 08:15 PM)jon01 Wrote:
(May 11, 2022, 03:11 AM)luapig69 Wrote: Please, someone provide NTLM hash


3ebc094377ee665f31a78f536ba4f1af

https://fdlucifer.github.io/2022/04/10/Perspective/

Is there a way to obtain the Administrator account using the hash? Tried a lot but didn't find one.


Nope. It was specifically prevented and there's no straight SSH to the box as admin nor as the sqladmin user. They don't have SSH private keys.
After pwning you'll see that this machine is rated as #76 on HTB, so you have to be really good for it...
Reply
OK - downloaded perspective.dll, ran dnSpy on it, found AES_Encrypt
-----
using System.IO;
using System.Security.Cryptography;

// Token: 0x06000010 RID: 16 RVA: 0x000023EC File Offset: 0x000005EC
// Derives an AES-256 key from passwordBytes with PBKDF2 (fixed 8-byte salt,
// 1000 iterations) and encrypts bytesToBeEncrypted in CBC mode under the caller-supplied IV.
public static byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] ivBytes, byte[] passwordBytes)
{
    byte[] result = null;
    // Hard-coded salt: every token uses the same PBKDF2 salt.
    byte[] salt = new byte[]
    {
        1, 2, 3, 4, 5, 6, 7, 8
    };
    using (MemoryStream memoryStream = new MemoryStream())
    {
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
        {
            rijndaelManaged.KeySize = 256;
            rijndaelManaged.BlockSize = 128;
            // Rfc2898DeriveBytes = PBKDF2-HMAC-SHA1 with 1000 iterations.
            Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);
            rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
            rijndaelManaged.IV = ivBytes;
            // CBC with default PKCS7 padding and no authentication tag on the output.
            rijndaelManaged.Mode = CipherMode.CBC;
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cryptoStream.Write(bytesToBeEncrypted, 0, bytesToBeEncrypted.Length);
                cryptoStream.Close();
            }
            result = memoryStream.ToArray();
        }
    }
    return result;
}

---
Any tips on how to use this to get privesc?
Reply
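Added example, not code from the box, the write-up or any poster in this thread. It ties together the two technical points raised above: the base64url-to-bytes decoding of the token (the CyberChef recipe quoted earlier) and the AES_Encrypt scheme posted last (PBKDF2-HMAC-SHA1 with the fixed salt {1..8}, 1000 rounds, AES-256-CBC, PKCS7). The hardened variant, an encrypt-then-MAC token with a constant-time tag check, is my own addition to show what removes the padding-error signal; the password, plaintext and class name are constructed, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the box or the write-up). Assumes .NET 6+.
public static class TokenDemo
{
    static readonly byte[] Salt = { 1, 2, 3, 4, 5, 6, 7, 8 };  // same fixed salt as the decompiled code

    // Same derivation as Rfc2898DeriveBytes(password, salt, 1000) (PBKDF2-HMAC-SHA1), extended to
    // 64 bytes: the first 32 bytes equal the posted AES key, the last 32 are a separate HMAC key.
    static (byte[] Enc, byte[] Mac) DeriveKeys(byte[] password)
    {
        byte[] material = Rfc2898DeriveBytes.Pbkdf2(password, Salt, 1000, HashAlgorithmName.SHA1, 64);
        return (material.Take(32).ToArray(), material.Skip(32).ToArray());
    }

    static Aes NewAes(byte[] key, byte[] iv)
    {
        var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;   // 32-byte key selects AES-256
        aes.IV = iv;
        return aes;
    }

    // The CyberChef recipe from the thread in code: '_'->'/', '-'->'+', re-pad, base64-decode.
    public static byte[] FromBase64Url(string token)
    {
        string b64 = token.Replace('_', '/').Replace('-', '+');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    public static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Unauthenticated token, as the posted scheme produces: iv || AES-CBC(plaintext).
    public static string EncryptCbc(byte[] plaintext, byte[] iv, byte[] password)
    {
        using var aes = NewAes(DeriveKeys(password).Enc, iv);
        byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length);
        return ToBase64Url(iv.Concat(ct).ToArray());
    }

    // No integrity check: bad padding raises CryptographicException while a valid-looking padding
    // yields garbage. That distinguishable failure is exactly what a padding oracle needs.
    public static byte[] DecryptCbc(string token, byte[] password)
    {
        byte[] raw = FromBase64Url(token);
        using var aes = NewAes(DeriveKeys(password).Enc, raw.Take(16).ToArray());
        return aes.CreateDecryptor().TransformFinalBlock(raw, 16, raw.Length - 16);
    }

    // Hardened token: iv || ciphertext || HMAC-SHA256(iv || ciphertext) under a separate key.
    public static string EncryptThenMac(byte[] plaintext, byte[] iv, byte[] password)
    {
        byte[] body = FromBase64Url(EncryptCbc(plaintext, iv, password));
        using var mac = new HMACSHA256(DeriveKeys(password).Mac);
        return ToBase64Url(body.Concat(mac.ComputeHash(body)).ToArray());
    }

    // Verifies the tag in constant time before touching the cipher: every tampered token fails
    // the same way (null), and the padding check is never reached.
    public static byte[] DecryptThenMac(string token, byte[] password)
    {
        byte[] raw = FromBase64Url(token);
        if (raw.Length < 16 + 16 + 32) return null;              // iv + one block + tag
        byte[] body = raw.Take(raw.Length - 32).ToArray();
        byte[] tag = raw.Skip(raw.Length - 32).ToArray();
        using var mac = new HMACSHA256(DeriveKeys(password).Mac);
        if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(body), tag)) return null;
        return DecryptCbc(ToBase64Url(body), password);
    }

    public static void Main()
    {
        byte[] password = Encoding.UTF8.GetBytes("demo-secret");         // constructed
        byte[] plaintext = Encoding.UTF8.GetBytes("user@example.com");   // constructed, 16 bytes
        byte[] iv = RandomNumberGenerator.GetBytes(16);

        string weak = EncryptCbc(plaintext, iv, password);
        string strong = EncryptThenMac(plaintext, iv, password);
        Console.WriteLine($"cbc token: {weak}\netm token: {strong}");

        // Flip the last byte of the second-to-last ciphertext block: in CBC that flips only the
        // last plaintext byte, i.e. the padding byte, of the unauthenticated token.
        byte[] w = FromBase64Url(weak);   w[w.Length - 17] ^= 0x01;
        byte[] s = FromBase64Url(strong); s[s.Length - 49] ^= 0x01;

        try { DecryptCbc(ToBase64Url(w), password); Console.WriteLine("cbc: decrypted to garbage"); }
        catch (CryptographicException) { Console.WriteLine("cbc: padding error (oracle signal)"); }

        Console.WriteLine(DecryptThenMac(ToBase64Url(s), password) == null
            ? "etm: rejected before decryption" : "etm: accepted");
    }
}
```

Running it prints a padding error for the tampered CBC token and a uniform rejection for the tampered encrypt-then-MAC token. The fix for the class of weakness discussed in this thread is that second behaviour: authenticate the whole iv || ciphertext before decrypting (or use an AEAD mode such as AES-GCM), derive the MAC key separately from the encryption key, and log the rejected token rather than returning a distinct padding error to the client.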