HackTheBox Writeup —Control

Hello Guys , I am Faisal Husaini. My username on HTB is “ferlle” . Also join me on discord.

The IP of this box is

Running nmap full port scan on it , we get

Running service scans against the open ports

We see HTTP , msrpc and mysql services running on the open ports , moving to the web part

Running the IP in the browser

The webpage looks very good, running Gobuster against it

We get alot of results, before checking them , we check the source code of the main webpage

We see something interesting in the comment section which has some to do tasks which includes certificate location to \\\myfiles

From the Gobuster scan, we saw admin.php page so we try to access the page

We get access denied error message, also it tells us to go through the proxy to access the page

We intercept the request in Burp Suite and then send the request to Repeater

Here we now add a X-Forwarded-For header with the value of the IP address which we got from the source code comments back before

We sent the request and saw that this time we got accessed to the admin.php page, so we just go the proxy settings

We add the required header so that whenever we request the admin.php or any other page, it redirects it through the proxy automatically

So now we access the page

We see something related to products, also there is a Search field which we use

We see that it queries something, so we just copy the request to a file and then run sqlmap against it

We see that page is vulnerable to SQL Injection, down below we can confirm the database version and the databases

We now move onto dumping users and passwords

Now we crack these encrypted passwords using sqlmap’s password cracker

We cracked the password successfully, but we didnt found anyway of getting in as WinRM and SSH both were closed

We uploaded a php webshell through sqlmap and then try to access it

We got shell successfully and now we upload netcat through sqlmap too and then try to get reverse shell to work more properly

Checking back the netcat listener

We got reverse shell and now we escalate to hector user

We got shell as hector but we have a limited shell where we cant get any response of any command , so we use netcat again to get reverse shell through this escalated user shell we got

Checking the netcat listener

We got proper shell as hector user, moving further to get the user flag which is usually stored under the Desktop folder of the user

Now time for privilege escalation to root

Checking for powershell history commands

We see that two powershell commands were used for registries so we use the below command to get the services which user Hector has FullControl with

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "hector Users Path Everyone"

Since we see alot of services, we use wuauserv service which is Windows Updater service

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover