HackTheBox Writeup — DropZone

Hello guys, I am Faisal Husaini. My username on HTB is “smoke”.

This was a pretty tricky box, and I learned about many things after solving it.

The IP for this machine is 10.10.10.90, and this is a Windows box.

NMAP Scan Results

All ports are reported as filtered. I also tried every method on TCP, but no luck, so now let's scan for UDP ports.

After scanning for UDP ports, we come to know that only one port is open: port 69, running the TFTP service. Let's scan it for versions and so on.

Nothing much interesting

TFTP Enumeration

Now let's run the TFTP brute module from msfconsole and see the results.

scanner/tftp/tftpbrute

We set RHOSTS to 10.10.10.90 and RPORT defaulted to 69, but we don't get anything from here.

Connecting To TFTP

We try to connect to the TFTP service with the command “tftp 10.10.10.90”.

TFTP Connection

So we can see that we can get and put our files on the TFTP server, so we can create our .exe backdoor with msfvenom, but we can't execute it.

After asking my friend for a hint, I came to know that I can upload MOF files, which will automatically let my .exe backdoor execute.

So I create a MOF file so that it can automatically execute my .exe backdoor.

MOF Code

Creating test.exe Backdoor

I will use msfvenom to create my test.exe backdoor in the usual way.

msfvenom

Uploading our files through TFTP

Now we will upload our created files, i.e., the MOF file and the backdoor .exe file, through the TFTP server.

From the link which I referred to before, I came to know that I have to upload the MOF file to the “%SystemRoot%\System32\wbem\mof\” directory and the backdoor file to the “%SystemRoot%\System32\” directory, so let's do it.

Uploading Files Through TFTP

We uploaded the .exe backdoor using binary mode.

Also set up the listener in msfconsole and wait for the response back.
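From the defender's side, both uploads described above are visible on the wire as unauthenticated TFTP write requests (WRQ). The following is an added example, not part of the original writeup: it parses RFC 1350 request datagrams and rates writes that target the two directories named above. The function names, severity labels, extension watch list and sample datagrams are assumptions constructed for illustration.

```python
import posixpath

RISKY_EXT = (".mof", ".exe", ".dll")  # assumed watch list, extend as needed

def parse_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ (RFC 1350): opcode(2) | filename | NUL | mode | NUL."""
    opcode = int.from_bytes(payload[:2], "big")
    fields = payload[2:].split(b"\x00")
    if opcode not in (1, 2) or len(fields) < 3:
        return None
    name = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return ("WRQ" if opcode == 2 else "RRQ"), name, mode

def normalize(name: str) -> str:
    """Fold case, unify separators, drop a drive letter, resolve '..' segments."""
    p = name.replace("\\", "/").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return posixpath.normpath("/" + p).lstrip("/")

def classify(payload: bytes):
    """Return (severity, path, mode) for a write request, None for anything else."""
    req = parse_request(payload)
    if req is None or req[0] != "WRQ":
        return None
    _, name, mode = req
    path = normalize(name)
    directory, _, base = path.rpartition("/")
    parts = directory.split("/")
    if parts[-3:] == ["system32", "wbem", "mof"]:
        return ("critical", path, mode)  # MOF drop directory from the writeup
    if "system32" in parts and base.endswith(RISKY_EXT):
        return ("high", path, mode)      # executable content into System32
    return ("info", path, mode)          # any other unauthenticated write

# Constructed sample datagrams (UDP payloads sent to port 69), not captured traffic.
SAMPLES = [
    b"\x00\x02/WINDOWS/system32/wbem/mof/test.mof\x00netascii\x00",
    b"\x00\x02\\WINDOWS\\system32\\test.exe\x00octet\x00",
    b"\x00\x02..\\..\\WINDOWS\\system32\\wbem\\mof\\x.mof\x00octet\x00",
    b"\x00\x01boot.ini\x00octet\x00",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The client's "binary" mode appears on the wire as `octet`, so the mode field distinguishes the executable upload from a text-mode one.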

Meterpreter

We got a Meterpreter session; now let's dig into it.

Meterpreter Shell

Now let's run the “sysinfo” and “getuid” commands and see the results.

sysinfo/getuid

We see that the machine is Windows XP and that we have NT AUTHORITY\SYSTEM, so we can directly get both flags without any privilege escalation. So let's get them.

Now let's get the flags.

Getting The Flags

We now move on to get the user and root flags.

2 for the price 1!.txt

We see that a hint is given about ADS, which may be Alternate Data Streams, so we will download streams.exe and upload it through our Meterpreter session to run it and fetch the file.

Here we encounter another challenge.

So we upload the streams.exe file through our Meterpreter session and run it with the command “streams.exe -s -d flags”, where flags is the name of the folder in which the user and root flags were.

The Flags

Here in the pic, we can see that we got both the user flag and the root flag.

User Flag → a6a4830ddd27a1bddd59d2aaa80f7940
Root Flag → 3316ffe05fada8f8e651931a5c45edab

This box was hard for me; it was also a totally new thing which I saw.

Vulnerabilities Used To Solve This Box :-

References

I didn't have any idea about MOF files, so I referred to this link → http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html