HackTheBox Writeup — RE

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is

Running NMAP full port scan on it , we get

We get only 2 Open Ports, running service scans against them

We see Microsoft IIS version 10 running on Port 80 and Microsoft-ds on Port 445 which is usually SMB

We run smbclient to check the default shares

We get only one open share named malware_dropbox so we try to connect to it

We got connected successfully and also can put some files into it as I did above

Now moving to the web part

We try to access reblog.htb which we saw in the NMAP results after adding it to our hosts file

We see multiple blogs in webpage, so we read the 3rd article from the first

From the article we see that it has Yara installed in the machine

So we now move on creating malicious ods file using metasploit

We used openoffice_document_macro from msfconsole and then set our options

Running the modules creates an odt file and we copy it to our local directory

Since Yara will trigger out anything creating from metasploit, so we will now unzip the odt file and do some changes

We have to edit the Module1.xml file, but before that we have to use the hta_server method from MSF to get meterpreter

All options set and then we run the exploit command

Now we copy the URL part and then use it on the editing of the Module1.xml file

Now we save it and then rename the file to an ods extension after zipping it back and then upload the ods file into the malware_dropbox smb share

We uploaded the file and now move onto checking the msf listener

We got meterpreter connection successfully and we spawned shell through it, now moving to get the user flag

Time for Privilege Escalation

Checking the contents of the Documents folder of user Luke

We see a powershell script named process_samples.ps1, checking the code inside it

We see that it processes RAR file which is uploaded in the ods folder in the Documents section

We use evilWinRAR so that it puts our webshell in the web directory through RAR file traversal technique

We created the RAR file and now time to upload

We uploaded the RAR file and now trying to access the web shell

We are good to go as we try to run any command

This time we are iis apppool\re

Now we move onto getting reverse shell through this

Checking back the netcat listener

We got reverse shell successfully and now we run PowerUP’s Invoke-AllChecks

We see that the current user has service permissions over UsoSvc and we can abuse that

Here we change the config which will get us reverse shell through netcat and then start the service

Checking back the netcat listener on our local machine

We got reverse shell successfully , but we had unstable shell so we get reverse shell once again through nc

Here we have the root flag , trying to read it

We get access denied on the files, checking the owner of the file

We see that root.txt is owned by user Coby

Since we are nt authority\system so we can just change the password of the user Coby and then read the flag

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover