Atom-HTB-Writeup

Faris
5 min read · Jul 14, 2021

I am solving the Atom machine on HackTheBox this time

After running an Nmap scan, I saw these results

Found 4 open ports

After that, I checked the webpage to see what is there

Nothing special there either, so let’s check smbclient

smbclient --list //atom.htb/ -u

There is a share called Software_Updates, let’s see what’s inside

smbclient -N //atom.htb/Software_Updates -u

We got 3 directories for 3 clients and a PDF file

The 3 directories were completely empty, so I downloaded the PDF file to read it

get UAT_Testing_Procedures.pdf

After viewing the PDF file, I found this part interesting

So that means that by just editing one of the 3 client directories we found before, the server will run the files and execute what’s in them.

By using Google to find something interesting about “electron-builder”, I found a lot of blogs talking about what “electron-builder” is vulnerable to

They also say that we need to remake our fake latest.yml to bypass the payload security check and execute it directly

latest.yml files are responsible for auto-updates in electron-builder projects, so when we edit them we convince the system to auto-update and run the file we give it, which in our case is the payload we want to run to get a REV-Shell.
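
From the defender's side, the same update flow can be linted before clients consume it. This is an added example (not code from this writeup or from electron-builder): it rejects a latest.yml whose `path` is not a plain local installer name and checks the base64 SHA-512 against the installer bytes. The function names, file names and sample manifests are constructed for illustration.

```python
import base64, hashlib, re

# Constructed sample data (not from the writeup): a fake installer and two manifests.
INSTALLER = b"MZ constructed installer bytes"
GOOD_SHA = base64.b64encode(hashlib.sha512(INSTALLER).digest()).decode()
GOOD_MANIFEST = f"""version: 1.2.3
path: app-setup-1.2.3.exe
sha512: {GOOD_SHA}
releaseDate: '2021-07-14T00:00:00.000Z'
"""
# Same manifest, but path points at a remote URL with a space in the name.
BAD_MANIFEST = GOOD_MANIFEST.replace("app-setup-1.2.3.exe",
                                     "http://203.0.113.5/app setup.exe")

# Allowlist: a bare file name, no directories, URLs, spaces or quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.exe")

def parse_top_level(text):
    """Minimal parser for the flat top-level 'key: value' lines of latest.yml."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            # Unquote only when the whole value is wrapped in matching quotes.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            fields[key.strip()] = value
    return fields

def audit_manifest(text, files):
    """Return a list of findings (empty list = manifest passed).
    `files` maps file names present on the update share to their bytes."""
    manifest = parse_top_level(text)
    path = manifest.get("path", "")
    if not SAFE_NAME.fullmatch(path):
        return ["path is not a plain installer file name"]
    if path not in files:
        return ["installer named in path is missing"]
    actual = base64.b64encode(hashlib.sha512(files[path]).digest()).decode()
    if actual != manifest.get("sha512"):
        return ["sha512 does not match installer"]
    return []

if __name__ == "__main__":
    share = {"app-setup-1.2.3.exe": INSTALLER}
    print(audit_manifest(GOOD_MANIFEST, share))
    print(audit_manifest(BAD_MANIFEST, share))
```

A check like this complements restricting write access to the update share and verifying the installer's code signature; it does not replace either.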

And this blog was very useful for our situation

This should make the web app execute our payload and allow us to get a REV-Shell. Let’s go ahead and try it

I created this bash script, which you can download from here:

git clone https://github.com/Far1s-404/electron-destructor.git

After downloading the script, let’s run it and it will create the needed files automatically

NOTE: It may need more than normal user privileges to run the script

Now let’s run the listener, upload latest.yml, and wait

Finally I got the user’s flag. Now it’s time for escalation to get the root flag

It didn’t take too long to find the application called PortableKanban in jason’s Downloads

After a quick search on Google, I didn’t find much useful information about this application, but I found a tool on exploit-db that decrypts PortableKanban passwords. This means that maybe there is a password stored there somewhere

Time to dig deep and find it

After a little searching about PortableKanban, I found this beautiful README file, which says that PortableKanban uses a kind of database called Redis and that by default we can log in with the username administrator and a blank password

apt install redis-tools
redis-cli -h atom.htb --user administrator

Hmm… unfortunately I failed to log in. It looks like the default credentials were changed, so we need to find another way

But look at what Redis says on their website

That’s what I’m talking about. Now we know what we want to find

Let’s use the shell we have to find this redis.conf file

After a lot of searching, I finally found the config file

C:\Program Files\Redis\redis.windows.conf

And here is what we were looking for

Now let’s try to log in to Redis again and hope it works this time

Tried with the username… didn’t work, but it worked without it

With the help of this commands page or this cheat-sheet, I found the admin’s encrypted password

Time to decrypt it

After a lot of searching, it was hard to figure out how to decrypt it

I tried to use the exploit I found on exploit-db before, but it wasn’t as useful as I thought. There was another way available, though: use CyberChef and create our own recipe with the help of exploit-db

kidvscat_admin_@123

Since port 22 is closed and there is no SSH to connect with, we are going to use evil-winrm

evil-winrm -u administrator -i atom.htb

Bingo… We rooted the machine successfully

Wish it was an easy simple writeup.
