HackTheBox-Appsanity Writeup

11 min readMar 16, 2024

Appsanity is a hard-difficulty Windows machine focused on application misconfigurations both on the web and locally. The web applications showcase several vulnerabilities, including an Access Control issue during sign-up, enabling unauthorized access to a higher-privileged account. Additionally, flawed session management permits attackers to use a `JWT token` from one domain to access a subdomain. This secondary domain has a file upload vulnerability, which, coupled with Server-Side Request Forgery (SSRF), allows the uploading and execution of an `.aspx` file to establish a reverse shell. Locally, two attack vectors are present: one involves decompiling a `C#` binary to uncover a registry key holding a user password, and the other entails analyzing a `C++` binary to spot a DLL Hijacking opportunity, granting the attacker administrative code execution.

Machine Info

Enumeration

Rustscan

rustscan --accessible -a 10.129.182.251 -r1-65535 -u 65535 -b 10000     
Automatically increasing ulimit value to 65535.
Open 10.129.182.251:80
Open 10.129.182.251:443
Open 10.129.182.251:5985
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 21:14 +06
Initiating Ping Scan at 21:14
Scanning 10.129.182.251 [2 ports]
Completed Ping Scan at 21:14, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:14
Completed Parallel DNS resolution of 1 host. at 21:14, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:14
Scanning 10.129.182.251 [3 ports]
Discovered open port 80/tcp on 10.129.182.251
Discovered open port 5985/tcp on 10.129.182.251
Discovered open port 443/tcp on 10.129.182.251
Completed Connect Scan at 21:14, 1.20s elapsed (3 total ports)
Nmap scan report for 10.129.182.251
Host is up, received syn-ack (0.047s latency).
Scanned at 2024-03-16 21:14:13 +06 for 1s

PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack
443/tcp  open  https   syn-ack
5985/tcp open  wsman   syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds

Nmap

sudo nmap -sV -A -T4 -p- -vvv 10.129.182.251 -oN appsanity.nmap                          
[sudo] password for jarvis: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 21:14 +06
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
Initiating Ping Scan at 21:14
Scanning 10.129.182.251 [4 ports]
Completed Ping Scan at 21:14, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:14
Completed Parallel DNS resolution of 1 host. at 21:14, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:14
Scanning 10.129.182.251 [65535 ports]
Discovered open port 80/tcp on 10.129.182.251
Discovered open port 443/tcp on 10.129.182.251
SYN Stealth Scan Timing: About 16.76% done; ETC: 21:17 (0:02:34 remaining)
SYN Stealth Scan Timing: About 44.00% done; ETC: 21:16 (0:01:18 remaining)
Discovered open port 5985/tcp on 10.129.182.251
SYN Stealth Scan Timing: About 71.33% done; ETC: 21:16 (0:00:37 remaining)
Completed SYN Stealth Scan at 21:16, 153.86s elapsed (65535 total ports)
Initiating Service scan at 21:16
Scanning 3 services on 10.129.182.251
Completed Service scan at 21:17, 31.89s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.129.182.251
Retrying OS detection (try #2) against 10.129.182.251
Initiating Traceroute at 21:17
Completed Traceroute at 21:17, 1.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:17
Completed Parallel DNS resolution of 2 hosts. at 21:17, 0.03s elapsed
DNS resolution of 2 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.129.182.251.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:17
Completed NSE at 21:17, 9.76s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:17
NSE Timing: About 95.83% done; ETC: 21:18 (0:00:01 remaining)
Completed NSE at 21:18, 31.56s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
Nmap scan report for 10.129.182.251
Host is up, received echo-reply ttl 127 (0.052s latency).
Scanned at 2024-03-16 21:14:21 +06 for 233s
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON          VERSION
80/tcp   open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  https?  syn-ack ttl 127
5985/tcp open  http    syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=3/16%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=65F5B836%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=U)
SEQ(SP=103%GCD=1%ISR=10A%TI=RD%II=I%TS=U)
OPS(O1=M53CNW8NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   46.95 ms 10.10.14.1
2   47.71 ms 10.129.182.251

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.62 seconds
           Raw packets sent: 131277 (5.780MB) | Rcvd: 137 (6.624KB)

Adding machine IP in our host file as usual:

echo "10.129.182.251  appsanity.htb" | sudo tee -a /etc/hosts

Starting with Website: port 80

Some doctor website we can see here. Let’s sign up for this page and login. We will get our profile

After going around the website, we can’t find any useful things. Then I go for check the Cookie value of this page.

Now there are some interesting things found here. First of all we can see that the application is written in ASP DotNet Core technology. Second, there is a cookie value named as ‘access_token’, which seems useful to us. I took out the value of ‘access_token’ and check for the plaintext inside it.

JWT token

It seems like JWT token to me. I went to https://jwt.io/ and check the values.

Nothing Useful, but we will get back to it later

Going back to the website, I went for checking the request of ‘signup’ page with burp. Well, it shows us something useful that we can take use of.

Acctype **(access type most probably)** is set to 1

We can manipulate it like set to 2 and check for the response. And something interesting has happened when we refreshed the webpage. It shows some another account that we have got accessed and there is an extra thing that we got. Interesting!!

I didn’t have any option left so I went for enumerating the subdomains from this site. Here, I got ‘portal’.

Going to this site, revels a login page for ‘meddigi’ application.

We don’t have default credentials and there isn’t any sign up functionality here. So either we can get SQL injection or Cookie tampering here and that’s what I thought before. Here, SQL injection didn’t worked, but while making an approach for cookie tampering, I got success. Remember, we got ‘access_token’, we will use it here. I used ‘Edit this Cookie’ extension for this. You can user your own. First we will named the cookie as ‘access_token’ and then set the value that we got earlier.

While going around with the navigators, ‘Issue prescriptions’ can be useful here. There is total 2 sections email address & prescription link where we can do something.

The prescription link only takes ‘http’ or ‘https’.

To check for that if it is providing any response to our server and yes it does and we successfully got SSRF vulnerability here.

If we take the localhost here with port 8080 instead of our attacker ip, we got to see some files hosted on the server.

To check the response, we can use the burp and got a handy thing that can useful for exploiting and get shell on the machine.

If we try to upload some other files with different extensions, we are pooped with the message that it only allows PDF files.

Now what if we can bypass this, we can upload a .aspx shell in the website with PDF magic header with it. Then it will be bypassed right!, problem is to identify which PDF signature will be taken here to work. I tried multiple signatures and finally “%PDF-1.7" worked.

https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx

After that we will upload the file and check if it is hosted in the server.

And then we will send the below request to get shell in our machine:

We can upgrade the shell in meterpreter like below steps. First we will run power shell on the shell and get a shell back in the meterpreter.

User Flag

We can got the ‘inetpub’ directory as the application is already written in ASP dotnet core and web files are generally stored in the inetpub. So, it is easy to enumerate it first. We can see a dll file which is useful.

After downloading the file, I will then check its source code. To view the source code we can get help from DnsPy tool.

GitHub - dnSpy/dnSpy: .NET debugger and assembly editor

NET debugger and assembly editor. Contribute to dnSpy/dnSpy development by creating an account on GitHub.

github.com

From “RetrieveEncryptionKeyFromRegistry()” fuction, we get the location and a key. So we can retrieve the key from the target machine. To do that we will come to the meterpreter and run the below command:

We get a password here. Great! now we can run evil-winrm with this creds. The user will be ‘devdoc’.

Privilege Escalation

Going to Program Files, there is a exe file named ‘ReportManagement.exe”. The reason I take this file is because the server have something like ‘view report’, so I thought that privEsc path will be from this one. I first download this file in my local machine.

And the upload this file in this website to de-compile the binary.

Decompiler Explorer

Decompiler Explorer is an interactive online decompiler which shows equivalent C-like output of decompiled programs…

dogbolt.org

We can see in the Libraries directory something is there with is a dll file, that is shown below:

So here comes to the dll hijacking concept, if we manipulate this file into a reverse shell then we can get a shell as administrator in the machine. So first we need to see if this file has necessary permissions to modify or change.

We can see that we have write permission on this file. So we can change this file into another file. I will make a msfvenom payload and name it exactly the same as ‘externalupload.dll’.

After that we will upload the file in the Libraries directory.

This will give us shell as administrator. But this isn’t easy as it looks like. We need to run that service locally. To do that first we need to view the ports that are open internally by using the netstat command in meterpreter.

We can see 100 port is using the ‘ReportManagement.exe’ file. To port forward, we can use Metasploit default command, ‘portfwd’ like below:

There is a correction here the port will be 4949 for next step, I took screenshot before so I forget take the updated one. However, Port number can be anything here as your choice.

After that will we connect back with port 4949 with ‘nc’ command. Like below and run the following command. After some seconds we will get shell as administrator.

And boom!!! We are administrator :)

Conclusion

I really enjoyed this machine, the concept from manipulating an aspx file into PDF to DLL hijacking. I want to give thanks to the machine creator for making this wonderful machine. However, most Intriguing part is that I am totally a fan of Windows machine to solve, as they are mostly real life based machines. Lastly, thank you for reading and keep me in your prayer and follow me in medium. I will get back into another machine write up. Till then, bye bye!!!

Follow me on my GitHub profile here