Atom | HackTheBox writeup


Atom is a medium based windows machine in HackTheBox by MrR3boot

User Part

Start with Nmap scan found 6 open ports and domain name.

checking smb found a uncommon folder which is “Software_Updates”.

In that directory there are 3 folder and a PDF.

so I downloaded the PDF.

In that PDF, it tells about what is Heed and its Process.

From that, it tells that file should be placed in one of the client folders.

I search for electron-builder exploit and got an article.

From that article, I got how to exploit that.

For the exploitation part,

  1. The Filename should be in “latest.yml”
  2. The Filename in the “latest.yml” should have a single quote.
  3. calculate hash 

Example of “latest.yml” also given in this article.

I created a reverse shell payload with msfvenom and calculated the hash.

As you can see I created the file name with a single quote.

The next step is that to edit “latest.yml”.

I changed URL, SHA512, PATH values.

I started Metasploit for reverse connection and a python server for the “.exe” file transfer.

I uploaded the “latest.yml” in SMB’s client folder and got shell back in Metasploit.

I changed meterpreter to shell and now I am Jason.

I got the user flag.

Root Part

For the privilege escalation i uploaded winPEAS.

I got an interesting service and its config file.

Also got a PDF.

From the config file, I got the pass of Redis.

I also downloaded the PDF which I got from winPEAS, it’s about portable kanban.

Using redis-dump, using the password I got now from the config file, I got an EncryptedPassword.

The PDF shows about portablekanban, So I searched for its exploit.

I got an exploit.

It was about encrypted password retrieval.

This is the python code, which decrypts the Encrypted code.

I edited the code as shown below. Because I am not using some parts of the exploit code. 

By running the python file, I got the password.

With the password, I log in to the administrator and got the root flag.

Share on facebook
Share on twitter
Share on linkedin