Atom | HackTheBox writeup
I started with an Nmap scan, which found 6 open ports and a domain name.
Checking SMB, I found an uncommon folder named “Software_Updates”.
In that directory there are 3 folders and a PDF.
So I downloaded the PDF.
The PDF explains what Heed is and its process.
It says that the file should be placed in one of the client folders.
I searched for an electron-builder exploit and found an article.
From that article, I learned how to exploit it.
For the exploitation part,
- The Filename should be in “latest.yml”
- The Filename in the “latest.yml” should have a single quote.
- Calculate the hash.
An example of “latest.yml” is also given in this article.
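Seen from the update server's side, the same three points become checks on any “latest.yml” before a client reads it. The following is an added example, not code from the article or from electron-builder: `audit_manifest`, the allow-list pattern and the sample values are hypothetical, and it assumes the `sha512` field holds the base64-encoded SHA-512 digest of the installer.

```python
import base64
import hashlib
import re

# Conservative allow-list for installer file names (assumption for this example).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]*\.exe$")

def parse_manifest(text):
    """Read the top-level 'key: value' pairs of a latest.yml-style manifest."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " -#" or ":" not in line:
            continue  # skip blanks, comments and nested list entries
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def unquote(value):
    """Strip one layer of YAML quoting so the raw file name is inspected."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def audit_manifest(text, installer_bytes=None):
    """Return a list of findings; an empty list means the manifest passed."""
    fields = parse_manifest(text)
    findings = []
    name = unquote(fields.get("path", ""))
    if not SAFE_NAME.match(name):
        findings.append(f"unsafe file name in path: {name!r}")
    if installer_bytes is not None:
        digest = base64.b64encode(hashlib.sha512(installer_bytes).digest()).decode()
        if digest != fields.get("sha512", ""):
            findings.append("sha512 does not match installer")
    return findings

if __name__ == "__main__":
    installer = b"constructed installer bytes"  # constructed sample data
    good_hash = base64.b64encode(hashlib.sha512(installer).digest()).decode()
    for path in ("app-setup.exe", "app'setup.exe"):  # constructed file names
        manifest = f"version: 1.2.3\npath: {path}\nsha512: {good_hash}\n"
        print(path, "->", audit_manifest(manifest, installer) or "ok")
```

A matching hash alone does not make the manifest trustworthy, since anyone who can write to the folder can recompute it; the file-name check and write permissions on the update share are what close the gap.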
I created a reverse shell payload with msfvenom and calculated the hash.
As you can see I created the file name with a single quote.
The next step is to edit “latest.yml”.
I changed the URL, SHA512, and PATH values.
I started Metasploit for reverse connection and a python server for the “.exe” file transfer.
I uploaded the “latest.yml” in SMB’s client folder and got shell back in Metasploit.
I changed meterpreter to shell and now I am Jason.
I got the user flag.
For the privilege escalation, I uploaded winPEAS.
I got an interesting service and its config file.
Also got a PDF.
From the config file, I got the pass of Redis.
I also downloaded the PDF which I got from winPEAS; it’s about Portable Kanban.
Using redis-dump with the password I got from the config file, I got an EncryptedPassword.
The PDF is about Portable Kanban, so I searched for an exploit for it.
I got an exploit.
It was about encrypted password retrieval.
This is the Python code that decrypts the encrypted code.
I edited the code as shown below, because I am not using some parts of the exploit code.
By running the python file, I got the password.
With the password, I logged in as the administrator and got the root flag.