backfire (HTB)

Does C2 even secure ??

Introduction.

Hello everyone today we are back on new machine Backfire season machine on HTB let's get right into it.

Enumeration.

Port scanning

PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJuxaL9aCVxiQGLRxQPezW3dkgouskvb/BcBJR16VYjHElq7F8C2ByzUTNr0OMeiwft8X5vJaD9GBqoEul4D1QE=
|   256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2oT7Hn4aUiSdg4vO9rJIbVSVKcOVKozd838ZStpwj8
443/tcp  open  ssl/http syn-ack ttl 63 nginx 1.22.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=SYNERGY/stateOrProvinceName=California/countryName=US/streetAddress=/localityName=Los Angeles/postalCode=7072
| Subject Alternative Name: IP Address:127.0.0.1
| Issuer: commonName=127.0.0.1/organizationName=SYNERGY/stateOrProvinceName=California/countryName=US/streetAddress=/localityName=Los Angeles/postalCode=7072
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-04T02:56:35
| Not valid after:  2027-06-04T02:56:35
| MD5:   825e:069a:f26f:23b8:581e:b758:e183:45b0
| SHA-1: 0584:d0ed:4d19:5049:9c58:b892:2a8b:b89a:62c3:07f2
| -----BEGIN CERTIFICATE-----
| MIID7DCCAtSgAwIBAgIQejL515JPEfZZ+s+iRljFBzANBgkqhkiG9w0BAQsFADB4
| MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9z
| IEFuZ2VsZXMxCTAHBgNVBAkTADENMAsGA1UEERMENzA3MjEQMA4GA1UEChMHU1lO
| RVJHWTESMBAGA1UEAxMJMTI3LjAuMC4xMB4XDTI0MDYwNDAyNTYzNVoXDTI3MDYw
| NDAyNTYzNVoweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDAS
| BgNVBAcTC0xvcyBBbmdlbGVzMQkwBwYDVQQJEwAxDTALBgNVBBETBDcwNzIxEDAO
| BgNVBAoTB1NZTkVSR1kxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcN
| AQEBBQADggEPADCCAQoCggEBAJRUr26zDQeev0P3+gdZu2TEd7LgDjtJNS03jpBD
| ANBHb2Qcrg3m1n/e/SZUHULBNfyZaMcJPGXnHGLCEAo9c0L0oONZkKBukEZnXy25
| Du+oURjxAYDfOpz7P5hsbvYC3J4SYj++0ROM83pkeTumR7lll4b81Bb+33009cio
| aas4XM1r0xC3S4opQy3WG5XBMUBSl8SvJtl+tZIznHkhfgNdyY22gkkj99+bSo7k
| 3uSWMgZhyIYtwtA7nmL+wbiExqBPG+uePnf0a3eGSJxoZGYN5zEmxQnrIMvsLf/9
| Gl6Buo+a8N9gAcpfI+iTEkolnESP78E28JwCcrJlF+XqsysCAwEAAaNyMHAwDgYD
| VR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNV
| HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ0j0foTTfXanFPUaxabyepSJpG3DAPBgNV
| HREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQA0LdgMcA2F9Z9oMaARdDrB
| eiRKkF8jr4CHyPzqAZ9EokVPc+Ua+kWykGp/grEP8WIIO4RIJxjO7aZ0xRVL2Mb9
| 8e6QckMFEeakTsTmHhttIPT+e6p0r8zObCDSGJg6VyjIKx3Q9NOIffgj95SPYls8
| sk4WpfiMywLvvsoqAsdxpddglXabOLGzCWhIdPBNRK3Niz6SHgzQwAWlemZA/2Lc
| lcfHdcskVtbO5PlO+SflduSTKDKr7reCxYINwkJB04cZ+fms6F2gH1g/WUiO60Al
| C06zO0T8SYUd+CH44KfFD/QyXtNseFjrNY88cIUO5CL4SS6A7GEb+PBlkHZmjn7u
|_-----END CERTIFICATE-----
| tls-alpn:
|   http/1.1
|   http/1.0
|_  http/0.9
|_http-server-header: nginx/1.22.1
8000/tcp open  http     syn-ack ttl 63 nginx 1.22.1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Index of /
|_http-server-header: nginx/1.22.1
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_

So as we can see we have HTTP[s] and SSH let's start with HTTP as it shows some files there.

Hmmm so we have Havoc.yaotl file and disable_tls.patch let's see what they contain.

Disable.tls.patch

Disable TLS for Websocket management port 40056, so I can prove that
sergej is not doing any work
Management port only allows local connections (we use ssh forwarding) so 
this will not compromize our teamserver

diff --git a/client/src/Havoc/Connector.cc b/client/src/Havoc/Connector.cc
index abdf1b5..6be76fb 100644
--- a/client/src/Havoc/Connector.cc
+++ b/client/src/Havoc/Connector.cc
@@ -8,12 +8,11 @@ Connector::Connector( Util::ConnectionInfo* ConnectionInfo )
 {
     Teamserver   = ConnectionInfo;
     Socket       = new QWebSocket();
-    auto Server  = "wss://" + Teamserver->Host + ":" + this->Teamserver->Port + "/havoc/";
+    auto Server  = "ws://" + Teamserver->Host + ":" + this->Teamserver->Port + "/havoc/";
     auto SslConf = Socket->sslConfiguration();
 
     /* ignore annoying SSL errors */
     SslConf.setPeerVerifyMode( QSslSocket::VerifyNone );
-    Socket->setSslConfiguration( SslConf );
     Socket->ignoreSslErrors();
 
     QObject::connect( Socket, &QWebSocket::binaryMessageReceived, this, [&]( const QByteArray& Message )
diff --git a/teamserver/cmd/server/teamserver.go b/teamserver/cmd/server/teamserver.go
index 9d1c21f..59d350d 100644
--- a/teamserver/cmd/server/teamserver.go
+++ b/teamserver/cmd/server/teamserver.go
@@ -151,7 +151,7 @@ func (t *Teamserver) Start() {
 		}
 
 		// start the teamserver
-		if err = t.Server.Engine.RunTLS(Host+":"+Port, certPath, keyPath); err != nil {
+		if err = t.Server.Engine.Run(Host+":"+Port); err != nil {
 			logger.Error("Failed to start websocket: " + err.Error())
 		}
 

From this message we can understand that whom ever did this patch trying to set MR. sergej up by disabling the secure web socket in the internal network hmm.

havoc.yaotl

Teamserver {
    Host = "127.0.0.1"
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "ilya" {
        Password = "CobaltStr1keSuckz!"
    }

    user "sergej" {
        Password = "1w4nt2sw1tch2h4rdh4tc2"
    }
}

Demon {
    Sleep = 2
    Jitter = 15

    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

Listeners {
    Http {
        Name = "Demon Listener"
        Hosts = [
            "backfire.htb"
        ]
        HostBind = "127.0.0.1" 
        PortBind = 8443
        PortConn = 8443
        HostRotation = "round-robin"
        Secure = true
    }
}

And this is havoc file what is havoc ???

Havoc is a modern and malleable post-exploitation command and control framework

Havochavocframework.com

Havoc is a C2 server which used in the post-exploitation phase to remain persistence on network.

Looking at HTTPs.

Https Seems to does not have anything let's try to figure more into the first files we found first.

finds

after a bit of searching the HTTP does not seem to have anything other than the files and there is probably Hovac end point accessible according to what i have red about havoc frame work

while am searching i found this repo

GitHub - chebuya/Havoc-C2-SSRF-poc: CVE-2024-41570: Havoc C2 0.7 Teamserver SSRF exploitGitHub

Which explain SSRF exploit in the havoc framework so i decide to test it and it works.

So as we can see here the exploit is a bit complicated but the border line is that it create a socket through the facing interface and using proxy (I think) it redirect our traffic from to the internal machine and there fore we can access internal machine thing that's how we get connection from the target machine. To better explanation and correct info refer to the blog below from the exploit created and one of the machine creators.

Unauthenticated SSRF on Havoc C2 teamserver via spoofed demon agent (CVE-2024-4157)blog.chebuya.com

But getting just SSRF would not help so much we maybe able to find another one which i have came across while am reading about this.

c2-vulnerabilities/havoc_auth_rce at main · IncludeSecurity/c2-vulnerabilitiesGitHub

This exploit using some crafted request is able to execute commands on the server but there is an issue when i try to exploit it i got "Connection Refused".

So i think there is a way to combing the SSRF and this exploit the get command execution on the server. Because that SSRF exploit allow us to connect socket though the server what if we can instead of write anything into the socket we write this exploit at least this what i think.

GitHub - sebr-dev/Havoc-C2-SSRF-to-RCE: This is a modified version of the CVE-2024-41570 SSRF PoC from @chebuya chained with the auth RCE exploit from @hyperreality. This exploit executes code remotely to a target due to multiple vulnerabilities in Havoc C2 Framework. (https://github.com/HavocFramework/Havoc)GitHub

Then i found this repo who implemented combining both exploits.

So after going through the exploits one by one we are able to get RCE on the server.

As you can see in the image above we are able to get shell access on the machine amazing foothold.

After that i created SSH key because it keep disconnecting for some reason.

First we run the following command.
ssh-keygen -f ilya 

Then in ilya home directory will be 2 keys
ilya -> private key
ilya.pub -> public key

then we move the public key into the authorized_keys file in .ssh folder
cat ilya.pub -> .ssh/authorized_keys

and we just copy and paste the private key into our machine change it premissions to 
600

and use the following command to connect to ssh.

ssh -i <keyName> ilya@backfire

Shell as sergej.

so when we get access with ilya we can see a note and a script.

The python script basically create new user using the default key for JWT using the admin user and then create new user for us.

but i when we attempt to run the script it give us error.

so i decide to move the file into my machine and then using SSH i create port forwarding to port 5000 which runs the hardhat server.

here a picture for the other port which use for the web interface for hardhat C2. so i forward both.

after i did so i install the pyjwt from pip to run the script. After running the script it will generate JWT token and will generate new user we can use that user to login via the web interface both username and password uses the same thing.

From here we click on interact will take us to this page.

we choose terminal and we can run any command as the user sergej so we can use reverse shell and get shell as the user sergej.

Online - Reverse Shell Generatorwww.revshells.com

from here you can generate reverse shell.

and same steps set up listener and i created ssh connection same steps as before you can stick with the netcat connection if you want.

Shell as Root.

So once i got access to the sergej user i tried to check around few things i notice.

First i attempt to change the iptables roles allowing the C2 Hardhat server to be publicly accessible but i notice something after a while the configurations has changed to the default configurations so i used pspy64 to check the process that being executed.

Initially, I modified the iptables rules to allow the C2 Hardhat server to be publicly accessible. However, I noticed that after some time, the configurations reverted to their default settings. To investigate further, I used pspy64 to monitor the processes being executed.

To view ip tables entries

iptables -L -v -n

to change one of the entries.

sudo iptables -D INPUT -p tcp --dport 5000 -j REJECT

and here we are we can see few noticeable things such the replacement of the passwd file and the cron jobs also we can see why the iptables precest and does not change by using the iptables-restore. the first thing i think about was to modifies the passwd.bak file which as you may guess is not possible as it only allow reading.

So after a bit of search i found this blog.

Shielder - A Journey From `sudo iptables` To Local Privilege EscalationShielder

Which explain a way to override files using iptables-save which we have sudo permission on it.

So from the blog we can see that using iptables-save -f [some file] will write everything in the iptables-save into the file what exist on there is the same as the preiouse iptables command to check the entries.

iptables -L -v -n

with that there are to things in mind first i tryed to add entry to the passwd file as follow

But this actually does not work as we do not have permission to write to the passwd file. even via iptables-save

But wait we have another entry to the passwd file via the passwd.bak file. so i tried to add it to the passwd.bak file hoping it would copy it to the passwd file therefor i will get root access.

But unfortunately no luck i believe this is the correct way but i maybe doing something wrong so is this the only why ???.

Of course not another thing that i think about when i know we can have write access to any file is to change the permission of the sudo command for the user sergej. But how can we do that

The user sergej now have root execution on iptables and iptables-save with no password. And how it that basically configure via file called sudoers file.

here we can specify what access for each user using the sudo command so can we allow our user sergej to have access to everything as root with no password YES !.

using this command we can allow that username ALL=(ALL) NOPASSWD:ALL

First thing i added my command to the iptables-save entry

Keep in mind to prefix with '\n' and end it with '\n' to put our command in new line so it can

be parsable even if the others gives errors this still will take effect.

Then i added that and as you can see below i do not have permissions to even read the file.

using the command sudo -l we can see our permissions.

we will have multiple errors but this is fine our command has take an effect.

with that we can do what ever we want.

using the command sudo su will give you shell as root.

conclusion.

In the end this machine was a great experience it has a good ideas too specially the rooting part was so much fun.

That's all for me thank you for reading 🫶