Embrace Rabbit Holes
A Windows string escaping nightmare.
You will go down many rabbit holes when pentesting or doing HackTheBox / CTF style challenges. A lot of people complain about getting stuck in rabbit holes, especially when a box contains a few red herrings.
I’m a ‘nix guy — the last Windows I tried was Vista, and after a few days of complaining about it to a co-worker I switched to Feisty Fawn on his recommendation.
As such I haven’t had much exposure to PowerShell, so I’ve made sure to pwn Windows machines on HTB in an effort to sharpen those skills, and the Access box (now retired) taught me tons about PowerShell.
Initial foothold was easy, gaining restricted user account was fine, I dropped the firewall with runas and provided myself with a system level account using eternalblue. Success! I navigated to the flag filled with anticipation.
PS:> type root.txt
This made no sense to me. How could I be “root” and not read the file?
What followed was around 12 straight hours of alternating “WTF” and “Really? Wow…” moments which gave me a crash course in Windows ACL and eventually lead to victory.
The weirdest WTF of them all was how Windows escapes quotes depending on context.
PowerShell and cmd.exe escape things completely differently. If you want to pass a command into PowerShell the escaping works differently to a regular command. Runas has its own independent escaping syntax, the find command has its own irregularities, and for loops take things to the next level of insanity, especially when you try to add piping to the mix.
Some of the different escaping methods I found on my journey:
# PowerShell Command (powershell -nop -c "...")
# For Loop
Double Quote: ""
Double Percent: %%
# At Sign
Here double: @" <string with unescaped "double quotes"> "@
Here single: @' <string with unescaped 'single quotes'> '@
# When Piping Commands
Double the escapes... i.e. ^& becomes ^^^&
# Nested Double Quotes
"I was told to ""Just Keep """Adding""" the """"""" Character""!"
Oh. My. God.
I was trying to inject a super complicated and completely unnecessary command that required deeply nested escaping along the lines of:
Runas Command < cmd.exe Command < PowerShell < PowerShell Command < Code with Loops, Variables, Strings etc
I’m sure you can imagine the nightmare that followed trying to pipe and nest several different escaping techniques… The fact that it all had to get urlencoded before being submitted via HTTP cranked the pain up to 11.
I didn’t end up needing to do any of that whatsoever, but I’m very glad I went deep into that hole for a few hours because I got to learn about how crazy string escaping is in the Windows world.
The moral of the story? Don’t fear rabbit holes or feel frustrated when you’ve been stuck in one for a while. Embrace and learn from them.
That being said, it’s important to know when to call it quits. You don’t want to get stuck down one forever.