HTB - Remote | HTB Writeups

Last updated 6 months ago

Scope

IP Address 10.10.10.180

Enumeration

Nmap Scan

Service Enumeration

FTP

I noticed from Nmap that anonymous login is allowed but It didn't lead for anything

SMB

SMB Enumeration didn't lead for anything, too

RPC

The Same as SMB :(

NFS

I Found 2049 port open which is used by network file system (NFS), So I'll check if there is any accessible folders

I Found an interesting folder, So I'll mount it to my host and see its content

I tried to hunt for usernames & passwords, but nothing appears using grep command, So I searched online for Umbraco CMS and where it stores its credentials and I found this:

The CMS stores its credentials in Umbraco.sdf. After knowing this, I tried to open the file with text editor but it's binary file, so I list its content with strings and grep for credentials

So the file says that the hash is SHA1, let's fire up hashcat and crack it after getting the hashcat mode

Initial Access

At http://10.10.10.180/umbraco/ there is a login form.

I logged in with the credentials found before, then looked for the webapp version

I decided to search for public CVE with searchsploit

I searched for poc on GitHub this match the version of the webapp and found this one:

I clone it locally and run the exploit

User flag 442f18b8accdec694dxxxxxxxxxxx

Privilege Escalation

When I typed whoami command and saw the output, I knew it's an easy win cause user iis apppool\defaultapppool often has SeImpersonatePrivilege which can be used to escalate to system using RoguePotato or PrintSpoofer

Let's verify

I downloaded PrintSpoofer.exe & nc.exe from my attack host

Easy win :)

root flag 60ea8c532b06a17faxxxxxxxxxxxxxxx

Last updated 6 months ago

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote] └─$ nmap -F $ip -Pn PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 111/tcp open rpcbind 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 2049/tcp open nfs 5985/tcp open wsman ┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote] └─$ nmap -p21,80,111,139,445,2049,5985 $ip -sCV -oA Nmap/script-scan PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Home - Acme Widgets 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/tcp6 rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 2,3,4 111/udp6 rpcbind | 100003 2,3 2049/udp nfs | 100003 2,3 2049/udp6 nfs | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/tcp6 nfs | 100005 1,2,3 2049/tcp mountd | 100005 1,2,3 2049/tcp6 mountd | 100005 1,2,3 2049/udp mountd | 100005 1,2,3 2049/udp6 mountd | 100021 1,2,3,4 2049/tcp nlockmgr | 100021 1,2,3,4 2049/tcp6 nlockmgr | 100021 1,2,3,4 2049/udp nlockmgr | 100021 1,2,3,4 2049/udp6 nlockmgr | 100024 1 2049/tcp status | 100024 1 2049/tcp6 status | 100024 1 2049/udp status |_ 100024 1 2049/udp6 status 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 2049/tcp open nlockmgr 1-4 (RPC #100021) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 4s | smb2-time: | date: 2024-07-06T02:24:29 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required