
HTB - Remote
Scope
IP Address 10.10.10.180
Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ nmap -p21,80,111,139,445,2049,5985 $ip -sCV -oA Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4s
| smb2-time:
| date: 2024-07-06T02:24:29
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service Enumeration
FTP
I noticed from Nmap that anonymous login is allowed, but it didn't lead to anything.
SMB
SMB enumeration didn't lead to anything either.
RPC
Same as SMB :(
NFS
Port 2049 is open, which is used by the Network File System (NFS), so I checked whether the server exports any directories I can access.
I found an interesting export, so I mounted it on my host to go through its contents.
I hunted for usernames and passwords, but nothing turned up with grep, so I searched online for where Umbraco CMS stores its credentials and found this:

The CMS stores its credentials in Umbraco.sdf. Knowing that, I tried to open the file in a text editor, but it is a binary file, so I listed its printable content with strings and grepped for credentials.
The file says the hash is SHA1, so let's fire up hashcat and crack it after looking up the matching hashcat mode (raw SHA1 is mode 100).
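As an added example (not from the original writeup), here is the strings/grep hunt and the SHA1 crack as one self-contained script. It assumes the credential record inside Umbraco.sdf has the form `<40 hex chars>{"hashAlgorithm":"SHA1"}`; the sample file, the user name, e-mail and password it builds are constructed, and a tiny wordlist loop over sha1sum stands in for hashcat so the whole thing runs offline. It uses `grep -a` instead of `strings` so it only needs coreutils and grep.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup.
# Assumption: the credential record in Umbraco.sdf looks like
#   <40 hex chars>{"hashAlgorithm":"SHA1"}
# i.e. a hex SHA1 digest immediately followed by the algorithm marker.
# Everything written to the sample file below is constructed.

# Print every hex SHA1 digest that is followed by the Umbraco
# hashAlgorithm marker. grep -a treats the binary file as text, so a
# separate `strings` pass is not needed; -o prints only the match.
extract_sha1_hashes() {
    local sdf="$1"
    grep -a -o -E '[0-9a-f]{40}\{"hashAlgorithm":"SHA1"\}' "$sdf" \
        | cut -c1-40
}

# Brute-force a raw SHA1 digest (what hashcat mode 100 does) against a
# wordlist. Prints the matching word and returns 0, or returns 1 if
# nothing in the list matches.
crack_sha1() {
    local target="$1" wordlist="$2" word digest
    while IFS= read -r word; do
        digest=$(printf '%s' "$word" | sha1sum | cut -d' ' -f1)
        if [ "$digest" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Build a constructed sample that mimics the assumed record layout,
# padded with NUL bytes and other junk so grep -a is really exercised.
make_sample_sdf() {
    local out="$1" password="$2" digest
    digest=$(printf '%s' "$password" | sha1sum | cut -d' ' -f1)
    {
        printf '\000\001\002constructed header\000\000'
        printf 'admin\000admin@example.test\000'
        printf '%s{"hashAlgorithm":"SHA1"}' "$digest"
        printf '\000\377\376 trailing junk\000'
    } > "$out"
}

# End-to-end run on the constructed sample: extract, then crack.
demo() {
    local tmp sdf wordlist hash found
    tmp=$(mktemp -d)
    sdf="$tmp/Umbraco.sdf"
    wordlist="$tmp/words.txt"
    make_sample_sdf "$sdf" "correcthorse"            # constructed password
    printf '%s\n' password 123456 correcthorse letmein > "$wordlist"
    hash=$(extract_sha1_hashes "$sdf" | head -n 1)
    if found=$(crack_sha1 "$hash" "$wordlist"); then
        echo "hash $hash cracks to: $found"
    else
        echo "hash $hash not in wordlist"
    fi
    rm -rf "$tmp"
}

demo
```

On the real box you would point extract_sha1_hashes at the Umbraco.sdf from the mounted export and hand the digest to hashcat (-m 100) with a proper wordlist instead of the toy loop; the loop is only there so the example is verifiable offline.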
Initial Access
At http://10.10.10.180/umbraco/ there is a login form.

I logged in with the credentials found earlier, then looked for the web app version.

I decided to search for public CVEs with searchsploit.
I then searched GitHub for a PoC matching the web app version and found this one:

I cloned it locally and ran the exploit.
Privilege Escalation
When I ran whoami and saw the output, I knew it was an easy win: the user iis apppool\defaultapppool usually holds SeImpersonatePrivilege, which can be used to escalate to SYSTEM with RoguePotato or PrintSpoofer.
Let's verify with whoami /priv.
I transferred PrintSpoofer.exe and nc.exe to the target from my attack host.
Easy win :)