Remote
https://www.hackthebox.eu/home/machines/profile/234
Scanning and Enumeration
Nmap
After this we can attempt to discover the OS version with the SMB discovery script and the -O switch enabled. We have a best guess of Windows 10 1709.
Port 21 FTP
As port 21 is open, we can check for anonymous login with the Nmap script --script=ftp-anon.nse.
I logged in with the anonymous user and looked for files, including hidden files. With nothing at all found, I tested file upload and was given access denied.
Port 80
We have a web server running on port 80. Navigating to the root page brings us to the following:
Before proceeding, let's run a directory brute force on the web server. I will be using feroxbuster for this.
Scrolling down the root page, we see some recent posts mentioning Umbraco.
The Wappalyzer extension for Firefox also confirms the website is running Umbraco.
At this point I have manually looked through the website further and was unable to find anything else interesting. Going back to our Nmap scan earlier, we also have port 2049 open.
Port 2049 mountd
mountd is the mount daemon for the Network File System (NFS). We can use the showmount -e command to view the directories a remote system exports.
In preparation for mounting the share, create a directory to use as the mount point. I created /tmp/remotemount for this.
Run the following command to mount the share.
We can then use the df -k command to list mounted filesystems and confirm the mount is working.
We can now move into the directory.
At this point I have spent some time going around the remote directory and could not find anything interesting. Since we are dealing with a large number of folders, we need a way to go through each file and identify potentially interesting information.
As App_Data usually contains interesting information, I will begin by recursively running cat and grep to look for keywords contained in files.
The output is quite large, so I have only taken a snippet, but we have gained the following information from this:
Before we look for where to use these found credentials, let's use them in our command above to see if these accounts appear elsewhere.
We get similar results this time, and we also have the line at the bottom stating that "Binary file Umbraco.sdf matches".
We can run the strings command on this file since it is a binary file.
Let's check if we can find anything for the admin account in this file.
The output suggests a SHA1 hash. We can double-check this using hash-identifier.
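The recursive grep over the share and the strings pass on Umbraco.sdf, as an added Python example that is not part of the original post: a small scanner a defender can run over a backup directory before exporting it over NFS, to find the same leaked credentials first. The keyword list, the sample web.config line and the fake Umbraco.sdf bytes are constructed.

```python
import os
import re
import string
import tempfile

# Keywords the walkthrough greps for on the mounted share (constructed list).
KEYWORDS = re.compile(rb"password|pwd|passwd|connectionstring", re.IGNORECASE)
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

def extract_strings(data: bytes, min_len: int = 4):
    """Rough equivalent of strings(1): yield runs of >= min_len printable bytes."""
    run = bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                yield bytes(run)
            run = bytearray()

def scan_tree(root: str):
    """Return (path, kind, matched text) for every keyword hit under root.
    Text files are searched per line like `grep -r`; binary files go through
    extract_strings first, the manual `strings` step after "Binary file ... matches"."""
    hits = []
    for dirpath, _, filenames in sorted(os.walk(root)):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\x00" in data:       # grep's rule of thumb for "binary file"
                kind, chunks = "binary", extract_strings(data)
            else:
                kind, chunks = "text", data.splitlines()
            for chunk in chunks:
                if KEYWORDS.search(chunk):
                    hits.append((path, kind, chunk.decode("ascii", "replace").strip()))
    return hits

def demo():
    """Constructed sample share: a web.config and a fake Umbraco.sdf (not real data)."""
    root = tempfile.mkdtemp(prefix="remotemount_")
    os.makedirs(os.path.join(root, "App_Data"))
    with open(os.path.join(root, "web.config"), "w") as fh:
        fh.write('<add name="umbracoDbDSN" connectionString="Data Source=Umbraco.sdf" />\n')
    with open(os.path.join(root, "App_Data", "Umbraco.sdf"), "wb") as fh:
        fh.write(b"\x00\x01SQLCE\x00admin@htb.local\x00password=hunter2\x00\xff\xfe")
    return scan_tree(root)
```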
I put the hash in a text file and ran John the Ripper against it.
We have obtained the credentials "admin@htb.local:baconandcheese".
Going back to feroxbuster we find that one of the directories that has been discovered is /install.
When we head over to this URL we are presented with the following login page, which accepts the credentials we have found.
Clicking help in the bottom left allows us to view the current running version of Umbraco.
At this point I went to Google, searched for "Umbraco 7.12.4 Windows exploit" and came across this:
I downloaded the Python script and ran a test command to check that it works.
Now that we have command execution we need to think about getting a proper reverse shell, as this would be preferable to our current one. I created a payload with msfvenom as below:
After this was created I hosted a python server in the directory where the payload is stored.
After this we can run the following command through the exploit to download the file and place it in a globally writeable directory, since the location on the server where the exploit command runs is not writeable by the account we are running as.
After this has been completed we can confirm if the file has been downloaded by checking our python server logs.
After this we need to set up a netcat listener on our attacking machine.
Once this is set up we can run the exploit again, this time calling the msfvenom payload we put in C:\users\Public earlier on.
Once this is run we should get a call back on our listener.
As per standard practice I transferred over winPEAS.exe using certutil.exe and then ran it. I found TeamViewer 7 as an installed application. Knowing that 7 is an old version of TeamViewer, I went to Google to research exploits.
After searching for exploits for the current version we come across this, which has a CVSS score of 7.0.
We also find a brilliant blog post covering this exploit.
If we search for the CVE number on GitHub we come across multiple PoC scripts. In this case I will be using the PowerShell script "WatchTV" by zaphoxx.
I downloaded the script onto the victim machine and loaded it into PowerShell. I then ran the command Get-TeamViewPasswords.
We retrieve the password: !R3m0te!
With this we are hoping for password reuse somewhere. We should now see where we can use this password together with the usernames we already know.
For access I have gone over using Impacket's psexec.py before, so this time I will instead use the Metasploit module exploit/windows/smb/psexec. Load the module and set the required options.
We now have access as SYSTEM and can grab both the user and root flags.