Remote is a windows box that supposedly has a hard user and easy root. It has one official way to get root shell and one unofficial way. We came across both ways but were only proceeded with the official way
Run Nmap
Jesus that’s a messy port setup. Port 111 seems focused on NFS, lets try there.
Connect to nsf
Seems we have a full site backup including, we will probably find default credentials or stored credentials somewhere– its an easy box remember! 😊 It seems to be a CMS hosting multiple sites so lets learn about the app and see what can help us get in.
Checking for credentials.
We google the CMS software Umbraco and its version. Using the Q&A in the above link we can find that all credentials are stored in the App_Data folder in a database. When we go there we see a db file with a SDF extension. We use strings on this and send the output to a file to review.
Going through the file we see;
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d3We can see in the strings we have the usernames and password hashes we just need to crack.
"admin" <admin@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/sign-in/loginlogin success
User "ssmith" <smith@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/sign-in/logoutlogout successGoing to the application logs in the smb share we can also see ssmith logging into the umbraco CMS and making db changes, guessing this is a web user rather than OS user.
Further searches show a FileUploads directory, which together with the user credentials we have found should be our way in – is it possible we need to upload a reverse shell and execute it through the site? The BodyPart file there looks to confirm this as it is not a default file from the HTB creator, instead it is another participants Webshell. This seems to confirm our way in, but is a disappointing spoiler.
Crack the hash
We will feed the hashes we found into https://crackstation.net
.. and we get the password for admin but unless we can figure out the encoding for ssmith, we wont know it. Lets see where the admin control panel is on the website so we can login.
Run DIRB
That’s lot of website in this website. Man.. look at all that website. It appears several sites run off this CMS. Navigating through our findings we see a login link in the contact us page that helps us ; http://10.10.10.180/umbraco#/login/false?returnPath=%252Fumbraco
The webapp
We are able to login
Let enumerate through the site.
There is very little to play with but we do get confirmation of the version of Umbraco.
Checking the CMS with get an authenticated RCE for this version! 😀
Exploiting to User
It says there is one MSF RCE and one auth RCE, I wonder if these are the same, lets try it.
The MSF vuln is for a different version so lets run our exploit 46153.py.
We cant run the script because it has some windows based formatting. We could run dos2unix but we don’t have it installed so lets just remove the formatting options with vim. The script still doesnt work for us.We get an error – lesson stands we always need to read through our scripts when using them to understand what they are doing – It seems this is because we need to edit the variables in the script. The comments in the script give a good description of whats happening in the exploit.
We update the target, user name and password and review the commands it give. Lets try dir, to see if we get a return.
We see it executing with no errors but we don’t see the output. Reviewing the payload we put print(x) for each variable and walk ourselves through the code and by changing the payload to execute a command (or argument) with the FileName “Powershell.exe” parameter and by including a print(r4.contents) command we can both execute commands and view their results.
It works! It should be noted this is a horrible way to hack. As its an RCE and not a shell for every new command we want to run we must edit the script.Painful. So first lets enumerate abit and see what user we are and if we have userflag.
Exploring the user directories we get a nice, if random, suprise when we find the user flag in the C:/Users/Public directory.
Privilege Escalation
We have the user flag which means we have the expected user and we just need to escalate it to root now. Testing what we can do with this command we see we can ping kali vm, maybe we need to execute some command on the server that will connect to us remotely and download the webshell. Maybe we should setup ftp or a webserver for this. We found an instance of antak webshell earlier on during enumeration and it is a good contender over what we would normally use as it has full PS functionality; https://github.com/samratashok/nishang/tree/master/Antak-WebShell
Reading up on this webshell doesnt give us many answers so we grab a handy privesc guide and start enuming using https://www.fuzzysecurity.com/tutorials/16.html and https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
Enumerating by RCE is painful, so painful, and we arnt finding much to work with. We can see TeamViewer is installed and there are several interesting services running. USOSVC specifically is mentioned in the PrivEsc guide i linked to above.
We setup a quick python webserver and put a nc.exe file there. We need a way to pull the nc onto our victim, and USOSVC may be the way.
After reading up on what commands we can feed into USOSVC using sc.exe we create 3 python RCE scripts, to stop USOSVC, to set the cmd to pull down our hosted NC file and execute powershell and finally to start USOSVC.
Running these commands and using Public as our write location we see it is successful but for some reason it is not working for us, our nc listens in vain. Trying a different route we find a blog that shows teamviewer 7 stores a password in the registry that can be decrypted; https://whynotsecurity.com/blog/teamviewer/ it even gives us a decrypt python script 🙂
Manually going through the registry keys until we find TeamViewer we can see the credentials as described in the blog;
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5BReading through the python script in the link we can see, using the hard coded IV and key we can decrypt it using pythons AES Cipher library.
We have our password .. so simple but the enumeration to get this far took days! 😮 Lets use PSexec.py to login
And we have root! 🙂 Key is in Administrators Desktop as expected.
Adams In-Security 