HackTheBox Writeup — Remote

Hello Guys , I am Faisal Husaini. My username on HTB is “ferllen” . Also join me on discord.

The IP of this box is

Running NMAP full port scan on it , we get

We see a whole loads of Open Ports , but one of the interesting one looks Port 2049 which is running NFS mountd service, so we just move onto it first and see any mounts accessible to us

We see /site_backups which is accessible to everyone, so we just mount it to our tmp folder

We see there are a lot of stuffs here , but before that we just move onto the web and see what we have there

We have a cool page, running Gobuster against it

We get a big result out of which we see /Install , moving towards it

We get redirected to a login page and if we see clearly, it is running Umbraco CMS, looking for potential exploits on searchsploit

We see we have an exploit which will help us getting RCE but it requires authentication, so we now move towards the mounted NFS we did before

Now looking at Umbraco.sdf file using strings

We see usernames and encrypted password, so I take the hash for admin@htb.local username and will crack as the algorithm used here is SHA1

We cracked the password “baconandcheese”

We got successfully logged in with the cracked password for that username, now moving towards the exploit where we have to do some modifications

We here first try to get pinged back first

We got pinged and so we are ready to get reverse shell

Looking onto the netcat listener

We got shell and now moving towards getting the user flag

Time for Privilege Escalation

Running PowerUp.ps1 powershell priv esc script, we get

We see we have a vulnerable service named UsoSvc which we can use to abuse and get root

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store