## Summary

## Recon

### FTP - 21

- anonymous login permitted
- cannot PUT files
- no files appear in the file system
- `mkdir`

### Website - 80 HTTP

- version?
- default credentials
    - [x] `admin:admin`
    - [x] `admin:admin123`
    - [x] `admin:test`
- made with Umbraco CMS
- has Umbraco forms plugin installed
- a list of people is there (possible user list)
- some kind of `/intranet` site
- login page at: http://10.10.10.180/umbraco#/login/false?returnPath=%252Fumbraco
- the blog posts written on the site are dated
- a blog post from the [umbraco website](https://umbraco.com/blog/product-update-august-27th-2020/) suggests 2 versions:
    - 7.15.6
    - 8.6.4

There are a lot of authenticated RCE CVEs listed on [Exploit-DB](https://www.exploit-db.com/):

| Date       | Title                                                                                                   | Type    | Platform | Author               |
| ---------- | ------------------------------------------------------------------------------------------------------- | ------- | -------- | -------------------- |
| 2021-08-31 | [Umbraco CMS 8.9.1 - Directory Traversal](https://www.exploit-db.com/exploits/50241)                    | WebApps | ASPX     | BitTheByte           |
| 2021-01-28 | [Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)](https://www.exploit-db.com/exploits/49488) | WebApps | ASPX     | Alexandre ZANNI      |
| 2019-01-14 | [Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution](https://www.exploit-db.com/exploits/46153) | WebApps | ASPX     | Gregory Draperi      |
| 2018-07-09 | [Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting](https://www.exploit-db.com/exploits/44988) | WebApps | PHP      | Ahmed Elhady Mohamed |
| 2012-07-09 | [Umbraco CMS - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/19671)        |         |          |                      |

This strongly suggests that we should be attempting to hunt down some credentials...

### NFS - 2049 TCP

```
showmount -e $RHOST
# /site_backup
# mounted to local host
```

### SMB - 445

- null sessions - denied
- guest session - denied

## Initial Access

- we sift through `Web.config` in `/mnt/site_backup`
- we note that the `Web.config` file's connection string references a "SQL Server Compact Edition" database, which is similar to sqlite in that it's a static file, in this case an `.sdf` file
- We locate the `.sdf` file: `find /mnt/site_backup -name "*.sdf"`
- `strings Umbraco.sdf` reveals:
    - Username: `[email protected]`
    - SHA1 hash, which is reversed to the plaintext password: `baconandcheese`
- We leverage the credentials to authenticate at: http://10.10.10.180/umbraco#/umbraco
- Finally we'll utilize the following [exploit](https://www.exploit-db.com/exploits/49488) to gain RCE.

## Privesc

Some quick n dirty enumeration reveals that the `SeImpersonate` privilege is present for the current user, meaning that we just go ahead and use [[God Potato]] aaaaand we're r000t.

## Lessons Learned

- [[NFS - 2049]]
- Some Umbraco experience
- Had no idea what a `.sdf` file was, had to take a hint for that part...
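
Relating to the Initial Access step (the `Web.config` connection string pointing at a SQL Server Compact `.sdf` file): the sketch below is an added example, not part of the original notes. It checks a directory that is about to be exported (for instance over NFS) for a file-backed CMS database. The sample `Web.config`, the connection string names and the `db01` server are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

# Constructed sample in the shape of an ASP.NET Web.config (not copied from the target).
SAMPLE_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <remove name="umbracoDbDSN" />
    <add name="umbracoDbDSN"
         connectionString="Data Source=|DataDirectory|\Umbraco.sdf;Flush Interval=1;"
         providerName="System.Data.SqlServerCe.4.0" />
    <add name="reporting"
         connectionString="Server=db01;Database=reports;Integrated Security=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""


def parse_conn_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {key.strip().lower(): val.strip() for key, val in pairs}


def file_backed_databases(web_config_xml):
    """Return {name: relative path} for connection strings that use a SQL CE file."""
    found = {}
    for add in ET.fromstring(web_config_xml).iterfind("./connectionStrings/add"):
        provider = add.get("providerName", "").lower()
        source = parse_conn_string(add.get("connectionString", "")).get("data source", "")
        if "sqlserverce" not in provider and not source.lower().endswith(".sdf"):
            continue
        # In a web application ASP.NET expands |DataDirectory| to the App_Data folder.
        expanded = re.sub(r"\|DataDirectory\|", "App_Data", source, flags=re.IGNORECASE)
        found[add.get("name")] = PureWindowsPath(expanded.lstrip("\\/")).as_posix()
    return found


def exposed_in_export(export_root):
    """List database files named by Web.config that are present under export_root."""
    root = Path(export_root)
    config = (root / "Web.config").read_text(encoding="utf-8")
    return [(n, rel) for n, rel in file_backed_databases(config).items() if (root / rel).is_file()]


if __name__ == "__main__":
    print(file_backed_databases(SAMPLE_WEB_CONFIG))
```

Any hit from `exposed_in_export` means the export carries the CMS user table, password hashes included, so the database file should be excluded from the backup share or the share restricted to named hosts.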