Introduction

This machine had a similar flavor to BOB, combining an Umbraco exploit with abuse of service permissions. I did this box over the course of two days (late-night attempts are not a good idea), so apologies if my screenshots are wonky.

I began by running AutoRecon (a great tool I found while studying for my OSCP).


I navigated over to Port 80 and used Wappalyzer (a tool recommended by TheCyberMentor) to confirm that the site was running Umbraco:

An Umbraco website running on Port 80

I noticed that Port 111 was open and that site_backups came back as a share. This led me to believe it was a backup of the Umbraco website.


After confirming this, I created a temporary folder under /tmp and mounted the share.


I come from a CMS solution background, so I grabbed the Umbraco.SDF file and opened it with Notepad++ on my computer (not the best method, but when in Rome…). Around halfway down the file I noticed:


I could see that the password was hashed with unsalted SHA1, so I headed over to MD5Decrypt.
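The reason an online lookup works here is that a legacy Umbraco user record stores a plain, unsalted SHA1 of the password next to a `{"hashAlgorithm":"SHA1"}` marker, so every candidate password maps to exactly one stored value. The script below is an added example (not code from this post or from Umbraco): it pulls the login, hash and algorithm out of a constructed record fragment laid out like the text seen in an .sdf backup, checks whether the scheme is a fast unsalted hash, and runs an offline wordlist comparison against both hex and Base64 encodings of the digest. The e-mail address, GUID, password and wordlist are all made up for the demo.

```python
import base64
import hashlib
import re
from typing import Dict, Iterable, Optional

# Constructed sample, not data from the box: the stored hash is generated here
# from the made-up password "Winter2020" so the example runs offline.
SAMPLE_PASSWORD = "Winter2020"
SAMPLE_HASH_HEX = hashlib.sha1(SAMPLE_PASSWORD.encode("utf-8")).hexdigest()

# Loosely mimics the text visible in an Umbraco.sdf backup around a user row:
# display name, login, e-mail, the hash, then the JSON hash-algorithm marker.
# The e-mail and GUID are placeholders.
SAMPLE_SDF_TEXT = (
    "Administrator admin default en-US "
    "Administrator admin example@contoso.local "
    f"{SAMPLE_HASH_HEX} "
    '{"hashAlgorithm":"SHA1"} '
    "en-US f8512f97-cab1-4a4b-a49f-0a2054c47a1d"
)

# Stand-in for a real dictionary; with an unsalted fast hash each candidate
# costs one digest, which is why "decrypt" sites resolve these instantly.
SAMPLE_WORDLIST = ["password", "Summer2019", "Winter2020", "umbraco"]

# login, e-mail, then a 40-char hex digest or a 28-char Base64 SHA1 digest,
# followed by the hashAlgorithm marker.
CREDENTIAL_RE = re.compile(
    r"(?P<login>\S+)\s+(?P<email>\S+@\S+)\s+"
    r"(?P<hash>[A-Fa-f0-9]{40}|[A-Za-z0-9+/]{27}=)\s+"
    r'\{"hashAlgorithm":"(?P<algo>[^"]+)"\}'
)

# Unsalted fast digests: a leaked value is one wordlist lookup from the password.
WEAK_UNSALTED = {"MD5", "SHA1", "SHA256"}


def extract_credentials(text: str) -> Optional[Dict[str, str]]:
    """Return login/email/hash/algo from the first user-like record, or None."""
    match = CREDENTIAL_RE.search(text)
    return match.groupdict() if match else None


def is_weak_scheme(algo: str) -> bool:
    """True when the marker names a fast, unsalted hash hashlib can reproduce."""
    return algo.upper() in WEAK_UNSALTED


def candidate_encodings(password: str, algo: str) -> Dict[str, str]:
    """Hex and Base64 forms of the unsalted digest of one candidate password."""
    digest = hashlib.new(algo.lower(), password.encode("utf-8")).digest()
    return {"hex": digest.hex(), "b64": base64.b64encode(digest).decode("ascii")}


def recover_unsalted(stored: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist check; returns the matching word or None."""
    if not is_weak_scheme(algo):
        return None  # salted or keyed schemes are out of scope for a lookup
    for word in wordlist:
        enc = candidate_encodings(word, algo)
        if stored.lower() == enc["hex"] or stored == enc["b64"]:
            return word
    return None


if __name__ == "__main__":
    rec = extract_credentials(SAMPLE_SDF_TEXT)
    print("record:", rec)
    if rec and is_weak_scheme(rec["algo"]):
        print("recovered:", recover_unsalted(rec["hash"], rec["algo"], SAMPLE_WORDLIST))
```

The same parser and lookup serve as a quick audit on a backup copy: if `is_weak_scheme` fires on the algorithm marker, the site is still on the legacy unsalted configuration and the stored values should be treated as equivalent to plaintext.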

I logged into Umbraco with the password found above and clicked Help.

The Umbraco version led me to noraj/Umbraco-RCE:

https://github.com/noraj/Umbraco-RCE

I then spun up a local HTTP server and tested the exploit:


After confirming the exploit was working as intended, I initiated a nc reverse shell using Invoke-PowerShellTcp.ps1 from nishang:

https://github.com/samratashok/nishang/tree/master/Shells


Once connected to the box, I ran PowerUp by pulling it from my local HTTP server:


After running all checks:

PowerUp showing the UsoSvc could be exploited.

This showed me I could abuse UsoSvc. I downloaded nc to the temp directory on the machine using certutil.


I then used the ServiceAbuse command together with the nc64.exe downloaded earlier to execute a privileged shell:
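What PowerUp flags here is a service whose DACL grants a broad group the right to change the service configuration, so a low-privileged caller can point the binary path at something else and restart the service as SYSTEM. The script below is an added example (not the post's or PowerUp's code) of the check from the defender's side: it parses a service security descriptor in the SDDL form that `sc sdshow <service>` prints and reports any allow ACE that gives Everyone, Authenticated Users, Users, Interactive, Guests or Anonymous the takeover rights (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, or the generic-all/write bits). The SDDL strings are constructed for the demo and are not the real UsoSvc descriptor from the box; the weak one gives Authenticated Users DC on purpose.

```python
import re
from typing import Dict, List

# Constructed sample in the shape `sc sdshow <service>` prints. Not the box's
# actual UsoSvc descriptor; the AU (Authenticated Users) ACE was given DC
# (SERVICE_CHANGE_CONFIG) deliberately to mirror a PowerUp-style finding.
WEAK_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
    "(A;;CCLCSWLOCRRC;;;IU)"
)

# Same descriptor with the DC right removed from the AU ACE (also constructed).
HARDENED_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;AU)"
    "(A;;CCLCSWLOCRRC;;;IU)"
)

# Rights that let the holder replace what the service runs or who controls it.
TAKEOVER_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
}

# Trustees that any logged-on (or anonymous) account falls under; both the
# SDDL abbreviation and the well-known SID spellings are accepted.
LOW_PRIV_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "BG": "Guests", "S-1-5-32-546": "Guests",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _dacl_section(sddl: str) -> str:
    """Return the text after 'D:' up to a top-level 'S:' (SACL) if one follows."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    depth = 0
    for i in range(start + 2, len(sddl)):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and sddl.startswith("S:", i):
            return sddl[start + 2:i]
    return sddl[start + 2:]


def _split_rights(rights: str) -> List[str]:
    """SDDL rights are a run of two-letter codes, or a raw hex access mask."""
    if rights.startswith("0x"):
        return [rights]  # raw mask left undecoded
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl_dacl(sddl: str) -> List[Dict[str, object]]:
    """Parse the six-field ACEs of the DACL into type/rights/trustee dicts."""
    aces = []
    for body in ACE_RE.findall(_dacl_section(sddl)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # conditional or malformed ACE; not handled here
        ace_type, _flags, rights, _obj, _inherit, trustee = fields[:6]
        aces.append({"type": ace_type, "rights": _split_rights(rights), "trustee": trustee})
    return aces


def find_weak_service_aces(sddl: str) -> List[Dict[str, object]]:
    """Allow ACEs granting takeover rights to a broad, low-privileged trustee."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] not in LOW_PRIV_TRUSTEES:
            continue
        risky = [TAKEOVER_RIGHTS[r] for r in ace["rights"] if r in TAKEOVER_RIGHTS]
        if risky:
            findings.append({"trustee": LOW_PRIV_TRUSTEES[ace["trustee"]], "rights": risky})
    return findings


if __name__ == "__main__":
    print("weak:", find_weak_service_aces(WEAK_SDDL))
    print("hardened:", find_weak_service_aces(HARDENED_SDDL))
```

Feed it the output of `sc sdshow UsoSvc` (or any service) from a host you administer; a non-empty result is the condition PowerUp reports as a modifiable service, and the fix is to drop DC/WD/WO for those broad groups and re-apply the descriptor.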


This allowed me to get root:


Rooted


Published On: August 7th, 2020 / Categories: HTB, Technology
