This machine had a similar flavor to BOB utilizing a combination of a Umbraco exploit and abuse of service permissions. I did this box over the course of two days (late-night attempts are not a good idea) so apologies if my screenshots are wonky.
I began by running AutoRecon (a great tool I found while studying for my OSCP).
An Umbraco website running on Port 80
I navigated over to Port 80 and used Wappalyzer (recommended as a tool by TheCyberMentor) to see the site was running Umbraco:
I noticed that Port 111 was open and that site_backups came back as an NFS share. This led me to believe it was a backup of the Umbraco website.
After confirming this, I created a temporary folder under /tmp and mounted the share.
I come from a CMS solution background, so I grabbed the Umbraco.SDF file and opened it with Notepad++ on my computer (not the best method, but when in Rome…). Around halfway down the file I noticed:
I could see that the password was hashed with SHA1, so I headed over to MD5Decrypt to look it up.
I logged into Umbraco with the password found above and clicked Help.
The Umbraco version led me to noraj/Umbraco-RCE:
I then spun up a local HTTP Server and tested the exploit:
After confirming the exploit was working as intended, I initiated an nc reverse shell using PowerShellTCP.ps1.
Once connected to the box I ran PowerUp by pulling it from my local HTTP server:
PowerUp showing the UsoSvc could be exploited.
This showed me I could abuse the UsoSvc. I downloaded nc64.exe to the temp directory on the machine using certutil.
I then used the ServiceAbuse command together with the previously downloaded nc64.exe to execute a privileged shell:
This allowed me to get root:
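From the defender's side, the UsoSvc step above leaves a clear trace: the service's ImagePath in the registry gets rewritten to point at a binary that is not svchost.exe and lives outside the usual system directories. The following is an added example (not part of the original writeup or any tool it mentions) that scans constructed Sysmon Event ID 13 (registry value set) records, exported as one JSON object per line, and flags ImagePath changes on services that should be svchost-hosted or that now point outside trusted directories; the sample events, the hosted-service list and the export format are assumptions.

```python
import json
import re

# Constructed sample Sysmon Event ID 13 records (one JSON object per line), as a
# SIEM export might look. Values are made up for this example; the first line is
# what a binPath rewrite of UsoSvc to a dropped nc64.exe would produce.
SAMPLE_EVENTS = r"""
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath", "Details": "C:\\Temp\\nc64.exe", "Image": "C:\\Windows\\System32\\services.exe"}
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\ImagePath", "Details": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p", "Image": "C:\\Windows\\System32\\services.exe"}
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\MyApp\\ImagePath", "Details": "C:\\Program Files\\MyApp\\svc.exe", "Image": "C:\\Windows\\System32\\services.exe"}
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\Start", "Details": "DWORD (0x00000003)", "Image": "C:\\Windows\\System32\\services.exe"}
"""

# Matches ...\Services\<name>\ImagePath and captures the service name.
IMAGEPATH_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)

# Directories a service binary is normally expected to live in (assumed baseline).
TRUSTED_DIRS = (r"%systemroot%\system32", r"c:\windows\system32", r"c:\program files")

# Services known to run inside svchost.exe (assumed baseline; extend per environment).
SVCHOST_HOSTED = {"usosvc"}


def find_suspicious_imagepath_changes(log_text):
    """Return (service, new_imagepath, reasons) for each suspicious ImagePath change."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 13:
            continue
        match = IMAGEPATH_RE.search(event.get("TargetObject", ""))
        if not match:
            continue  # some other service value (Start type, ObjectName, ...)
        svc = match.group("svc")
        new_path = event.get("Details", "")
        normalized = new_path.strip().lstrip('"').lower()
        reasons = []
        if svc.lower() in SVCHOST_HOSTED and "svchost.exe" not in normalized:
            reasons.append("svchost-hosted service repointed to a standalone binary")
        if not normalized.startswith(TRUSTED_DIRS):
            reasons.append("service binary outside trusted directories")
        if reasons:
            findings.append((svc, new_path, reasons))
    return findings


if __name__ == "__main__":
    for svc, path, reasons in find_suspicious_imagepath_changes(SAMPLE_EVENTS):
        print(f"[!] {svc}: ImagePath -> {path} ({'; '.join(reasons)})")
```

Only the first sample record is flagged: the legitimate svchost restore, the third-party service under Program Files and the Start-type change all pass.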