Remote is a now-retired Windows machine, and an easy one.
As usual, I started with a series of Nmap sweeps, initially a quick scan that attempts to identify the service running on each open port:
Poking the machine a little harder, scanning all TCP ports:
Poking even harder: this time I let Nmap run its service detection and interrogate whatever is listening.
Before jumping down a potential rabbit hole, we carry on with checking the remaining surface area.
Finally, we open the page in a browser to see what we have:
GoBuster is way better than DirBuster (IMO), but below is DirBuster mapping out the site:
At this point I decided to head back and poke the NFS service a little more. TCP/111 was happy to talk, so there is likely a mount point; rather than blindly trying to mount it, I used MSF to find the mount point name.
Next up, mount the share:
And see what is there for us:
Digging around the web.config uncovers some more items of interest:
Further digging into the filesystem turns up the data files sitting underneath Umbraco:
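The root cause of everything that follows is an NFS export that any host could mount and that happened to contain the site's configuration and data. The audit script below is an added example, not from the original post: it parses `showmount -e` output captured from your own NFS servers, flags exports open to every client, and filters a mounted share's file listing for credential-bearing files. The host, export names and file listing are constructed placeholders; beyond web.config, the sensitive-file names are assumed ASP.NET artefacts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `showmount -e` output from an internal NFS audit.
# Host and export names are placeholders, not values from the original post.
SAMPLE_SHOWMOUNT = """\
Export list for nfs-host.example.internal:
/site_backups (everyone)
/finance      10.10.0.0/16
/home/dev     dev-ws01.example.internal,dev-ws02.example.internal
/scratch      *
"""

# Client specifications that mean "any host may mount this export".
# Windows NFS servers print "(everyone)"; Linux nfs-utils prints "*".
OPEN_CLIENT_SPECS = {"everyone", "*"}

# Files that should never sit on an anonymously mountable share.
# web.config is from the post; the others are assumed ASP.NET artefacts.
SENSITIVE_NAMES = ("web.config", "connectionstrings.config", ".sdf", ".mdf")

@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)

    def is_open(self):
        return any(c.strip("()").lower() in OPEN_CLIENT_SPECS for c in self.clients)

def parse_showmount(text):
    """Parse `showmount -e` output into Export records, skipping the header line."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        clients = [c.strip() for c in m.group(2).split(",")]
        exports.append(Export(m.group(1), clients))
    return exports

def open_exports(exports):
    """Paths that any host on the network can mount without authentication."""
    return [e.path for e in exports if e.is_open()]

def sensitive_files(listing):
    """Filter a mounted share's file listing for credential-bearing files."""
    return [p for p in listing if p.lower().endswith(SENSITIVE_NAMES)]
```

Feed it the real `showmount -e` output for each NFS server and a `find <mountpoint> -type f` listing of any export it flags; anything returned by both functions is a share that needs its permissions tightened or its contents moved.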
We now have two accounts. The SHA1 hash is easy to crack: John failed, but online tools managed it quickly.
Testing the credentials on the Umbraco web app:
A vulnerability search for Umbraco turned up an authenticated Remote Code Execution (RCE) vulnerability.
Testing with a simple “whoami”:
Digging around the server, I found our beloved TeamViewer running as SYSTEM, with plenty of vulnerabilities to choose from:
At this point I generated a payload with msfvenom to start a reverse shell and uploaded it to the victim.
The initial shell was very unstable, so I generated a second payload and started a listener in MSF; this time it was far more stable.
MSF already has the exploit baked in, so moving to MSF saved some time.
Given how prevalent password reuse is, I went straight for WinRM (Evil-WinRM) and authenticated as the local administrator.
We now own it 😉