Hack The Box — Remote Write-up

Ninad Balsaraf, published in techzap, Dec 3, 2021

Step 1: Scanning

nmap -sC -sV 10.10.10.180

I went directly to mountd (port 2049) since FTP was a dead end.

Step 2: Enumerating

When I checked port 80, I found the Umbraco login on the contact page.

After that I enumerated port 2049 (mountd).

First I checked what is mounted.

showmount -e 10.10.10.180

I found /site_backups was there, so I mounted it on a temporary folder mnt.

mount -t nfs 10.10.10.180:/site_backups ./mnt/

I knew that I would be able to find the Umbraco password in App_Data/Umbraco.sdf, so I copied it to my local machine.

When I ran cat on the file it was garbage, so I used strings and grepped for admin.

strings Umbraco.sdf | grep admin

I found a hash and decoded it, and got baconandcheese as the password.
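Step 2 depends on an NFS export that a client could mount without credentials. The following is an added example, not part of the original write-up: a defender-side audit that parses `showmount -e` output and flags exports open to every client. The sample output, the `audit` and `parse_exports` names, and the keyword list are assumptions made for illustration.

```python
import re

# Constructed sample of `showmount -e` output (documentation addresses,
# not captured from the box in this write-up).
SAMPLE = """Export list for 192.0.2.10:
/site_backups (everyone)
/projects     192.0.2.0/24
/home         build01,build02
/scratch      *
"""

# Client tokens that mean "any host may mount this export".
OPEN_CLIENTS = {"*", "(everyone)", "everyone"}
# Assumed keyword list: export names that suggest backups or web roots.
SENSITIVE_HINTS = re.compile(r"backup|bak|dump|app_data|wwwroot", re.I)


def parse_exports(text):
    """Return [(path, [clients])]; assumes export paths contain no spaces."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue
        parts = line.split(None, 1)
        clients = re.split(r"[,\s]+", parts[1].strip()) if len(parts) > 1 else []
        exports.append((parts[0], [c for c in clients if c]))
    return exports


def audit(text):
    """Flag world-mountable exports; backup-like names rank higher."""
    findings = []
    for path, clients in parse_exports(text):
        # An empty client list is treated as open, to fail on the safe side.
        world = not clients or any(c.lower() in OPEN_CLIENTS for c in clients)
        if world:
            severity = "high" if SENSITIVE_HINTS.search(path) else "medium"
            findings.append({"path": path, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f['severity']}] {f['path']} is mountable by any client")
```

Restricting the export to named hosts and keeping application databases such as Umbraco.sdf out of exported backups removes the path used in this step.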

Step 3: User

I also found Umbraco RCE on github (https://github.com/noraj/Umbraco-RCE).

I logged in using the credentials I found and got user.

Step 4: Root

After that I logged in to Umbraco and uploaded an aspx reverse shell with a .txt extension, because it was not accepting .aspx; it got saved in the /media/1033/ directory.

Now I had to change the extension to .aspx, so I changed it. But I couldn’t access my reverse shell while the file was in media, so I moved it to Umbraco.

Now I could access it and got a reverse meterpreter shell.

Then I uploaded PowerUp onto the machine and ran it.

I found that it had TeamViewer on it. Metasploit has a post module for TeamViewer that can get its password, which got me the password.

And then I used that password to connect as administrator using evil-winrm.

And I got root.
