Hack The Box — Remote Write-up
Step 1: Scanning
I went directly to mountd (port 2049) since FTP was a dead end.
Step 2: Enumerating
When I checked port 80, I found the Umbraco login on the contact page.
After that I enumerated port 2049 (mountd).
First I checked what is mounted.
I found /site_backups was there, so I mounted it on a temporary folder mnt.
mount -t nfs 10.10.10.180:/site_backups ./mnt/
I knew that I would be able to find the Umbraco password in App_Data/Umbraco.sdf,
so I copied it to my local machine.
When I ran cat on the file it was garbage, so I used strings and grep admin.
I found the hash and decoded it, and got baconandcheese as the password.
Step 3: User
I also found Umbraco RCE on github (https://github.com/noraj/Umbraco-RCE).
I logged in using the credentials I found and got user.
Step 4: Root
After that I logged in to Umbraco and uploaded an ASPX reverse shell with a .txt extension, because it was not accepting .aspx; the file got saved in the /media/1033/ directory.
Now I had to change the extension to .aspx, so I changed it, but I couldn't access my reverse shell while the file was in media, so I moved it to Umbraco.
Now I could access it and got a reverse Meterpreter shell.
Then I uploaded PowerUp onto the machine and ran it.
I found that it had TeamViewer on it. In Metasploit there is a post module for TeamViewer which can get the password for it, which got me the password.
And then I used that password to connect to administrator using evil-winrm,
and I got root.
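From the defender's side, the foothold here was an NFS export of site backups that contained the CMS database. The following audit sketch is an added example, not part of the original write-up: it flags exports open to any host and lists credential-bearing files under a backup directory. The `showmount -e` sample text, the `/private` export, and the `SENSITIVE` pattern list are constructed assumptions.

```python
import fnmatch
import os

# Client specs that mean "any host may mount" (assumed showmount -e conventions).
OPEN_CLIENTS = {"*", "(everyone)", "0.0.0.0/0"}

# File-name patterns that tend to hold credentials in a web-site backup.
# Assumed list; Umbraco.sdf is the file this write-up relied on.
SENSITIVE = ["*.sdf", "*.mdf", "*.bak", "web.config"]

# Constructed sample of `showmount -e` output; /private is hypothetical.
SAMPLE = """Export list for 10.10.10.180:
/site_backups (everyone)
/private 10.10.10.5,10.10.10.6
"""


def open_exports(showmount_output):
    """Return export paths whose client list allows any host."""
    found = []
    for line in showmount_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # header line or malformed entry
        clients = set(",".join(parts[1:]).split(","))
        if clients & OPEN_CLIENTS:
            found.append(parts[0])
    return found


def sensitive_files(root):
    """Return sorted paths (relative to root) whose names match SENSITIVE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p) for p in SENSITIVE):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


if __name__ == "__main__":
    for export in open_exports(SAMPLE):
        print("export open to any host:", export)
```

Run `sensitive_files()` against the directory behind each flagged export; any hit means a password store is readable by whoever can mount it.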