Remote 10.10.10.180
It doesn’t matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down. <Roy T. Bennett0 May 2020>
Last updated
Was this helpful?
It doesn’t matter how many times you get knocked down. All that matters is you get up one more time than you were knocked down. <Roy T. Bennett0 May 2020>
Last updated
Was this helpful?
According to the nmap result, a website is found that installed a vulnerable version of Umbraco CMS and an mountd
nfs service is enabled. It can be exploited after we find the credentials from an exposed NFS share. A login credential is found at a file that saves in this NFS share, the credential can be used to log into the Umbraco CMS. An authenticated Umbraco CMS exploitation is found to gain initial access.
130n@calvinlai.com
Target Machine: 10.10.10.180
Attacker Machine: 10.10.14.8
According to the nmap result, the following interesting ports are found for further investigation
FTP (21)
Website (80)
NFS (2049)
Using the credentials anonymous/anonymous to log in to the FTP service successful, but nothing can be found or download from this account.
Going to the website and nothing interesting items can be found. Using the gobuster to check any hidden folder/subdirectory, a list of interesting
An administrative page is found, we cannot log into the system using some default accounts such as admin/admin. Move to next for further checking.
Using showmount
tool to check which NFS share is accessible by who
The site_backups
is available to mount and is accessible to everyone, let’s mount it and further enumerate.
Check the folder one by one and found that a file named mbraco.sdf
inside the folder/App_Data
which contains credentials at the top of the file.
Let login to Umbraco CMS with the credentials found admin@htb.local / baconandcheese.
Just checked the version is Umbraco 7.12.4, google any vulunerability found at the exploit DB.
In order to get the reversed TCP shell, the payload is changed to download a netcat 64 bits Windows version.
Next, stand up a listener on port 80 and run the exploit.
Change the payload again to start the reversed TCP shell to my Kali machine
Start the listening port at my Kali machine, the reverse shell is returned.
The user flag can be found in the C:\Users\Public folder.
Start from gathering the system information
Because of the full access to UsoSvc
service, we can modify the binpath
of the service and pop us a reverse shell.
Several known vulnerability is found on this box that makes us can finish the game easily. It is told us that system patching is the most important preventive action to defect cyber attack.
Remote is a Windows machine from , that is focusing on the CVE exploitation technique, for training your ethical hacking skills and penetration testing skills.
Based on the result of the , there is a possible local privilege escalation vector on a full access service named UsoSvc. Modifying the binpath of the service return the reverse shell with administrator privilege.
gobuster dir --url= -- wordlist=/usr/share/wordlists/dirb/common.txt
Crack the password which SHA1 hash b8be16afba8c314ad33d812f22a04991b90e2aaa
using an online hash service. Finally, get the credentials user id: admin@htb.local and password baconandcheese
This version suffers from an authenticated remote code execution vulnerability. Download the and modify the login details as below.
Result of the , discover possible local privilege escalation vectors, shows the full access of a service named as UsoSvC