First, we discover an open NFS share. The share contains .sdf files, which contain the password hashes. We can crack one of them and log into the Umbraco website. This version of Umbraco is vulnerable to an authenticated RCE, which we leverage to get a shell. Once in, we can use PrintSpoofer to escalate privileges to SYSTEM.
We leverage CVE-2022-0739 to retrieve password hashes from the database. Once in the admin panel, we utilize CVE-2021-29447 to do a local file disclosure. We disclose the configuration file of WordPress and retrieve the password for the FTP service. From the FTP service, we are able to receive creds to log into the machine. There is a passpie binary whose master password we crack. Finally, we retrieve credentials for the root user.
First, we retrieve files from the FTP server. From these files, we retrieve valid credentials to access telnet. On the machine, we realise that there are stored credentials. We execute a reverse shell from these credentials and achieve a SYSTEM shell.
In this box, we use RPC and LDAP to collect valid AD usernames. This allows us to perform ASREPRoasting, which yields a TGS that can be cracked. With these credentials, we can WinRM into the machine. From the output of BloodHound, we learn that we can add ourselves to Exchange Windows Permissions, which has WriteDACL over the domain object. We grant ourselves full control over the domain and perform DCSync on the machine. This way, we get an admin shell.
The OSTicket web application will provide an email account in its domain when a support ticket is raised. We can use this email address to log into Mattermost. In Mattermost, we find exposed credentials, which can be used to SSH into the server. On the server, we can use credential hunting to get the password of root in the database or brute force with sucrack.