Exploiting DNN

We have the ability to run SQL scripts

Enabling xp_cmdshell

EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

Running commands:

I ran commands like whoami /groups and /priv. I see the SeImpersonate privilege is enabled. Before we proceed we need to get a shell on the machine. I tried using a PS one-liner but can't get a reverse shell.

So the next step was to see if I can find a file upload function to upload a shell. We can do that on http://172.16.8.20/admin/file-management

I tried uploading the ASP web shell but got an error.

We have a fix for that. Once done we can upload our ASP web shell.

Now the first thing I wanna do is download the PrintSpoofer.exe with certutil so we can escalate privilege. We have to do it through our pivot host and then let it download from the pivot host.

After that we listen on our DMZ host to get a shell:

Dumping hives

I made sure to run these in this folder (c:\DotNetNuke\Portals\0) so it is accessible from the web file management portal.

Had to modify the accepted extensions page for the .SAVE files to show so I can download them.

secretsdump.py

That's a way for us to connect back to DEV01 host (172.16.8.20) should we lose our access.

Here we also see a cleartext password, but not sure about the username. But now that we have the admin hash we can use crackmapexec to dump the SAM again.

Now we got a pair of credentials to access the DEV01 host as well as the Active Directory for user to start enumerating.
