Craft 🔸

Enumeration

We have a template page on port 80.

There is an uploader that only accepts .odt files.

The CMS is made with Umbraco.

If we upload an .odt file, the file disappears in seconds. This is a phishing lab, it seems.

Initial Access

Using this malicious ODT generator, we can craft an .odt with a macro that connects back when the document is opened.

https://github.com/0bfxgh0st/MMG-LO

Start a listener and wait
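
From the defender's side, an uploader that accepts .odt files can inspect each one before anybody opens it. The following is an added example, not part of the original writeup or of the linked tool: it flags ODT containers that carry embedded macro storage or script bindings. The function names, the size limit and the sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# ZIP members where LibreOffice keeps document-embedded code.
MACRO_DIRS = ("Basic/", "Scripts/")
# Event bindings and script URLs inside the document XML.
SCRIPT_REF = re.compile(rb"script:event-listener|vnd\.sun\.star\.script:")
MAX_XML_BYTES = 20_000_000  # assumed limit: skip oversized members (zip bombs)


def odt_macro_findings(data: bytes) -> list[str]:
    """Return reasons to quarantine an uploaded ODT (empty list = none found)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(MACRO_DIRS) and not name.endswith("/"):
                findings.append(f"embedded macro storage: {name}")
            elif name.endswith(".xml") and info.file_size <= MAX_XML_BYTES:
                if SCRIPT_REF.search(zf.read(name)):
                    findings.append(f"script binding in {name}")
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input: a minimal ODT-shaped ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        body = b"<office:document-content><office:body/></office:document-content>"
        if with_macro:
            # Empty module plus a binding that references it; no payload.
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
            body = (b"<office:document-content><script:event-listener "
                    b'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                    b'?language=Basic&amp;location=document"/>'
                    b"</office:document-content>")
        zf.writestr("content.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, macro in (("clean", False), ("macro", True)):
        print(label, odt_macro_findings(build_sample(macro)))
```

Any non-empty result is a reason to quarantine the upload instead of handing it to a user or an automated opener.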

Privilege Escalation

Now we can put the PHP reverse shell manually in the uploads folder to pivot to the apache user.

Start a listener, click it, and we have a shell as apache.

We can impersonate, so transfer PrintSpoofer and get a root shell.

Post Exploitation

Get the flag