Craft 🔸

Enumeration

We have a template page at port 80.

There is an uploader that only accepts .odt files.

CMS is made with umbraco.

If we upload an .odt file, the file disappears in seconds. This is a phishing lab, it seems.

Using this malicious ODT generator, we can craft an .odt with a macro to connect back on open.

Start a listener and wait.

Now we can put the PHP reverse shell manually in the uploads folder to pivot to the apache user.

Start a listener, click it, and we have a shell as apache.

We can impersonate, so transfer printspoofer and get a root shell.

Get the flag.