Slort
PG Practice Slort Writeup
Nmap
Both port 8080 and 4443 contain the same web directory redirecting both to the /dashboard/ directory for XAMPP.
Running dirsearch.py against the target reveals the /site page.
The /site/index.php page:
Paying close attention to the full address of the index.php page we can see the following:
Looking at the part index.php?page=<Value> we can test for RFI to see if vulnerable. I created a test.txt file on my attacking machine and then hosted the directory with a Python SimpleHTTPServer. Then browsed to the following:
This confirms RFI:
As we know we are running PHP we can generate a PHP reverse shell with msfvenom in order to catch a reverse shell using the RFI.
Host this in the same directory as the Python SimpleHTTPServer and ensure the listening port is set to 21. Then in the browser browse to the shell we just generated.
Once we are connected we are running as the user rupert. Looking through the C:\ root directory we have a folder called backup. Looking at the contents within and reading info.txt we see that the note mentions TFTP.EXE is executed every 5 minutes.
I was able to delete TFTP.EXE which means we can replace it with a malicious shell. Knowing this we can generate a reverse shell with msfvenom and call it TFTP.EXE.
The shell was then uploaded with certutil.exe.
A netcat listener was set up on port 21 and after 5 minutes the TFTP.EXE was executed as part of the scheduled task and we receive an administrator shell.
As we are administrator we can then escalate to SYSTEM by fist changing the administrator password:
Then using Psexec.py to gain shell as SYSTEM.
Last updated
