12/2020

Description:

Target IP: 10.10.10.151

The target machine is a Windows box hosting an e-Commerce PHP web application. Its blog page is vulnerable to LFI and RFI, which provides initial access as iusr. The plain-text password of dbuser is exposed in the authenticate function of db.php. The user Chris reuses the same password; user access is obtained by running a PowerShell command with Chris's credentials, which returns a reverse shell with Chris's privileges.

Tips for privilege escalation: a note intended for Chris mentions a document he must prepare for a new web application. The note points to a file named *instructions.chm* in Chris's directory, a Compiled HTML Help file; this is the file that must be submitted. A malicious payload with the same name is prepared to trick the admin into opening it and connecting back to the attacker's SMB service, exposing the administrator's NTLMv2 hash. Using the admin credentials then gives a reverse shell with administrator privileges.

The box simulates a phishing victim: it scans the C:\Docs folder for new files and executes the payload included in them.

Difficulty: medium

Flags:

User: 1f4d0f29fc4dd867500c1ad716cf56e

Root: 5624caf363e2750e994f6be0b7436c15

Enumeration

Nmap port scan result.

Nmap service scan result.

! Discovered services: HTTP (80), NetBIOS session service (139), SMBv2 (445) and an unknown service (49667)
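The port scan above is the input to the service scan that follows. As an added example that is not part of the original writeup, the script below turns an nmap grepable (-oG) report into the list of open TCP ports to hand to the service scan. The report text is constructed to match the ports found on the box (80, 139, 445, 49667); the nmap invocation in the comment and the target IP usage are assumptions, not the author's actual command line.

```shell
# Added example, not from the original writeup.
# Parses nmap grepable output (nmap -p- -oG - 10.10.10.151, assumed) and
# prints the open TCP ports so the service scan only touches those.
set -e

# Constructed sample of grepable output; nmap separates fields with tabs,
# here spaces are used so the sample stays readable. The "Ports:" field is
# a comma-separated list of port/state/proto/owner/service/rpc/version.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.10.151 () Status: Up
Host: 10.10.10.151 () Ports: 80/open/tcp//http///, 135/closed/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 49667/open/tcp///// Ignored State: filtered (65531)
# Nmap done (constructed sample)'

# open_ports: read grepable output on stdin, print open TCP ports one per
# line in ascending order. Closed and filtered entries are dropped.
open_ports() {
  awk -F'Ports: ' '/^Host:.*Ports:/ { print $2 }' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^ +/, "", $1); print $1 }' \
    | sort -n
}

# port_csv: same list as a comma-separated string for nmap -p.
port_csv() {
  open_ports | tr '\n' ',' | sed 's/,$//'
}

# Usage: feed a real report (nmap -p- -oG scan.gnmap 10.10.10.151; then
# port_csv < scan.gnmap) or the constructed sample shown here.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
echo "Service scan (assumed next step): nmap -sV -sC -p $(printf '%s\n' "$SAMPLE_GNMAP" | port_csv) 10.10.10.151"
```

Restricting the service scan to the ports already known to be open keeps the noisier -sV/-sC probes off the 65 000 closed ports, and the same list is what later steps (smbclient against 445, the web enumeration against 80) are built from.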

Trying SMB service using anonymous and guest account.

! Unable to enumerate SMB share contents as guest or anonymous

Examining the website hosted on the target.

! Most of the clickable items point back to the home page.

! Found two usable links: a login page (/user/login.php) and a blog (/blog)

Login form.