🦸AVenger (Windows)

You’ve been asked to exploit all the vulnerabilities present.

Network Enumeration

AutoScan script

autoscan 10.10.141.171

nmap result

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Index of /
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
|_http-title: Index of /
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql         MariaDB 5.5.5-10.4.28
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.28-MariaDB
|   Thread ID: 9
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsCompression, SupportsTransactions, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, IgnoreSigpipes, ODBCClient, FoundRows, ConnectWithDatabase, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: GO6^Z'RHQ>$8+on]d_2y
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: GIFT
|   NetBIOS_Domain_Name: GIFT
|   NetBIOS_Computer_Name: GIFT
|   DNS_Domain_Name: gift
|   DNS_Computer_Name: gift
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-05T10:18:18+00:00
|_ssl-date: 2025-08-05T10:18:26+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=gift
| Not valid before: 2025-08-04T10:00:35
|_Not valid after:  2026-02-03T10:00:35
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
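As an added example (not part of the original writeup), a small Python script that parses the nmap table above and turns it into the findings a defender would triage first: TRACE enabled, open directory listing, the expired certificate issued for localhost on 443, and MariaDB, RDP and WinRM reachable from the network. The excerpt embedded in the script is constructed from the output shown above, and the `now` date defaults to the scan's own 2025-08-05.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap output shown above (trimmed, not a live scan).
SCAN = """\
80/tcp    open  http          Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Index of /
443/tcp   open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
|_Not valid after:  2019-11-08T23:48:47
3306/tcp  open  mysql         MariaDB 5.5.5-10.4.28
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
REMOTE_ADMIN = {3306: "MySQL/MariaDB", 3389: "RDP", 5985: "WinRM"}  # not for untrusted networks

def parse_services(text):
    """Group nmap normal-output lines by port, keeping the NSE script lines per port."""
    services, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = {"service": m.group(2), "version": m.group(3).strip(), "script": []}
        elif current is not None and line.startswith("|"):
            services[current]["script"].append(line.lstrip("|_ ").strip())
    return services

def findings(services, now=datetime(2025, 8, 5)):
    """Return sorted (port, finding) pairs a defender would triage from the scan."""
    out = []
    for port, svc in services.items():
        script = "\n".join(svc["script"])
        if "Potentially risky methods: TRACE" in script:
            out.append((port, "HTTP TRACE enabled"))
        if "Index of /" in script:
            out.append((port, "directory listing enabled at web root"))
        m = re.search(r"Not valid after:\s+(\S+)", script)
        if m and datetime.fromisoformat(m.group(1)) < now:
            out.append((port, "expired TLS certificate"))
        if port in REMOTE_ADMIN:
            out.append((port, f"{REMOTE_ADMIN[port]} exposed to the network"))
    return sorted(out)

if __name__ == "__main__":
    print(*findings(parse_services(SCAN)), sep="\n")
```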

Windows system

SMB/RPC Enumeration (Null Session)

session setup failed: NT_STATUS_ACCESS_DENIED

session setup failed: NT_STATUS_ACCESS_DENIED

Web Service Enumeration -p80

nmap result

  • /gift == NetBIOS_Computer_Name: GIFT

  • http://10.10.141.171/gift → Redirect: avenger.tryhackme/gift

  • avenger.tryhackme → /etc/hosts

avenger.tryhackme/gift/

  • WordPress 6.2.2

  • File upload form

  • DevTools Sources → Plugin: Forminator

avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt

Forminator - Version 1.24.1

Exploiting: CVE-2023-4596 - Unauthenticated Arbitrary File Upload to RCE

Community PoC Exploit

Error during exploitation: the malicious PHP file was blocked by antivirus.

Manual Exploitation

Powercat

System Intrusion

Shell: gift\hugo

Post-Intrusion Enumeration

  • No useful permissions for escalation

Medium Mandatory Level is the integrity level assigned to standard user accounts and processes. It is a security feature that protects the system by limiting the access rights of processes running at this level. This means that even if a user has administrator privileges, processes they start without elevation run at medium integrity, which prevents them from easily modifying system files or other high-integrity resources. UAC uses integrity levels to manage user privileges.

  • We belong to the Administrators group, but access to directories such as the local administrator's is restricted.

UAC bypass?

Credential Extraction

Credenciales: hugo:SurpriseMF123!

Privilege Escalation: Reverse Shell with UAC Bypass

RunasCs

New reverse shell without UAC restrictions

System Compromise

Shell: Administrator Account
