root💀haxor:~#

Try Harder!.


Django PwntillDawn

IP Address = 10.150.150.212

Difficulty = Easy

Nmap Scan:

From the scan we can see it's a Windows box with various services running on it.

Let's start our enumeration on port 21, which is FTP.

Now let's view the content of all the files we got from the FTP server.

The first file, the XAMPP log, had a lot of content in it: 599 lines.

Instead of reading the file line by line, I decided to use grep on common things like password, users, etc.

It shows that the XAMPP service is writing passwords in the c:\xampp directory.
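The same keyword search works as a defensive audit: run it over a log before the file is left somewhere readable, such as this FTP server, and it reports which file paths are named next to credential keywords. This is an added example, not part of the original write-up; the keyword list, function names, and sample log lines (including the `EXAMPLE-secrets.txt` placeholder) are assumptions constructed for illustration.

```python
import re

# Keywords that suggest a line talks about credentials (assumed list, tune per environment).
KEYWORDS = re.compile(r"\b(pass(word|wd)?s?|credential|secret|user(name)?s?)\b", re.I)
# Windows absolute path: drive letter, colon, backslash, then non-space characters.
WIN_PATH = re.compile(r"\b[a-zA-Z]:\\[^\s\"'<>|]+")

def audit_log(lines):
    """Return (line_no, keyword, paths) for each line that mentions a
    credential keyword; paths lists any Windows paths on the same line."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = KEYWORDS.search(line)
        if m:
            findings.append((no, m.group(0).lower(), WIN_PATH.findall(line)))
    return findings

def disclosed_paths(findings):
    """Unique paths named next to a credential keyword, in first-seen order.
    Paths are lower-cased and stripped of trailing punctuation before comparing."""
    seen = []
    for _, _, paths in findings:
        for p in paths:
            key = p.rstrip(".,;").lower()
            if key not in seen:
                seen.append(key)
    return seen

# Constructed sample, not the real log from the box.
SAMPLE_LOG = r"""
10:01:12  [main]  Initializing Control Panel
10:01:13  [main]  Checking for prerequisites
10:01:14  [apache]  Service started on port 80
10:01:20  [main]  Writing passwords to c:\xampp\EXAMPLE-secrets.txt
10:01:25  [mysql]  Service started
10:02:02  [main]  Password file updated: C:\xampp\EXAMPLE-secrets.txt.
""".strip().splitlines()

if __name__ == "__main__":
    results = audit_log(SAMPLE_LOG)
    for no, kw, paths in results:
        print(f"line {no}: keyword={kw!r} paths={paths}")
    print("paths to protect:", disclosed_paths(results))
```

Any path it reports should be either unreadable to the service account that serves the share or removed from the log before the log is published.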

Now let's view the content of zen.txt, but it seems to be some sort of poem.

Also, I decided to check if the host is vulnerable to EternalBlue since it's a Windows 7 host. But it wasn't vulnerable.

But if we remember the log file we got from FTP, it disclosed the directory where passwords are stored. Let's check if we can get that from the FTP server.

It removed the \, so let's add one more \.

And it worked. Let's now view the content on our machine.

From the result, it shows the passwords for various services.

Let's check out MySQL: either we use the standard port 3306 and log in via it, or we use phpMyAdmin.

But in this case I'll be using mysql. When I tried connecting to MySQL, I got an error that the user is not allowed to connect to the MySQL server.

Instead, let's go with the other alternative, which is phpMyAdmin.

Getting a shell by exploiting phpMyAdmin is possible, so I used this article to help me get a shell with it: https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/

So what basically happens is the same as exploiting it the CLI way, only in a GUI.

First, create a new database, then put the malicious PHP file inside the webroot directory, then access the shell on the web page.

Let's get our reverse shell. I used the PowerShell reverse shell from revshells.com.

Since chuck.norris also has admin rights on the machine, there's no need to pivot unless we want to do post-exploitation :(

Write-ups have been authorized for this machine by the PwnTillDawn Crew! Here's the link to access it: Wizlynx and PwntillDawn

Flags:
Flag11: 7a763d39f68ece1edd1037074ff8d129451af0b1
Flag18: ad1357d394eba91febe5a6d33dd3ec6dd0abc056
Flag19: a393b6fb540379e942b0010afa3058985fb8cec3
Flag20: a9435c140b6667cf2f24fcf6a9a1ea6b8574c3e7

And we’re done
