PwnDrive Academy PwntillDawn
IP Address = 10.150.150.11
Difficulty = Easy
Nmap Scan:
From the scan we can tell it’s a Windows box. So there are quite a few attack vectors on this box, but I’ll be dealing with port 80.
On heading to the web page we can see it’s some sort of web service that allows users to save things in the cloud.
And we can see a sign-in function, so let’s try signing in.
So one thing we should try when dealing with a login page is default credentials or SQL injection.
As I’ve done it before, both work, and it’s obvious SQLi worked because we had a MySQL service running when we did the port scan, I guess 🤔
But in this case I used the default credentials, which are admin:admin.
We are logged in. Looking at the functions, we can see it allows adding a file.
But before we proceed, let’s check the web server technology, because if we want to abuse it we need to upload a file that the web server will be able to understand, which can lead to remote code execution.
So I used Wappalyzer and we can see the web server programming language is PHP.
So now I will try uploading a PHP code execution payload.
Now I’ll upload it to the web server. And as we can see, the file uploaded successfully.
Fuzz for where the file was uploaded to. I used gobuster and from the result we get a valid directory.
Now let’s check it out. And yeah, the file we uploaded is in there. Now let’s execute commands on the target using that payload.
As we can see, we are admin (the highest-privileged user on the Windows host) on the server.
I can get a reverse shell with this code execution.
I’ll be using a revshell.com payload to pick my reverse shell. And I’ll also have to URL-encode the payload.
Now on sending the payload to the web server we get our shell.
And we’re done
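
For defenders, the clearest trace of the chain above is in the web server access log: a successful request for a script file inside the upload directory, usually from a client that has just used the upload function. The Python below is an added example, not part of the original write-up; the `/uploads/` directory, the `/upload.php` endpoint and the log lines are constructed assumptions, since the write-up does not name them.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed layout (not from the write-up): uploads served from /uploads/,
# upload handler at /upload.php. Adjust both to the application under review.
UPLOAD_PREFIX = "/uploads/"
UPLOAD_ENDPOINT = "/upload.php"
SCRIPT_EXT = (".php", ".phtml", ".phar")

# Apache/Nginx "combined" format: ip, timestamp, method, target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:30 +0000] "GET /uploads/notes.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "GET /uploads/report.php?cmd=whoami HTTP/1.1" 200 24 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /uploads/test.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /uploads/report.PHP HTTP/1.1" 200 24 "-" "curl/8.0"
"""

def find_executed_uploads(log_text):
    """Return 2xx requests for script files under the upload directory."""
    uploaders, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path).lower()  # normalise %-encoding and case
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(ip)  # remember clients that used the upload function
        # Check every segment so /uploads/a.php/extra (PATH_INFO) is caught too.
        is_script = any(seg.endswith(SCRIPT_EXT) for seg in path.split("/"))
        if path.startswith(UPLOAD_PREFIX) and is_script and status.startswith("2"):
            findings.append({"ip": ip, "time": ts, "path": parts.path,
                             "has_query": bool(parts.query),
                             "after_upload": ip in uploaders})
    return findings

if __name__ == "__main__":
    for finding in find_executed_uploads(SAMPLE_LOG):
        print(finding)
```

Any hit means the server is executing content from a user-writable directory; the fix is to change the default credentials, restrict uploads to an allowlist of file types, and store them where the PHP handler is not applied.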