Offensive Security Proving Grounds Walk Through “Medjed”

Vivek Kumar
4 min read · Apr 20, 2022


Initial Foothold:

Even though it is time-consuming, this is a good intermediate-level Windows machine to practice on.

Beginning the initial nmap enumeration.

Running the default nmap scripts.

We have a lot going on in the box.

  • There is an SMB service running.
  • There is a MySQL server on port 3306, which doesn’t accept connections from a remote host.
  • FileZilla FTP server 8.9.41 is running on port 30021 and permits anonymous logins.
  • There are HTTP web services running on ports 8000, 33033, 44330, 45332 and 45443.
  • And Microsoft RPC on port 49665 and so on.

Let’s start by reading the contents in the shared FTP drive.

I transferred them to my local machine but didn’t find anything super interesting. Maybe we can use this later to upload files.

Moving on to check out the web service running on port 8000.

I set up a new administrator account and after logging in we can see a web file server utility.

It provides a link to a file server utility.

We can use this to fetch the local.txt flag.

We can also upload files onto certain directories. Let’s upload a reverse shell and a web console to trigger that shell.

Using msfvenom to create a reverse shell. Also getting the default ASPX web shell ready in the current folder to upload.

Uploading both files.

I uploaded the files, but no kind of ASPX or PHP reverse shell will compile and run in this file share environment. Enumerating the web service on port 33033.

We can find a lot of information on this page. We have the ability to update any user’s password from the forgot-password page, provided we have access to the user’s password reminder text.

I liked the user Jerren Valon because of his picture, and his reminder is guessable from the text on his profile. I changed his password to ‘admin’ using username: ‘jerren.devops’, Reminder: ‘paranoid’.

After logging in, we see a link to the profile slug page.

There is scope for SQL injection here. Supplying a malformed input makes the page reveal its source code.

I tried several things, but it didn’t return anything exciting. Moving on to enumerating other services. The web service running on port 44330 is no good. The web service on port 45332 looks interesting though.

We can see the phpinfo page on this service, which indicates an XAMPP server running on the host machine.

Since we have the capability of uploading a file through the file service running on port 8000, I’ll upload a PHP script which executes the reverse shell we had uploaded earlier.

We receive a reverse shell on executing this script.

Privilege Escalation:

Transferring winPEAS using the same file service and running it to enumerate further. We can see that we have write access to an important file, C:\bd\bd.exe. It’s the same weakness as this privilege escalation exploit. Refer: https://www.exploit-db.com/exploits/48789.

We will replace this executable with our reverse shell and restart the system to receive an administrator shell.

copy /Y C:\Users\Jerren\Desktop\reverse.exe C:\bd\bd.exe

shutdown -r

And wait a minute for the system to restart. When it restarts, we get a reverse shell with SYSTEM privileges on our listener.
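The root cause above is a service executable that an unprivileged user can overwrite. The following audit script is an added example (not part of the original walkthrough) that a defender can run in an elevated PowerShell session to find service binaries writable by low-privilege groups and to tighten their ACLs. It assumes the weak principals are the built-in Users, Authenticated Users and Everyone groups; `Get-ServiceBinaryPath`, `Test-WritableByUntrusted`, `Find-WritableServiceBinaries` and `Repair-ServiceBinaryAcl` are names chosen for this example.

```powershell
# Added example: audit services whose executable is writable by low-privilege
# principals (the C:\bd\bd.exe weakness in the walkthrough) and repair the ACL.
# Assumption: these well-known groups are the "untrusted" writers we care about.
$UntrustedPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments, e.g. '"C:\bd\bd.exe" -svc'
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WritableByUntrusted {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($UntrustedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any write-class right granted to an untrusted group is a finding
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $bin = Get-ServiceBinaryPath $_.PathName
            if (Test-WritableByUntrusted $bin) {
                # StartName shows which account the replaced binary would run as
                [pscustomobject]@{ Service = $_.Name; StartName = $_.StartName; Binary = $bin }
            }
        }
}

function Repair-ServiceBinaryAcl {
    param([string]$Path)
    # Drop inherited ACEs and re-grant: SYSTEM and Administrators keep full control,
    # Users are reduced to read/execute. Review Find-WritableServiceBinaries output first.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' 'Users:(RX)'
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Pair the audit with alerting on file writes to service binary paths (for example Sysmon Event ID 11 on those directories), since a replaced binary only takes effect at the next service start or reboot.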
