SecNotes

Summary

  • Only three ports were open: 80 (web), 445 (SMB), and 8808 (IIS default page).

  • The main site (/login.php) hosted a note-taking app vulnerable to SQL injection and CSRF.

  • Exploited SQLi via the registration form to gain access as admin by using 'OR 1 OR' as the username.

  • Retrieved SMB credentials for user tyler from the admin dashboard.

  • With SMB access, uploaded a reverse shell using nc.exe to the writable new-site share.

  • Got initial shell via browser-based trigger of the uploaded PHP payload.

  • Privilege escalation was achieved through WSL abuse: the bash.exe binary was found, and a root shell was obtained via a reverse shell launched from WSL.

  • bash_history revealed Administrator credentials.

  • Used psexec with Administrator creds to get SYSTEM access.
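The summary above explains that registering the username 'OR 1 OR' later grants access to the admin's notes. The following is an added example, not code from the box or its PHP/MySQL app, that reproduces the defect in Python with an in-memory SQLite table (a constructed sample, with assumed table and column names) and shows the parameterized query that closes it:

```python
import sqlite3

# The username payload quoted in the summary above; it is stored verbatim
# at registration and only does damage when a later query interpolates it.
PAYLOAD_USERNAME = "'OR 1 OR'"


def make_db():
    """Constructed sample notes table; names are assumptions, not the app's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (username TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [
            ("admin", "constructed sample: smb password for tyler"),
            ("alice", "constructed sample: shopping list"),
        ],
    )
    return conn


def notes_vulnerable(conn, username):
    """Builds the WHERE clause by string interpolation (the defect)."""
    # With PAYLOAD_USERNAME this becomes:
    #   SELECT note FROM notes WHERE username = ''OR 1 OR''
    # i.e. (username = '') OR 1 OR '' -> true for every row, so every
    # user's notes are returned, including the admin's.
    query = f"SELECT note FROM notes WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def notes_hardened(conn, username):
    """Binds the username as a parameter, so it is data and never SQL."""
    query = "SELECT note FROM notes WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", notes_vulnerable(db, PAYLOAD_USERNAME))  # all rows
    print("hardened:  ", notes_hardened(db, PAYLOAD_USERNAME))    # no rows
```

The hardened query returns nothing for the payload because no row literally has that username; the defect is the interpolation, not the registration form itself, so escaping at sign-up alone would not be enough.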


Enumeration

nmap -p- -T5 10.10.10.97 -vv
sudo nmap -sC -sN -A -oN full.nmap -p80,135,139,445,8808 10.10.10.97

Discovered:

  • Port 80: Secure Notes login panel (login.php)

  • Port 8808: Default IIS page

  • Port 445: SMB with new-site share (eventually writable)


Initial Foothold

Web App (Port 80)

SQL Injection on Sign-Up page:

Logged in as admin and saw notes containing the following credentials:


SMB Enumeration

Uploaded reverse shell via SMB:

  • nc.exe

  • PHP shell to execute nc.exe -e cmd.exe

Then triggered it from browser:

Listener:

Shell obtained!


Privilege Escalation

WSL Abuse

Located WSL:

Checked current WSL user:

Spawned root shell via reverse connection from WSL:

Escaped limited shell:

Looted .bash_history, which revealed Administrator SMB credentials:


SYSTEM Shell via psexec

Boom! Got SYSTEM access and root flag.
