
Craft Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)


Scanning

└─$ rustscan -a $IP -- -sV -sC -Pn -oN scan_tcp.txt

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Craft


Enumeration

Since we only have one port open, we will start our enumeration by browsing the webpage.

This looks like an entry point. We need to create a malicious document that we can upload.

Directory Enumeration

└─$ feroxbuster --url $URL --wordlist /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k 

Used feroxbuster to see some quick hits. Found upload.php.

Pretty clear that this is using XAMPP to host this webserver.


Tried uploading a random file and got an error!

So what's an ODT file?

On a little search I found that ODT is an OpenDocument Text file, an open-source and widely compatible word processing document format that uses Extensible Markup Language (XML) to store text, images, and other document elements.

And there are tools to generate a malicious ODT file.
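Because an ODT is a ZIP package of XML parts, the receiving side can inspect an upload before anyone opens it. The following is an added example, not part of the original walkthrough or the target application: it flags macro storage, event-bound scripts and externally targeted links. The function names and the sample packages are constructed for illustration.

```python
import io
import re
import zipfile

ODT_MIME = b"application/vnd.oasis.opendocument.text"
# Package members that hold macro code in OpenDocument files.
MACRO_PREFIXES = ("Basic/", "Scripts/")
# Markup that binds a script to a document event (for example, on open).
EVENT_RE = re.compile(rb"<script:event-listener\b[^>]*>")
# Links whose target lies outside the package (remote URL or UNC path).
EXTERNAL_RE = re.compile(rb'xlink:href="((?:https?|file|ftp|smb):[^"]*|\\\\[^"]*)"', re.I)


def inspect_odt(data: bytes) -> list[str]:
    """Return findings for an uploaded ODT; an empty list means nothing was flagged."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container"]
    with zf:
        names = zf.namelist()
        if "mimetype" not in names or zf.read("mimetype").strip() != ODT_MIME:
            findings.append("mimetype member missing or not ODT")
        for name in names:
            if name.startswith(MACRO_PREFIXES):
                findings.append(f"macro storage: {name}")
        for part in ("content.xml", "styles.xml"):
            if part not in names:
                continue
            xml = zf.read(part)
            if EVENT_RE.search(xml):
                findings.append(f"event-bound script in {part}")
            for m in EXTERNAL_RE.finditer(xml):
                findings.append(f"external link in {part}: {m.group(1).decode(errors='replace')}")
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample packages (not real documents) to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODT_MIME)
        body = b"<office:document-content><text:p>CV</text:p>"
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", b"<script:module/>")
            body += b'<script:event-listener script:event-name="dom:load"/>'
        zf.writestr("content.xml", body + b"</office:document-content>")
    return buf.getvalue()
```

A non-empty result is a reason to quarantine the file for review rather than pass it to whoever opens submitted documents.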

Generate Malicious ODT

Uploaded the malicious Resume.odt.