Hi everyone
Today we are going to look for a Box called Medjed which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Difficulty – Intermediate
Operating System – Windows
Focus Areas
- Windows Enumeration
- Barracuda Web File Server Enumeration
- Default Credential Discovery
- File Upload Abuse
- Remote Code Execution (RCE)
- Reverse Shell Handling
- Windows Privilege Escalation
- Insecure Service Binary Replacement
- Weak File Permissions Exploitation
- Service Abuse for SYSTEM Privileges
In this writeup, I leverage weak authentication to access the Barracuda Web File Server Manager and abuse its file upload feature to execute a reverse shell, gaining an initial foothold on the target. During privilege escalation, I identify a writable service binary used by an automatically starting Windows service. Replacing the legitimate executable with a malicious payload and triggering the service on reboot grants me a reverse shell running with NT AUTHORITY\SYSTEM privileges.
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.180.127
┌──(root㉿Mr-KaaLi)-[~/Desktop/PG_Practice/Windows_Boxes/Medjed]
└─# nmap -sC -sV -O -oA nmap/initial 192.168.180.127
Starting Nmap 7.95 ( https://nmap.org ) at 2026-07-06 20:00 IST
Stats: 0:02:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.15% done; ETC: 20:03 (0:00:00 remaining)
Nmap scan report for 192.168.180.127
Host is up (0.043s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
8000/tcp open http-alt BarracudaServer.com (Windows)
| http-webdav-scan:
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Type: BarracudaServer.com (Windows)
|_ Server Date: Mon, 06 Jul 2026 14:33:09 GMT
|_http-title: Home
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: BarracudaServer.com (Windows)
| http-methods:
|_ Potentially risky methods: PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| fingerprint-strings:
| FourOhFourRequest, Socks5:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:30:57 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| GenericLines:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:30:51 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:30:52 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:31:02 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Date: Mon, 06 Jul 2026 14:32:06 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| Content-Type: text/html
| Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|_ <html><body><h1>400 Bad Request</h1>Can't parse request<p>BarracudaServer.com (Windows)</p></body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.95%I=7%D=7/6%Time=6A4BBC1B%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202
SF:026\x2014:30:51\x20GMT\r\nServer:\x20BarracudaServer\.com\x20\(Windows\
SF:)\r\nConnection:\x20Close\r\n\r\n")%r(GetRequest,72,"HTTP/1\.1\x20200\x
SF:20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:30:52\x20GMT\r\nServer
SF::\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\
SF:n")%r(FourOhFourRequest,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x20
SF:06\x20Jul\x202026\x2014:30:57\x20GMT\r\nServer:\x20BarracudaServer\.com
SF:\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\n")%r(Socks5,72,"HTTP/1\.
SF:1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:30:57\x20GMT
SF:\r\nServer:\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Cl
SF:ose\r\n\r\n")%r(HTTPOptions,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,
SF:\x2006\x20Jul\x202026\x2014:31:02\x20GMT\r\nServer:\x20BarracudaServer\
SF:.com\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\n")%r(RTSPRequest,72,
SF:"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:31:
SF:02\x20GMT\r\nServer:\x20BarracudaServer\.com\x20\(Windows\)\r\nConnecti
SF:on:\x20Close\r\n\r\n")%r(SIPOptions,13C,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:32:06\x20GMT\r\nServer
SF::\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Close\r\nCon
SF:tent-Type:\x20text/html\r\nCache-Control:\x20no-store,\x20no-cache,\x20
SF:must-revalidate,\x20max-age=0\r\n\r\n<html><body><h1>400\x20Bad\x20Requ
SF:est</h1>Can't\x20parse\x20request<p>BarracudaServer\.com\x20\(Windows\)
SF:</p></body></html>");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=7/6%OT=135%CT=1%CU=41716%PV=Y%DS=4%DC=I%G=Y%TM=6A4BBCB
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(SP=1
OS:05%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(SP=107%GCD=1%ISR=108%TI=I%CI=I%TS=U)
OS:SEQ(SP=107%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(SP=FE%GCD=1%ISR=109%TI=I%CI=
OS:I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M578NW8%O4=M578NW8NNS%O5=M578N
OS:W8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN
OS:(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=N)
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-07-06T14:33:11
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.84 seconds
nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.180.127
┌──(root㉿Mr-KaaLi)-[~/Desktop/PG_Practice/Windows_Boxes/Medjed]
└─# nmap -sC -sV -O -p- -oA nmap/full 192.168.180.127 -T4
Starting Nmap 7.95 ( https://nmap.org ) at 2026-07-06 20:03 IST
Nmap scan report for 192.168.180.127
Host is up (0.043s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
5040/tcp open unknown
8000/tcp open http-alt BarracudaServer.com (Windows)
| http-methods:
|_ Potentially risky methods: PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| http-webdav-scan:
| Server Type: BarracudaServer.com (Windows)
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
| Server Date: Mon, 06 Jul 2026 14:37:29 GMT
|_ WebDAV type: Unknown
|_http-title: Home
| fingerprint-strings:
| FourOhFourRequest, Socks5:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:34:50 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| GenericLines, GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:34:45 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Date: Mon, 06 Jul 2026 14:34:55 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Date: Mon, 06 Jul 2026 14:35:58 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| Content-Type: text/html
| Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|_ <html><body><h1>400 Bad Request</h1>Can't parse request<p>BarracudaServer.com (Windows)</p></body></html>
|_http-server-header: BarracudaServer.com (Windows)
|_http-open-proxy: Proxy might be redirecting requests
30021/tcp open ftp FileZilla ftpd 0.9.41 beta
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 536 Nov 03 2020 .gitignore
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 app
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 bin
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 config
| -r--r--r-- 1 ftp ftp 130 Nov 03 2020 config.ru
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 db
| -r--r--r-- 1 ftp ftp 1750 Nov 03 2020 Gemfile
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 lib
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 log
| -r--r--r-- 1 ftp ftp 66 Nov 03 2020 package.json
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 public
| -r--r--r-- 1 ftp ftp 227 Nov 03 2020 Rakefile
| -r--r--r-- 1 ftp ftp 374 Nov 03 2020 README.md
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 test
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 tmp
|_drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 vendor
33033/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| GetRequest, HTTPOptions:
| HTTP/1.0 403 Forbidden
| Content-Type: text/html; charset=UTF-8
| Content-Length: 3102
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <title>Action Controller: Exception caught</title>
| <style>
| body {
| background-color: #FAFAFA;
| color: #333;
| margin: 0px;
| body, p, ol, ul, td {
| font-family: helvetica, verdana, arial, sans-serif;
| font-size: 13px;
| line-height: 18px;
| font-size: 11px;
| white-space: pre-wrap;
| pre.box {
| border: 1px solid #EEE;
| padding: 10px;
| margin: 0px;
| width: 958px;
| header {
| color: #F0F0F0;
| background: #C52F24;
| padding: 0.5em 1.5em;
| margin: 0.2em 0;
| line-height: 1.1em;
| font-size: 2em;
| color: #C52F24;
| line-height: 25px;
| .details {
|_ bord
44330/tcp open ssl/unknown
|_ssl-date: 2026-07-06T14:37:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=server demo 1024 bits/organizationName=Real Time Logic/stateOrProvinceName=CA/countryName=US
| Not valid before: 2009-08-27T14:40:47
|_Not valid after: 2019-08-25T14:40:47
45332/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-title: Quiz App
45443/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: Quiz App
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.95%I=7%D=7/6%Time=6A4BBD04%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202
SF:026\x2014:34:45\x20GMT\r\nServer:\x20BarracudaServer\.com\x20\(Windows\
SF:)\r\nConnection:\x20Close\r\n\r\n")%r(GetRequest,72,"HTTP/1\.1\x20200\x
SF:20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:34:45\x20GMT\r\nServer
SF::\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\
SF:n")%r(FourOhFourRequest,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x20
SF:06\x20Jul\x202026\x2014:34:50\x20GMT\r\nServer:\x20BarracudaServer\.com
SF:\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\n")%r(Socks5,72,"HTTP/1\.
SF:1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:34:50\x20GMT
SF:\r\nServer:\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Cl
SF:ose\r\n\r\n")%r(HTTPOptions,72,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,
SF:\x2006\x20Jul\x202026\x2014:34:55\x20GMT\r\nServer:\x20BarracudaServer\
SF:.com\x20\(Windows\)\r\nConnection:\x20Close\r\n\r\n")%r(RTSPRequest,72,
SF:"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:34:
SF:55\x20GMT\r\nServer:\x20BarracudaServer\.com\x20\(Windows\)\r\nConnecti
SF:on:\x20Close\r\n\r\n")%r(SIPOptions,13C,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nDate:\x20Mon,\x2006\x20Jul\x202026\x2014:35:58\x20GMT\r\nServer
SF::\x20BarracudaServer\.com\x20\(Windows\)\r\nConnection:\x20Close\r\nCon
SF:tent-Type:\x20text/html\r\nCache-Control:\x20no-store,\x20no-cache,\x20
SF:must-revalidate,\x20max-age=0\r\n\r\n<html><body><h1>400\x20Bad\x20Requ
SF:est</h1>Can't\x20parse\x20request<p>BarracudaServer\.com\x20\(Windows\)
SF:</p></body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port33033-TCP:V=7.95%I=7%D=7/6%Time=6A4BBD04%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(GetReques
SF:t,C76,"HTTP/1\.0\x20403\x20Forbidden\r\nContent-Type:\x20text/html;\x20
SF:charset=UTF-8\r\nContent-Length:\x203102\r\n\r\n<!DOCTYPE\x20html>\n<ht
SF:ml\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\
SF:x20\x20<title>Action\x20Controller:\x20Exception\x20caught</title>\n\x2
SF:0\x20<style>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20backgr
SF:ound-color:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\
SF:x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x
SF:20body,\x20p,\x20ol,\x20ul,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-fa
SF:mily:\x20helvetica,\x20verdana,\x20arial,\x20sans-serif;\n\x20\x20\x20\
SF:x20\x20\x20font-size:\x20\x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-he
SF:ight:\x2018px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20
SF:\x20\x20\x20\x20font-size:\x2011px;\n\x20\x20\x20\x20\x20\x20white-spac
SF:e:\x20pre-wrap;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x
SF:20\x20\x20\x20\x20\x20border:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x2
SF:0\x20\x20padding:\x2010px;\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x
SF:20\x20\x20\x20\x20\x20width:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x
SF:20\x20header\x20{\n\x20\x20\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20
SF:\x20\x20\x20\x20background:\x20#C52F24;\n\x20\x20\x20\x20\x20\x20paddin
SF:g:\x200\.5em\x201\.5em;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20h1\x20{\n
SF:\x20\x20\x20\x20\x20\x20margin:\x200\.2em\x200;\n\x20\x20\x20\x20\x20\x
SF:20line-height:\x201\.1em;\n\x20\x20\x20\x20\x20\x20font-size:\x202em;\n
SF:\x20\x20\x20\x20}\n\n\x20\x20\x20\x20h2\x20{\n\x20\x20\x20\x20\x20\x20c
SF:olor:\x20#C52F24;\n\x20\x20\x20\x20\x20\x20line-height:\x2025px;\n\x20\
SF:x20\x20\x20}\n\n\x20\x20\x20\x20\.details\x20{\n\x20\x20\x20\x20\x20\x2
SF:0bord")%r(HTTPOptions,C76,"HTTP/1\.0\x20403\x20Forbidden\r\nContent-Typ
SF:e:\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x203102\r\n\r\n<!D
SF:OCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20charse
SF:t=\"utf-8\"\x20/>\n\x20\x20<title>Action\x20Controller:\x20Exception\x2
SF:0caught</title>\n\x20\x20<style>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x
SF:20\x20\x20\x20background-color:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20co
SF:lor:\x20#333;\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x2
SF:0}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x20ul,\x20td\x20{\n\x20\x20\x2
SF:0\x20\x20\x20font-family:\x20helvetica,\x20verdana,\x20arial,\x20sans-s
SF:erif;\n\x20\x20\x20\x20\x20\x20font-size:\x20\x20\x2013px;\n\x20\x20\x2
SF:0\x20\x20\x20line-height:\x2018px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x
SF:20pre\x20{\n\x20\x20\x20\x20\x20\x20font-size:\x2011px;\n\x20\x20\x20\x
SF:20\x20\x20white-space:\x20pre-wrap;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\
SF:x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20border:\x201px\x20solid\x20#E
SF:EE;\n\x20\x20\x20\x20\x20\x20padding:\x2010px;\n\x20\x20\x20\x20\x20\x2
SF:0margin:\x200px;\n\x20\x20\x20\x20\x20\x20width:\x20958px;\n\x20\x20\x2
SF:0\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20\x20\x20\x20\x20\x20color:\x
SF:20#F0F0F0;\n\x20\x20\x20\x20\x20\x20background:\x20#C52F24;\n\x20\x20\x
SF:20\x20\x20\x20padding:\x200\.5em\x201\.5em;\n\x20\x20\x20\x20}\n\n\x20\
SF:x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20margin:\x200\.2em\x200;\n\x
SF:20\x20\x20\x20\x20\x20line-height:\x201\.1em;\n\x20\x20\x20\x20\x20\x20
SF:font-size:\x202em;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20h2\x20{\n\x20\
SF:x20\x20\x20\x20\x20color:\x20#C52F24;\n\x20\x20\x20\x20\x20\x20line-hei
SF:ght:\x2025px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20\.details\x20{\n\x2
SF:0\x20\x20\x20\x20\x20bord");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=7/6%OT=135%CT=1%CU=36753%PV=Y%DS=4%DC=I%G=Y%TM=6A4BBDC
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=I%CI=I%TS=U)SEQ(SP=1
OS:02%GCD=1%ISR=107%TI=I%CI=I%TS=U)SEQ(SP=105%GCD=1%ISR=105%TI=I%CI=I%TS=U)
OS:SEQ(SP=105%GCD=1%ISR=10A%TI=I%CI=I%TS=U)SEQ(SP=107%GCD=1%ISR=107%TI=I%CI
OS:=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M578NW8%O4=M578NW8NNS%O5=M578
OS:NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)EC
OS:N(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%
OS:F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
OS:%RUCK=G%RUD=G)IE(R=N)
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-07-06T14:37:29
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.54 seconds
nmap -sU -O -oA nmap/udp 192.168.180.127 -T4
┌──(root㉿Mr-KaaLi)-[~/Desktop/PG_Practice/Windows_Boxes/Medjed]
└─# nmap -sU -O -oA nmap/udp 192.168.180.127 -T4
Starting Nmap 7.95 ( https://nmap.org ) at 2026-07-06 20:30 IST
Warning: 192.168.180.127 giving up on port because retransmission cap hit (6).
Stats: 0:12:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 74.87% done; ETC: 20:48 (0:04:19 remaining)
Nmap scan report for 192.168.180.127
Host is up (0.044s latency).
Not shown: 981 closed udp ports (port-unreach)
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
1032/udp open|filtered iad3
1900/udp open|filtered upnp
2048/udp open|filtered dls-monitor
3457/udp open|filtered vat-control
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
18134/udp open|filtered unknown
19141/udp open|filtered unknown
19283/udp open|filtered keysrvr
28641/udp open|filtered unknown
43094/udp open|filtered unknown
49173/udp open|filtered unknown
49968/udp open|filtered unknown
Device type: general purpose
Running: Microsoft Windows 2008|2012|7|8.1|Vista, Novell NetWare 6.X
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:novell:netware:6
Too many fingerprints match this host to give specific OS details
Network Distance: 4 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1075.19 seconds
I discovered these ports are open:
- 135/tcp Microsoft Windows RPC (MSRPC)
- 139/tcp NetBIOS Session Service (SMB)
- 445/tcp Microsoft Directory Services (SMB), service unauthenticated/unidentified
- 3306/tcp MariaDB 10.3.24 or later (unauthorized access)
- 5040/tcp Unknown service exposed
- 8000/tcp HTTP service running BarracudaServer.com (WebDAV enabled, PROPFIND/PUT/DELETE/MOVE/MKCOL allowed)
- 30021/tcp FTP service running FileZilla ftpd 0.9.41 beta (anonymous login allowed, FTP bounce vulnerable)
- 33033/tcp Unknown service running a Ruby on Rails app (Action Controller exception page, 403 Forbidden responses)
- 44330/tcp SSL/unknown service (self-signed cert “server demo,” Real Time Logic, expired since 2019)
- 45332/tcp HTTP service running Apache httpd 2.4.46 (Win64, OpenSSL/1.1.1g, PHP/7.3.23), “Quiz App”
- 45443/tcp HTTP service running Apache httpd 2.4.46 (Win64, OpenSSL/1.1.1g, PHP/7.3.23), “Quiz App”
- 49664–49669/tcp Microsoft Windows RPC (MSRPC), 6 dynamic RPC ports
- 123/udp, 137/udp, 138/udp, 500/udp, 1032/udp, 1900/udp, 2048/udp, 3457/udp, 4500/udp, 5050/udp, 5353/udp, 5355/udp, 18134/udp, 19141/udp, 19283/udp, 28641/udp, 43094/udp, 49173/udp, 49968/udp open|filtered (ntp, netbios ns/dgm, isakmp, upnp, nat t ike, mmcc, zeroconf, llmnr, and several unidentified)
- OS: Microsoft Windows (best guess match spans Windows Server 2008 R2 / Windows Server 2012 / Windows 7 / Windows 8.1 / Vista family, nmap could not narrow to one exact version due to fingerprint ambiguity)
Then I went ahead and checked the FTP service running:

I found some files:

A quick gobuster scan shows some files:

After that browsing to port 8000 shows a configuration wizard:

I quickly set up the admin account:



After logging in top the CMS I found options to configure the CMS:

In the Web File Server I found the /fs/ link:

After visiting to the link I found C and D Drives:

From here I can see the various folders:

I found the local.txt:

I also discovered the proof.txt:


Exploitation
I created a shell file in PHP format as the app was using PHP and the utility I used was msfvenom:

On th eport 45332 I found a start button and phpinfo page:



I uploaded the shell file to the port 45332 and started the netcat listener and I got the initial access however the shell was quite unstable so I created a .exe reverse shell and executed it from the initial shell in order to stabilize the shell:


Upload the 64.exe file created in the previous step using the Barracuda Web File Server Manager:

I executed the previous shell call shell.php:

I recieved the shell and I can see the rev.exe the other shell is available on the target:

Executed the another file rev.exe and started the listener and I obtained the stable shell access:


I found the local.txt flag
Privilege Escalation
Now it was a time for escalating the privileges.
The presence of the C:\bd\ directory is unusual, as it is not part of a standard Windows installation. This indicates that the Barracuda application is likely hosted from this location. Within the C:\bd\ directory, we identified a readme.txt file:

After checking the contents of the files I found the version was 6.5:

A quick search on exploit db mentioned about insecure folder permissions:
BarracudaDrive v6.5 – Insecure Folder Permissions – Windows local Exploit

I created a reverse shell payload with name bd.exe and hosted it using python server:

I renamed the originalk bd.exe file with bd.exe.bak and downloaded the bd.exe which I created and hosted.
The C:\tmp\bd.exe file is executed by the automatically starting bd service. Since the service launches this executable during system startup, we can replace the legitimate bd.exe with our own malicious payload—a reverse shell renamed to bd.exe. After rebooting the system, the bd service will automatically execute our payload instead of the original executable, causing the target machine to establish a reverse shell connection back to our attacker machine.
Once the callback is received, we gain a shell with SYSTEM-level privileges, successfully completing the privilege escalation attack.

The listener was started:

I was the admin user:

The above image shows proof.txt was discovered.
Key Takeaways
- Thorough enumeration is the key to success. Identifying multiple exposed services and understanding how they interact helped uncover the complete attack path rather than focusing on a single entry point.
- Misconfigured administrative setup pages can lead to full system compromise. Allowing an attacker to create an administrator account during an incomplete application setup exposes the entire environment.
- File management interfaces should never expose unrestricted filesystem access. Read/write access to the underlying operating system significantly increases the impact of any compromise.
- Knowing the web server’s document root is critical for achieving Remote Code Execution (RCE). Understanding where uploaded files are served from makes it possible to execute malicious payloads successfully.
- Stable shells improve post-exploitation efficiency. Replacing an unstable PHP shell with a native Windows executable provides a far more reliable environment for enumeration and privilege escalation.
- Privilege escalation often relies on insecure file permissions rather than software vulnerabilities. Writable service binaries remain one of the most effective ways to obtain SYSTEM privileges on Windows.
- Always inspect Windows services during post-exploitation. Service executables, startup paths, and file permissions frequently reveal privilege escalation opportunities that automated tools may overlook.
- Chaining multiple low-severity misconfigurations can result in complete system compromise. Individually, each issue appears minor, but together they provide a straightforward path from initial access to NT AUTHORITY\SYSTEM.
- Manual enumeration complements automated tooling. Carefully reviewing directories, services, and configuration files uncovered the privilege escalation vector that could easily be missed during a tool-only assessment.
- Defense-in-depth is essential. Properly securing administrative interfaces, restricting filesystem permissions, validating file uploads, and hardening Windows service permissions would have broken the attack chain at multiple stages.
If you enjoyed this post, share it with your friends and colleagues!