May 12, 2025

Monster Proving Grounds Write-Up

Proving Grounds Monster machine walkthrough

SUMMARY

This write-up covers the Monster machine from Offsec’s Proving Grounds, a Windows machine requiring creative hash cracking to pivot from a web CMS to the underlying system user.

Port 80 ran Monstra CMS 3.0.4. Directory enumeration revealed an admin panel. A custom wordlist was generated from the site content using cewl (lowercased), and a brute-force attack identified the admin password. Once authenticated, the standard RCE exploits for this version failed, but the CMS offered a backup feature that produced a downloadable archive of the application directory. Inside, users.table.xml contained MD5 hashes with an unknown iteration count.

Standard hashcat runs against rockyou.txt failed. Research revealed that Monstra CMS ships with a default SALT that is often never changed during installation. mdxfind was run with the known admin hash and password to recover the iteration count, and applying the same settings to the mike user’s hash yielded his plaintext password. RDP access was established as mike. Privilege escalation was achieved by locating an installed XAMPP instance vulnerable to arbitrary code execution: replacing the Editor path in xampp-control.ini with the path of an msfvenom-generated binary caused the XAMPP control panel (running as SYSTEM) to execute the payload, returning a shell as Administrator.
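The xampp-control.ini step above is easy to check for on a host you administer. The following audit script is an added example, not part of this write-up or of XAMPP itself; it assumes the control panel stores the editor under a `[Common]` section as an `Editor` key (assumption), and flags an Editor value that points outside trusted program directories, as a payload dropped in a user-writable folder would.

```python
import configparser
import ntpath

# Constructed sample inis (section/key names are an assumption, see lead-in).
CLEAN_INI = "[Common]\nEdition=\nEditor=notepad.exe\nBrowser=\nLanguage=en\n"
TAMPERED_INI = (
    "[Common]\nEdition=\n"
    "Editor=C:\\Users\\mike\\Downloads\\update.exe\n"  # constructed payload path
    "Browser=\nLanguage=en\n"
)

# Editors an administrator would expect the control panel to launch.
EXPECTED_EDITORS = {"notepad.exe", "notepad++.exe"}
# Directories a standard user cannot normally write to.
TRUSTED_DIRS = (
    "c:\\windows\\", "c:\\program files\\",
    "c:\\program files (x86)\\", "c:\\xampp\\",
)


def audit_editor(ini_text):
    """Return {'editor': value, 'verdict': ..., 'reason': ...} for one ini body."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(ini_text)
    editor = cp.get("Common", "Editor", fallback="").strip().strip('"')
    if not editor:
        return {"editor": editor, "verdict": "missing", "reason": "no Editor set"}
    name = ntpath.basename(editor).lower()
    if not ntpath.dirname(editor):
        # Bare name resolved via PATH: fine only if it is a known editor.
        verdict = "ok" if name in EXPECTED_EDITORS else "review"
        return {"editor": editor, "verdict": verdict, "reason": "resolved via PATH"}
    lowered = editor.lower()
    if not any(lowered.startswith(d) for d in TRUSTED_DIRS):
        # Anything launched by a SYSTEM-level panel from a user-writable
        # location is the pattern this write-up abuses.
        return {"editor": editor, "verdict": "suspicious",
                "reason": "Editor outside trusted program directories"}
    verdict = "ok" if name in EXPECTED_EDITORS else "review"
    return {"editor": editor, "verdict": verdict, "reason": "trusted directory"}


def audit_file(path):
    """Audit an on-disk xampp-control.ini."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_editor(fh.read())


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_INI), ("tampered", TAMPERED_INI)):
        print(label, audit_editor(body))
```

Pair the check with file-ACL review: the finding only matters if a low-privileged user can write the ini.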


PATH TO FOLLOW

  1. Reconnaissance & Monstra CMS Discovery on Port 80
  2. Password Guessing with cewl Wordlist via Admin Panel
  3. CMS Backup Extraction & Hash Discovery
  4. Default SALT Identification & mdxfind Hash Cracking
  5. RDP Access as mike
  6. XAMPP Version Identification
  7. xampp-control.ini Editor Path Replacement (LPE)
  8. Shell as Administrator

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.