Slort Proving Grounds Write-Up
SUMMARY
This write-up covers the Slort machine from OffSec’s Proving Grounds, a Windows machine where a vulnerable PHP web application led to remote code execution and a simple privilege escalation through a scheduled binary.
Port 8080 served a default XAMPP page. Directory fuzzing revealed a /site subdirectory, and further fuzzing inside it uncovered additional PHP files. Examining the site’s URL revealed a file inclusion parameter, and testing it confirmed both LFI and RFI. A malicious rev.php was hosted on the attacker’s HTTP server and included via the RFI parameter, which executed the PHP code on the victim machine. This was used to download nc.exe and send a reverse shell as user rupert.
Inside the machine, a C:\Backup directory contained a binary (TFPT.exe) and a note stating the binary was executed every five minutes. Listing permissions with icacls showed the current user had full control over the file. The binary was replaced with a msfvenom payload, and after a few minutes a shell as Administrator was received.
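Added example (not part of the original write-up): a defender-side audit for the condition described above, parsing icacls output for a binary run by a privileged scheduled job and flagging any non-administrative principal that can modify it. The sample output, the SLORT\rupert account format and the trusted-principal baseline are constructed assumptions.

```python
import re

# Principals expected to be able to modify a binary run by a privileged job
# (assumed baseline; adjust to the environment).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
           "NT SERVICE\\TRUSTEDINSTALLER"}
# icacls rights that permit changing or replacing the file's contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def risky_aces(path, icacls_output):
    """Return [(principal, [rights])] for untrusted principals able to modify path."""
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        # The first line is "<path> <ACE>"; continuation lines hold only the ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m["flags"])
        if "DENY" in groups or "IO" in groups:
            continue  # deny and inherit-only ACEs grant nothing on this file
        rights = {r.strip() for g in groups for r in g.split(",")}
        hits = sorted(rights & WRITE_RIGHTS)
        principal = m["principal"].strip()
        if hits and principal.upper() not in TRUSTED:
            findings.append((principal, hits))
    return findings

# Constructed sample of icacls output for the binary named in the write-up;
# the SLORT hostname prefix is an assumption.
SAMPLE = r"""C:\Backup\TFPT.exe BUILTIN\Users:(I)(RX)
                   SLORT\rupert:(F)
                   BUILTIN\Administrators:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for principal, rights in risky_aces(r"C:\Backup\TFPT.exe", SAMPLE):
        print(f"WRITABLE by {principal}: {','.join(rights)}")
```

Running the same check against every executable referenced by a scheduled task or service surfaces this class of misconfiguration before it is abused.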
PATH TO FOLLOW
- Reconnaissance & XAMPP Discovery on Port 8080
- Directory Fuzzing & File Inclusion Parameter Discovery
- LFI/RFI Confirmation & Remote PHP Execution
- Reverse Shell as rupert
- Scheduled Binary Discovery in C:\Backup
- Writable Binary Replacement with msfvenom Payload
- Shell as Administrator
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.