# 5 box enum ``` C:\xampp>more passwords.txt ### XAMPP Default Passwords ### 1) MySQL (phpMyAdmin): User: root Password: (means no password!) 2) FileZilla FTP: [ You have to create a new user on the FileZilla Interface ] 3) Mercury (not in the USB & lite version): Postmaster: Postmaster (postmaster@localhost) Administrator: Admin (admin@localhost) User: newuser Password: wampp 4) WEBDAV: User: xampp-dav-unsecure Password: ppmax2011 Attention: WEBDAV is not active since XAMPP Version 1.7.4. For activation please comment out the httpd-dav.conf and following modules in the httpd.conf LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so Please do not forget to refresh the WEBDAV authentification (users and passwords). PS C:\Users\rupert\Documents> systeminfo Host Name: SLORT OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18363 N/A Build 18363 System Type: x64-based PC Hotfix(s): 9 Hotfix(s) Installed. ``` #### PEAS ``` [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson) [*] OS Version: 1909 (18363) [*] Enumerating installed KBs... [!] CVE-2020-1013 : VULNERABLE [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/ [!] CVE-2020-0796 : VULNERABLE [>] https://github.com/danigargu/CVE-2020-0796 (smbghost) [*] Finished. Found 2 potential vulnerabilities. httpd(5312)[c:\xampp\apache\bin\httpd.exe] -- POwn: rupert Permissions: Everyone [AllAccess], Users [AllAccess], Authenticated Users [WriteData/CreateFiles] Possible DLL Hijacking folder: c:\xampp\apache\bin (Everyone [AllAccess], Users [AllAccess], Authenticated Users [WriteData/CreateFiles]) Command Line: c:\xampp\apache\bin\httpd.exe FileZillaServer(5328)[c:\xampp\filezillaftp\filezillaserver.exe] -- POwn: rupert Permissions: Everyone [AllAccess], Users [AllAccess], Authenticated Users [WriteData/CreateFiles] Possible DLL Hijacking folder: c:\xampp\filezillaftp (Everyone [AllAccess], Users [AllAccess], Authenticated Users [WriteData/CreateFiles]) Command Line: c:\xampp\filezillaftp\filezillaserver.exe -compat -start TCP 127.0.0.1 14147 0.0.0.0 0 Listening 5328 c:\xampp\filezillaftp\filezillaserver.exe TCP 127.0.0.1 14147 0.0.0.0 0 Listening 5328 c:\xampp\filezillaftp\filezillaserver.exe Enumerating Security Packages Credentials Version: NetNTLMv2 Hash: rupert::SLORT:1122334455667788:38997ec0857cb5743121b2b7ab99739a:01010000000000001e1d682f9d90d70138b1764880d8a948000000000800300030000000000000000000000000200000f663d18cd73aea6296971421a8504d726b5c18d0dc870fe323f91ba57f1c75bb0a00100000000000000000000000000000000000090000000000000000000000 ProcessName : FileZillaServer ProcessId : 5328 CompanyName : FileZilla Project Description : FileZilla Server Version : 0, 9, 41, 0 Path : c:\xampp\filezillaftp\filezillaserver.exe CommandLine : c:\xampp\filezillaftp\filezillaserver.exe -compat -start IsDotNet : False ``` #### Windows-exploit-suggester ``` $ python windows-exploit-suggester.py -d 2021-08-13-mssb.xls -i sys.txt [*] initiating winsploit version 3.3... [*] database file detected as xls or xlsx based on extension [*] attempting to read from the systeminfo input file [+] systeminfo input file read successfully (ascii) [*] querying database file for potential vulnerabilities [*] comparing the 9 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits [*] there are now 160 remaining vulns [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin [+] windows version identified as 'Windows 10 64-bit' [*] [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important [*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135) [*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) [*] https://github.com/tinysec/public/tree/master/CVE-2016-7255 [*] [E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical [*] https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution [*] https://github.com/theori-io/chakra-2016-11 [*] [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important [*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) [*] [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important [*] https://github.com/foxglovesec/RottenPotato [*] https://github.com/Kevin-Robertson/Tater [*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege [*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation [*] [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important [*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC [*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC [*] [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical [*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC [*] [E] MS16-056: Security Update for Windows Journal (3156761) - Critical [*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056) [*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java­Script­Stack­Walker memory corruption [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important [*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC [*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC [*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#) [*] [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important [*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC [*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC [*] [E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important [*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC [*] [E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important [*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC [*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC [*] [E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important [*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC [*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC [*] [E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical [*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112) [*] [E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important [*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC [*] [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important [*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC [*] [E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical [*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/slort/5-box-enum.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.