🔬 Windows: Workflow Platform
Nmap scan
Observations:
the OS is Windows Server between 2008 R2 and 2012
a web server is running, using PHP
a MySQL server is running, but we can't access it (unauthorized): this suggests that either no authentication credentials were provided during the scan or the scan was not able to authenticate successfully with the MySQL service
RDP is running but we don't know any credentials
Start from the web server, which seems more promising, and simply open the browser to see what you find (a web app called ProcessMaker).
Looking at the page source (Ctrl+U) and at the bottom of the page doesn't reveal any version we could use to check for exploits.
💡 Search for default credentials online --> user: admin | password: admin
Once you are logged in, you can find the app version under ADMIN > Settings. You can also see why a MySQL database is running.
Since the lab doesn't have internet access, we need to use searchsploit:
We have credentials, so copy that exploit locally to check its code.
The description tells us what it does. To exit the vim editor, press ESC and then type :q!
Since it's a Metasploit module, open msfconsole and create a new workspace.
The exploit we were looking for is exploit/multi/http/processmaker_exec.
Set RHOST and then run the exploit.