Django

Nmap Scan

Port 21 is open, which means FTP is running. We do not have a credential yet, so we might as well try the "anonymous" login, as seen in the Nmap scan.

Perusing the XAMPP-control.log file shows that the password is stored at C:\xampp\passwords.txt.

The web service on port 80 is just the usual XAMPP dashboard (including the phpMyAdmin page), the same as on port 443, so we took a closer look at FTP and found that the service, "Home Ftp Server", is vulnerable.

https://www.exploit-db.com/exploits/34050

Running the Python script, we got the MySQL (phpMyAdmin) password and username.

We create a new DB and put PHP shell code in the SQL tab.

We used revshells.com to create a PowerShell payload to give us a reverse shell.

Privilege Escalation

I used msfvenom to create a Meterpreter payload so I can use msfvenom for privilege escalation.

Use the Exploit Suggester for Metasploit to scan the system and find a possible exploit that would grant us Admin.

The pictures are self-explanatory, I hope 😉