Skip to content

CyberSecLabs Boats Write-Up

Boats is a free beginner box on that leverages an open phpmyadmin dashboard to gain a root shell on the box. Let’s get started.

Table of Contents


We’ll start off by firing up autoenum (found here) and supplying it with the IP of the box (

Once we’ve supplied autoenum with an IP, a menu will open up allowing us to choose a scan profile (I tend to opt for aggr) and let it run.

80/tcp    open  http               Apache httpd 2.2.11 ((Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9)                                                                                                                 
| http-cookie-flags:                                                                                                                                                                                                                         
|   /:                                                                                                                                                                                                                                        
|     PHPSESSID:                                                                                                                                                                                                                              
|_      httponly flag not set                                                                                                                                                                                                                 
|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289                                                                                                                                                                         
|_http-generator: WordPress 4.0.1                                                                                                                                                                                                             
| http-methods:                                                                                                                                                                                                                               
|_  Supported Methods: GET HEAD POST OPTIONS                                                                                                                                                                                                  
|_http-title: Boats | Boats                                                                                                                                                                                                                   
135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                                                                                                      
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                                                                                                              
443/tcp   open  ssl/https?                                                                                                                                                                                                                    
|_ssl-date: 2020-08-30T18:35:30+00:00; -4s from scanner time.                                                                                                                                                                                 
| sslv2:                                                                                                                                                                                                                                      
|   SSLv2 supported                                                                                                                                                                                                                           
|   ciphers:                                                                                                                                                                                                                                  
|     SSL2_DES_64_CBC_WITH_MD5                                                                                                                                                                                                                
|     SSL2_DES_192_EDE3_CBC_WITH_MD5                                                                                                                                                                                                          
|     SSL2_RC4_128_WITH_MD5                                                                                                                                                                                                                  
|     SSL2_RC2_128_CBC_WITH_MD5                                                                                                                                                                                                               
|     SSL2_RC4_128_EXPORT40_WITH_MD5                                                                                                                                                                                                          
|     SSL2_IDEA_128_CBC_WITH_MD5                                                                                                                                                                                                              
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5                                                                                                                                                                                                      
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds                                                                                                                                                       
3306/tcp  open  mysql              MySQL (unauthorized)                                                                                                                                                                                       
3389/tcp  open  ssl/ms-wbt-server?                                                                                                                                                                                                            
| rdp-ntlm-info:                                                                                                                                                                                                                              
|   Target_Name: BOATS                                                                                                                                                                                                                        
|   NetBIOS_Domain_Name: BOATS                                                                                                                                                                                                                
|   NetBIOS_Computer_Name: BOATS                                                                                                                                                                                                              
|   DNS_Domain_Name: Boats                                                                                                                                                                                                                    
|   DNS_Computer_Name: Boats                                                                                                                                                                                                                  
|   Product_Version: 6.3.9600                                                                                                                                                                                                                 
|_  System_Time: 2020-08-30T18:35:01+00:00                                                                                                                                                                                                    
| ssl-cert: Subject: commonName=Boats                                                                                                                                                                                                         
| Issuer: commonName=Boats                                                                                                                                                                                                                    
| Public Key type: rsa                                                                                                                                                                                                                        
| Public Key bits: 2048                                                                                                                                                                                                                       
| Signature Algorithm: sha256WithRSAEncryption                                                                                                                                                                                                
| Not valid before: 2020-04-21T19:39:55                                                                                                                                                                                                       
| Not valid after:  2020-10-21T19:39:55                                                                                                                                                                                                       
| MD5:   6b62 b19c 0b8a bbd5 f5cf 8d45 0bc2 7c28
|_SHA-1: fa58 dc19 bcb2 b42a 0288 acad 7203 2a3d b357 360d
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49162/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
49164/tcp open  msrpc              Microsoft Windows RPC

We have quite a few ports open, but not too many strike me as interesting. msrpc usually has nothing and 5985 + 47001 are for winRM, which is post exploitation so this won’t be a way in. 3306 and 3389 don’t seem like anything unless there is nothing we can do on the ports that do pique our interest at a glance. Ports 139 and 445 are samba and might have something, let’s see if we can do anything here.

Doesn’t look like we’ll be able to do anything without creds so this is a no go. This leaves us with 80.

Enumerating HTTP

Taking a look at the directories autoenum picked up, we see that a certain directory sticks out like a sore thumb.

We have quite a few wp dirs so we know whatever is on 80 is hosted on wordpress but that’s not it. Looking towards the end of the list we see phpmyadmin. That certainly is an great find. Maybe we’ll get lucky and be able to get in using some default creds.

Turns out we don’t even need creds, it’s an open admin dashboard! After a bit of googling, I found this. Looks like we can execute SQL code to get php code exec by creating a new database.


We can create a new database by using the Create new database option at the bottom of the Databases tab and clicking on the create button.

I created a new database called letsgetashell, feel free to name yours whatever you’d like. Now that we have a db created, go to the sql tab where you’ll find a console we can use to run SQL queries.

We’ll use the code above to get us a webshell we can use to run commands on the machine. Hit run and navigate to You should see a page that looks like this.

This is good, this means the php code executed successfully. Now that we’ve verified this, we’ll start passing commands using this webshell and upgrade to a reverse shell. Let’s generate a reverse shell using msfvenom and get a shell that way.

We have a shell so now all that’s left to do is host it using py http server and fetching it using certutil.

Let’s verify the file was indeed fetched from the server.

As we can see, the file was fetched and is on the machine, now we’ll open up a listener on the port we set and run the shell.

Now that we ran the shell uploaded, let’s head back to our terminal and check our listener.

And we have a root shell!

Published inCyberSecLabsWindows