Authby
OSCP Proving Grounds Authby Writeup (Windows)
Recon (Enumeration)
Nmap
nmap 192.168.212.46 -sV -sC --min-rate 3000 -p- -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-25 00:22 EST
Nmap scan report for 192.168.212.46
Host is up (0.042s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
| ---------- 1 root root 25 Feb 10 2011 UninstallService.bat
| ---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
| ---------- 1 root root 17 Aug 13 2011 StopService.bat
| ---------- 1 root root 18 Aug 13 2011 StartService.bat
| ---------- 1 root root 8736 Nov 09 2011 Settings.ini
| dr-xr-xr-x 1 root root 512 Nov 25 11:43 log
| ---------- 1 root root 2275 Aug 09 2011 LICENSE.htm
| ---------- 1 root root 23 Feb 10 2011 InstallService.bat
| dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
| dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
|_dr-xr-xr-x 1 root root 512 Jan 23 2023 accounts
242/tcp open http Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-title: 401 Authorization Required
3145/tcp open zftp-admin zFTPServer admin
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2023-01-22T09:37:27
|_Not valid after: 2023-07-24T09:37:27
| rdp-ntlm-info:
| Target_Name: LIVDA
| NetBIOS_Domain_Name: LIVDA
| NetBIOS_Computer_Name: LIVDA
| DNS_Domain_Name: LIVDA
| DNS_Computer_Name: LIVDA
| Product_Version: 6.0.6001
|_ System_Time: 2023-11-25T05:23:53+00:00
|_ssl-date: 2023-11-25T05:23:58+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FTP
Found an open FTP server, and anonymous credentials work (nmap's ftp-anon script had already confirmed this with FTP code 230).
Browsing the share I also found some interesting users.
So now we know that admin, offsec and anonymous accounts probably exist.
Let's try admin:admin to log into FTP!
Well, what do we have here! We're able to log in, and this account's share holds a credential we can use: a password hash.
I ran john on this hash and recovered the password elite.
Alrighty! Let's move on to initial access!
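To make visible what john does with a hash like this, here is an added example (not code from the writeup or from any tool it uses) in Python that verifies and wordlist-cracks Apache htpasswd entries offline. It assumes the hash is in htpasswd form, the format an Apache basic-auth realm like the one on port 242 normally keeps; the page does not show the file, so that is an assumption, and the sample entries, the salt and the wordlist below are constructed for the example rather than taken from the box.

```python
"""Offline verification and wordlist-cracking of Apache htpasswd entries.

Supports the two formats htpasswd writes most often: $apr1$ (htpasswd -m,
the default) and {SHA} (htpasswd -s). The sample entries and wordlist at the
bottom are constructed here, not taken from the target.
"""
import base64
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): `count` base-64 digits, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """APR1 MD5 crypt, following apr_md5_encode() from the APR sources.

    One digest mixes password, the "$apr1$" magic and the salt; the result
    is then stretched through 1000 rounds whose mixing order depends on the
    round number. The salt is truncated to 8 characters as Apache does.
    """
    pw = password.encode()
    sl = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    plen = len(pw)
    while plen > 0:                      # feed `alt` once per 16 bytes of pw
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # bits of len(pw) as 0x00 / pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):              # the slow stretching loop
        c1 = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c1.update(sl)
        if rnd % 7:
            c1.update(pw)
        c1.update(final if rnd & 1 else pw)
        final = c1.digest()
    f = final                            # Apache's byte permutation on output
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + sl.decode() + "$" + enc


def sha1_htpasswd(password: str) -> str:
    """`htpasswd -s` format: {SHA} followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify(stored: str, password: str) -> bool:
    """Check one candidate password against a stored htpasswd hash."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]      # "$apr1$<salt>$<hash>"
        candidate = apr1_md5(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    else:
        raise ValueError("unsupported htpasswd hash format: " + stored[:6])
    return hmac.compare_digest(candidate, stored)


def crack_entry(entry: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry matching a `user:hash` line, else None."""
    _user, stored = entry.strip().split(":", 1)
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


# Constructed sample data (not from the target): one htpasswd -m style entry
# and one htpasswd -s style entry for a user "offsec", plus a tiny wordlist.
SAMPLE_HTPASSWD = [
    "offsec:" + apr1_md5("elite", "Zu9OrVz0"),
    "backup:" + sha1_htpasswd("elite"),
]
SAMPLE_WORDLIST = ["password", "admin", "offsec", "elite", "letmein"]

if __name__ == "__main__":
    for line in SAMPLE_HTPASSWD:
        print(line, "->", crack_entry(line, SAMPLE_WORDLIST))
```

With john you pass the user:hash line straight in and it autodetects the format; the script above only exists to show the hash layout and why each apr1 guess costs a thousand MD5 rounds, which is what makes a short wordlist the right first move against it.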
Initial Access
You might have noticed there is a web server running on port 242 (Apache 2.2.21 with PHP 5.3.8, sitting behind HTTP basic auth).

Let's try our newfound credentials here!

Alrighty.
Remember our FTP server?
This is interesting: we have an FTP login that can write files, and I know this web server is running Apache + PHP.
Maybe we can upload a PHP web shell over FTP and then request it over HTTP?
Yes we can!

Look how pretty this web shell is!
I was able to retrieve the user flag by navigating to the user's account directory and reading proof.txt.
I upgraded my web shell to a reverse shell and started probing the machine.
I spent way too much time here, but this is a Windows Server 2008 (not R2; nmap reported Product_Version 6.0.6001) with zero patches applied.
Privilege Escalation
I delved into various potato exploits. These all need the current token to hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which a web server's service account usually does; whoami /priv is the quick way to confirm that before spending time on them.
It seems Juicy Potato (x86) was the one that was going to help us escalate privileges.
I attempted MS13-053 but to no avail.
JuicyPotato
I figured I'd give this a try.
Fail. Let's try another CLSID: JuicyPotato impersonates the token of whichever COM service the CLSID points at, so if that service isn't running as SYSTEM on this build, the exploit simply fails.
The following doc has a lot of handy CLSIDs.
So we find a suitable CLSID and test! JuicyPotato's -z switch only tests the CLSID and prints the impersonated token's user, which makes working through the list much faster than launching a payload each time.
In the middle I checked for nc. The machine didn't have it, so I had to upload it and then modify my payload to call back to me with a reverse shell.
We catch the shell and we are now NT AUTHORITY\SYSTEM!
GG!
Helpful Links