AuthBy
Enumeration and pillaging like bandits in the old country.
Information
Difficulty: Intermediate
Community Rating: Hard
Enumerated Ports & Services

| Port | Service | Protocol |
| --- | --- | --- |
| 21 | zFTP v 6.0 | TCP(6) |
| 242 | HTTP | TCP(6) |
| 3145 | zFTP Admin | TCP(6) |
| 3389 | MS RDP | TCP(6) |


Findings
Port 242
HTTP webserver was found and basic authentication was prompted:

Let's note it down; maybe it will be useful later on.
Port 21 - Anonymous Logon
FTP allowed anonymous access but nothing was available to see or download. Tried default credentials on host and got in with admin:admin.
After logging in, there were 3 files available:

The .htpasswd file contained an Apache password hash with a username. This .htpasswd might be used for the website hosted on port 242. Let's proceed to crack it!!

Let's check which mode to use for the hash:

Now let's proceed with trying to crack the password:
After a few mins, the password is cracked:

Now let's try and access the website on port 242...
Told you I'd be back, 242

Excellent, we were able to do basic authentication! Now can we write to the FTP server with our anonymous logon?
FTP Misconfiguration vulnerability
Now if I were to upload a PHP file through FTP with anonymous creds, what should I-- let's try good ol' phpinfo :)
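A defender's view of this finding, as an added example that is not part of the original write-up: when the FTP root and the web root are the same directory, an FTP upload of a script followed by an HTTP request for the same path is a strong signal worth alerting on, as is an FTP download of `.htpasswd`. The log format, addresses and timestamps below are constructed for illustration and are not the native formats of zFTP or the web server.

```python
from datetime import datetime, timedelta

# Extensions a web server may execute rather than just serve.
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
SECRET_FILES = (".htpasswd", ".htaccess")
WINDOW = timedelta(minutes=30)

# Constructed sample logs in a simplified, made-up format:
#   FTP : timestamp client user command path
#   HTTP: timestamp client method path status
FTP_LOG = """\
2024-01-01T10:00:00 192.0.2.10 admin STOR /info.php
2024-01-01T10:01:00 192.0.2.10 admin RETR /.htpasswd
2024-01-01T10:05:00 192.0.2.44 anonymous STOR /notes.txt
"""
HTTP_LOG = """\
2024-01-01T10:00:40 192.0.2.10 GET /info.php 200
2024-01-01T10:06:00 192.0.2.44 GET /notes.txt 200
2024-01-01T12:00:00 192.0.2.77 GET /index.php 200
"""

def parse(log):
    """Yield (datetime, f1, f2, f3, f4) for each well-formed 5-field line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield (datetime.fromisoformat(parts[0]), *parts[1:])

def find_alerts(ftp_log, http_log, window=WINDOW):
    """Flag credential-file downloads and scripts requested soon after upload."""
    alerts, uploads = [], {}
    for ts, ip, user, cmd, path in parse(ftp_log):
        name = path.rsplit("/", 1)[-1].lower()
        if cmd == "RETR" and name in SECRET_FILES:
            alerts.append(("credential-file-download", path, ip))
        elif cmd == "STOR" and name.endswith(SCRIPT_EXT):
            uploads[path.lower()] = ts  # remember when the script arrived
    for ts, ip, method, path, status in parse(http_log):
        # Assumes FTP paths map 1:1 onto URL paths (shared root directory).
        uploaded = uploads.get(path.split("?")[0].lower())
        if uploaded and status == "200" and timedelta(0) <= ts - uploaded <= window:
            alerts.append(("uploaded-script-executed", path, ip))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(FTP_LOG, HTTP_LOG):
        print(alert)
```

The durable fix is configuration rather than detection: separate the FTP root from the web root, keep `.htpasswd` outside any served or FTP-exposed directory, and remove default FTP credentials.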


Now let's upload a PHP web shell, check who we are and try to get the first flag:



Excellent! We got our first flag! Next... Let's download the nc.exe binary to the host to get a reverse shell:


...and we got it!

Let's check our privs!

Looks like we have SeImpersonatePrivilege. Let's enumerate system and see what OS version we are sitting on :)
Privilege Escalation
After enumerating the version of Windows, I found that it is vulnerable to a local privilege escalation exploit, MS11-046:

So let's search for and download the exploit binary and execute it!


After getting SYSTEM access, I proceeded to get my trophy, proof.txt:
