AuthBy

Information

Enumerated Ports & Services

Findings

Port 242

HTTP webserver was found and basic authentication was prompted:

Let's note it down and maybe it will be useful later on?

Port 21 - Anonymous Logon

FTP allowed anonymous access but nothing was available to see or download. Tried default credentials on host and got in with admin:admin.

After logging in, there were 3 files available:

The .htpasswd file contained a apache password hash with a username. This .htpasswd might be used for the website hosted in port 242. Let's proceed to crack it!!

Let's check which mode to use for the hash:

Now let's proceed with trying to crack the password:

After a few mins, the password is cracked:

Now let's try and access the website on port 242...

Told you I'd be back, 242

Excellent, we were able to do basic authentication! Now can we write to the FTP server with our anonymous logon?

FTP Misconfiguration vulnerability

Now if I were to upload a PHP file through FTP with anonymous creds, what should I-- let's try good ol' phpinfo :)

Now let's upload a PHP web shell, check who we are and try to get first flag:

Excellent! We got our first flag ! Next... Let's download the nc.exe binary to the host to get a reverse shell:

...and we got it!

Let's check our privs!

Looks like we have SeImpersonatePrivilege. Let's enumerate system and see what OS version we are sitting on :)

Privilege Escalation

After enumerating the version of Windows, I found that it is vulnerable to a local privilege escalation exploit, MS11-046 :

So let's search for and download the exploit binary and execute!

After getting SYSTEM access, I proceeded to get my trophy, proof.txt:

# Final Notes

References

Page not found - HackTricksbook.hacktricks.xyz

Microsoft Security Bulletin MS11-046 - ImportantMicrosoftLearn

WindowsExploits/MS11-046 at master · abatchy17/WindowsExploitsGitHub