AuthBy - Proving Grounds Practice
Enumeration
Nmap
The initial Nmap scan revealed that uncommon ports and an FTP port were open.
FTP Enumeration
FTP allowed an anonymous session, but the anonymous user had no read or write permissions.
However, I found uac files which revealed FTP usernames.
Then I brute-forced the login with an FTP wordlist and found out that admin:admin is also a valid credential.
Exploitation
.htpasswd cracking
I logged in as admin and found that 3 files were readable (‘index.php’, ‘.htpasswd’, ‘.htaccess’). Then I did some research and found out that the .htaccess file is used to restrict access to a website by setting up basic auth, and the .htpasswd file is used to store the username and hashed password.
Then I simply cracked the hash using hashcat.
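Seen from the defender's side, how quickly a leaked .htpasswd falls depends on which hash scheme each entry uses. The following audit script is an added example, not part of the original write-up: it classifies every entry by scheme and flags anything weaker than bcrypt. The `MIN_BCRYPT_COST` threshold is an assumed policy value and the sample entries are constructed filler, not real hashes.

```python
import re
# Hash formats htpasswd can write, matched by their shape.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt"),
]
MIN_BCRYPT_COST = 10  # assumed policy threshold, not from the page

def classify(hash_field):
    """Return (scheme, bcrypt cost or None) for one htpasswd hash field."""
    for pattern, name in SCHEMES:
        m = pattern.match(hash_field)
        if m:
            return name, int(m.group(1)) if name == "bcrypt" else None
    return "plaintext-or-unknown", None

def audit_htpasswd(text):
    """Return (line_no, user, scheme, finding) for every entry in the file."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        if not sep:
            results.append((no, line, "malformed", "no ':' separator"))
            continue
        scheme, cost = classify(field)
        if scheme == "bcrypt":
            finding = "ok" if cost >= MIN_BCRYPT_COST else f"bcrypt cost {cost} too low"
        else:
            finding = f"weak scheme {scheme}: regenerate with htpasswd -B"
        results.append((no, user, scheme, finding))
    return results

# Constructed sample file: filler strings with the right shape, not real hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "A" * 53,
    "bob:$apr1$" + "saltsalt$" + "B" * 22,
    "carol:{SHA}" + "C" * 27 + "=",
    "dave:$2y$04$" + "D" * 53,
    "erin:" + "E" * 13,
])

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE):
        print(*row, sep="\t")
```

The scheme only slows offline guessing; the file also should not sit in a directory that an FTP account can read.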
Web Login
Then I logged in to the website running on port 242, which only showed the index.php file.
I then tested whether FTP put could upload files, and it worked. I simply uploaded a PHP reverse shell via FTP put and got a reverse shell.
User Flag
Then I obtained the user flag.
Privilege Escalation
SeImpersonatePrivilege
The SeImpersonatePrivilege was enabled for the apache user.
I tried to exploit it with many methods, but it did not work. I later found out that on older Windows versions (such as Windows 7 or Server 2008 R2), the combase.dll library does not exist, and the vulnerability occurs because of that DLL. So the versions below are vulnerable:
- Windows Server 2012 to Windows Server 2022
- Windows 8 to Windows 11
But the current machine is not vulnerable because it is Windows Server 2008.
MS11-046
Then I checked the system version and found out that this version has a kernel-level privilege escalation vulnerability.
While searching for an exploit, I found the windows-kernel-exploits repo, which included many executable exploit files for kernel exploits.
So I simply uploaded it, ran it, and got the SYSTEM shell.
Then I read the root flag.