search
Read BlogpostsLet's Connect

windowsAuthby

Privilege escalation using Kernel level exploit

hashtag
Summary.

  • Enumeration of the FTP server with Anonymous access enabled revealed potential usernames

    • Bruteforcing gave away the credentials for the admin user.

  • Logging into FTP as Admin provided access to a .htpasswd file containing web server credentials.

  • With write access to FTP, a reverse shell was uploaded to gain an initial foothold on the machine.

  • Finally, the MS11-046arrow-up-right vulnerability was leveraged to elevate access to the Administrator user.

hashtag
🧵Let's Unpack

hashtag
Enumeration

#nmap
sudo nmap -sC -sN -A -oN nmapFull -p- -A 192.168.161.46

>
 
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Jun 29 19:09 log
| ----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Mar 23 13:28 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-title: 401 Authorization Required
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2024-06-29T12:17:15+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2024-03-22T06:28:30
|_Not valid after:  2024-09-21T06:28:30
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2024-06-29T12:17:10+00:00

Enumerating FTP

Discovered Credential

hashtag
Initial Foothold

hashtag
Getting a shell on the server

  • We have admin credentials for FTP that hold the file for the webserver.

  • We know the credentials of the HTTP server.

  • We can simply upload a web shell using an FTP server and open it on the http server

hashtag
Privilege Escalation/Lateral Movement

Using windows-exploit-suggestor to find priv escalation vector

LogoGitHub - strozfriedberg/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHubchevron-right

Found a priv Escalation vector -> MS11-046

https://www.exploit-db.com/exploits/40564arrow-up-right

PreviousJackoNextAccess

Last updated