AuthBy Walkthrough (Practice) + TJNull

Dr Mahdi Aiash
Apr 17, 2024

Keywords: FTP shell, compile priv-esc for Windows from Linux

We start with enumeration: we found FTP with anonymous access and a web server.

I logged in to the FTP and found a number of folders. It seemed that we did not have permissions to open any of the files. I found a folder called Accounts; in there we found a number of usernames (Offsec, anonymous and admin).

Since the anonymous account does not have permissions, I decided to see if any of the discovered accounts would have access rights on the FTP. To do this, I needed to brute-force the passwords. I created a users list and used hydra.

I logged in to the server with admin:admin and found a number of files.

The index.php seems to be the index page for the HTTP server. I visited the server, and it asked for a username and password. I tried the discovered admin:admin, but it did not work.

The other files include the htaccess and htpasswd, which included a hashed password.

I tried to crack the hash with john and got the creds for offsec.

I used these creds to log in to the webpage. The index page is indeed what we found on the FTP.

There was only one attack vector, which is through the FTP. I created a reverse PHP shell, uploaded it to the FTP and tried to access it from the web, but it did not work.

I decided to use a cmd shell and uploaded it to the FTP.

I visited the script and got a cmd.

I uploaded nc.exe to the FTP server.

Now, I run a reverse shell using nc.

I got a shell!

I checked the systeminfo and found out the system's details.

Checking online, I found an exploit.

I downloaded MS11-046 from searchsploit and compiled it.

I uploaded the exploit through FTP.

I ran the exploit and got root.
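From the defender's side, the chain above leaves a clear trace: a script or binary is written over FTP and the same path is requested over HTTP shortly afterwards. The following is an added detection sketch, not part of the original walkthrough; the log lines are constructed, the FTP log layout is an assumption, and it assumes the FTP root is also the web root, as it was on this box.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample logs; the FTP layout (date time user command path) is assumed.
FTP_LOG = """\
2024-04-17 10:01:12 admin STOR /shell.php
2024-04-17 10:03:40 admin STOR /nc.exe
2024-04-17 10:04:02 admin RETR /index.php
2024-04-17 10:20:15 admin STOR /notes.txt
"""
# Constructed web access log (Common Log Format), assumed to share the FTP log's time zone.
HTTP_LOG = """\
192.0.2.10 - offsec [17/Apr/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024
192.0.2.10 - offsec [17/Apr/2024:10:02:05 +0000] "GET /shell.php?x=1 HTTP/1.1" 200 312
192.0.2.77 - offsec [17/Apr/2024:11:30:00 +0000] "GET /notes.txt HTTP/1.1" 200 20
"""

RISKY_EXT = (".php", ".asp", ".aspx", ".exe", ".dll", ".bat")
WINDOW = timedelta(hours=1)  # how long after an upload a request counts as related
HTTP_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def ftp_uploads(log):
    """Map each uploaded script/binary path to (upload time, FTP user)."""
    uploads = {}
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) == 5 and parts[3] == "STOR" and parts[4].lower().endswith(RISKY_EXT):
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            uploads[parts[4].lower()] = (ts, parts[2])
    return uploads

def correlate(ftp_log, http_log):
    """Return (path, ftp_user, client_ip, status) for uploads later fetched over HTTP."""
    uploads = ftp_uploads(ftp_log)
    findings = []
    for line in http_log.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        ip, _user, when, _method, target, status = m.groups()
        path = urlsplit(target).path.lower()  # drop the query string before matching
        if path not in uploads:
            continue
        up_ts, ftp_user = uploads[path]
        req_ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if timedelta(0) <= req_ts - up_ts <= WINDOW:
            findings.append((path, ftp_user, ip, int(status)))
    return findings
```

Paths returned by `ftp_uploads` that never appear in `correlate` output (here `/nc.exe`) are still worth reviewing, since a binary stored in a web root is unusual on its own.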
