AuthBy Walkthrough (Practice) + TJNull
Keywords: FTP shell, compile priv-esc for Windows from Linux
We started with enumeration and found FTP with anonymous access and a web server.
I logged in to the FTP server and found a number of folders. It seemed that we did not have permission to open any of the files. I found a folder called Accounts, and in there we found a number of usernames (Offsec, anonymous and admin).
Since the anonymous account does not have permissions, I decided to see if any of the discovered accounts would have access rights on the FTP server. To do this, I needed to brute-force the passwords. I created a users list and used hydra.
I logged in to the server with admin:admin and found a number of files.
The index.php seemed to be the index page for the HTTP server. I visited the server, and it asked for a username and password. I tried the discovered admin:admin, but it did not work.
The other files were the htaccess and htpasswd, which included a hashed password.
I tried to crack the hash with john and got the creds for offsec.
I used these creds to log in to the webpage. The index page is indeed what we found on the FTP server.
There was only one attack vector, which is through the FTP server. I created a reverse PHP shell, uploaded it over FTP and tried to access it from the web, but it did not work.
I decided to use a cmd shell instead and uploaded it over FTP.
I visited the script and got a cmd.
I uploaded nc.exe to the FTP server.
Next, I ran a reverse shell using nc.
I got a shell!
I checked systeminfo and found out the system's details.
Checking online, I found an exploit.
I downloaded MS11-046 from searchsploit and compiled it.
I uploaded the exploit through FTP.
I ran the exploit and got root.
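
From the defender's side, the FTP-to-web step above leaves a detectable pattern: a script is uploaded over FTP and then requested over HTTP shortly afterwards. The following is an added example, not part of the original walkthrough, that correlates the two logs. The log formats, the 30-minute window, the function names and all sample lines are constructed assumptions, and it assumes the FTP root is the web root, as the walkthrough found.

```python
from datetime import datetime, timedelta

# Constructed sample logs in a simplified, hypothetical format (not from the page).
FTP_LOG = """\
2024-05-01T10:00:05 user=admin STOR /notes.txt
2024-05-01T10:02:11 user=admin STOR /cmd.php
2024-05-01T10:03:40 user=admin STOR /nc.exe
"""
HTTP_LOG = """\
2024-05-01T10:01:00 10.0.0.5 GET /index.php 200
2024-05-01T10:02:50 10.0.0.5 GET /cmd.php?q=1 200
2024-05-02T09:00:00 10.0.0.9 GET /index.php 200
"""

SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")  # server-side script types
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse_ftp(text):
    """Yield (time, user, path) for each FTP upload (STOR) record."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2] == "STOR":
            user = parts[1].partition("=")[2]
            yield datetime.fromisoformat(parts[0]), user, parts[3]

def parse_http(text):
    """Yield (time, client, path without query string) for each request."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, client, _method, url, _status = parts
            yield datetime.fromisoformat(ts), client, url.split("?", 1)[0]

def correlate(ftp_text, http_text):
    """Alert when a script uploaded over FTP is requested over HTTP within WINDOW."""
    uploads = {path: (ts, user) for ts, user, path in parse_ftp(ftp_text)
               if path.lower().endswith(SCRIPT_EXT)}
    alerts = []
    for ts, client, path in parse_http(http_text):
        if path in uploads:
            up_ts, user = uploads[path]
            if timedelta(0) <= ts - up_ts <= WINDOW:
                alerts.append({"path": path, "ftp_user": user, "client": client,
                               "delay_s": int((ts - up_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(FTP_LOG, HTTP_LOG):
        print(alert)
```

Detection aside, the underlying fix is to keep the FTP upload directory out of the web root, or to make it non-executable for the web server.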