PG AuthBy
First, I log in to FTP using anonymous/anonymous. I see a uac folder with account names. I'll brute-force these accounts via FTP while I work on other things.
Log in as admin/admin in FTP. There is an .htpasswd file with the creds "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0".
Go to port 242 in the browser and log in as offsec/elite. The Windows PHP reverse shell doesn't work. I'll have to use the PHP[cmd]. I use msfvenom to make a shell.exe, transfer the file via FTP, and then trigger it with cmd=shell2.exe. The first one I made didn't work, but the second one did. I checked, and both were 32-bit.
WinPEASx86.exe doesn't work. I use winPEAS.bat instead. As the results run, I see SeImpersonatePrivilege is enabled. The box is from 2008. There could be a JuicyPotato vuln here. The potato priv esc is my favorite Windows privilege escalation. I stop enumerating and give it a go.
Lessons Learned
- Rediscovered hash-identifier
- Remember to use binary when transferring FTP files
- If a shell.exe doesn't work, generate it again.
- If something is missing, run nmap again. Port 242 showed up in second nmap scan.
- wget -m ftp://anonymous:anonymous@192.168.65.46 is a cool command. This was the first time I used it; I usually just get FILE 20 times.