📔
Hack World
  • Welcome to Hack World
  • Writeup
    • Proving Grounds - Practice
      • AuthBy
      • Jacko
      • UT99
      • Sirol
      • Twiggy
      • Bratarina
      • Internal
      • Algernon
      • Metallus
      • Kevin
      • Helpdesk
      • Slort
      • Shenzi
      • Pelican
      • Walla
      • Zino
      • Nibbles
      • ZenPhoto
      • Wombo
    • CyberSecLabs
      • Lazy
      • Red
      • Shock
      • CMS
      • Debug
      • Leakage
      • Simple
      • Shares
      • Unroot
      • Outdated
      • Fuel
      • Pie
    • Vulnhub
      • Linux
        • BTRSys2.1
        • CyberSploit1
        • SunsetNoontide
    • HackTheBox
      • Cap
Powered by GitBook
On this page
  • nmap
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Writeup
  2. Proving Grounds - Practice

AuthBy

PreviousProving Grounds - PracticeNextJacko

Last updated 3 years ago

Was this helpful?

nmap

mkdir nmap
sudo rustscan -a 192.168.118.46 --ulimit 5000 -- -A -oA nmap/all-ports-service-scan

Open ports on 21 and 242

Enumeration

Visiting the HTTP Server on port 242 requires Basic Authentication

On FTP, logging in as anonymous seems to work.

I tried downloading the files but it seems I don't have read permission.

Looking at the directories, there's a folder called accounts

If I have to guess, these files are the usernames allowed to access this server.

Let's try to log in using admin as the username and password. And looks like there are 3 interesting files in this user account.

First, let's download all of these files on our local machine.

wget -r ftp://admin:admin@target-ip-address/

One of the files in there is called .htpasswd and it contains a username and the password hashed.

offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

Let's cracked this using john

We can also upload to the FTP server. I'm guessing, this means the FTP directory is where the website is hosted in. We can leverage this by uploading a PHP reverse shell via FTP and triggering it by vising the page using the credential we have cracked using john.

Exploitation

Create a PHP reverse shell. But on this demo, I will use this one. Copy the source code and put that in your machine. I named it to php-rev.php

Edit the IP Address and the port at the bottom of the script. Set the port to 242.

Set up a reverse shell listener on port 242

sudo nc -lvnp 242

Upload the shell via FTP

Open your browser, and trigger the exploit. Log in using the credentials we have found above.

http://targett-ip:242/php-rev.php

After that, you should receive your shell right away.

Privilege Escalation

Since winPEAS is not working somehow. I tried to search for privilege escalation exploits using WES-NG.

First, copy the output of systeminfo to our local machine.

Then execute the following to get the possible privilege escalation exploits.

sudo python3 wes.py systeminfo.txt -i "Elevation of Privilege"

After some time, I found this looking good exploit.

I have found a pre-compiled executable of this exploit here. Download a copy to your local machine.

Open an SMB Server to your machine.

sudo python /opt/impacket/examples/smbserver.py kali . -smb2support

Transfer the privilege escalation exploit.

After running the exploit, you should instantly get a SYSTEM shell.

Thanks and enjoy the rest of your day!