May 2, 2025

AuthBy Proving Grounds Write-Up

Proving Grounds AuthBy machine walkthrough

SUMMARY

This write-up covers the AuthBy machine from OffSec’s Proving Grounds, a Windows machine where anonymous FTP access provided the initial foothold.

The FTP server allowed anonymous login, and browsing the accounts directory revealed usernames along with an admin account. Logging in as admin exposed a .htpasswd file containing a hashed password for the user offsec. The hash was cracked with hashcat, and the credentials were used to authenticate to the web application. Since the FTP share mapped to the web root, a PHP webshell was uploaded via FTP and accessed through the browser to achieve remote command execution, followed by a reverse shell.

The compromised user had SeImpersonatePrivilege, but the system ran on x86 architecture, making standard PrintSpoofer ineffective. JuicyPotato-x86, a 32-bit build, was used instead to escalate to NT AUTHORITY\SYSTEM.

An alternative path existed via a kernel exploit: the system was running an old Windows 6 kernel vulnerable to MS11-046, and a pre-compiled exploit delivered SYSTEM-level access.
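
From the defender's side, the exposure in the primary path (one directory served by both FTP and the web server, holding a .htpasswd file and accepting script uploads) can be audited on disk. The Python sketch below is an added example, not part of the original write-up; the function names, the `.php` extension list and the sample tree are assumptions, and all sample users and hashes are constructed.

```python
import os
import re
import tempfile

# Apache htpasswd hash formats by prefix/shape, with a defender-facing rating.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "weak"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", "weak"),
]

def classify_hash(value):
    for pattern, name, rating in SCHEMES:
        if pattern.match(value):
            return name, rating
    return "unknown-or-plaintext", "weak"

def audit_share(root, script_exts=(".php",)):
    """Walk a directory served by both FTP and the web server; list findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            if fname.lower() == ".htpasswd":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = [l.strip() for l in fh]
                for line in lines:
                    if not line or line.startswith("#") or ":" not in line:
                        continue
                    user, hashed = line.split(":", 1)
                    findings.append(("credential-file", rel, user, *classify_hash(hashed)))
            elif fname.lower().endswith(script_exts):
                findings.append(("server-side-script", rel, "", "", "review"))
    return sorted(findings)

def demo():
    # Constructed sample tree: users and hashes are placeholders, not from the machine.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".htpasswd"), "w") as fh:
            fh.write("alice:$apr1$CONSTRCT$" + "0" * 22 + "\n")
            fh.write("bob:$2y$10$" + "A" * 53 + "\n")
        with open(os.path.join(root, "upload.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>\n")
        return audit_share(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any `credential-file` finding inside an FTP-reachable tree is worth fixing regardless of its rating, since a hash that can be downloaded can be attacked offline; the rating only indicates how quickly.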


PATH TO FOLLOW

Primary Path:

  1. Reconnaissance & Anonymous FTP Enumeration
  2. User Discovery & Admin Credential Reuse
  3. Hash Extraction from .htpasswd & Cracking
  4. PHP Webshell Upload via FTP-Mapped Webroot
  5. Reverse Shell via Web Execution
  6. Privilege Escalation via JuicyPotato-x86 (SeImpersonatePrivilege on x86)
  7. Shell as NT AUTHORITY\SYSTEM

Alternative Path:

  1. Kernel Version Fingerprinting
  2. MS11-046 Kernel Exploit Identification & Execution
  3. Shell as NT AUTHORITY\SYSTEM

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.