Authby – Proving Grounds Walkthrough


AuthBy is rated “Hard” by the OffSec community. This box provided some unique experience’s and you will go away from this box with some new skills.
Start our nmap
sudo nmap -sV -sC -p- 192.168.73.46 -oN nmap/authbyfull -v


Let’s start by checking for anonymous login on port 21.


We have basic PERMS. We can see there are 3 accounts. We are already on this ftp as ‘anonymous’ however we can see there is two more possible accounts, ‘Offsec’ and ‘admin’


We try to login anonymously on FTP port 3145 but it doesn’t work.


Check searchsploit for zftp – Nothing really of interest as the Directory Traversal is for removing directories. We definitely don’t want to do that.


Let’s probe at port 242. It required authentication.


As of right now, the best information we have is the username we were able to read from the anonymous FTP login. Let’s try and start brute-forcing the password for the admin and offsec FTP accounts.
hydra -L users.txt -P /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt 192.168.79.46 ftp –V -f
We quickly fine one. We probably could of just guessed that but brute forcing is funner.


Log back into ftp as the admin user.


Let’s get local copies of these files.


When we cat the index.php, it has same welcome message as the HTTP site on port 242. Let’s cat the .htpasswd file.


Let’s use hashcat to try and crack this hash. To quickly check what mode to use, run the following, and then search through the results for the corresponding hash type. Apr1 is a hash function that uses MD5.
hashcat --example-hashes


And start hashcat with the –user flag.
hashcat -m 1600 .htpasswd /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --user
We quickly get the password of “elite”


Let’s login into the website. Pretty boring.


We have access to this webserver via the FTP right? So let’s create a .php file with a reverse shell in it. For Windows-based machines, I have a lot of success with this one.


Upload it via FTP and start our Netcat listener.
put shell.php


Navigate to the shell.php in our web browser. We get an error straight away.


We need to change the tmp directory in our php file to c:\wamp\www and re-run it.


And we get our first shell back.


Grab the first flag from the apache users Desktop.


Systeminfo reveals this is a Server 2008 box with no patches installed.


Let’s move straight to CVE-2018-8120, which I have had a lot of success with.
Create a new reverse listener;


Upload the CVE binary and the listener to the victim.
You can even run it straight away with a command;


Let’s use it to run our reverse shell.


Which now comes back as SYSTEM.


If you come across a box that is vulnerable to this CVE, always consider it!