OSCP Practice: Weak Credentials
Summary
When we began our review of this server, we identified that it was running FTP. The FTP server allowed anonymous access and exposed the names of three user accounts. Using these account names with hydra, we found weak credentials for the admin account. Logging in to the FTP server as admin gave write access to a web root directory: testing showed that we could upload files to the web server, but we could not yet request them.
Initially, the web server was protected with HTTP basic authentication, but again we used the known account names with hydra to find a second set of credentials. Once we could pass the HTTP authentication, we were able to access the files we had uploaded over FTP.
The server ran PHP, so we uploaded a PHP webshell to get RCE. To make interaction with the webshell easier, we used Burp Repeater to build the payload. Once we had a working payload, we got a callback to an nc listener.
Privilege escalation on the box was done with a known exploit (JuicyPotato), once we saw that it was a 32-bit Windows 2008 system and that our shell had SeImpersonatePrivilege.
Recommendations
First, if anonymous FTP access is not required, it should be disabled. The credentials for the FTP admin account also need to be changed: passwords should be long and complex enough that they will not be found with common word lists.
The credentials for the Offsec user in the web server's .htpasswd file also need to be strong, so that the web directory cannot be reached by anyone who should not have access.
Lastly, only systems with some form of vendor support should be used. The server should be upgraded to a modern operating system that still receives vendor support and security updates.
Initial Access
NMAP Scans
In the initial scan we can see anonymous FTP access with an accounts folder.
We also found port 242 open, so we scanned it in more detail to find out what it was used for.
Our detailed scan of the uncommon port showed that port 242 was a web server.
We found the user account names in the FTP server's accounts directory.
Running hydra against FTP with a default-credentials list showed that the admin account's password was weak.
Logging in to the FTP server with the new credentials gave access to a web directory.
Testing showed that we were able to place a text file in the remote web directory.
Initially, we could not reach the web directory over HTTP because of HTTP basic authentication.
Hydra was used to find credentials here too, with a longer word list and the known user account names.
With access to the web server achieved, we uploaded a PHP webshell to get RCE.
Once the shell was uploaded, we verified RCE with Burp Repeater.
To get a reverse shell, we uploaded an nc binary through the FTP server.
With the nc binary on the remote system, we used a URL-encoded payload to get a callback.
Privilege Escalation
Looking at our user privileges, we saw that SeImpersonatePrivilege was set.
Again, we made use of the FTP server and uploaded a JuicyPotato exploit to the system.
We used this command to execute our callback with JuicyPotato.
With that, we had SYSTEM-level access and could read the proof files on the box.