12/2020

Description:

Target IP: 10.10.10.158.

A Windows machine hosts a project management web application. The foothold comes from a deserialization vulnerability in the authentication API: a reverse shell is obtained by calling system via the *Bearer* header submitted to */api/Account/*. winPEAS is then used to enumerate potential escalation vectors. In this challenge, the vector is Sync2Ftp, a custom FTP server. The encrypted Admin credential for the FTP service is found in its config file. Decompiling the Sync2Ftp binary reveals the decryption function, which is used to recover the superadmin credential that has access to the FTP service. The root flag is exposed over FTP because the shared folder is set to the entire user directory of superadmin.

Difficulty:

medium

Flags:

User: 34459a01f50050dc410db09bfb9f52bb

Root: 3cc85d1bed2ee84af4074101b991d441

Enumeration

Nmap port scan result.

Nmap service scan result.

! Discover services:

Examining SMB share with guest access.

! Unable to examine SMB share with guest access.