
Proving Grounds - Butch (Windows)

Proving Grounds Butch Windows walkthrough covering reconnaissance and initial access via default web application credentials.


Overview

Field                      Value
OS                         Windows
Difficulty                 Not specified
Attack Surface             IIS web application (port 450) and SMTP
Primary Entry Vector       Default credentials (butch:awesomedude)
Privilege Escalation Path  Under investigation

Credentials

Username  Password     Source
butch     awesomedude  Default / guessed credentials for the web app

Reconnaissance

💡 Why this works: This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.

rustscan -a $ip -r 1-65535 --ulimit 5000

Open 192.168.178.63:21
Open 192.168.178.63:25
Open 192.168.178.63:135
Open 192.168.178.63:139
Open 192.168.178.63:445
Open 192.168.178.63:450
Open 192.168.178.63:5985

Nmap service detection against the open ports:

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
25/tcp   open  smtp          Microsoft ESMTP 10.0.17763.1
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
450/tcp  open  http          Microsoft IIS httpd 10.0
|_http-title: Butch
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

SMTP banner confirmed the hostname as butch:

echo -e "EHLO test\r\nQUIT" | nc $ip 25

220 butch Microsoft ESMTP MAIL Service, Version: 10.0.17763.1 ready
250-butch Hello [192.168.45.166]
250-TURN
250-SIZE 2097152
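As an added example (not part of the original walkthrough), a small Python parser for the nmap service table and the SMTP banner captured above that turns them into the exposure findings a defender would triage, matching the items under Lessons Learned; the SENSITIVE port policy is an assumption, and both samples are embedded as constructed strings copied from the scan output.

```python
import re

# One nmap table row: port/proto, state, service (nmap marks guesses with '?'), version.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: the nmap -sV table from the reconnaissance step above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
25/tcp   open  smtp          Microsoft ESMTP 10.0.17763.1
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
450/tcp  open  http          Microsoft IIS httpd 10.0
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# Constructed sample: the SMTP greeting and EHLO reply captured above.
SMTP_REPLY = """\
220 butch Microsoft ESMTP MAIL Service, Version: 10.0.17763.1 ready
250-butch Hello [192.168.45.166]
250-TURN
250-SIZE 2097152
"""

def parse_nmap(text):
    """Return {port: (service, version)} for every open row in an nmap -sV table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4).rstrip("?"), m.group(5).strip())
    return ports

def smtp_hostname(reply):
    """Hostname the server announces in its 220 greeting, or None if absent."""
    return m.group(1) if (m := re.match(r"^220 (\S+)", reply)) else None

# Hypothetical policy: services the takeaways say should not face an untrusted network.
SENSITIVE = {21: "ftp", 25: "smtp", 445: "smb", 5985: "winrm"}

def findings(nmap_text, smtp_reply):
    """List the exposures and banner leakage a defender would triage from this scan."""
    ports = parse_nmap(nmap_text)
    out = [f"{label} exposed on {port}/tcp: {' '.join(ports[port]).strip()}"
           for port, label in sorted(SENSITIVE.items()) if port in ports]
    host = smtp_hostname(smtp_reply)
    if host:
        out.append(f"smtp banner discloses hostname '{host}'; audit web apps on it for hostname-derived default accounts")
    return out
```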

Initial Foothold

At this stage, the following commands progress the attack chain and validate the next hypothesis. We are looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved so the workflow stays reproducible for follow-along testing.

SMB and FTP anonymous access were both denied:

smbclient -L //$ip -N
# session setup failed: NT_STATUS_ACCESS_DENIED

ftp $ip
# anonymous login failed: 530 User cannot log in.

The web application on port 450 accepted default credentials butch:awesomedude:

http://$ip:450/
# Login: butch / awesomedude

💡 Why this works: The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.

Privilege Escalation

Under investigation.

💡 Why this works: Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.

Lessons Learned / Key Takeaways

  • Never deploy web applications with default or obvious credentials matching the machine hostname.
  • Disable anonymous access to FTP and SMB unless explicitly required.
  • WinRM (port 5985) exposure should be restricted to management networks only.

References

  • RustScan: https://github.com/RustScan/RustScan
  • Nmap: https://nmap.org/

This post is licensed under CC BY 4.0 by the author.