Enumeration

Nmap

The initial Nmap scan revealed that port 8080, SMB and some common Active Directory ports were open.

00 - nmap

Exploitation

SSRF to NTLMv2 Theft

The website on port 8080 was a simple proxy site, but it was vulnerable to SSRF. So I started Responder and captured the user's NTLMv2 hash via the SSRF.

01 - web

02 - ntlmv2

Then I simply cracked it.

03 - cracked

Then I logged in as the enox user and obtained the user flag.

05 - user flag

Lateral Movement

Read GMSA Password

Then I ran the bloodhound-python command below:

bloodhound-python -u 'enox' -p '<PASS>' -dc DC01.heist.offsec -c all -ns 192.168.158.165 -d heist.offsec --zip

06 - bloodhound python

It revealed that the user had the ReadGMSAPassword privilege over the svc_apache$ account.

07 - readgmsa

So I downloaded Invoke-GMSAPasswordReader and read the svc_apache$ user’s password hash.

08 - gmsa

Then I logged in as the svc_apache$ user and found out that this account had SeRestore enabled.

09 - logged in

Privilege Escalation

SeRestore Privilege

The user had SeRestore enabled, so I did some research and found a way to exploit it. (Explanation: https://github.com/swisskyrepo/InternalAllTheThings/blob/main/docs/redteam/escalation/windows-privilege-escalation.md)

We simply need to follow the steps below:

  1. Rename utilman.exe (C:\Windows\System32\utilman.exe) to utilman.old
  2. Rename cmd.exe to utilman.exe
  3. Open Remote Desktop. On the lock screen press Win+U
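The swap above leaves the accessibility helper in System32 carrying another binary's version resource (cmd.exe identifies itself as Cmd.Exe) or an identical hash to cmd.exe, plus a stray utilman.old. The check below is an added example written for this post, not code from the original writeup or the linked repository; the function name Test-AccessibilityBinaries is my own, and it assumes an elevated PowerShell 5.1 or later session on Windows 8 or later, where Get-AuthenticodeSignature also honours catalog signatures.

```powershell
# Added example, not code from the original post: a defender-side check for the
# accessibility-binary swap described in the steps above. Assumes PowerShell 5.1+
# on Windows 8 or later (catalog signatures honoured) and an elevated session.
function Test-AccessibilityBinaries {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # Helpers winlogon launches from the lock screen; each should be the genuine Microsoft file.
    $targets = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe'

    # cmd.exe vanishing from System32 is itself a sign of step 2 (rename rather than copy).
    $cmdPath = Join-Path $sys32 'cmd.exe'
    $cmdHash = $null
    if (Test-Path $cmdPath) {
        $cmdHash = (Get-FileHash $cmdPath -Algorithm SHA256).Hash
    } else {
        [pscustomobject]@{ File = 'cmd.exe'; Status = 'MISSING'; Detail = 'renamed away?' }
    }

    foreach ($name in $targets) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Status = 'MISSING'; Detail = '' }
            continue
        }
        $orig   = (Get-Item $path).VersionInfo.OriginalFilename
        $hash   = (Get-FileHash $path -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature $path
        $status = 'OK'; $detail = ''

        if ($cmdHash -and $hash -eq $cmdHash) {
            # A copy of cmd.exe sitting under the helper's name.
            $status = 'SUSPICIOUS'; $detail = 'identical to cmd.exe'
        } elseif ($orig -and $orig -notlike "$([IO.Path]::GetFileNameWithoutExtension($name))*") {
            # The version resource still names the binary it was built as (e.g. 'Cmd.Exe').
            # This catches the rename from the steps above even though cmd.exe is validly signed.
            $status = 'SUSPICIOUS'; $detail = "OriginalFilename is '$orig'"
        } elseif ($sig.Status -ne 'Valid') {
            $status = 'SUSPICIOUS'; $detail = "signature $($sig.Status)"
        }
        [pscustomobject]@{ File = $name; Status = $status; Detail = $detail }
    }

    # Leftover renamed originals such as utilman.old are a second indicator of step 1.
    Get-ChildItem $sys32 -Filter '*.old' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ File = $_.Name; Status = 'LEFTOVER'; Detail = 'renamed original?' }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

On a clean host every target reports OK and no LEFTOVER rows appear; after the rename sequence above, utilman.exe reports OriginalFilename 'Cmd.Exe', cmd.exe reports MISSING and utilman.old shows up as LEFTOVER.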

10 - exploitation

So at first I renamed utilman.exe and cmd.exe as seen below.

11 - exploited

Then I opened rdesktop.


Then on the lock screen I pressed Win+U on my keyboard, which gave me a SYSTEM shell.

12 - Admin flag
