Vault
Last updated
Last updated
Source: Proving Grounds OS: Windows Community Rating: Hard
Started with autorecon as usual and, again, many open ports, but this time there were no HTTP ports, a surprise. We had to find a different initial foothold than the regulars.
I began by checking SMB. While enum4linux-ng showed nothing, smbclient exposed a non-default share named DocumentsShare. Although it was empty, we had write access.
Having write access to the share meant we could create a shared link and use Responder to capture the authenticated access attempt when someone clicks the item.
I used the tool Hashgrab, which automatically creates the necessary files. I then moved them to the share that we have write access over, started Responder, and waited for the hashes:
After that, I got the hash. I then tried hashcat, but it was too slow, so I switched to John the Ripper:
This revealed the password: anirudh:SecureHM
Now that I had the credentials, I attempted to use them. RDP was open, but testing it didn’t work, and I personally prefer a terminal (I feel like a proper hacker). So I used evil-winrm to get a shell:
Once inside, I checked privileges and discovered a couple of interesting ones: SeBackupPrivilege & SeRestorePrivilegeBoth could be used to escalate privileges.
I started with SeBackupPrivilege. With it, we can dump the SAM and SYSTEM hives and extract hashes from them. I ran:
Then I moved them to Linux and I executed:
I tried to perform Pass-the-Hash (PtH) and log in as Administrator, but that failed. For example:
PtH has a few prerequisites, it requires an SMB connection through the firewall (commonly port 445) and that the Windows File and Printer Sharing feature is enabled. It also requires the admin share (ADMIN$) to be available, so maybe one of these weren’t fulfilled.
I moved on to the next privilege. SeRestorePrivilege. I used an executable from my toolkit called SeRestoreAbuse.exe. I created a shell, uploaded it to the target, and then executed:
This granted me a shell as SYSTEM.
I like to review writeups when I finish (or when I get stuck and need hints). I discovered another option for privilege escalation using BloodHound. I first collected data from the Windows host using:
I then downloaded the data to my Kali machine and started BloodHound. With it, I discovered that our current user had GenericWrite over the GPO named "Default Domain Policy".
Even though BloodHound automatically checked for privileges, I could have done it manually with:
I then used an executable called SharpGPOAbuse.exe to add our user to the administrators group:
After running that, I ended the session and started a new one and that was it, I got admin.
Write access to non-default SMB shares can be exploited to capture hashes via tools like Hashgrab and Responder.
In AD environments, lateral movement often requires combining multiple techniques, using evil-winrm to gain a shell, then kerberoasting or privilege escalation through SeBackup/SeRestore.
PtH depends on specific network and service configurations; if those aren’t met, alternative escalation paths must be explored.
When one escalation method fails (like SeBackup with PtH), having another option such as SeRestoreAbuse can be the key to getting SYSTEM.
Using BloodHound can help identify misconfigurations in GPO permissions that allow local admin access.
