Craft
Source: Proving Grounds | OS: Windows | Community Rating: Hard
I started with the usual autorecon and found that only HTTP (port 80) was open, which was definitely interesting considering how these machines usually have lots of useless ports open.
The website featured a basic CV upload function.
When trying to upload a file with an arbitrary extension, the site returned the error: "File is not valid. Please submit ODT file". Instead of bypassing this check, I decided to work with it and inject a macro into an ODT file.
My first attempt was to inject a macro that downloaded a payload using iwr:
This didn't work, likely because I was using a 32-bit payload on a 64-bit system; I also hit an Internet Explorer configuration error ("Explorer engine is not available…"), which appears when IE's first-launch configuration has not been completed. I switched gears and went with a more basic approach using Powercat.
I set the macro to trigger when the document was opened, saved the file, and uploaded it. After starting my listener and waiting about 10 seconds, I got a shell.
Once inside, I ran winpeas.exe and discovered another user was logged in: apache. From the name, it looked like a service account, which typically holds SeImpersonatePrivilege, a privilege that can be leveraged for escalation.
I looked around and found that the HTTP site was hosted on XAMPP. In the htdocs folder I saw the index.php and upload.php files we'd been interacting with. I tried the uploads directory first but couldn't write to it; however, I was able to upload a shell to the XAMPP root directory. Pentestmonkey's reverse shell failed, and checking its source explained why: it is written for Linux systems and does not work on Windows. I switched to Ivan Sincek's PHP shell, which worked, and used it to access the system as apache.
Checking privileges confirmed the presence of SeImpersonatePrivilege.
Since the target was running Windows Server 2019, Juicy Potato was ruled out (it only works up to Windows Server 2016). An alternative that works on newer versions is GodPotato. This exploit requires knowing the installed .NET Framework version first, which I checked by running:
After confirming the version, I uploaded GodPotato. Finally, I ran:
This command gave me a shell as SYSTEM. (Side note: when I ran whoami, it didn't produce the expected output; I don't know why, but I was SYSTEM and had the flag.)
ODT Uploads: Instead of fighting the file type validation, using an ODT file with an injected macro was an easier way to trigger code execution.
Payload Compatibility: Make sure the payload matches the system architecture; a mismatch can cause failures.
Pivoting Through Web Roots: Leveraging the web server’s document root (XAMPP in this case) to gain a different user context is effective.
Privilege Escalation Alternatives: When Juicy Potato isn’t an option (like on Windows Server 2019), GodPotato can be a reliable alternative.
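On the ODT upload point: the site validated only the file type, which is exactly what let a macro-carrying document through. As an added example (not code from the original writeup), here is a server-side check a defender could run that opens the uploaded ODT as the zip container it is and rejects it when Basic/ or Scripts/ storage, a manifest entry for them, or an auto-run event listener is present; the sample documents are constructed inline for testing.

```python
import io
import re
import zipfile

ODT_MIME = b"application/vnd.oasis.opendocument.text"
MACRO_DIRS = ("Basic/", "Scripts/")  # where ODF packages store Basic/script code
EVENT_RE = re.compile(rb"<script:event-listener\b")  # auto-run hooks such as dom:load
MANIFEST_RE = re.compile(rb'manifest:full-path="(Basic|Scripts)/')

def odt_macro_findings(data: bytes) -> list[str]:
    """Reasons to reject an uploaded ODT; an empty list means no macro indicators.
    Looks inside the zip container instead of trusting the file extension."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container"]
    names, findings = zf.namelist(), []
    # ODF requires 'mimetype' to be the first, uncompressed entry.
    if not names or names[0] != "mimetype" or zf.read("mimetype").strip() != ODT_MIME:
        findings.append("missing or wrong mimetype entry")
    findings += [f"macro storage present: {n}" for n in names if n.startswith(MACRO_DIRS)]
    if "META-INF/manifest.xml" in names and MANIFEST_RE.search(zf.read("META-INF/manifest.xml")):
        findings.append("manifest declares Basic/ or Scripts/ entries")
    for part in ("content.xml", "styles.xml", "settings.xml"):
        if part in names and EVENT_RE.search(zf.read(part)):
            findings.append(f"event listener (auto-run hook) in {part}")
    return findings

def is_safe_odt(data: bytes) -> bool:
    return not odt_macro_findings(data)

def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed minimal ODT for testing; not a document from the writeup."""
    entries = ['<manifest:file-entry manifest:full-path="/" manifest:media-type="%s"/>' % ODT_MIME.decode(),
               '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>']
    hooks = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", ODT_MIME, compress_type=zipfile.ZIP_STORED)
        if with_macro:  # macro module plus an open-document event hook
            entries.append('<manifest:file-entry manifest:full-path="Basic/" manifest:media-type=""/>')
            zf.writestr("Basic/Standard/Module1.xml", "<script:module>Sub Main\nEnd Sub</script:module>")
            hooks = ('<office:scripts><office:event-listeners><script:event-listener '
                     'script:event-name="dom:load"/></office:event-listeners></office:scripts>')
        zf.writestr("META-INF/manifest.xml", "<manifest:manifest>%s</manifest:manifest>" % "".join(entries))
        zf.writestr("content.xml", "<office:document-content>%s<office:body/></office:document-content>" % hooks)
    return buf.getvalue()
```

Rejecting on these indicators blocks the auto-run macro vector without needing to bypass-proof the extension check; a stricter policy would additionally re-pack only the whitelisted entries.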