Vault
Writeup for Vault from offsec Proving Grounds
sudo nmapAutomator.sh 192.168.131.172 all
It looks like we have anonymous access to the shares, but there don't seem to be any useful files in them.
Let's use Impacket's lookupsid, which brute-forces Windows SIDs to identify users and groups on the remote target.
lookupsid.py Anonymous@192.168.131.172
Using some vim magic, we extract only the usernames.
Next, we can try kerberoasting with the usernames we have. However, we get nothing.
So I actually missed out on the fact that DocumentsShare is writeable.
As we are attacking a Windows machine, we can upload a Windows shortcut file to the SMB share whose icon path points to our attacking machine. Whenever a user browses to this file, Windows tries to load the icon and sends a request to our attacking machine to look for the icon file, authenticating as that user account. This request will contain the NTLM hash of the account.
Let's start a responder to listen for the request.
sudo responder -I tun0 -v
We can then copy the hash into a file and crack it using john.
This gives us anirudh's credentials.
evil-winrm -i 192.168.131.172 -u anirudh -p SecureHM
We see that there is already a KillExplorer.ps1 file; however, this just seems to be a script that accesses the writeable SMB share from earlier.
Tried using winPEAS; however, I was unable to find anything useful.
We can use the Get-NetGPO command from PowerView to list all the GPOs with their details.
We then use the Get-GPPermission command to get the permission level of each security principal on the GPO.
Next, we can use SharpGPOAbuse.exe and specify that the anirudh account should be added to the local Administrators group.
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
Then we update the local group policy.
gpupdate /force
Let's see if this worked.
net localgroup Administrators
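From the defender's side, the GPO edit above leaves a trace: with Directory Service Changes auditing enabled and a SACL on the Policies container, each attribute written on the groupPolicyContainer produces Security event 5136. The following detection is an added example (not part of the original writeup) that flags such edits made by accounts outside an expected GPO-admin set; the event records, the domain DN and the allow-list are constructed, and only the well-known Default Domain Policy GUID is a real value.

```python
"""Flag GPO modifications (event 5136) made by accounts that are not expected GPO editors."""
from dataclasses import dataclass
from typing import Optional

# Attributes rewritten when a GPO's machine-side settings (e.g. Restricted Groups) are edited.
GPO_EDIT_ATTRS = {"versionNumber", "gPCMachineExtensionNames", "gPCFileSysPath"}


@dataclass
class GpoChange:
    subject: str    # account that performed the modification (lower-cased)
    gpo_dn: str     # distinguishedName of the groupPolicyContainer object
    attribute: str  # LDAP attribute that was written


def parse_5136(record: dict) -> Optional[GpoChange]:
    """Return a GpoChange for 5136 events touching a groupPolicyContainer, else None."""
    if record.get("EventID") != 5136 or record.get("ObjectClass") != "groupPolicyContainer":
        return None
    return GpoChange(record["SubjectUserName"].lower(),
                     record["ObjectDN"], record["AttributeLDAPDisplayName"])


def flag_unexpected_gpo_edits(records: list, allowed_editors: set) -> list:
    """Return GPO edits performed by accounts outside the allow-list (case-insensitive)."""
    allowed = {a.lower() for a in allowed_editors}
    hits = []
    for rec in records:
        change = parse_5136(rec)
        if change and change.attribute in GPO_EDIT_ATTRS and change.subject not in allowed:
            hits.append(change)
    return hits


# Constructed sample events in the shape of 5136 EventData; DC=example,DC=local is a placeholder.
DEFAULT_DOMAIN_POLICY_DN = ("CN={31B2F340-016D-11D2-945F-00C04FB984F9},"
                            "CN=Policies,CN=System,DC=example,DC=local")
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "Administrator", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DEFAULT_DOMAIN_POLICY_DN, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "anirudh", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DEFAULT_DOMAIN_POLICY_DN, "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "anirudh", "ObjectClass": "user",
     "ObjectDN": "CN=anirudh,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "description"},
    {"EventID": 4624, "SubjectUserName": "anirudh"},  # logon event, ignored by the parser
]

if __name__ == "__main__":
    for hit in flag_unexpected_gpo_edits(SAMPLE_EVENTS, {"Administrator"}):
        print(f"ALERT: {hit.subject} modified {hit.attribute} on {hit.gpo_dn}")
```

Pair this with a periodic Get-GPPermission review so that the allow-list matches the principals that actually hold edit rights on each GPO.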
We use psexec.py from Impacket to gain access.