Proving Grounds - Windows

Vault

Initial ⇒ SMB enum, SMB malicious file upload, phishing. Privesc ⇒ GPO abuse using SharpGPOAbuse.exe
  1. We have write access on SMB, so we can create a malicious file and upload it to the share; on Responder we get the hash of user anirudh, and cracking it gives secureHM

  2. After getting a shell, BloodHound enumeration shows we have edit permission on the GPO/OU Default Domain Policy, which we can abuse with SharpGPOAbuse.exe

  3. Abusing it adds our user to the local Administrators group.

Nara

Initial ⇒ SMB file upload, stealing NTLM hash, WriteDACL on group. Privesc Level 1 ⇒ Decoding DPAPI file. Privesc Level 2 ⇒ ADCS enumeration, exploiting ESC1
  1. SMB server is writeable

    1. We can use ntlm_theft.py to generate malicious files

    2. Upload them to the SMB server and the directories inside it

    3. On Responder we got a hash for Tracy.White; cracking it gives zqwj041FGX

  2. Creds do not work for evil-winrm, but do work for RPC, and we can enumerate users

  3. BloodHound (py) enum shows we have GenericAll rights on group REMOTE ACCESS; using net rpc group addmem to add ourselves, then get a session

  4. In /Documents there is an automation.txt file, which is a DPAPI-encrypted file; decoding it gives a password which, in a password spray attack, works for user jodie.summer

  5. jodie.summer is a member of the Certificate Service group, so enumerate ADCS

  6. ADCS enumeration shows the domain is vulnerable to ESC1; exploiting it gives the hash for Administrator.

Hutch

Initial ⇒ LDAP enumeration (users), password in description, CLI - cadaver. Privesc ⇒ SeImpersonatePrivilege, PrintSpoofer64.exe
  1. LDAP enumeration gives usernames, among which we find a password in the description of user freedy

  2. Using these creds we can access WebDAV running on 80: `cadaver http://$ip`

  3. We can upload a webshell and a reverse shell, and via the web we can trigger our rev-shell

  4. whoami /priv shows SeImpersonatePrivilege, which can be abused with PrintSpoofer.exe
