Access Proving Grounds Write-Up
SUMMARY
This write-up covers the Access machine from OffSec’s Proving Grounds, an Active Directory environment where standard domain enumeration surfaces little useful information.
A web server running on port 80 hosted a PHP application with a file upload feature. Standard PHP extensions were filtered, but a file upload bypass using an alternate extension was found via Burp Suite interception. The upload directory had directory listing enabled, confirming the file was accessible, and a reverse shell was established as the Apache service account.
With limited results from BloodHound and standard enumeration, the presence of an MSSQL service account on the domain prompted a local Kerberoasting attack performed directly from the compromised host. The extracted TGS hash was cracked offline, and lateral movement to svc_mssql was completed using RunasCs.
As svc_mssql, the uncommon SeManageVolumePrivilege was identified. By exploiting this privilege, full write access to the C: volume was obtained. A malicious DLL was crafted, dropped into the Windows print driver path, and triggered via a COM object, resulting in a shell as NT AUTHORITY\SYSTEM.
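The local Kerberoasting described above leaves a trace on the domain controller: a successful Event ID 4769 (service ticket requested) for a user-owned SPN with an RC4 ticket encryption type, since that is the ticket an attacker can crack offline. The following detection logic is an added example, not part of the write-up or the lab; the log lines, the EXAMPLE.LOCAL realm and the IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample 4769 events (not from the write-up). Fields mirror the Windows
# Security log: requesting account, service (SPN owner), client IP, ticket encryption
# type (0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96) and status (0x0 = success).
SAMPLE_4769 = [
    "4769 Account=svc_apache@EXAMPLE.LOCAL Service=svc_mssql Client=10.0.0.25 EType=0x17 Status=0x0",
    "4769 Account=alice@EXAMPLE.LOCAL Service=DC01$ Client=10.0.0.40 EType=0x12 Status=0x0",
    "4769 Account=svc_apache@EXAMPLE.LOCAL Service=svc_backup Client=10.0.0.25 EType=0x17 Status=0x0",
    "4769 Account=bob@EXAMPLE.LOCAL Service=svc_mssql Client=10.0.0.51 EType=0x12 Status=0x0",
    "4769 Account=svc_apache@EXAMPLE.LOCAL Service=krbtgt Client=10.0.0.25 EType=0x17 Status=0x0",
]

# RC4-HMAC and RC4-HMAC-EXP: the ticket is keyed from the NT hash and cracks offline.
RC4_ETYPES = {"0x17", "0x18"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4769(line):
    """Turn one key=value formatted 4769 line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_roastable(ev):
    """Successful RC4 ticket for a non-machine, non-krbtgt service principal."""
    service = ev.get("Service", "")
    return (ev.get("Status") == "0x0"
            and ev.get("EType") in RC4_ETYPES
            and not service.endswith("$")
            and service != "krbtgt")


def detect_kerberoast(lines, threshold=1):
    """Group roastable requests by (requesting account, client IP) and return the
    pairs that pulled at least `threshold` distinct service tickets, with the SPN
    owners whose ticket hashes were exposed. Raise the threshold on busy domains
    where a single RC4 request is common; one requester asking for several
    service accounts in a short window is the classic Kerberoasting shape."""
    hits = defaultdict(set)
    for line in lines:
        if not line.startswith("4769"):
            continue
        ev = parse_4769(line)
        if is_roastable(ev):
            hits[(ev["Account"], ev["Client"])].add(ev["Service"])
    return {key: sorted(spns) for key, spns in hits.items() if len(spns) >= threshold}
```

The durable mitigation is on the service account itself: a long random password and AES-only Kerberos encryption, so that a ticket is neither cheap to crack nor issued with RC4 in the first place.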
PATH TO FOLLOW
- Reconnaissance & Active Directory Enumeration
- Web Enumeration on Port 80
- Malicious File Upload via Extension Bypass
- Shell as svc_apache
- Local Kerberoasting Attack & Hash Cracking
- User Pivoting to svc_mssql
- Abusing SeManageVolumePrivilege
- Shell as NT AUTHORITY\SYSTEM
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.