Vault Proving Grounds Write-Up
SUMMARY
This write-up covers the Vault machine from OffSec’s Proving Grounds, an Active Directory environment under the vault.offsec domain where initial enumeration returned no obvious entry points.
A RID Cycling attack against the SMB service revealed a valid domain user: anirudh. Standard enumeration of shares showed a writable share with a descriptive name suggesting file uploads are periodically reviewed. A malicious LNK file was crafted with PowerShell and uploaded to the share. When the share was browsed on the victim side, the LNK triggered an automatic authentication request to the attacker’s SMB server, leaking anirudh’s NTLM hash. The hash was cracked offline and the credentials were validated, granting WinRM access.
Once inside, SharpHound was uploaded and the collected data was analyzed in BloodHound, revealing that anirudh held GenericAll over the Default Domain Policy GPO. Using SharpGPOAbuse, anirudh was added as a local administrator through the GPO. After forcing a policy update with gpupdate /force, the user joined the Administrators group, and psexec was used to obtain a shell as NT AUTHORITY\SYSTEM.
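As an added defender-side check (not part of this write-up or the machine), the PowerShell below lists every GPO on which a principal outside an expected administrative set holds edit rights, which is the condition BloodHound surfaced here as GenericAll over the Default Domain Policy. It assumes the GroupPolicy RSAT module is installed on a domain-joined host and that $ExpectedEditors is adjusted to your domain's administrative groups.

```powershell
# Added example, not from the write-up: audit which principals can modify GPOs.
# Requires the GroupPolicy module (RSAT) on a domain-joined host.
Import-Module GroupPolicy

# Principals expected to hold edit rights; adjust to your domain (assumption).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                     'ENTERPRISE DOMAIN CONTROLLERS')

# Permission levels that allow changing a GPO's settings or its ACL.
# GpoEditDeleteModifySecurity is what BloodHound reports as GenericAll;
# GpoCustom is a non-standard ACE set and is flagged for manual review.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-UnexpectedGpoEditors {
    param([string[]]$Expected = $ExpectedEditors)
    foreach ($gpo in Get-GPO -All) {
        # -All returns one GPPermission object per trustee on the GPO's ACL.
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Denied) { continue }                      # deny ACEs grant nothing
            $level = $perm.Permission.ToString()
            if ($EditLevels -notcontains $level) { continue }   # read/apply only
            if ($Expected -contains $perm.Trustee.Name) { continue }
            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $perm.Trustee.Name
                TrusteeType = $perm.Trustee.SidType
                Permission  = $level
                Inherited   = $perm.Inherited
            }
        }
    }
}

# A hit on 'Default Domain Policy' means the trustee can push settings
# (including local group membership) to every computer in the domain.
Get-UnexpectedGpoEditors | Sort-Object GpoName, Trustee | Format-Table -AutoSize
```

Any user account listed against the Default Domain Policy is the exact finding the write-up describes and should be remediated by removing the ACE and reviewing how it was granted.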
PATH TO FOLLOW
- Reconnaissance & RID Cycling for User Discovery
- Writable SMB Share Enumeration
- Malicious LNK File Creation & NTLM Hash Capture
- Offline Hash Cracking & WinRM Access as anirudh
- BloodHound Analysis — GenericAll over Default Domain Policy GPO
- GPO Abuse with SharpGPOAbuse
- Shell as NT AUTHORITY\SYSTEM
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.