Craft Proving Grounds Write-Up
SUMMARY
This write-up covers the Craft machine from Offsec’s Proving Grounds, a multi-stage Windows machine requiring user pivoting, creative file exfiltration, and port forwarding to achieve a stable Administrator shell.
The only exposed port (80) hosted a file upload portal restricted to ODT documents. A malicious ODT file was crafted in LibreOffice using the Windows macro structure (Dim Str As String / CreateObject("Wscript.Shell").Run Str) with a powercat-based reverse shell payload, assigned to the OpenDocument event. When uploaded and opened server-side, the macro executed and a reverse shell was received as user thecybergeek.
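As an added defensive example (not part of the original write-up), the following Python script checks an uploaded ODT for the two things the malicious document described above depends on: embedded macro code inside the package and a document event binding (the OpenDocument event) that runs it on open. An upload portal that only accepts ODT files could run this check before storing or opening anything. The ZIP entry names, XML namespaces and the two in-memory sample documents are assumptions based on the ODF packaging format, not values taken from the page; the macro sample contains a placeholder module with no payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF namespaces LibreOffice uses for script bindings (assumed from the ODF spec)
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Basic macros live under Basic/, Python/JS/BeanShell scripts under Scripts/
MACRO_PREFIXES = ("Basic/", "Scripts/")


def inspect_odt(data: bytes) -> dict:
    """Return macro indicators found in an ODT package (a ZIP archive)."""
    findings = {"macro_entries": [], "event_listeners": [], "has_macro": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any macro source shipped inside the package is a red flag on its own
        findings["macro_entries"] = [n for n in names if n.startswith(MACRO_PREFIXES)]
        # Event bindings (e.g. the "Open Document" event) are declared as
        # script:event-listener elements in content.xml or styles.xml
        for xml_name in ("content.xml", "styles.xml"):
            if xml_name not in names:
                continue
            root = ET.fromstring(zf.read(xml_name))
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                findings["event_listeners"].append(
                    (el.get(f"{{{SCRIPT_NS}}}event-name"), el.get(f"{{{XLINK_NS}}}href"))
                )
    findings["has_macro"] = bool(findings["macro_entries"] or findings["event_listeners"])
    return findings


def build_sample_odt(with_macro: bool) -> bytes:
    """Construct a minimal ODT in memory (constructed sample, no real payload)."""
    scripts = ""
    if with_macro:
        # Binding that would run Standard.Module1.Main when the document loads
        scripts = (
            "<office:scripts><office:event-listeners>"
            '<script:event-listener script:event-name="dom:load" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
            '?language=Basic&amp;location=document"/>'
            "</office:event-listeners></office:scripts>"
        )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{OFFICE_NS}" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        f"{scripts}<office:body/></office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the mimetype entry first and stored uncompressed
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml",
                        "Sub Main\n' constructed placeholder, no payload\nEnd Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_odt(False)), ("macro", build_sample_odt(True))):
        print(label, inspect_odt(sample))
```

The check reports both indicators separately so a reviewer can tell a document that merely carries unused macro code from one that wires a macro to a load event; a portal would typically reject on either.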
thecybergeek had write access to C:\xampp\htdocs, owned by the apache user. A PHP webshell was uploaded and accessed from the browser to execute commands as apache, followed by an msfvenom reverse shell binary dropped to the htdocs path. As apache, SeImpersonatePrivilege was present and GodPotato was used to escalate — but the shell was unstable. SAM and SYSTEM hives were saved and moved to C:\xampp\htdocs, permissions granted to apache, and the files were downloaded directly from the web server. secretsdump extracted the Administrator hash.
Since SMB was not directly reachable externally, a chisel SOCKS tunnel was established to forward the internal SMB port. proxychains psexec with the Administrator hash then delivered a stable shell as NT AUTHORITY\SYSTEM.
PATH TO FOLLOW
- Reconnaissance & ODT Upload Portal Discovery
- Malicious LibreOffice Macro with powercat (Windows Structure)
- Reverse Shell as thecybergeek
- PHP Webshell Upload via Writable htdocs & Pivot to apache
- SeImpersonatePrivilege & GodPotato Escalation
- SAM/SYSTEM Dump via Web-Accessible htdocs Path
- chisel SOCKS Tunnel for Internal SMB Access
- Shell as NT AUTHORITY\SYSTEM via proxychains psexec
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.