In this lab, the RemoteMouse 3.008 exploit will be used on port 1978 for remote code execution, capturing a reverse shell with Netcat. After decoding the FileZilla password, we will log in via Remote Desktop and open a Command Prompt as an administrator. This lab focuses on exploiting service vulnerabilities and privilege escalation methods.
This lab demonstrates exploiting a remote code execution vulnerability in SmarterMail build 6985 to gain SYSTEM-level access on a Windows server. Learners will identify the application version, leverage an RCE exploit, and use a reverse shell payload to compromise the target. This lab emphasizes web application exploitation and highlights the risks of unpatched software.
In this lab, we will exploit the target through an authenticated file upload bypass vulnerability in Subrion CMS that leads to remote code execution. We will then exploit a root cron job via a script running exiftool every minute.
This lab demonstrates exploiting a pre-auth remote code execution vulnerability in SaltStack Master (CVE-2020-11651). Learners will leverage the SaltStack API to execute arbitrary commands, resulting in a root shell on the target. This lab highlights the risks of unpatched critical vulnerabilities in infrastructure management tools.
CozyHosting is an easy-difficulty Linux machine that features a Spring Boot application. The application has the Actuator endpoint enabled. Enumerating the endpoint leads to the discovery of a user’s session cookie, leading to authenticated access to the main dashboard. The application is vulnerable to command injection, which is leveraged to gain a reverse shell on the remote machine. Enumerating the application’s JAR file, hardcoded credentials are discovered and used to log into the local database. The database contains a hashed password, which once cracked is used to log into the machine as the user josh. The user is allowed to run ssh as root, which is leveraged to fully escalate privileges.
Cicada is an easy-difficult Windows machine that focuses on beginner Active Directory enumeration and exploitation. In this machine, players will enumerate the domain, identify users, navigate shares, uncover plaintext passwords stored in files, execute a password spray, and use the SeBackupPrivilege to achieve full system compromise.
Editor is an easy Linux box.
Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in hash for an account that doesn’t require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack, in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically login and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket’s psexec.py in order to gain a shell on the box as NT_AUTHORITY\SYSTEM.
Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.
Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.