Craft2
Think like a red teamer, not a CTF player.
Summary
Found a web app on port 80 with .odt file upload functionality.
Crafted a malicious .odt payload to capture NTLM hashes using Responder.
Cracked the captured hash to get valid credentials: thecybergeek : winniethepooh.
Gained shell access by uploading a PHP reverse shell via SMB.
Used RunasCs to pivot between users and maintain access.
Couldn't escalate privileges directly, so leveraged SQL's LOAD_FILE() to exfiltrate proof.txt.
Let's Unpack
Enumeration
Nmap Full Scan
Targeted Port Scan
Web app running on port 80
RPC and SMB (135, 445) open
Unknown service on 49666
Discovered domain craft.offsec and user admin@craft.offsec
Web Application Enumeration (Port 80)
Found upload functionality that accepted .odt files.
Used the odt_badodt payload via Metasploit to trigger an NTLM auth leak.
Captured the hash using responder:
Cracked using john: winniethepooh
SMB Access
Verified credentials via CrackMapExec:
Discovered readable share: WebApp
Uploaded PHP reverse shell, caught with netcat.
Initial Foothold
Uploaded reverse shell payload using SMB share access.
Executed payload through browser to catch shell.
Upgraded access with RunasCs.exe using captured creds:
Privilege Escalation (Creative Alternative)
Couldn't escalate via WinPEAS or service misconfigs.
Switched to clever SQL abuse using LOAD_FILE():
Retrieved proof without SYSTEM access
Hints
Initial Foothold: Try uploading a .odt file embedded with an external resource to capture NTLM hashes via Responder.
Privilege Escalation: If you hit a wall, explore creative data exfiltration. Sometimes reading proof.txt without SYSTEM is all it takes.
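As an added defensive example (not part of this writeup, Metasploit or Responder): a Python check an upload handler could run on an incoming .odt before accepting it, flagging any xlink:href that points at a remote host, which is the external-resource trick the enumeration section and the foothold hint above depend on. The minimal document it builds is constructed here only to exercise the check; the module and namespace URIs are the OpenDocument ones, everything else is assumed.

```python
"""Reject .odt uploads whose XML parts reference a remote host (constructed example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Prefixes that make an office suite contact another machine when the
# document is rendered: UNC paths and network URL schemes.
REMOTE_REF = re.compile(r"^(\\\\|//|(smb|file|https?|ftp)://)", re.IGNORECASE)


def external_refs(odt_bytes: bytes) -> list[tuple[str, str]]:
    """Return (zip member, href) for every remote xlink:href in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # An unparseable XML part is itself a reason to reject the upload.
                findings.append((name, "<unparseable xml>"))
                continue
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href and REMOTE_REF.match(href.strip()):
                    findings.append((name, href))
    return findings


def build_sample_odt(href: str) -> bytes:
    """Constructed fixture: a minimal ODT zip whose content.xml links one image."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:body><office:text><draw:frame>'
        f'<draw:image xlink:href="{href}" xlink:type="simple"/>'
        '</draw:frame></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

A handler that returns a 4xx whenever external_refs() is non-empty stops the upload from ever being opened on the server side; the same regex is worth pairing with a firewall rule that blocks outbound SMB (445) from the web tier.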