HTB Driver Writeup

In this machine, we gain initial access by coercing the machine into authenticating to us using an .ico file. We then find that the running version of Windows is vulnerable to PrintNightmare, which lets us escalate privileges directly to SYSTEM.

HTB Remote Writeup

First, we discover an open NFS share. The share contains .sdf files which contain password hashes. We crack one of them and log into the Umbraco website. This version of Umbraco is vulnerable to an authenticated RCE, which we leverage to get a shell. Once in, we use PrintSpoofer to escalate privileges to SYSTEM.

HTB MetaTwo Writeup

We leverage CVE-2022-0739 to retrieve password hashes from the database. Once in the admin panel, we use CVE-2021-29447 to perform a local file disclosure. We disclose the WordPress configuration file and retrieve the password for the FTP service. From the FTP service, we obtain credentials to log into the machine. There is a passpie binary whose master password we crack. Finally, we retrieve credentials for the root user.

HTB Access Writeup

First, we retrieve files from the FTP server. From these files, we recover valid credentials to access telnet. On the machine, we realise that there are stored credentials. We execute a reverse shell using these credentials and achieve a SYSTEM shell.

HTB Forest Writeup

In this box, we use RPC and LDAP to collect valid AD usernames. This allows us to perform ASREPRoasting, which yields a TGS that can be cracked. With these credentials, we can WinRM into the machine. From the output of BloodHound, we learn that we can add ourselves to the Exchange Windows Permissions group, which has WriteDACL over the domain object. We grant ourselves full control over the domain and perform a DCSync against the machine. This gives us an admin shell.