Machine Synopsis

Sekhmet is an insane difficulty Windows machine that focuses on web exploitation, pivoting and bypassing Windows restrictions such as PowerShell Constrained Language Mode and AppLocker policies. Initial access is gained through an insecure deserialization vulnerability in a public facing NodeJS web application, which is hosted on a Linux virtual machine running on top of the target Windows system. In order to trigger RCE, the payload has to be adjusted to bypass a Web Application Firewall, which can be accomplished with the use of unicode characters. Once an interactive shell is obtained on the system, a ZipCrypto encrypted archive is found in the user's home directory; encryption can be broken by mounting a known plaintext attack, allowing to retrieve Kerberos credentials from an SSSD cache file contained in the Zip archive and ultimately resulting in `root` access to the Linux machine. To pivot from the VM to the host, a command injection vulnerability is discovered in a scheduled script that processes data from LDAP attributes; this allows to sniff NTLM hashes and obtain a password that grants access to the Windows machine as a low-privileged user. Constrained Language Mode is enforced on the user together with strict AppLocker policies, but it can be bypassed with the aid of `InstallUtil.exe`. Once a Full Language Mode session is gained, Microsoft Edge stored passwords, including those of an administrative user that are also valid for Kerberos authentication, can be retrieved by running `Invoke-Mimikatz`.