# Sideload | Pentest Report

## Internal Network Red Team Engagement

| Field           | Value                        |
| --------------- | ---------------------------- |
| Client          | Sideload Corp                |
| Assessment Type | Internal Red Team Engagement |
| Testing Model   | Black Box                    |
| Environment     | HackSmarter Labs             |
| Assessor        | Dragkob                      |
| Date            | April 2026                   |

***

{% hint style="danger" %}
Disclaimer

During this engagement, operational security (OPSEC) considerations were not fully optimized, as the primary objective was to **QA**[^1] exploitability and achieve the defined goals within the assessment timeframe.

While the techniques employed were effective in evading antivirus controls and achieving full compromise, further refinements could have been implemented to minimize forensic artifacts and reduce the overall detection footprint.

With additional tuning, such as reducing disk-based indicators and improving execution tradecraft, the attack could have been conducted with a significantly higher level of stealth.
{% endhint %}

***

### Table of Contents

1. Executive Summary
2. Scope of Engagement
3. Business Impact
4. Methodology
5. Risk Rating Methodology
6. Attack Path Overview
7. Summary of Findings
   * F-01 – SMB Guest Access Enabled
   * F-02 – Sensitive Information Disclosure via SMB Share
   * F-03 – Username Enumeration via RID Brute
   * F-04 – Weak Password / Guessable Credentials
   * F-05 – SMB Signing Disabled
   * F-06 – Writable SMB Share (IT)
   * F-07 – DLL Search Order Hijacking (RDCMan.exe)
   * F-08 – NTLM Credential Capture via Forced Authentication
   * F-09 – Antivirus Evasion via Staged Payload Delivery
   * F-10 – In-Memory Shellcode Execution
   * F-11 – UAC Bypass via SSPI Datagram Context
   * F-12 – Privilege Escalation to NT AUTHORITY\SYSTEM
   * F-13 – PowerShell History Credential Exposure (Unintended Path)
8. Tools Used
9. Conclusion

***

### Executive Summary

An internal red team engagement was conducted against the Sideload Corp environment to evaluate the organization’s resilience against post-compromise attacker techniques.

The assessment demonstrated that a threat actor with initial network access could achieve full SYSTEM-level compromise of a Windows host through a chained attack involving:

* Weak password practices
* Writable SMB share abuse
* DLL search order hijacking
* NTLM credential capture
* Antivirus evasion through staged payload delivery
* In-memory shellcode execution
* UAC bypass using SSPI token forgery

The attack resulted in complete compromise of the host, including execution as:

```zsh
NT AUTHORITY\SYSTEM
```

Failure to remediate these weaknesses could allow attackers to:

* Deploy malware undetected
* Establish persistent command-and-control access
* Escalate privileges to SYSTEM
* Extract sensitive data
* Pivot further within the network

Immediate remediation is strongly recommended.

***

### Scope of Engagement

| Asset           | Role         | IP           | Domain    |
| --------------- | ------------ | ------------ | --------- |
| EC2AMAZ-KQH42LS | Windows Host | 10.1.211.125 | WORKGROUP |

{% hint style="info" %}
No denial-of-service or destructive techniques were used.
{% endhint %}

***

### Business Impact

The vulnerabilities identified allow an attacker to move from unauthenticated access to full SYSTEM compromise.

Successful exploitation enables:

* Full control of the compromised host
* Execution of arbitrary code
* Credential harvesting and lateral movement
* Deployment of ransomware or persistence mechanisms
* Evasion of endpoint detection solutions

Because SYSTEM-level access represents the highest privilege on Windows systems, compromise results in complete loss of confidentiality, integrity, and availability.

***

### Methodology

Testing followed industry standards:

* PTES
* NIST SP 800-115
* Red Team adversary simulation methodology

| Phase                | Description                        |
| -------------------- | ---------------------------------- |
| Reconnaissance       | Host discovery and SMB enumeration |
| Credential Access    | Password spraying and guessing     |
| Exploitation         | DLL hijacking and execution        |
| Defense Evasion      | Staged payloads and encryption     |
| Command Execution    | Reverse shell establishment        |
| Privilege Escalation | UAC bypass and token impersonation |
| Post Exploitation    | SYSTEM access validation           |

***

### Risk Rating Methodology

| Severity | CVSS Score |
| -------- | ---------- |
| Critical | 9.0 – 10.0 |
| High     | 7.0 – 8.9  |
| Medium   | 4.0 – 6.9  |
| Low      | 0.1 – 3.9  |

***

### Attack Path Overview

<div data-with-frame="true"><figure><img src="/files/0EIwx2X5Q5MgtAQEPd0g" alt=""><figcaption><p>Initial Access Path</p></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/4Vt9TjGe7dLXxMRoD6rC" alt=""><figcaption><p>Initial Access to NT AUTHORITY\SYSTEM Path</p></figcaption></figure></div>

```zsh
F-01 SMB Guest Access Enabled
        ↓
Unauthenticated SMB enumeration
        ↓
Discovery of sensitive files (Pentest report, notes)
        ↓
F-02 Information Disclosure via SMB (Credentials Strategy)
        ↓
Identification of password patterns (Seasons, Names, Defaults)
        ↓
F-03 Username Enumeration via RID Brute
        ↓
Valid user list obtained
        ↓
F-04 Weak Password / Password Spraying
        ↓
Compromise of jade.moreno account
        ↓
F-05 SMB Signing Disabled
        ↓
F-06 Writable SMB Share (IT - READ/WRITE)
        ↓
Upload + interaction with RDCMan.exe
        ↓
F-07 DLL Search Order Hijacking (VERSION.dll)
        ↓
Execution as lewis.hopkins (Local Admin)
        ↓
F-08 NTLM Credential Capture (Forced Auth)
        ↓
F-09 Staged Payload (DLL → Loader → Shellcode)
        ↓
F-10 In-Memory Execution (AV Evasion)
        ↓
F-11 UAC Bypass (SSPI)
        ↓
F-12 NT AUTHORITY\SYSTEM
```

***

### Summary of Findings

| ID   | Vulnerability                                      | Severity | CVSS |
| ---- | -------------------------------------------------- | -------- | ---- |
| F-01 | SMB Guest Access Enabled                           | High     | 8.0  |
| F-02 | Sensitive Information Disclosure via SMB Share     | High     | 8.0  |
| F-03 | Username Enumeration via RID Brute                 | Medium   | 6.0  |
| F-04 | Weak Password / Guessable Credentials              | High     | 8.0  |
| F-05 | SMB Signing Disabled                               | High     | 8.2  |
| F-06 | Writable SMB Share (IT)                            | Medium   | 6.5  |
| F-07 | DLL Search Order Hijacking (RDCMan.exe)            | Critical | 9.8  |
| F-08 | NTLM Credential Capture via Forced Authentication  | High     | 8.5  |
| F-09 | Antivirus Evasion via Staged Payload Delivery      | Critical | 9.5  |
| F-10 | In-Memory Shellcode Execution                      | Critical | 9.8  |
| F-11 | UAC Bypass via SSPI Datagram Context               | Critical | 9.8  |
| F-12 | Privilege Escalation to NT AUTHORITY\SYSTEM        | Critical | 9.8  |
| F-13 | PowerShell History Credential Exposure             | High     | 8.1  |

***

### F-01 – SMB Guest Access Enabled

**Severity:** High\
**CVSS:** 8.0\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

#### Description

The target system allows unauthenticated (Guest) access to SMB shares. This permits attackers to enumerate network resources and access files without valid credentials.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/VRuz79iwV9Fi4JgZDzJr" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Unauthenticated access to internal resources
* Exposure of sensitive files
* Enables reconnaissance and further attacks

#### Remediation

* Disable SMB guest access
* Require authentication for all shares
* Audit and restrict share permissions

***

### F-02 – Sensitive Information Disclosure via SMB Share

**Severity:** High\
**CVSS:** 8.0\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

#### Description

Sensitive internal documentation was accessible via SMB without authentication. The exposed files contained password patterns and operational insights.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/qqEsjNUSHZEbOt2BISNb" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/XL77cS66m3vJlGNuYCm4" alt=""><figcaption></figcaption></figure></div>

Password patterns identified:

* Seasons + Year
* Default words
* Usernames

#### Impact

* Reduces attack complexity
* Enables targeted password attacks
* Directly led to credential compromise

#### Remediation

* Restrict access to sensitive documentation
* Remove credential-related information from files
* Apply least privilege access controls

***

### F-03 – Username Enumeration via RID Brute

**Severity:** Medium\
**CVSS:** 6.0\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

#### Description

Usernames were enumerated through RID brute forcing over SMB.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/OU92q7SYv7ZQIRUmRVku" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Enables targeted password attacks
* Reduces attacker effort

#### Remediation

* Restrict anonymous SID/RID enumeration
* Monitor enumeration activity

***

### F-04 – Weak Password / Guessable Credentials

**Severity:** High\
**CVSS:** 8.0\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

#### Description

User accounts were protected by weak, predictable passwords following common patterns.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/upGp7PuQcLCIeNUaVB3w" alt=""><figcaption></figcaption></figure></div>

Compromised account:

```
jade.moreno
```

#### Impact

* Unauthorized authentication
* Initial foothold in environment

#### Remediation

* Enforce strong password policy (≥14 characters)
* Implement account lockout controls
* Deploy MFA
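As an added illustration (not part of the original assessment deliverable), the following Python password filter encodes the patterns identified in F-02 (seasons + year, default words, usernames) together with the 14-character minimum recommended above; the word lists, the leetspeak map and the `weak_reasons`/`is_acceptable` names are constructed assumptions for this example.

```python
import re

# Password patterns the exposed documentation (F-02) revealed and the
# spraying in F-04 confirmed: seasons + year, default words, usernames.
# Word lists are constructed for this example; seed them from your own
# breach and spray data.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
DEFAULT_WORDS = ("password", "welcome", "changeme", "letmein", "qwerty", "sideload")
MIN_LENGTH = 14  # the report's recommended minimum

# Undo common leetspeak substitutions so "$umm3r2026" is judged as "summer2026".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
_YEAR = re.compile(r"(?:19|20)\d{2}")


def weak_reasons(password: str, username: str) -> list[str]:
    """Return every policy violation for a candidate password; empty means accepted."""
    raw = password.lower()
    norm = raw.translate(_LEET)
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    season = next((s for s in SEASONS if s in norm), None)
    if season:
        year = _YEAR.search(raw)  # search the raw form: _LEET rewrites digits
        reasons.append(f"season+year pattern ({season!r} + {year.group()})" if year
                       else f"season word ({season!r})")
    word = next((w for w in DEFAULT_WORDS if w in norm), None)
    if word:
        reasons.append(f"default word ({word!r})")
    # "jade.moreno" -> ["jade", "moreno"]; fragments under 3 chars would false-positive
    for part in re.split(r"[.\-_ ]+", username.lower()):
        if len(part) >= 3 and part in norm:
            reasons.append(f"contains username part ({part!r})")
    return reasons


def is_acceptable(password: str, username: str) -> bool:
    return not weak_reasons(password, username)


if __name__ == "__main__":
    for pw in ("Summer2026!", "$umm3r2026", "Moreno!Welcome99", "correct-horse-battery-staple"):
        print(f"{pw:32} -> {weak_reasons(pw, 'jade.moreno') or 'OK'}")
```

Substring matching is deliberately aggressive: a filter of this kind should reject borderline candidates and let the user pick another passphrase.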

***

### F-05 – SMB Signing Disabled

**Severity:** High\
**CVSS:** 8.2\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

#### Description

SMB signing is not enforced, allowing attackers to intercept or relay authentication traffic.

#### Technical Evidence

```zsh
signing:False
```

#### Impact

* NTLM relay attacks possible
* Credential interception
* Session hijacking

#### Remediation

* Enforce SMB signing via Group Policy
* Disable NTLM where possible

***

### F-06 – Writable SMB Share (IT)

**Severity:** Medium\
**CVSS:** 6.5\
**Vector:** AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

#### Description

The `IT` share allowed authenticated users to upload files.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/rzMbOwBEJYSTFJ0lowdm" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Upload of malicious files
* Enables code execution attacks

#### Remediation

* Remove write access for non-admin users
* Monitor file uploads

***

### F-07 – DLL Search Order Hijacking (RDCMan.exe)

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#### Description

The application `RDCMan.exe` loads DLLs from its working directory. A malicious `VERSION.dll` was placed in the share and executed.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/wwHkoXOtITckg8BmxIqk" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/5jC9ay9rDI1VnDzuCZYT" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/YsutgynyGqkYYwgqB2YK" alt=""><figcaption></figcaption></figure></div>

Execution result:

```
lewis.hopkins
```

#### Impact

* Arbitrary code execution
* Execution as local administrator

#### Remediation

* Use secure DLL loading practices
* Restrict write access to application directories
* Implement application whitelisting
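As an added hunting example (not part of the original assessment), the Python script below walks a directory tree such as a mounted copy of the `IT` share and reports every executable that sits beside a DLL named like a Windows system DLL, the placement that made `VERSION.dll` load for `RDCMan.exe` in this finding; the DLL name list, the sample share layout and the function names are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# DLL names that the default Windows search order resolves from the
# application directory before %SystemRoot%\System32 (KnownDLLs excepted),
# and that are frequently abused for sideloading. Constructed, deliberately
# short list; VERSION.dll is the one planted next to RDCMan.exe in F-07.
SHADOWED_SYSTEM_DLLS = {
    "version", "dbghelp", "cryptbase", "cryptsp", "wininet",
    "userenv", "profapi", "dwmapi", "uxtheme", "wtsapi32",
}


def find_sideload_candidates(root):
    """Report every executable that has a system-named DLL in its own directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files
                      if f.lower().endswith(".dll")
                      and Path(f).stem.lower() in SHADOWED_SYSTEM_DLLS)
        for exe in exes:
            for dll in dlls:
                findings.append({
                    "exe": str(Path(dirpath, exe)),
                    "dll": str(Path(dirpath, dll)),
                    "reason": f"{dll} is loaded from the application directory "
                              "ahead of System32",
                })
    return findings


def build_sample_share(base):
    """Constructed share layout for offline testing (all files are empty)."""
    for rel in ("IT/RDCMan.exe", "IT/VERSION.dll", "IT/notes.txt",
                "Tools/helper.exe", "Tools/helper.dll"):  # app-specific DLL, not flagged
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


def demo():
    """Build the sample share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return find_sideload_candidates(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['exe']}  <-  {f['dll']}: {f['reason']}")
```

Any hit on a share that non-administrators can write to (F-06) should be treated as a planted DLL until its signature and hash are verified.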

***

### F-08 – NTLM Credential Capture via Forced Authentication

**Severity:** High\
**CVSS:** 8.5\
**Vector:** AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

#### Description

Malicious files triggered outbound authentication, allowing NTLM hash capture.

<details>

<summary>Extra note regarding Payloads</summary>

* `ShellExecute(NULL, "open", "C:\\IT\\pld.htm", NULL, NULL, SW_SHOW);` did not work.
* `WinExec("explorer C:\\IT\\pld.htm", SW_HIDE);` did not work.
* `WinExec("cmd.exe /c start \"\" /b C:\\IT\\pld.htm", SW_HIDE);` did not work reliably.
* `WinExec("mshta.exe C:\\IT\\pld.htm",SW_HIDE);` was 100% reliable.

</details>

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/NA64pvl7nvwSLwo9xNTV" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/JaI3C7XpaVcf3K3P5439" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/J3IKioX6L72KblvKGYcH" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Credential theft
* Enables relay attacks

#### Remediation

* Disable LLMNR and NetBIOS
* Enforce SMB signing

***

### F-09 – Antivirus Evasion via Staged Payload Delivery

**Severity:** Critical\
**CVSS:** 9.5\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#### Description

Payload execution used a staged approach:

* DLL → Loader → Encrypted Shellcode

This bypassed antivirus detection.

<details>

<summary>DLL Code Example</summary>

<figure><img src="/files/67sja0ivFDRSOObNzfvk" alt=""><figcaption></figcaption></figure>

{% hint style="warning" icon="circle-info" %}
The loader code will not be disclosed for obvious reasons.
{% endhint %}

</details>

#### Impact

* Undetected malware execution

#### Remediation

* Deploy EDR solutions
* Monitor outbound connections

***

### F-10 – In-Memory Shellcode Execution

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#### Description

Shellcode executed entirely in memory, avoiding disk-based detection.

<div data-with-frame="true"><figure><img src="/files/ruBqBr4yS2LqzztbtQpE" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Fileless malware
* Evasion of traditional defenses

#### Remediation

* Enable memory-based detection
* Monitor process injection

***

### F-11 – UAC Bypass via SSPI Datagram Context

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#### Description

A UAC bypass using SSPI token forgery allowed privilege escalation.

<details>

<summary>SSPI Token Forgery PoC</summary>

{% embed url="https://github.com/antonioCoco/SspiUacBypass" %}

</details>

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/J57OY5Svpvl1IVwOEGIY" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Elevation to high integrity

#### Remediation

* Apply OS updates
* Monitor token manipulation

***

### F-12 – Privilege Escalation to NT AUTHORITY\SYSTEM

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#### Description

Final payload execution resulted in SYSTEM privileges.

#### Technical Evidence

<div data-with-frame="true"><figure><img src="/files/rei6BHItLx4upjRuwlGc" alt=""><figcaption></figcaption></figure></div>

<details>

<summary>Shellcode-chaining breakdown</summary>

1. Initial Access: Exploited VERSION.DLL side-loading to execute Loader1, which executed Shellcode1 in memory, granting a reverse shell as user lewis.
2. Staging: Deposited Loader2 and Loader3 onto the target via the initial lewis shell.
3. Privilege Escalation Trigger:
   1. Executed Loader2 from the lewis shell.
   2. Loader2 fetched and executed Shellcode2 (the encrypted SSPI UAC bypass) in-memory. Compiled from `https://github.com/antonioCoco/SspiUacBypass`
4. The Bypass:
   1. Shellcode2 was generated via Donut using the `-p` flag to target `C:\IT\loader3.exe` upon execution. This means that the UAC Bypass binary would bypass UAC for `loader3.exe`, running it in high integrity.
      1. `donut -i sys_update.exe -p "C:\IT\loader3.exe" -o sspi.bin`
   2. Upon execution, the SSPI bypass forged a SYSTEM token and launched Loader3 as a high-integrity process.
5. Final Elevation: Loader3 executed Shellcode3, resulting in an elevated reverse shell as `nt authority\system`.

</details>

#### Impact

* Full system compromise

#### Remediation

* Restrict privilege escalation paths
* Monitor service creation

***

### F-13 – PowerShell History Credential Exposure (Unintended)

**Severity:** High\
**CVSS:** 8.1\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

#### Description

Credentials were found in PowerShell history files.

<div data-with-frame="true"><figure><img src="/files/BejpH4mbYUcdEODS43Fk" alt=""><figcaption></figcaption></figure></div>

<div data-with-frame="true"><figure><img src="/files/1U4PMs4YPogADSyUFRGg" alt=""><figcaption></figcaption></figure></div>

#### Impact

* Direct credential exposure

#### Remediation

* Avoid plaintext credentials
* Use secure credential storage
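As an added detection example (not part of the original assessment), the Python scanner below runs over a PSReadLine history file and reports lines that embed a secret, redacting the value before the finding leaves the host; the rule set, the sample history and the `scan_history` name are constructed assumptions, and the history path in the comment is the PSReadLine default.

```python
import re

# Default PSReadLine history location on Windows (per user):
#   %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# The rules are heuristics constructed for this example; each captures the
# secret in a named group so it can be redacted before the finding is
# forwarded to a ticket or SIEM.
RULES = [
    ("secure-string-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<secret>\S+)\s.*-AsPlainText", re.I)),
    ("password-parameter",
     re.compile(r"-(?:Password|Pass|Pwd)\s+(?P<secret>'[^']*'|\"[^\"]*\"|\S+)", re.I)),
    ("net-use-credential",
     re.compile(r"\bnet\s+use\b.*?\s(?P<secret>(?!\\\\)\S+)\s+/user:", re.I)),
    ("cmdkey-pass",
     re.compile(r"\bcmdkey\b.*/pass:(?P<secret>\S+)", re.I)),
    ("connection-string",
     re.compile(r"(?:password|pwd)\s*=\s*(?P<secret>[^;\s'\"]+)", re.I)),
]


def scan_history(text: str) -> list[dict]:
    """Return one finding per history line that matches a rule, secret redacted."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append({
                    "line": number,
                    "rule": name,
                    "command": line.replace(secret, "<redacted>"),
                })
                break  # one finding per line is enough for triage
    return findings


# Constructed history excerpt; usernames follow the report, values are made up.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\IT
$p = ConvertTo-SecureString 'Winter2026!' -AsPlainText -Force
net use \\\\FILESRV\\IT Winter2026! /user:HOST01\\jade.moreno
net use \\\\FILESRV\\IT /user:HOST01\\jade.moreno
cmdkey /add:FILESRV /user:lewis.hopkins /pass:Summer2026!
Invoke-Sqlcmd -ConnectionString "Server=db01;User Id=sa;Password=Sp4ing2026;"
Restart-Service Spooler
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['command']}")
```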

***

### Tools Used

| Tool               | Purpose                                                           |
| ------------------ | ----------------------------------------------------------------- |
| NetExec (nxc)      | SMB enumeration / password spraying                               |
| smbclient          | File upload/download                                              |
| GCC (mingw)        | DLL compilation                                                   |
| Responder          | NTLM capture                                                      |
| NTLMTheft          | Forced authentication                                             |
| msfvenom           | Shellcode generation                                              |
| Donut              | Shellcode packaging                                               |
| Python HTTP Server | Payload hosting                                                   |
| My Brain           | Loader development                                                |
| Nmap               | Identification of open ports, services, and system fingerprinting |
| Netcat             | Reverse shell listener for remote connections                     |

***

### Conclusion

This assessment demonstrated that an attacker can progress from low-privileged access to full SYSTEM compromise using only misconfigurations and weak security practices - without exploiting any software vulnerabilities.

The attack leveraged predictable credentials, writable SMB shares, and DLL sideloading to execute code, evade antivirus, and bypass UAC protections. These techniques are commonly used by real-world threat actors and are difficult to detect without proper monitoring.

As a result, an attacker could gain full control of affected systems, deploy ransomware, access sensitive data, and maintain persistence within the environment.

To reduce risk, Sideload Corp should prioritize strengthening credential policies, restricting access permissions, hardening application behavior, and deploying modern endpoint detection capabilities.

***

<p align="center">Copyright © 2026 Dragkob. All Rights Reserved.</p>

[^1]: Quality Assurance (QA) is the process of testing and validating systems to ensure they function as intended and meet defined requirements. In this context, it involves verifying that a lab or environment is accurate, reliable, and behaves correctly for training or assessment purposes.

