#tryhackme #windows #medium

![[Pasted image 20250713233955.png]]

---

# Information Gathering

As always I began with a TCP scan against all 65,535 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 20:51 CDT
Nmap scan report for 10.10.56.46
Host is up (0.14s latency).
Not shown: 45562 closed tcp ports (reset), 19958 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5900/tcp  open  vnc
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  unknown
49677/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 33.46 seconds
```

Then I ran one more TCP scan, this time against only the open ports found above, to get version and script information about them.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 21,80,135,139,443,445,3389,5900,49664-49677
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 20:55 CDT
Nmap scan report for 10.10.56.46
Host is up (0.16s latency).

PORT      STATE  SERVICE       VERSION
21/tcp    open   ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_11-14-20  04:26PM                  173 notice.txt
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open   http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Simple Slide Show
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open   ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
| tls-alpn:
|_  http/1.1
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: DESKTOP-997GG7D
|   NetBIOS_Domain_Name: DESKTOP-997GG7D
|   NetBIOS_Computer_Name: DESKTOP-997GG7D
|   DNS_Domain_Name: DESKTOP-997GG7D
|   DNS_Computer_Name: DESKTOP-997GG7D
|   Product_Version: 10.0.18362
|_  System_Time: 2025-07-14T01:56:09+00:00
| ssl-cert: Subject: commonName=DESKTOP-997GG7D
| Not valid before: 2025-07-13T01:50:41
|_Not valid after:  2026-01-12T01:50:41
|_ssl-date: 2025-07-14T01:56:16+00:00; 0s from scanner time.
5900/tcp  open   vnc           VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     Ultra (17)
|_    VNC Authentication (2)
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp closed unknown
49670/tcp open   msrpc         Microsoft Windows RPC
49671/tcp closed unknown
49672/tcp closed unknown
49673/tcp closed unknown
49674/tcp closed unknown
49675/tcp closed unknown
49676/tcp closed unknown
49677/tcp open   msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-07-14T01:56:09
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.95 seconds
```

And lastly a UDP scan against the top 10 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 20:57 CDT
Nmap scan report for 10.10.56.46
Host is up (0.17s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.00 seconds
```

---

# Enumeration

##### Port 21 - FTP

We learned from the `Nmap` result that the FTP service on port 21 allows `anonymous login`.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.56.46.
220 Microsoft FTP Service
Name (10.10.56.46:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49748|)
150 Opening ASCII mode data connection.
11-14-20  04:26PM                  173 notice.txt
226 Transfer complete.
ftp>
```

There's only one file, `notice.txt`, and I downloaded it to my system. It's a notice from the dev team telling people they moved `images` to a hidden Windows file share.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat notice.txt
NOTICE
======

Due to customer complaints about using FTP we have now moved 'images' to a hidden windows file share for upload and management of images.

- Dev Team
```

##### Port 445 - SMB

Using `smbclient` I was able to list the available shares on the SMB server. The share `images$` stood out to me: it is likely the one the Dev team was referring to in the `notice.txt` file. Note that hidden shares in Windows end with the `$` symbol.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	images$         Disk
	Installs$       Disk
	IPC$            IPC       Remote IPC
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.56.46 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

I was able to connect to the `images$` share using `null authentication`.

![[Pasted image 20250713210507.png]]

![[Pasted image 20250713210813.png]]

The downloaded images didn't appear to contain any useful information for us at this phase.

![[Pasted image 20250713211130.png]]

##### Port 80 - HTTP

The landing page on port 80 displays the images I had seen in the `images$` share. The page seems to import all files in the share and load them one image at a time.

![[Pasted image 20250713212041.png]]

![[Pasted image 20250713212256.png]]

# Exploitation - Initial Access

Then I thought: if we could access the files stored in the `images$` share directly from the browser, we could try uploading a reverse shell payload to the share, set up a listener, and execute the payload through the browser.

`Gobuster` discovered the `/images` directory.

![[Pasted image 20250713212937.png]]

I uploaded `php-reverse-shell` from Pentest Monkey to the SMB `images$` share.

![[Pasted image 20250713215110.png]]

In `/images` on the browser I was able to see my reverse shell payload, but `php-reverse-shell.php` didn't get me a shell. What got me a reverse shell was this PHP web shell I got from `revshell.com`.

![[Pasted image 20250713215505.png]]

![[Pasted image 20250713215440.png]]

Found `user.txt` in `C:\Users\sign\Desktop`.

![[Pasted image 20250713221757.png]]

# Privilege Escalation

The `net share` command reveals the familiar shares we already saw using `smbclient`.

![[Pasted image 20250713222219.png]]

As I already mentioned earlier, the `$` symbol indicates these are hidden shares, and `Installs$` is not a default hidden share, meaning someone must have created it.

![[Pasted image 20250713223653.png]]

The `Install_www_and_deploy.bat` file in the share reveals the password of the `administrator` user.

![[Pasted image 20250713223752.png]]

I tried logging in as `administrator` with the found password but the connection was never established.

![[Pasted image 20250713230503.png]]

`whoami /priv` reveals the current user has `SeImpersonatePrivilege` enabled.

![[Pasted image 20250713230824.png]]

We can exploit this insecure privilege with `PrintSpoofer.exe`, which I transferred to the remote Windows system via the SMB `images$` share.

![[Pasted image 20250713230005.png]]

The binary has been successfully transferred.

![[Pasted image 20250713230723.png]]

Then I executed the binary with the following options and opened PowerShell as the `nt authority\system` user.

![[Pasted image 20250713233707.png]]

Found `admin_flag.txt` in `C:\Users\Administrator\Desktop`.

![[Pasted image 20250713233847.png]]
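The initial access above works because anything dropped into the null-session `images$` share is served by Apache under `/images` with PHP enabled. As an added defender-side check (example code, not from the original writeup), the script below flags files in a share listing that are not image types and access-log requests that served a server-side script from the upload directory; the share listing and log lines are constructed samples, and the `/images` web path and the extension sets are assumptions.

```python
import os
import re

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
SCRIPT_EXTS = {".php", ".phtml", ".phar"}
UPLOAD_DIR = "/images"  # assumed web path that mirrors the images$ share

# Constructed sample: smbclient "ls" style listing of the images$ share
SAMPLE_SHARE_LISTING = """\
  .                                   D        0  Sun Jul 13 21:50:11 2025
  beach.jpg                           A   134218  Sat Nov 14 16:20:03 2020
  mountain.png                        A   220841  Sat Nov 14 16:20:03 2020
  php-reverse-shell.php               A     5491  Sun Jul 13 21:51:02 2025
"""

# Constructed sample: Apache combined-format access log lines
SAMPLE_ACCESS_LOG = """\
10.9.1.23 - - [13/Jul/2025:21:48:11 -0500] "GET /images/beach.jpg HTTP/1.1" 200 134218 "-" "Mozilla/5.0"
10.9.1.23 - - [13/Jul/2025:21:51:30 -0500] "GET /images/ HTTP/1.1" 200 912 "-" "Mozilla/5.0"
10.9.1.23 - - [13/Jul/2025:21:51:35 -0500] "GET /images/php-reverse-shell.php?v=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.9.1.23 - - [13/Jul/2025:21:52:01 -0500] "GET /index.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
"""

SHARE_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<attr>[A-Z]+)\s+\d+\s")
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def non_image_files(listing):
    """Regular files in the share whose extension is not an image type."""
    flagged = []
    for line in listing.splitlines():
        m = SHARE_LINE.match(line)
        if not m or "D" in m.group("attr"):  # skip directory entries
            continue
        if os.path.splitext(m.group("name"))[1].lower() not in IMAGE_EXTS:
            flagged.append(m.group("name"))
    return flagged

def script_hits_in_upload_dir(log):
    """(client, path) pairs where a server-side script under the upload dir was served."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if (path.startswith(UPLOAD_DIR + "/") and os.path.splitext(path)[1].lower() in SCRIPT_EXTS
                and m.group("status").startswith("2")):
            hits.append((m.group("ip"), path))
    return hits
```

Either finding on a real host is a strong signal that the share-to-webroot chain is being abused; the durable fix is to deny PHP execution in the image directory and to remove anonymous write access to the share.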