#tryhackme #windows #medium

# Information Gathering - Nmap

A SYN scan against all 65535 TCP ports revealed five open ports, and some of them were interesting right from the start.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP --min-rate 2000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 21:07 CDT
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 29.21% done; ETC: 21:08 (0:00:48 remaining)
Nmap scan report for 10.10.232.21
Host is up (0.18s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
1311/tcp open  rxmon
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 66.20 seconds
```

A second TCP scan, this time with default scripts and version detection (`-sCV`) against only the open ports, for more detailed information:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 21,22,80,1311,3389
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 21:09 CDT
Nmap scan report for 10.10.232.21
Host is up (0.25s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23  02:58PM                 3722 Credit-Cards-We-Pwned.txt
|_06-28-23  03:00PM              1022126 stolen-passport.png
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
|   256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_  256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HackSmarterSec
1311/tcp open  ssl/rxmon?
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Not valid before: 2023-06-30T19:03:17
|_Not valid after:  2025-06-29T19:03:17
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Wed, 16 Jul 2025 02:09:34 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|     <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
|   HTTPOptions:
|     HTTP/1.1 200
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Wed, 16 Jul 2025 02:09:41 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|_    <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-16T02:10:11+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: HACKSMARTERSEC
|   NetBIOS_Domain_Name: HACKSMARTERSEC
|   NetBIOS_Computer_Name: HACKSMARTERSEC
|   DNS_Domain_Name: hacksmartersec
|   DNS_Computer_Name: hacksmartersec
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-16T02:10:05+00:00
| ssl-cert: Subject: commonName=hacksmartersec
| Not valid before: 2025-07-15T01:20:07
|_Not valid after:  2026-01-14T01:20:07
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1311-TCP:V=7.95%T=SSL%I=7%D=7/15%Time=687709DF%P=aarch64-unknown-li
<SNIP>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.54 seconds
```

A few things are already worth noting from this output: anonymous FTP is allowed and lists two files; the RDP NTLM info gives the hostname `hacksmartersec` and build `10.0.17763` (Windows Server 2019 / Windows 10 1809); and port 1311, which Nmap could not identify by service name, is clearly the Dell OpenManage web login page over TLS (the `/oma/` paths and the `OpenManage` title in the fingerprint give it away), served with a Dell Inc certificate that had already expired on 2025-06-29.

Lastly, a UDP scan was run against the top 10 ports. As usual, `open|filtered` UDP results are inconclusive: no response came back, so each port may be open or filtered.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 20:29 CDT
Nmap scan report for 10.10.232.21
Host is up (0.20s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.48 seconds
```

---

# Enumeration

##### Port 21 - FTP

As the Nmap results already suggested, FTP does allow anonymous login.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.232.21.
220 Microsoft FTP Service
Name (10.10.232.21:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
```

There are two files on the server. I'll just download both.

```bash
ftp> dir
229 Entering Extended Passive Mode (|||49741|)
125 Data connection already open; Transfer starting.
06-28-23  02:58PM                 3722 Credit-Cards-We-Pwned.txt
06-28-23  03:00PM              1022126 stolen-passport.png
226 Transfer complete.
```

The contents of `Credit-Cards-We-Pwned.txt` lived up to its name: it appears to contain people's credit card numbers, expiry dates and CVVs.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat Credit-Cards-We-Pwned.txt
VISA, 4929012623542946, 8/2027, 273
VISA, 4556638818403096, 8/2024, 166
VISA, 4024007166395359, 12/2027, 209
VISA, 4485714082654957, 12/2028, 834
VISA, 4716405563341310, 12/2023, 235
VISA, 4556430097066053, 7/2030, 493
VISA, 4916389512648686, 10/2026, 269
VISA, 4532953400107172, 8/2026, 862
VISA, 4485122260041080, 11/2024, 446
VISA, 4485650070135122, 5/2027, 411
VISA, 4916828190458462, 4/2029, 859
VISA, 4532452179409778, 7/2028, 450
VISA, 4532676678238045, 11/2030, 521
VISA, 4539865157272244, 8/2029, 452
VISA, 4916271858910955, 9/2026, 671
<SNIP>
```

I tried to open the other file, `stolen-passport.png`, but it appeared to be broken. `exiftool` and `file` didn't tell me much, and I don't think it's an image file at all.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ exiftool stolen-passport.png
ExifTool Version Number         : 13.25
File Name                       : stolen-passport.png
Directory                       : .
File Size                       : 193 kB
File Modification Date/Time     : 2025:07:15 20:35:22-05:00
File Access Date/Time           : 2025:07:15 20:35:23-05:00
File Inode Change Date/Time     : 2025:07:15 20:35:22-05:00
File Permissions                : -rw-rw-r--
Error                           : File format error

┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ file stolen-passport.png
stolen-passport.png: data
```

One thing to check before writing the file off: the FTP listing shows `stolen-passport.png` as 1022126 bytes, but the local copy is only 193 kB. A size mismatch like that usually means the transfer was incomplete or done in ASCII mode, so re-downloading with `binary` set before `get` is worth a try before concluding the file is not really a PNG.

##### Port 22 - SSH

We haven't found any credentials yet, so I'll skip port 22 for now, but Nmap revealed it's running `OpenSSH for Windows 7.7`.

```bash
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
```

##### Port 80 - HTTP

I opened my browser and typed in the target IP address, which displayed the website below. I couldn't enumerate much from the website, yet.

![[Pasted image 20250715205020.png]]

##### Port 1311 - ssl/rxmon?

Moving on to port 1311, it turned out to be the Dell OpenManage login page, which asks for a hostname along with a username and password.

![[Pasted image 20250715211829.png]]

At the bottom, I clicked `About` and this pop-up showed me the version.

![[Pasted image 20250715212622.png]]

# Exploitation - Initial Access

The `searchsploit` database tells me this version is vulnerable to arbitrary file read (CVE-2020-5377, a path traversal in Dell EMC OpenManage Server Administrator).

![[Pasted image 20250715213810.png]]

![[Pasted image 20250715214134.png]]

The exploit I pulled directly from `searchsploit` was not stable, so I downloaded the latest PoC from GitHub [here](https://raw.githubusercontent.com/RhinoSecurityLabs/CVEs/refs/heads/master/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py), and it successfully read the `hosts` file (`C:\Windows\System32\drivers\etc\hosts` on Windows, the equivalent of `/etc/hosts`).

![[Pasted image 20250715220912.png]]

Not gonna lie, reading files this way takes a lot of trial and error, since you have to guess full paths blind, but I was able to get the web root's directory name right.

![[Pasted image 20250715221617.png]]

Reading `C:\inetpub\wwwroot\hacksmartersec\web.config` revealed a set of credentials.

![[Pasted image 20250715221849.png]]

```
tyler:IAmA1337h4x0randIkn0wit!
```

With the found credentials, I was able to log in via SSH!
![[Pasted image 20250715222130.png]]

# Privilege Escalation (Out of scope of OSCP)

I spent some time looking around the system but couldn't enumerate much; most of the commands I entered returned "Access Denied". I then looked up walkthroughs and found out that enumeration is very limited on this box and that Windows Defender is in place, so we would have to find a way to evade it.

One technique I read about in a blog post for privesc was to enumerate services manually by reading the registry, since `sc query` is not allowed:

![[Pasted image 20250715223858.png]]

However, reading the services out of the registry works:

![[Pasted image 20250715224225.png]]

![[Pasted image 20250715224652.png]]

![[Pasted image 20250715225029.png]]

A service named `spoofer-scheduler` stood out because it's not a default Windows service. Checking the service revealed that it runs as `LocalSystem` and can be stopped. Additionally, `icacls` shows that `BUILTIN\Users` have full control over it.

![[Pasted image 20250715225743.png]]

![[Pasted image 20250715225941.png]]
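The registry walk described above, written out as a script. This is an added example, not code from the room, its author or any walkthrough; it assumes PowerShell is available in the unprivileged SSH session (if it is blocked, `reg query HKLM\SYSTEM\CurrentControlSet\Services\<name>` returns the same `ImagePath`, `ObjectName`, `Start` and `Type` values one key at a time). It reads every service key under `HKLM\SYSTEM\CurrentControlSet\Services`, which is readable by ordinary users even when `sc query` is denied, keeps the Win32 services that run as `LocalSystem` from a binary outside the Windows directory, and then runs `icacls.exe` on each binary to show which low-privileged groups can write to it. The service name, paths and output shown on the page are not hard-coded anywhere; the filters are general.

```powershell
# Added example (not from the room or its walkthroughs): enumerate services
# straight from the registry when `sc query` / Get-Service return Access Denied.
# Assumes an unprivileged shell on the target (e.g. the SSH session as tyler).
# Registry reads and icacls.exe are built-in tooling; nothing is dropped to disk.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$winDir  = [Environment]::GetFolderPath('Windows')   # normally C:\Windows

# Start value meanings: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # ImagePath may be quoted, may carry arguments and may use %SystemRoot%-style
    # variables; reduce it to the bare executable so icacls can be pointed at it.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted: the binary is everything up to the first ".exe". An unquoted path
    # containing spaces is itself a weakness worth noting when it shows up here.
    $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $p.Split(' ')[0]
}

$services = Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 0x10/0x20 = Win32 own/shared-process service; drivers (0x1/0x2) are skipped.
    if (-not $v.ImagePath -or -not ($v.Type -band 0x30)) { return }
    $bin   = Get-ServiceBinaryPath $v.ImagePath
    $start = if ($null -ne $v.Start) { $startNames[[int]$v.Start] } else { 'n/a' }
    [pscustomobject]@{
        Name    = $_.PSChildName
        Account = $v.ObjectName                     # LocalSystem is the interesting one
        Start   = $start
        Binary  = $bin
        # Third-party services almost always live outside C:\Windows
        OutsideWindowsDir = [bool]$bin -and -not $bin.StartsWith($winDir, 'OrdinalIgnoreCase')
    }
}

# Services running as LocalSystem from outside the Windows directory are the usual
# privesc candidates; list them, then ask icacls who can write to each binary.
$candidates = $services | Where-Object { $_.OutsideWindowsDir -and $_.Account -eq 'LocalSystem' }
$candidates | Format-Table Name, Account, Start, Binary -AutoSize

foreach ($s in $candidates) {
    if (Test-Path -LiteralPath $s.Binary) {
        "`n== $($s.Name) : $($s.Binary)"
        # (F) full, (M) modify or (W) write for Users / Everyone / Authenticated Users
        # means the binary can be replaced and will run as SYSTEM the next time the
        # service starts; whether the user may also stop/start it is a separate check.
        icacls.exe $s.Binary | Select-String -Pattern 'Users|Everyone|Authenticated Users'
    }
}
```

On this box the last loop is what surfaces `spoofer-scheduler`: the `icacls` result the page describes (full control for `BUILTIN\Users`) shows up as a `(F)` entry for that group. The script deliberately stops at reporting; what to replace the binary with is a separate decision, and with Defender running anything dropped in its place has to be chosen with that in mind.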