#tryhackme #windows #medium
# Information Gathering - Nmap
A TCP scan against all ports revealed four open ports. We got some interesting ports right from the start.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP --min-rate 2000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 21:07 CDT
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 29.21% done; ETC: 21:08 (0:00:48 remaining)
Nmap scan report for 10.10.232.21
Host is up (0.18s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1311/tcp open rxmon
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 66.20 seconds
```
Another TCP scan, this time only against the open ports, to pull service and version details.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 21,22,80,1311,3389
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 21:09 CDT
Nmap scan report for 10.10.232.21
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
|_06-28-23 03:00PM 1022126 stolen-passport.png
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
| 256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_ 256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HackSmarterSec
1311/tcp open ssl/rxmon?
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Not valid before: 2023-06-30T19:03:17
|_Not valid after: 2025-06-29T19:03:17
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Wed, 16 Jul 2025 02:09:34 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
| <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
| HTTPOptions:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Wed, 16 Jul 2025 02:09:41 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
|_ <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-16T02:10:11+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: HACKSMARTERSEC
| NetBIOS_Domain_Name: HACKSMARTERSEC
| NetBIOS_Computer_Name: HACKSMARTERSEC
| DNS_Domain_Name: hacksmartersec
| DNS_Computer_Name: hacksmartersec
| Product_Version: 10.0.17763
|_ System_Time: 2025-07-16T02:10:05+00:00
| ssl-cert: Subject: commonName=hacksmartersec
| Not valid before: 2025-07-15T01:20:07
|_Not valid after: 2026-01-14T01:20:07
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1311-TCP:V=7.95%T=SSL%I=7%D=7/15%Time=687709DF%P=aarch64-unknown-li
<SNIP>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.54 seconds
```
Lastly, a UDP scan was performed against the top 10 ports. Of course, UDP scan results cannot be considered conclusive: every port came back `open|filtered`, which only means no response was received.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 20:29 CDT
Nmap scan report for 10.10.232.21
Host is up (0.20s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 2.48 seconds
```
---
# Enumeration
##### Port 21 - FTP
As I already saw in the Nmap results, FTP indeed allowed anonymous login.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.232.21.
220 Microsoft FTP Service
Name (10.10.232.21:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
```
There are two files available on the server. I'll just download both.
```bash
ftp> dir
229 Entering Extended Passive Mode (|||49741|)
125 Data connection already open; Transfer starting.
06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
06-28-23 03:00PM 1022126 stolen-passport.png
226 Transfer complete.
```
The contents of the `Credit-Cards-We-Pwned.txt` file lived up to its name. It appeared to contain people's credit card information.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat Credit-Cards-We-Pwned.txt
VISA, 4929012623542946, 8/2027, 273
VISA, 4556638818403096, 8/2024, 166
VISA, 4024007166395359, 12/2027, 209
VISA, 4485714082654957, 12/2028, 834
VISA, 4716405563341310, 12/2023, 235
VISA, 4556430097066053, 7/2030, 493
VISA, 4916389512648686, 10/2026, 269
VISA, 4532953400107172, 8/2026, 862
VISA, 4485122260041080, 11/2024, 446
VISA, 4485650070135122, 5/2027, 411
VISA, 4916828190458462, 4/2029, 859
VISA, 4532452179409778, 7/2028, 450
VISA, 4532676678238045, 11/2030, 521
VISA, 4539865157272244, 8/2029, 452
VISA, 4916271858910955, 9/2026, 671
<SNIP>
```
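Added example (mine, not from the room or the author): a small DLP-style check that finds Luhn-valid 13 to 19 digit runs in text such as this dump and reports them masked, so a defender can confirm a file really holds card numbers before escalating. The sample text is constructed in the dump's layout; its first PAN is one of the values listed above, the second has its check digit altered.

```python
import re

# Constructed sample in the "BRAND, PAN, M/YYYY, CVV" layout of the FTP dump.
# First PAN is one of the listed values; the second has its check digit altered.
SAMPLE = """VISA, 4929012623542946, 8/2027, 273
VISA, 4929012623542940, 8/2024, 166
ref 20250715, ticket 1234567812345678
"""

def luhn_ok(digits):
    """Luhn mod-10 check that every major card brand's PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask(digits):
    """Keep the BIN and last four, which is what PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (masked PAN, line number) for every Luhn-valid candidate in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):       # drops digit runs that merely look like PANs
                hits.append((mask(digits), n))
    return hits

if __name__ == "__main__":
    for pan, n in find_pans(SAMPLE):
        print(f"line {n}: {pan}")
```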
I tried to open the other file I found, `stolen-passport.png`, but it appeared to be broken. The `exiftool` and `file` commands didn't tell me much, but I don't think it's an image file.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ exiftool stolen-passport.png
ExifTool Version Number : 13.25
File Name : stolen-passport.png
Directory : .
File Size : 193 kB
File Modification Date/Time : 2025:07:15 20:35:22-05:00
File Access Date/Time : 2025:07:15 20:35:23-05:00
File Inode Change Date/Time : 2025:07:15 20:35:22-05:00
File Permissions : -rw-rw-r--
Error : File format error
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ file stolen-passport.png
stolen-passport.png: data
```
##### Port 22 - SSH
We haven't found any credentials yet, so I'll skip port 22 for now, but Nmap revealed it's running `OpenSSH for Windows 7.7`.
```bash
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
```
##### Port 80 - HTTP
I opened my browser, typed in the target IP address, and it displayed the website below. I couldn't enumerate much from the website yet.
![[Pasted image 20250715205020.png]]
##### Port 1311 - ssl/rxmon?
Moving on to port 1311, it revealed that it's running Dell OpenManage and asks for a hostname along with a username and password.
![[Pasted image 20250715211829.png]]
At the bottom, I clicked `About` and this pop-up showed me the version.
![[Pasted image 20250715212622.png]]
# Exploitation - Initial Access
The `searchsploit` database tells me the version is vulnerable to arbitrary file read (CVE-2020-5377).
![[Pasted image 20250715213810.png]]
![[Pasted image 20250715214134.png]]
The exploit I downloaded directly from `searchsploit` was not stable, so I downloaded the latest PoC from GitHub [here](https://raw.githubusercontent.com/RhinoSecurityLabs/CVEs/refs/heads/master/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py), and it successfully read `/etc/hosts`.
![[Pasted image 20250715220912.png]]
Not gonna lie, reading files takes a lot of trial and error, but I was able to get the directory name right.
![[Pasted image 20250715221617.png]]
Reading `C:\inetpub\wwwroot\hacksmartersec\web.config` revealed a set of credentials.
![[Pasted image 20250715221849.png]]
`tyler:IAmA1337h4x0randIkn0wit!`
With the found credentials, I was able to login via SSH!
![[Pasted image 20250715222130.png]]
# Privilege Escalation (Out of scope of OSCP)
I spent some time looking around the system, but I couldn't enumerate much. Most of the commands I entered returned "Access Denied". Then I looked up walkthroughs and found out that enumeration is very limited and that Windows Defender is in place, so we would have to find a way to evade it.
One thing I read in a blog about privesc was to read the registry manually to enumerate services.
`sc query` is not allowed.
![[Pasted image 20250715223858.png]]
However, manually reading services through registry works.
![[Pasted image 20250715224225.png]]
![[Pasted image 20250715224652.png]]
![[Pasted image 20250715225029.png]]
A service named `spoofer-scheduler` stood out because it's not a default service. Checking it revealed that `LocalSystem` starts the service and that it's stoppable. Additionally, `icacls` shows that `BUILTIN\Users` has full control over the service binary.
![[Pasted image 20250715225743.png]]
![[Pasted image 20250715225941.png]]
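Added example (not from the room or the author's own tooling): an audit script that mirrors the manual checks above from the administrator's side. It parses `icacls` output for service binaries that `BUILTIN\Users`, `Everyone` or `Authenticated Users` can modify, and on a Windows host walks `HKLM\SYSTEM\CurrentControlSet\Services` for `ImagePath` values instead of calling `sc query`. The sample icacls output and the `spoofer-scheduler.exe` path it uses are constructed.

```python
import os
import re
import subprocess

# Principals every logged-on, non-admin account belongs to.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls rights that let the holder replace the file or rewrite its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"(?P<who>[^\s(][^:]*?):(?P<rights>(?:\([^)]*\))+)$")
# Constructed icacls output for a hypothetical service binary (not taken from the box).
SAMPLE_PATH = r"C:\Program Files\Spoofer\spoofer-scheduler.exe"
SAMPLE_ICACLS = SAMPLE_PATH + r""" BUILTIN\Users:(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  Everyone:(DENY)(W)
Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(path, output):
    """Parse `icacls <path>` text into [(principal, {rights})]."""
    aces = []
    for line in map(str.strip, output.splitlines()):
        if line.startswith(path):              # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)                 # None for blank and summary lines
        if m:
            groups = re.findall(r"\(([^)]*)\)", m["rights"])
            aces.append((m["who"], {r.strip() for g in groups for r in g.split(",")}))
    return aces

def weak_grants(path, output):
    """Low-privilege principals holding a write-capable, non-DENY right on path."""
    return [(who, sorted(rights & WRITE_RIGHTS))
            for who, rights in parse_icacls(path, output)
            if who in LOW_PRIV and "DENY" not in rights and rights & WRITE_RIGHTS]

def audit_services():
    """Windows only: yield (service, exe, weak grants) using the registry, not `sc query`."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svcs:
        for i in range(winreg.QueryInfoKey(svcs)[0]):
            name = winreg.EnumKey(svcs, i)
            try:
                image = winreg.QueryValueEx(winreg.OpenKey(svcs, name), "ImagePath")[0]
            except OSError:
                continue                       # key has no ImagePath value
            m = re.match(r'"([^"]+)"|(\S+)', os.path.expandvars(image))  # quoted path or first token
            exe = m.group(1) or m.group(2)     # an unquoted path with spaces is its own finding
            out = subprocess.run(["icacls", exe], capture_output=True, text=True).stdout
            if weak := weak_grants(exe, out):
                yield name, exe, weak
```

On a Windows host, iterate `audit_services()` to list offending services; the fix for a hit is to remove the write grant so that only Administrators and SYSTEM can change the binary.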