#tryhackme #medium #windows

![[Pasted image 20250713142911.png]]

---

# Information Gathering - Nmap

I started off with scanning all TCP ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:28 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).
Not shown: 65377 closed tcp ports (reset), 143 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
8888/tcp  open  sun-answerbook
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49672/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 23.43 seconds
```

Then I did another TCP scan against the open ports for more detailed information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,135,139,445,3389,5985,8888,47001,49664,49665,49667-49672
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:33 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).

PORT      STATE  SERVICE       VERSION
22/tcp    open   ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
|   256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
|_  256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2025-07-12T16:26:49
|_Not valid after:  2026-01-11T16:26:49
| rdp-ntlm-info:
|   Target_Name: DEV-DATASCI-JUP
|   NetBIOS_Domain_Name: DEV-DATASCI-JUP
|   NetBIOS_Computer_Name: DEV-DATASCI-JUP
|   DNS_Domain_Name: DEV-DATASCI-JUP
|   DNS_Computer_Name: DEV-DATASCI-JUP
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-13T16:34:50+00:00
|_ssl-date: 2025-07-13T16:34:59+00:00; -1s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp  open   http          Tornado httpd 6.0.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: TornadoServer/6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
49671/tcp closed unknown
49672/tcp open   msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-07-13T16:34:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.76 seconds
```

Lastly, a UDP scan was done against the top 10 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 11:39 CDT
Nmap scan report for 10.10.102.97
Host is up (0.13s latency).
PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
```

---

# Enumeration

##### Port 139, 445 - SMB

I was able to enumerate shares, and the share `datasci-team` stood out because it's not a default share.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        datasci-team    Disk
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.102.97 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

It contained a few directories and files. It would be very inconvenient for me to download each file one by one, so I'll just download everything to my local Kali and look through them there.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N //$IP/datasci-team
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug 25 10:27:02 2022
  ..                                  D        0  Thu Aug 25 10:27:02 2022
  .ipynb_checkpoints                 DA        0  Thu Aug 25 10:26:47 2022
  Long-Tailed_Weasel_Range_-_CWHR_M157_[ds1940].csv      A      146  Thu Aug 25 10:26:46 2022
  misc                               DA        0  Thu Aug 25 10:26:47 2022
  MPE63-3_745-757.pdf                 A   414804  Thu Aug 25 10:26:46 2022
  papers                             DA        0  Thu Aug 25 10:26:47 2022
  pics                               DA        0  Thu Aug 25 10:26:47 2022
  requirements.txt                    A       12  Thu Aug 25 10:26:46 2022
  weasel.ipynb                        A     4308  Thu Aug 25 10:26:46 2022
  weasel.txt                          A       51  Thu Aug 25 10:26:46 2022

                15587583 blocks of size 4096. 8949754 blocks available
smb: \>
```

I used the `prompt off` command to prevent the share from asking me whether to download each file.
Then I used `recurse on` to enable recursive downloading of subdirectories, and finally `mget *` to download everything.

![[Pasted image 20250713114957.png]]

##### HTTP - Port 8888

The page on port 8888 is asking for a password or token to log in.

![[Pasted image 20250713115745.png]]

I found a file named `jupyter-token.txt` under the `misc` directory of the SMB share.

![[Pasted image 20250713120425.png]]

I successfully logged in with the token, but everything here is basically what I had already downloaded from the SMB share.

![[Pasted image 20250713120614.png]]

I felt like there was more going on behind what I could see here on port 8888, so I ran `gobuster` to enumerate directories. It revealed a few directories for me to explore, and I visited each.

![[Pasted image 20250713122854.png]]

# Exploitation - Initial Access

Among the directories found, the `/lab` directory is the most interesting because it has a built-in terminal where we can execute commands.

![[Pasted image 20250713124115.png]]

Looking around the system, I found a file named `dev-datasci-lowpriv_id_ed25519`. The `file` command revealed it's an OpenSSH private key.

![[Pasted image 20250713123825.png]]

![[Pasted image 20250713122723.png]]

Using the private key, I was able to log into the remote Windows system as the `dev-datasci-lowpriv` user.

![[Pasted image 20250713123926.png]]

![[Pasted image 20250713123910.png]]

Found `user.txt` in `C:\Users\dev-datasci-lowpriv\Desktop`.

![[Pasted image 20250713124235.png]]

# Privilege Escalation

I spent a fair amount of time looking around the system for privilege escalation hints, but I couldn't find any. I still have a lot of room to improve, especially when it comes to Windows machines.

I transferred `winpeas` from my local Kali to this remote Windows machine. `Winpeas` revealed the password for the current user. Let's take note of this.

![[Pasted image 20250713141708.png]]

`Winpeas` revealed that the system is vulnerable to the `AlwaysInstallElevated` exploit.
- This is a Windows misconfiguration in which the system allows any user to install MSI (Windows Installer) packages with **`SYSTEM privileges`** if certain registry settings are enabled.
- When both the user (`HKCU`) and machine (`HKLM`) registry keys for `AlwaysInstallElevated` are set to `1`, a low-privileged user can run a malicious MSI file and gain full system control.

As you can see from the screenshot below, the `AlwaysInstallElevated` value of both `HKCU` and `HKLM` is set to `1`, indicating that we can exploit this system and gain full system control.

![[Pasted image 20250713140400.png]]

First, we need to generate a reverse shell payload as an `.msi` file on my local Kali.

![[Pasted image 20250713140542.png]]

Transfer the reverse shell payload from the local Kali to the remote Windows system using `certutil`.

![[Pasted image 20250713140709.png]]

I ran the following command multiple times, but nothing happened.

`msiexec /quiet /qn /i C:\Users\dev-datasci-lowpriv\Desktop\Temp\revshell.msi`

Then I added `runas /u:dev-datasci-lowpriv` in front of it; it was executed and asked for the password of the current user.

![[Pasted image 20250713142718.png]]

After it was executed, when I went back to my local Kali, I saw my netcat listener had received a reverse shell as `nt authority\system`.

![[Pasted image 20250713142734.png]]

Found `root.txt`.

![[Pasted image 20250713142814.png]]
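The `AlwaysInstallElevated` finding above is the kind of thing an administrator should be able to confirm and undo without running WinPEAS. The script below is an added example, not part of the original writeup and not WinPEAS code: it reads the `AlwaysInstallElevated` value under `HKLM` and `HKCU` (the two keys the room's screenshot shows set to `1`), reports whether the weakness is actually exploitable (only when both are `1`), optionally sets both back to `0`, and lists recent `MsiInstaller` events from the Application log, which is where an MSI-based escalation leaves its trail. It assumes it is run from an elevated PowerShell session on the Windows host; the `-Remediate` and `-RecentDays` parameters are names chosen for this example.

```powershell
<#
  Added example, not part of the original writeup or of WinPEAS.
  Audits the AlwaysInstallElevated policy on a Windows host and, with -Remediate,
  turns it off in both hives. Assumes an elevated PowerShell session; the HKCU
  check only covers the user running the script.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,    # set both values to 0 instead of only reporting
    [int]$RecentDays = 7   # how far back to look for MSI installs in the Application log
)

# The two policy locations Windows Installer consults (same path under each hive).
$policyKeys = [ordered]@{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive with the raw value and whether it is enabled (1).
    foreach ($hive in $policyKeys.Keys) {
        $path  = $policyKeys[$hive]
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{
            Hive    = $hive
            Path    = $path
            Value   = if ($null -eq $value) { 'not set' } else { $value }
            Enabled = ($value -eq 1)
        }
    }
}

function Get-RecentMsiInstalls {
    # MsiInstaller writes event 1033 (product installed) and 11707 (installation
    # completed) to the Application log. An install nobody scheduled, especially one
    # whose UserId is a low-privileged account, is worth a look.
    param([int]$Days)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 11707
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, Message
}

$state = Get-AlwaysInstallElevatedState
$state | Format-Table -AutoSize

# Windows Installer only honours the policy when BOTH hives say 1; a single 1 is
# untidy but not exploitable on its own.
$fullyEnabled = (@($state | Where-Object Enabled).Count -eq 2)

if ($fullyEnabled) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: any user can install an MSI as SYSTEM.'
    if ($Remediate) {
        foreach ($entry in $state) {
            Set-ItemProperty -Path $entry.Path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
        Write-Host 'Both values set to 0; per-user installs now run with the caller''s own privileges.'
    }
} else {
    Write-Host 'AlwaysInstallElevated is not fully enabled; Windows Installer will not elevate per-user installs.'
}

"`nMSI installs in the last $RecentDays day(s):"
Get-RecentMsiInstalls -Days $RecentDays | Format-Table -AutoSize -Wrap
```

Run it once without arguments to see the state, then with `-Remediate` to clear both values. Two caveats: the `HKCU` branch only inspects the hive of the account running the script, so other users' profiles need their hives loaded (or a logon-time check) to be covered; and if the value came from Group Policy it will simply come back at the next refresh, so the lasting fix is to set "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer.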