Relevant
This is a write-up for the room on TryHackMe located at: https://tryhackme.com/room/relevant
Nmap Scan:
I ran nmap -T4 -A 10.10.161.100 -oN nmap_output; however, this did not get me anywhere. It seemed to me that the host was blocking ping probes. I then ran nmap -Pn 10.10.161.100:
I later ran sudo nmap -p- -Pn -sS -A 10.10.161.100 -oN fullscan.txt which got me way more information:
Foothold:
I needed to find a way into the system, or a foothold. I browsed to the IP address:
I wanted to see if SMB was being run on this page. I then used Metasploit to find out what version of SMB was running:
I then ran an nmap script just for SMB, "nmap --script smb-os-discovery 10.10.161.100":
I believed that SMB was my way in. I then ran smbclient:
I then noticed a unique Sharename nt4wrksv. I wanted to see what's in here. So I ran smbclient to have access to the share:
I then saw a passwords.txt file.
I then wanted to download it:
I was able to then read the password file on my local system:
The passwords were encoded, and it seemed to be base64 to me. Using https://www.base64decode.org/ I was able to decode the text:
To me, this seemed like a login for an SMB user. Viewing this write-up, I noticed that the decoder had made me miss another password. I then had 2 logins:
I did not know what tool to use next to get further. I then used the same write-up and noticed that I would have to use psexec, which is located in /usr/share/doc/python3-impacket/examples. I was then able to run it on the SMB:
The user for Bill did not work:
Now I wanted to move back and see another way inside. Both port 80 and 49663 are running the same website:
I then ran dirsearch on the port 49663:
At this point we have access to a website which has the same contents as the smb server:
Exploitation:
In order to exploit this system, I will have to create a payload to then submit to the Samba share. I will have to use msfvenom in order to create this. I uploaded a .exe and it did not work. I had to find another format to upload the file in. I then looked at the same aforementioned write-up to see what format they used. They used .aspx. I also did not know that Windows Server 2016 is an x64 architecture. With those in mind, I then made a payload:
I then had to upload this to the SMB server:
I then have to go to the web version of the payload so that it can be initiated. Before I do that, I have to have a netcat listener open on another terminal. The payload worked:
Browsing around the file system I found the user flag:
This was my first Windows machine, so I had to refer to the write-up to know where to go next. I then learned that I would have to upload an exe called PrintSpoofer which impersonates privileges. I then downloaded it:
I then had to upload it. I did this using the same method as I did for the payload:
I then ran:
which led me to this:
I then went to the Desktop of the Administrator and got the flag:
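From the defender's side, the chain above (a shell spawned by the .aspx payload served from the website, followed by whoami /priv) is visible in process-creation telemetry. The following is an added example, not part of this write-up or the room: it walks Sysmon-style process-creation events and flags shells or recon tools whose ancestry leads back to the IIS worker process w3wp.exe. The key=value field layout, the sample events and the assumption that the site runs on IIS are all constructed for the example.

```python
import re

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation)
# key=value layout; they are not from the room or any real host.
SAMPLE_EVENTS = [
    "ProcessId=4100 ParentProcessId=700 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine=w3wp.exe -ap DefaultAppPool",
    "ProcessId=5220 ParentProcessId=4100 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
    "ProcessId=5318 ParentProcessId=5220 Image=C:\\Windows\\System32\\whoami.exe CommandLine=whoami /priv",
    "ProcessId=3002 ParentProcessId=900 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
    "ProcessId=3100 ParentProcessId=3002 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
    "ProcessId=3200 ParentProcessId=3100 Image=C:\\Windows\\System32\\whoami.exe CommandLine=whoami /priv",
]

WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; assumes the site is served by IIS
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"whoami.exe", "net.exe", "systeminfo.exe"}
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # last value (CommandLine) may hold spaces


def parse_event(line):
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def descends_from_web_worker(pid, by_pid):
    """Follow ParentProcessId links upward; True if any ancestor is an IIS worker."""
    seen = set()
    while pid in by_pid and pid not in seen:  # stop at an unknown parent or a cycle
        seen.add(pid)
        if basename(by_pid[pid]["Image"]) in WEB_WORKERS:
            return True
        pid = by_pid[pid]["ParentProcessId"]
    return False


def detect(lines):
    """Return alert strings: HIGH for shells/recon under IIS, LOW for bare privilege enumeration."""
    events = [parse_event(l) for l in lines]
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["Image"])
        if name in SHELLS | RECON and descends_from_web_worker(e["ParentProcessId"], by_pid):
            alerts.append(f"HIGH pid={e['ProcessId']} {name} spawned under IIS worker: {e['CommandLine']}")
        elif "whoami /priv" in e["CommandLine"].lower():
            alerts.append(f"LOW pid={e['ProcessId']} privilege enumeration: {e['CommandLine']}")
    return alerts
```

The ancestry walk matters because the recon tool is usually two hops below the worker (w3wp.exe spawns cmd.exe, which spawns whoami.exe), so a rule that only inspects the direct parent would miss it.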
What I Learned:
I learned a lot from this machine. It was my first Windows machine so there was a little learning curve for me while attempting this machine. I learned about whoami /priv which was not something I had known about previously. Overall, a great Windows machine, however NOT recommended for Windows machine beginners.