CTF Walkthroughs, TryHackMe

TryHackMe – Relevant Walkthrough

May 24, 2021 | by Stefano Lanaro

Introduction

This was an easy Windows machine that involved exploiting the Microsoft Eternal Blue exploit to gain immediate system-level access or alternatively an open SMB share to gain initial access and token impersonation to escalate privileges to system.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has revealed a few open ports: port 80 (HTTP), 135 (MSRPC), 139/445 (NetBIOS/SMB) and 3389 (RDP), so the next logical step is to start enumerating HTTP and SMB.

Enumerating HTTP

The web server seemed to just have the default Microsoft IIS Server home page, so running an initial Nikto scan to gather more information about it:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

Unfortunately the Nikto scans have not identified anything useful, so it’s best to start enumerating SMB and set HTTP aside for the time being.

Enumerating SMB

Using the SMBClient utility to list open SMB shares on the machine:

It appears the machine has a non-standard “nt4wrksv” share enabled.

The next step is to run a Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service. Command used: 

nmap -p 139,445 -Pn –script smb-enum* 10.10.10.40

Then ran another Nmap scan to check for any known vulnerabilities within the SMB service. Nmap has a number of “smb-vuln-msxx-xxx” scripts that can be used to test the SMB service for public exploits.

From the output of the scan, it appears that the machine is vulnerable to MS17-010, which is a remote code execution vulnerability in SMBv1.

Connecting to the nt4wrksv share and downloading the “passwords.txt” file stored in it:

The file appears to contain two base64-encoded credentials:

decoding the base64 text reveals credentials for a Bob and a Bill users:

Exploiting SMB

The handy AutoBlue-MS17-010 script can be used to exploit the MS17-010 Eternal Blue vulnerability:

According to the instructions on the GitHub repository, all that is required is to specify the target IP address, SMB port and valid credentials to authenticate if required, and a SYSTEM shell will be returned.

Cloning the Git Repository locally:

Executing the exploit using the following flags

  • -target-ip to specify the IP address of the vulnerable Windows machine
  • -port to specify the SMB port in use
  • the credentials to connect as, in order to execute the exploit, in this case using the Bob user’s credentials

This has granted a shell as the SYSTEM user, so through this exploitation path no privilege escalation is required.

Exploiting HTTP on Port 49663 & SMB Open Share

As shown below by accessing the passwords.txt file through a browser, it appears that the nt4wrksv SMB share has the same root folder as the web server on port 49663:

This can be exploited by uploading a ASP/ASPX shell onto the SMB share and executing it from within the browser.

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows TCP Reverse Shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell, in this case, ASPX

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Accessing the “nt4wrksv” SMB share enabled and uploading the ASPX reverse shell:

When accessing the shell.aspx file through a browser, the reverse shell is executed

A callback is received on the Netcat listener, granting a shell as the “iis pppool” user.

Privilege Escalation

Running the “whoami /priv” command to check the current user’s privileges in the system:

It appears the current user has the SeImpersonatePrivilege token enabled, which means token impersonation could be used to escalate privileges.

Although Juicy Potato is normally used to exploit token impersonation, this only works if DCOM is enabled on the server. A great alternative is the PrintSpoofer exploit. Downloading the exploit from the Git repository and placing it on the nt4wrksv SMB share so it can be easily transferred to the target machine:

Executing the exploit, providing -i to Interact with the new process in the current command prompt and -c to specify to run CMD upon execution:

The exploit has successfully exploited the token impersonation vulnerability, therefore executing CMD as SYSTEM and providing an administrative-level shell on the box.

Conclusion

Although this box was quite simple overall, I liked the fact that there were multiple paths to achieve code execution and eventually system-level access to the machine.