# TryHackMe-Relevant ## NMAP ``` Nmap scan report for 10.10.179.43 Host is up (0.15s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: RELEVANT | NetBIOS_Domain_Name: RELEVANT | NetBIOS_Computer_Name: RELEVANT | DNS_Domain_Name: Relevant | DNS_Computer_Name: Relevant | Product_Version: 10.0.14393 |_ System_Time: 2020-11-12T01:17:03+00:00 | ssl-cert: Subject: commonName=Relevant | Not valid before: 2020-07-24T23:16:08 |_Not valid after: 2021-01-23T23:16:08 |_ssl-date: 2020-11-12T01:17:42+00:00; 0s from scanner time. Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows 49663/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows ``` ## PORT 80

## PORT 139/445 (SMB) ``` root@kali:~/TryHackMe/Medium/Relevant# smbclient -L \\\\10.10.179.43\\ Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC nt4wrksv Disk SMB1 disabled -- no workgroup available root@kali:~/TryHackMe/Medium/Relevant# smbclient \\\\10.10.179.43\\nt4wrksv Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> ls -al NT_STATUS_NO_SUCH_FILE listing \-al smb: \> dir . D 0 Sun Jul 26 02:46:04 2020 .. D 0 Sun Jul 26 02:46:04 2020 passwords.txt A 98 Sat Jul 25 20:15:33 2020 7735807 blocks of size 4096. 4937572 blocks available smb: \> get passwords.txt getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec) smb: \> ``` We saved the text file on our local machine ``` [User Passwords - Encoded] Qm9iIC0gIVBAJCRXMHJEITEyMw== QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk ``` Then these look like base64 so we decoded them through cyberchef and found some credentials ``` Bob - !P@$$W0rD!123 Bill - Juw4nnaM4n420696969!$$$ ``` Let's try if they are credentials for smbshares

Through these users we can read `IPC$` share but I failed to do anything on it ## PORT 49663 Now this may seem similar to PORT 80 but it's not here that `nt4wrksv` share is linked which means that it's writable too and we can upload a reverse shell on it.

We can put a `aspx` payload in that share

Running `getprivs` will tell how we can escalate our privileges.

Here `SeImpersonatePrivilege` is enabled so any process holding this privilege can impersonate(but not create) any token for which it is able to gethandle. You can get a privileged tokenfrom a Windows service making it perform an NTLM authentication against the exploit, then execute a process as SYSTEM.

But still we are not `NT\AUTHORITY `

Download print spoofer.exe (64 bit version)

Upload where we have write permissions