Relevant - TryHackMe Write-Up
Description: Relevant is a medium-difficulty challenge on TryHackMe designed to simulate a realistic penetration testing scenario. While there are multiple ways to complete this machine, in this write-up, I’ll demonstrate how to exploit it using a known vulnerability related to Samba servers.
This challenge is focused on Windows privilege escalation, specifically through SMB misconfigurations and SeImpersonatePrivilege abuse, leveraging token impersonation techniques to escalate privileges and gain full system access.
STEP 1: Enumeration
To begin the assessment, we start by executing an nmap scan to identify open ports on the target system.
Both port 80 and port 49663 serve the same Microsoft IIS instance, so at this stage there is no visible difference between them.
The next step was to explore the SMB service. I used the smbclient tool to list the available shares and directories. By attempting to connect without providing any credentials, I discovered that the service was vulnerable to null session access, allowing unauthenticated users to list shares.
We discovered an unusually named share called nt4wrksv. Upon inspecting its contents, I found a file named password.txt.
Next, I downloaded the file to my machine using the get command in smbclient for further analysis.
Inside the file, I found a note indicating that the users' passwords were stored Base64-encoded. To decode them, I used an online Base64 decoder for quick extraction of the plaintext passwords.
Site Used: Base64 Decode and Encode - Online
Using this method, we successfully retrieved the passwords for the users Bob and Bill.
In parallel, I used Feroxbuster to enumerate the web server directories, which also discovered the nt4wrksv folder.
Inside that directory, Feroxbuster also identified a file named passwords.txt.
STEP 2: Remote Access
An SMB share, much like an FTP directory, is sometimes mapped to a directory that a web server also serves, so files placed on the share become reachable over HTTP. In this case, the nt4wrksv directory was accessible by connecting to the server on port 49663.
After confirming that the SMB share nt4wrksv was accessible through the web server on port 49663, the next logical step was to gain remote access to the system. To achieve this, I uploaded a shell.aspx file to the SMB share using the put command in smbclient.
Since the share was mapped directly to a web-accessible directory, the shell became accessible through the browser, allowing me to execute commands remotely on the target system.
Reverse Shell in ASPX: raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
Then, by accessing the shell through the browser, I was able to trigger the payload and receive a reverse shell connection on my machine using Netcat.
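The condition abused above, an SMB share whose directory is also served by IIS, is something a defender can check for directly. The following script is an added example (not part of the original write-up): it walks a share directory and reports any server-executable files, using a constructed temporary directory in place of inetpub/wwwroot/nt4wrksv.

```python
"""Audit a directory that is both an SMB share and an IIS web root for
server-executable files (the condition the write-up abused: an .aspx file
dropped into nt4wrksv under wwwroot). Added example, not part of the
original write-up; the share path and file names are constructed."""
import tempfile
from pathlib import Path

# Extensions IIS hands to a script engine, plus binaries that should never
# be writable through a share that is also exposed on the web.
EXECUTABLE_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml",
                   ".exe", ".dll", ".ps1", ".bat"}


def audit_share(root: str) -> list:
    """Return one finding (dict) per executable file found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            findings.append({
                "path": str(path.relative_to(root)),
                "ext": path.suffix.lower(),
                "size": path.stat().st_size,
            })
    return findings


def build_sample_share() -> str:
    """Constructed stand-in for inetpub/wwwroot/nt4wrksv (not real data)."""
    root = tempfile.mkdtemp(prefix="nt4wrksv_")
    (Path(root) / "passwords.txt").write_text("constructed sample\n")
    (Path(root) / "shell.aspx").write_text('<%@ Page Language="C#" %>\n')
    tools = Path(root) / "tools"
    tools.mkdir()
    (tools / "PrintSpoofer.exe").write_bytes(b"MZ constructed sample")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in audit_share(share):
        print(f"ALERT executable in web-exposed share: {f['path']} "
              f"({f['size']} bytes)")
```

Run it against the real share path (or on a schedule) to catch the upload step described above, and pair it with removing write access for anonymous users on that share.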
STEP 3: Internal Recon
With access to the machine, we were able to retrieve the first flag, , located on Bob’s desktop.
The next step was to escalate privileges. To begin, I used the command
This allowed me to check the privileges assigned to the current user. One of the enabled privileges was SeImpersonatePrivilege, which is commonly exploitable for privilege escalation on Windows systems.
STEP 4: Privilege Escalation
To take advantage of this, I used an exploit called PrintSpoofer, which abuses this specific privilege, SeImpersonatePrivilege, to escalate to SYSTEM.
Exploit: Releases · itm4n/PrintSpoofer
I used the systeminfo command to gather detailed information about the target machine’s Windows version and configuration. This helped ensure that I selected the correct exploit payload compatible with the system.
We uploaded the exploit executable the same way we did with the shell.aspx file, using the put command in smbclient.
We navigated to inetpub/wwwroot/nt4wrksv, where we found the exploit.
By executing the exploit, we were able to run commands with "NT AUTHORITY\SYSTEM" privileges.
With this, we were able to read the final flag located in the Administrator’s desktop directory.
Threat Hunter @ Arancia | Security+ | CTIA | DCPT | Offensive Security | ATT&CK | SOC