Difficulty: Easy
The Lookback company has just started the integration with Active Directory. Due to the coming deadline, the system integrator had to rush the deployment of the environment. Can you spot any vulnerabilities?
Scan (cleaned) #
# Nmap 7.98 scan initiated Sun Jan 25 14:48:17 2026 as: /usr/lib/nmap/nmap --privileged -vvv -p 80,443,3389 -4 -sC -sV -A -oN scan.txt 10.81.169.126
Nmap scan report for 10.81.169.126
Host is up, received syn-ack ttl 126 (0.097s latency).
Scanned at 2026-01-25 14:48:18 EST for 53s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 126 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
443/tcp open https? syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: WIN-12OUO7A66M7
| DNS_Domain_Name: thm.local
| DNS_Computer_Name: WIN-12OUO7A66M7.thm.local
| DNS_Tree_Name: thm.local
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (92%)
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 25 14:49:11 2026 -- 1 IP address (1 host up) scanned in 54.49 seconds
From the scan results, the exposed attack surface is limited to:
- An IIS web server (ports 80/443)
- Remote Desktop Protocol (3389)
Since a domain name (thm.local) was identified, it was added to /etc/hosts to ensure proper name resolution during testing.
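To turn the scan above into something reviewable rather than just a screenshot, here is an added example (my own illustration, not part of the original write-up): a small parser for Nmap's normal output that extracts the open ports, service banners and NSE script results, then summarises the exposure points the post goes on to use (the unidentified HTTPS service, the IIS banner, and the domain names that RDP's NTLM pre-authentication hands out). The sample input is the cleaned scan quoted above; the `Host`/`Port` classes and the `review()` rules are my own and assume the lightly indented `|`/`|_` script-output layout shown on the page.

```python
import re
from dataclasses import dataclass, field

# Sample input: the (cleaned) Nmap normal-output lines quoted in the write-up above.
SCAN_TEXT = """\
Nmap scan report for 10.81.169.126
Host is up, received syn-ack ttl 126 (0.097s latency).
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 126 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
443/tcp open https? syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: WIN-12OUO7A66M7
| DNS_Domain_Name: thm.local
| DNS_Computer_Name: WIN-12OUO7A66M7.thm.local
| DNS_Tree_Name: thm.local
"""

# "80/tcp open http syn-ack ttl 126 Microsoft IIS httpd 10.0"
# The REASON column may carry a "ttl N" suffix when nmap runs with -vvv.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+"
    r"(?:syn-ack|no-response|reset|conn-refused)(?:\s+ttl\s+\d+)?\s*(.*)$"
)
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")          # "| key: value" or "|_key: value"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> str or {key: value}


@dataclass
class Host:
    address: str
    ports: list = field(default_factory=list)


def parse_nmap(text: str) -> list:
    """Parse nmap normal output (-oN) into Host/Port records."""
    hosts, host, port, block = [], None, None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = Host(m.group(1))
            hosts.append(host)
            port = block = None
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            host.ports.append(port)
            block = None
            continue
        m = SCRIPT_RE.match(line)
        if m and port is not None:
            key, sep, value = (s.strip() for s in m.group(1).partition(":"))
            if sep and not value:                      # "| rdp-ntlm-info:" opens a multi-line block
                block = key
                port.scripts[block] = {}
            elif block is not None:                    # lines inside the current block
                port.scripts[block][key] = value
            else:                                      # single-line result, e.g. http-title
                port.scripts[key] = value
            if line.startswith("|_"):                  # "|_" marks the last line of a script's output
                block = None
    return hosts


def review(host: Host) -> list:
    """Exposure notes a defender would want from this scan (rules are my own)."""
    findings = []
    for p in host.ports:
        if p.state != "open":
            continue
        tag = f"{p.number}/{p.proto}"
        if p.service == "ms-wbt-server":
            info = p.scripts.get("rdp-ntlm-info")
            if isinstance(info, dict) and info.get("DNS_Domain_Name"):
                findings.append(f"{tag}: RDP exposed; NTLM pre-auth discloses domain "
                                f"{info['DNS_Domain_Name']} and host {info.get('DNS_Computer_Name', '?')}")
            else:
                findings.append(f"{tag}: RDP exposed to the scanning network")
        if p.service.endswith("?"):
            findings.append(f"{tag}: service not fingerprinted ({p.service}); inspect manually")
        if p.service in ("http", "https") and p.version:
            findings.append(f"{tag}: web server banner disclosed: {p.version}")
    return findings


if __name__ == "__main__":
    for h in parse_nmap(SCAN_TEXT):
        print(h.address)
        for f in review(h):
            print("  -", f)
```

Run it against any `-oN` file (`parse_nmap(open("scan.txt").read())`); the same `review()` hooks are where you would add your own organisation's rules, for example flagging any RDP listener that is reachable from outside the management network.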
Web server analysis #
Port 80 (HTTP) #
Navigating to port 80 returns a 403 Forbidden error:

Port 443 (HTTPS) #
Navigating to port 443 redirected to an Outlook Web Access (OWA) login portal:

At this point, the TryHackMe machine unexpectedly terminated. After restarting the room, the target IP changed to:
10.80.139.33
Once I got back on the machine, I tried to log in with some default credentials (admin:admin).
Information Disclosure via OWA #
Upon returning to the target, I attempted authentication using default credentials (admin:admin). While authentication failed, the application redirected to a verbose error page that disclosed the exact version of the Outlook Web App.

A quick Google search for this version shows promising results, with references to multiple CVEs:

After some research, we find references to the ProxyShell RCE, which chains multiple Exchange CVEs to fully compromise the system hosting OWA. The versions it affects are highlighted below:

Exploitation #
We start a metasploit session and select the correct module. We then configure the exploit by setting our target and listener.

The exploit confirmed that the target was vulnerable; however, the initial attempt failed due to the absence of a user with the required Exchange management role.

Although ProxyShell does not require authentication, it does require a valid email address associated with a privileged Exchange user.
I tested several common email formats:
- admin@thm.local: unsuccessful
- administrator@thm.local: successful
This confirmed the presence of an administrator account with the necessary permissions.
Exploitation was successful.

Post-Exploitation & Flags #
At this stage, the machine was fully compromised. The remaining task was to retrieve the required flags.

Root flag #

User flag #

Service Flag #
Despite having SYSTEM access, the service user flag was difficult to locate. After extensive manual searching, I discovered (via external reference) that the flag was hosted on a /test endpoint on the HTTPS web server.

This endpoint was missed due to a lack of directory brute-forcing earlier in the engagement. My exploitation path focused primarily on:
Version disclosure → vulnerability research → exploit execution
Conclusion #
This room was straightforward and beginner-friendly, serving as a good demonstration of how information disclosure combined with unpatched services can rapidly lead to full system compromise. While the exploitation path I found was simple, it also reinforced the importance of comprehensive enumeration, including directory fuzzing, even when an obvious exploit path is available.