TryHackMe Relevant
@ Animesh Roy | Wednesday, Aug 4, 2021 | 4 minutes read | Update at Wednesday, Aug 4, 2021


Room [Subscription Required]Relevant

task 01: Pre-Engagement Briefing

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope
  • Find and report ALL vulnerabilities (yes, there is more than one path to root)

Let’s start hacking


  • Nmap Scan

    sudo nmap -sC -sV -oN nmap/init MACHINE_IP
    Starting Nmap 7.91 ( ) at 2021-08-04 08:44 IST
    Nmap scan report for MACHINE_IP
    Host is up (0.16s latency).
    Not shown: 995 filtered ports
    80/tcp   open  http          Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: IIS Windows Server
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
    3389/tcp open  ms-wbt-server Microsoft Terminal Services
    | rdp-ntlm-info: 
    |   Target_Name: RELEVANT
    |   NetBIOS_Domain_Name: RELEVANT
    |   NetBIOS_Computer_Name: RELEVANT
    |   DNS_Domain_Name: Relevant
    |   DNS_Computer_Name: Relevant
    |   Product_Version: 10.0.14393
    |_  System_Time: 2021-08-04T03:14:36+00:00
    | ssl-cert: Subject: commonName=Relevant
    | Not valid before: 2021-08-03T03:12:35
    |_Not valid after:  2022-02-02T03:12:35
    |_ssl-date: 2021-08-04T03:15:16+00:00; +1s from scanner time.
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    Host script results:
    |_clock-skew: mean: 1h24m01s, deviation: 3h07m51s, median: 0s
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
    |   Computer name: Relevant
    |   NetBIOS computer name: RELEVANT\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2021-08-03T20:14:40-07:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2021-08-04T03:14:39
    |_  start_date: 2021-08-04T03:12:54
    Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 63.93 seconds

Intesting Ports

  • 80 : HTTP

  • 445 : SMB

  • all port scan just to be safe:

    sudo nmap -p-  -oN nmap/all-ports MACHINE_IP
    80/tcp    open  http
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    3389/tcp  open  ms-wbt-server
    49663/tcp open  unknown
    49667/tcp open  unknown
    49669/tcp open  unknown
  • nmap scan on: 49663,49667,49669

    sudo nmap -sC -sV -oN nmap/custom-port MACHINE_IP -p 49663,49667,49669
    Starting Nmap 7.91 ( ) at 2021-08-04 09:03 IST
    Nmap scan report for MACHINE_IP
    Host is up (0.18s latency).
    49663/tcp open  http    Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: IIS Windows Server
    49667/tcp open  msrpc   Microsoft Windows RPC
    49669/tcp open  msrpc   Microsoft Windows RPC
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:window

HTTP Recon

  • port 80


  • port 49663


both returns default IIS webpage. gobuster time!!!

SMB enumeration

  • smbclient

    smbclient -L                                               
    Enter WORKGROUP\anir0y's password: 
         Sharename       Type      Comment
         ---------       ----      -------
         ADMIN$          Disk      Remote Admin
         C$              Disk      Default share
         IPC$            IPC       Remote IPC
         nt4wrksv        Disk      
    SMB1 disabled -- no workgroup available
  • list nt4wrksv and download the file.

    smbclient  \\\\\\nt4wrksv                                      
    Enter WORKGROUP\anir0y's password: 
    Try "help" to get a list of possible commands.
    smb: \> dir
    .                                   D        0  Sun Jul 26 03:16:04 2020
    ..                                  D        0  Sun Jul 26 03:16:04 2020
    passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
                   7735807 blocks of size 4096. 4946971 blocks available
    smb: \> get passwords.txt
    getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
    smb: \> 
  • read the file

    cat passwords.txt                                                         
    [User Passwords - Encoded]
  • received 2 creds, let’s save them and try with psexec

    • bob


    • bill


  • psexec didnot worked out, let’s see if we can access the smb share directory nt4wrksv via web-servers!


we can read the content of smb share via web-server running on 49663 port.

exploit SMB

  • upload a aspx shell via smb share and gain access. once access is graanted, I’ll be using metasploit ! you can use nc or any other payload to continue.

  • file generated with msfvenom


  • uploaded via SMBclient


  • now we have shell, we can read user.txt


Priv Esc

  • whoami /priv reveals intresting thing


  • I’ll be using PrintSpoofer exploit : GitHub

  • upload the file:

    smbclient  \\\\\\nt4wrksv
    Enter WORKGROUP\anir0y's password: [blank]
    smb: \> put PrintSpoofer64.exe
    putting file PrintSpoofer64.exe as \PrintSpoofer64.exe (42.9 kb/s) (average 422.0 kb/s)
  • execute via msf-shell


  • read the flag


© 2010 - 2024 Classroom

Reading Stuffs

Social Links