TryHackMe / Advent of Cyber

Accumulate

CTF

Last updated 5 years ago

The first thing we need to do is perform an nmap scan to enumerate the open ports and the services running on them.

The nmap scan shows that two ports are open: port 80 running Microsoft IIS httpd 10.0 and port 3389 running ms-wbt-server.

Opening the web page in the browser shows us a standard Windows Server default page.

Also, searching on Google for ms-wbt-server tells us that this is the protocol used by Windows Remote Desktop. This may indicate that we can connect remotely to the target machine if we get the right credentials.

To solve the first question we need to look for hidden directories. On day 2 we used dirsearch to do that. This time I will use gobuster.

With gobuster we managed to find the answer to the first question.

Our next task is to get access to the target machine.

Navigating to the hidden directory takes us to a retro fanatic page run by someone called Wade, which is basically a forum about games.

If we click on "Wade" it takes us to his user page. After examining the content, most of it is useless for us, except for one simple post:

By clicking on "Ready Player One" and scrolling down through the comments we find what seems to be the password of his account.

In the bottom-right corner there is a login button that takes us to a WordPress login page. So we can try to log in using wade as the username and the supposed password we just found.

We successfully logged in to the WordPress page, which confirms that the password we found was indeed correct. After wasting some time here before realising it was a rabbit hole, it was time to look again at the ms-wbt-server that we found earlier.

So we know that we can get remote desktop access through this protocol on port 3389, and we have credentials to do so. After googling for a good app to connect remotely I came across Remmina.

We now have remote access to the target machine and can read the contents of user.txt.

To elevate our privileges and read the contents of root.txt, DarkStar left us a hint.

Seeing Google Chrome on the desktop and reading this hint makes it obvious that we need to search Wade's browser history, although that wasn't even needed.

Opening Google Chrome shows us that Wade had saved a page about CVE-2019-1388.

A quick Google search tells us that this is a Windows privilege escalation technique through UAC, using the 'HTML Help ActiveX Control' executable to escalate privileges. We can find this file in the Recycle Bin.

There are loads of YouTube video tutorials on how to recreate this post-exploitation attack.

By opening the file as administrator, we are prompted for the administrator password (that we don't have), so we click on Show more details.

We then click the link to show information about the publisher's certificate.

Next we choose to open it with Internet Explorer.

Once the page opens (we don't have internet access, so it won't display any content) we click Save As and save the file as C:\Windows\System32\*.*.

Once there we select cmd.exe and choose open.

And we are now authority\system and can get the root.txt.txt flag as shown below.
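From the defender's side, the chain just walked through leaves a distinctive trail in process-creation telemetry: a browser started from the elevation prompt while running as SYSTEM, and then a command shell started by that browser, still as SYSTEM. The detection below is an added example, not part of the original writeup or of any vendor rule set. It assumes Sysmon-style process events (Image, ParentImage, User fields) and that the browser is spawned by consent.exe, the process that renders the UAC prompt; the writeup itself does not name the parent process, so that is an assumption of this example. The event list is constructed for illustration.

```python
# Constructed sample of process-creation telemetry (Sysmon Event ID 1 style
# fields: Image, ParentImage, User). Not a capture from the target machine;
# timestamps, paths and the machine name are made up.
SAMPLE_EVENTS = [
    {"ts": "2019-12-18T10:01:02", "Image": r"C:\Windows\System32\consent.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Assumed: the certificate dialog's hyperlink launches the browser under the prompt process.
    {"ts": "2019-12-18T10:01:40", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # The Save As dialog in that browser is used to start cmd.exe.
    {"ts": "2019-12-18T10:02:15", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Benign noise: the interactive user opening a browser normally.
    {"ts": "2019-12-18T10:03:00", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"ACCUMULATE\wade"},
]

# Process names compared case-insensitively against the basename of Image/ParentImage.
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Last path component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_system(user):
    """True for the local SYSTEM account in DOMAIN\\user form."""
    return user.upper().endswith("\\SYSTEM")


def detect_uac_browser_chain(events):
    """Return (timestamp, description, child_process) for each suspicious event.

    Two stages are flagged independently so a partial chain still alerts:
      1. a browser whose parent is consent.exe, running as SYSTEM;
      2. a command shell whose parent is a browser, running as SYSTEM.
    """
    alerts = []
    for e in events:
        child, parent = basename(e["Image"]), basename(e["ParentImage"])
        if not is_system(e["User"]):
            continue  # the bypass only matters when the result is SYSTEM
        if parent == "consent.exe" and child in BROWSERS:
            alerts.append((e["ts"], "browser launched from the UAC consent prompt as SYSTEM", child))
        elif parent in BROWSERS and child in SHELLS:
            alerts.append((e["ts"], "command shell spawned by a browser running as SYSTEM", child))
    return alerts


if __name__ == "__main__":
    for ts, what, proc in detect_uac_browser_chain(SAMPLE_EVENTS):
        print(f"{ts}  ALERT  {what}  ({proc})")
```

A normal user never gets a browser as a child of the consent prompt, and a browser running as SYSTEM should never spawn a shell, so both conditions are low-noise on their own; feeding real Sysmon or Security 4688 events into the same function only requires mapping the field names. Patching the host removes the underlying bug, and the Recycle Bin copy of the signed binary is exactly the kind of leftover a post-incident cleanup should pick up.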