We covered TryHackMe Stealth machine where we went over the typical stages of enumerating open ports and services with Nmap and we found an upload form that plays the role of Powershell script analyzer. We uploaded a reverse shell Powershell script to gain the first foothold but we made sure to delete all log files to keep the connection alive and prevent attracting the attention of the blue team. Then we used PrivescCheck script to enumerate for available privilege escalation vectors and we found that the current user has complete control over the web server process so we uploaded a webshell and executed the EfsPotato exploit to have SYSTEM access.
Use your evasion skills to pwn a Windows target with an updated defence mechanism.
Make sure to delete the log.txt file after you gain the first foothold shell. Doing so will prevent any problems with your shell connectivity.
Upload the webshell to C:\xampp\htdocs
When escalating the privileges, compile efspotato using the command below
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe efs.cs -nowarn:1691,618
Then add a new user using the below command
.\efs.exe “cmd.exe /c net user pawn p0P12345 /add && net localgroup administrators user /add“
Then you can use Remmina to login as the above user and retrieve the administrator flag.
Efs Potato Exploit Link
Powershell Reverse shell Link
Windows Privilege Escalation Script PrivescCheck.ps1
P0wny Webshell shell.php
What is the content of the root level flag?