We covered TryHackMe Stealth machine where we went over the typical stages of enumerating open ports and services with Nmap and we found an upload form that plays the role of Powershell script analyzer. We uploaded a reverse shell Powershell script to gain the first foothold but we made sure to delete all log files to keep the connection alive and prevent attracting the attention of the blue team. Then we used PrivescCheck script to enumerate for available privilege escalation vectors and we found that the current user has complete control over the web server process so we uploaded a webshell and executed the EfsPotato exploit to have SYSTEM access.

Get OSCP Certificate Notes

The Complete Practical Web Application Penetration Testing Course

Challenge Description

Use your evasion skills to pwn a Windows target with an updated defence mechanism.

Video Highlights

Make sure to delete the log.txt file after you gain the first foothold shell. Doing so will prevent any problems with your shell connectivity.

Upload the webshell to C:\xampp\htdocs

When escalating the privileges, compile efspotato using the command below

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe efs.cs -nowarn:1691,618

Then add a new user using the below command

.\efs.exe “cmd.exe /c net user pawn p0P12345¬†/add && net localgroup administrators user /add

Then you can use Remmina to login as the above user and retrieve the administrator flag.

Efs Potato Exploit Link 

Powershell Reverse shell Link

Windows Privilege Escalation Script PrivescCheck.ps1

P0wny Webshell shell.php

Room Answers

What is the content of the user level flag?

What is the content of the root level flag?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles