Posts TryHackMe Ra Walkthrough

TryHackMe Ra Walkthrough

Ra is an awesome box from TryHackMe by @4nqr34z and @theart42.

Port Scanning and Basic Enumeration

As always, will start with full port scan. Will do the other enumeration alongside till the nmap completes.

All open ports:

Nmap scan report for
Host is up (0.17s latency).
Not shown: 65500 filtered ports
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2179/tcp  open  vmrdp
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5222/tcp  open  xmpp-client
5223/tcp  open  hpvirtgrp
5229/tcp  open  jaxflow
5262/tcp  open  unknown
5263/tcp  open  unknown
5269/tcp  open  xmpp-server
5270/tcp  open  xmp
5275/tcp  open  unknown
5276/tcp  open  unknown
5985/tcp  open  wsman
7070/tcp  open  realserver
7443/tcp  open  oracleas-https
7777/tcp  open  cbt
9090/tcp  open  zeus-admin
9091/tcp  open  xmltec-xmlmail
9389/tcp  open  adws
49670/tcp open  unknown
49672/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49694/tcp open  unknown

Ufff, that’s a lot of ports. I did version scanning in the background. Meanwhile let’s start our enumeration with port 80.

There’s nothing special on the website, all the tabs and links points to the same home page except for i found few emails.


Used curl to extract all those emails from the page.


Stored them in a text file, hopefully it would be useful later.

In the source code, found a domain name, let’s put it inside our hosts file. image4


Reset Password of Lily

Now let’s visit that reset.asp page mentioned in the source code.


mmmm, looks like some reset password page, come’on dazzy, your readers are not fool.

So, let’s play around with the page, maybe the emails we collected could come useful here. Meanwhile, i am also going to run gobuster in the background for directory bruteforcing, as ippsec says “there should always be something running in the background for enumeration”

gobuster dir -u http://fire.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x asp

By the way, my nmap is still running :P

Anyways, let’s continue. So, let me tell you what all i did in that reset page:

  • First I tried all the usernames we had collected from the page and tried to bruteforce common names for the cars and common pet names using burpsuite intruder. It didn’t work as planned.
  • Tried SQL Injection but didn’t work as well.

So after getting tired, i went to meet my girlfriend which obviously doesn’t exist :pepeface: , wait why am i telling this to you :P

Anyways, so after that what i did was went little backwards and continued my web enumeration. I had completely forgotten that the webpage also consisted of employee names and images. employeeimage

I first cross checked their names in the email list and it was not existing there, so i did the above steps again with these usernames now but it again didn’t work out.

Let me tell you, i like puppies and pussies (obviously cat :P) . That puppy in the picture caugth my attention, i thought i could get some meta data from that image but it was easier, i got the name of the lady and her pet from the image name. ladywithpuppy

So, we could finally reset the password with it. resetpass

I have redacted the pass because i want you to follow with me you lazy hacker

SMB enumeration and First Flag

So, now we have the password, let’s think what we could do with it, let’s go way back to our enumeration phase and see what ports/services could be helpful here since i can’t or maybe couldn’t find any CMS login or admin or any type of login.

We have had SMB port open.

445/tcp   open  microsoft-ds

Let’s use crackmapexec to see if the pass we found is valid. We are using cme tool here because if the username lily doesn’t work for the password we found, we can load the usernames from the email list we had previously grabbed.

As can be seen, that credentials was valid for the smb. Now, let’s see if we have any interesting files.

We got our first flag. There’s some program residing in that directory. Google tells us it’s some kind of Instant Messaging Software.

Spark IM enumeration and exploitation

Let’s go back to our port scan info and see if there’s any matching service for it.

So, yeap, there’s an Jabber service running at port 5222. Let’s install the exact version of spark IM on our machine.

Let’s login with the creds we have.

I got some certificate error.

I then went to the advanced settings and disabled these options.

And then i was able to login. During the enumeration phase, i had come across the below website which mentions about the vulnerability in this specific version of spark IM.

Vulnerability Summary

An issue exists in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an malicious user to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)

After googling for more, I came across an article by the official authors of this box. @4nqr34z and @theart42


It very well explains on how to leverage the vulnerability. Bottom line is we are sending an external url pointing to our machine which when clicked will send the user’s NetNTLM hash to our responder listening for requests in the background.

Let’s do it.

After waiting for a while, we got buse user’s hash.

We cracked the hash with the john.

User Shell and Second Flag

Wheeeeee, we have winrm access now and we got a user level shell.

There were nothing inside those folders and files except for few images.

To be honest, i have full faith on my friend @4nqr34z and i am damn sure he won’t make CTF style boxes. So, i didn’t bother downloading and looking into those images, haha.

So, wandering through the file directories I found an interesting directory. Hmmm, hmmm!!!

hmmmmmmm So, there seems to a script which runs every minute. What caught my eyes from the script are the below lines in it.

In a nutshell, it reads from the hosts.txt file and each line runs through Invoke-Express

The `Invoke-Expression` cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without `Invoke-Expression`, a string submitted at the command line is returned (echoed) unchanged.

Source: Microsoft docs

So, now we need to write our commands somehow into hosts.txt file residing in brittanycr’s folder where we don’t have permissions ofcourse wink. Those commands will get executed as administrator.

After little enumeration, I found that we belong to the Account Operators group.

The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

Source: Microsoft Docs

Let’s now change the password for brittanycr

I was successfull in changing the password but she didn’t have winrm access to the box. So, i tried to login to smb using the creds we just updated.

And then went to her home directory.

I updated the contents of the hosts.txt file with the commands to create a new user dazzy and added him to Administrators group.

Let’s overwrite the original file with this file.

Admin shell and Third Flag

We were able to login as the admin user we created.

This post is licensed under CC BY 4.0 by the author.