Lookback Walkthrough — TryHackMe Room


Enumeration
Nmap
Let's scan the ports of interest (80, 443 and 3389), determine the service versions, run the default NSE scripts against them, and save the results to a text file. -Pn skips host discovery (the box does not answer ping) and -n skips DNS resolution:
nmap -Pn -n -p 80,443,3389 -sV -sC -oN nmap/enum.txt 10.10.114.82
Nmap scan report for 10.10.114.82
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
443/tcp open ssl/https
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Not valid before: 2023-01-25T21:34:02
|_Not valid after: 2028-01-25T21:34:02
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Not valid before: 2025-07-25T13:44:29
|_Not valid after: 2026-01-24T13:44:29
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 26 09:50:46 2025 -- 1 IP address (1 host up) scanned in 54.56 seconds
Port 80 (Microsoft-IIS/10.0)
Navigating to http://10.10.114.82 shows a blank page, so we start enumerating directories with Gobuster. The TLS certificate on port 443 also gives away the hostname WIN-12OUO7A66M7.thm.local.
Visiting https://10.10.114.82 displays a login page; the default credentials admin:admin do not work here. The /test directory presents a second login page, and this time admin:admin is accepted, landing us in an interface that executes commands on the server.
Submitting a test value such as a shows that our input is passed as the argument of PowerShell's Get-Content. To break out of the quoted argument we close the quote and the parenthesis, append our own command, and comment out whatever the server appends with #:
' ); command #
We use this to run a PowerShell Base64-encoded reverse shell generated with revshells.com.
Initial Access
Craft the reverse shell on revshells.com: filter for Windows, select PowerShell #3 (Base64 version), and set the listener IP and port. In the injection above, replace the placeholder whoami command with the generated payload, start the listener, submit the request, and wait for the connection.
Privilege Escalation
In the dev\Desktop folder there is an interesting file named TODO.txt. From it we can gather usernames (joe and carol), their email addresses, and notes from the developer.
We already know that a Microsoft Exchange Server is running on this machine, so the next step is to identify its build number; each build maps to a specific cumulative update, which we can look up online.
In this case it is Exchange Server 2019 CU9, which is vulnerable to ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), a pre-authentication RCE chain. Metasploit implements it as exploit/windows/http/exchange_proxyshell_rce; the module accepts a known mailbox address for the organisation (its EMAIL option), which is where the email addresses from TODO.txt come in handy.
Running the exploit successfully gives us a shell as NT AUTHORITY\SYSTEM, the account the Exchange application pools run under.
Tools/Reference for this room
Gobuster
Metasploit
nmap
https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/
Written by SR_Shiravanthan