VulnNet: Roasted
https://tryhackme.com/room/vulnnetroasted
Nmap
sudo nmap 10.10.217.198 -p- -sS -sV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-03 09:12:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

RID Brute Force
Starting off, we find we have guest access to SMB and are able to enumerate users through RID brute forcing with crackmapexec.

ASREP-Roasting
With a small list of users we run the discovered usernames against GetNPUsers.py to identify accounts with "No Pre-authentication required" enabled in Active Directory (ASREP Roasting).
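
From the defender's side, the same property that makes an account roastable also makes the attack visible: every AS-REP handed out without pre-authentication is a Security-log event 4768 with Pre-Authentication Type 0, and a wordlist run produces a burst of them from one client. The script below is an added example and not part of the original write-up; it assumes 4768 events exported as JSON lines with the standard field names (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status). The sample events are constructed for the example; only the account name t-skid comes from the room.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log 4768 (Kerberos TGT request) events exported as
# JSON lines. Field names follow the 4768 event schema; IPs, timestamps and every
# account except t-skid are made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TimeCreated": "2022-08-03T09:15:01Z", "TargetUserName": "t-skid", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2022-08-03T09:15:02Z", "TargetUserName": "svc-backup", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2022-08-03T09:15:03Z", "TargetUserName": "j.doe", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2022-08-03T09:16:10Z", "TargetUserName": "m.reed", "IpAddress": "::ffff:10.10.20.33", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2022-08-03T09:40:00Z", "TargetUserName": "svc-backup", "IpAddress": "::ffff:10.10.20.40", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"}
"""

RC4_HMAC = "0x17"  # AS-REP keyed from the NT hash: the fast-to-crack case


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize_ip(ip):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def no_preauth_tgts(events):
    """Successful TGT requests where the KDC did not demand pre-authentication."""
    return [e for e in events
            if e.get("EventID") == 4768
            and e.get("PreAuthType") == "0"
            and e.get("Status") == "0x0"]


def find_asrep_exposed(events):
    """Accounts that received an AS-REP without pre-authentication, i.e. accounts
    with DONT_REQ_PREAUTH set, mapped to the ticket encryption types observed."""
    exposed = defaultdict(set)
    for e in no_preauth_tgts(events):
        exposed[e["TargetUserName"]].add(e["TicketEncryptionType"])
    return dict(exposed)


def find_roasting_sweeps(events, min_accounts=3, window=timedelta(minutes=5)):
    """One client requesting no-pre-auth TGTs for several different accounts in a
    short window is the signature of a wordlist run, not of a legacy application."""
    by_ip = defaultdict(list)
    for e in no_preauth_tgts(events):
        by_ip[normalize_ip(e["IpAddress"])].append(
            (parse_time(e["TimeCreated"]), e["TargetUserName"]))
    sweeps = []
    for ip, requests in by_ip.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            users = {user for t, user in requests[i:] if t - start <= window}
            if len(users) >= min_accounts:
                sweeps.append({"ip": ip, "accounts": sorted(users),
                               "first_seen": start.isoformat()})
                break  # one finding per source is enough
    return sweeps


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for account, enc_types in sorted(find_asrep_exposed(events).items()):
        note = "RC4, fast to crack offline" if RC4_HMAC in enc_types else "AES"
        print(f"pre-auth not required: {account} ({note})")
    for sweep in find_roasting_sweeps(events):
        print(f"possible AS-REP roasting sweep from {sweep['ip']} "
              f"at {sweep['first_seen']}: {', '.join(sweep['accounts'])}")
```

The first function is an inventory check (which accounts should have the flag cleared, and which of those still hand out RC4 tickets), the second is the alert: the constructed sample shows three accounts requested from 10.10.14.5 within two seconds, while the single request from 10.10.20.40 half an hour later is reported as exposed but not as a sweep.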

Cracking the Hash
We discover that the user t-skid is ASREP roastable. Using hashcat with the rockyou.txt wordlist we are soon able to crack the password hash.

SMB enumeration
With the newfound credentials for the user t-skid we turn back to further SMB enumeration against the target Domain Controller.
We find we are able to read within the "Scripts" share and identify the file ResetPassword.vbs as a file of interest.

Plain Text Credentials
Using smbmap, we download the .vbs file. Upon reading the code we identify a second user's credentials in plain text.
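
Scripts left on a share with an account password written into them are a recurring finding, and the fix starts with knowing which files contain one. The scanner below is an added example, not the room's script or any project's tool: it looks for the usual ways a VBScript or PowerShell helper embeds a password (a literal assigned to a password-like variable, a literal fed to ConvertTo-SecureString -AsPlainText, a literal passed to SetPassword or ChangePassword, and explicit credentials on net use) and reports the location with the value masked. The sample scripts and every account and password in them are constructed for the example; the file name ResetPassword.vbs is the only thing taken from the write-up.

```python
import re
from pathlib import Path

# Constructed samples modelled on helper scripts commonly found on admin shares.
# Accounts and passwords are made up; this is not the room's ResetPassword.vbs.
SAMPLE_VBS = """\
Dim strUser, strPassword
strUser = "example\\svc-reset"
strPassword = "Winter2022!"
Set objUser = GetObject("LDAP://CN=j.doe,OU=Staff,DC=example,DC=local")
objUser.SetPassword "Welcome1"
objUser.SetInfo
"""

SAMPLE_PS1 = """\
$pw = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("example\\svc-backup", $pw)
net use Z: \\\\fileserver\\backup /user:example\\svc-backup Summer2022
"""

# Prompting for the credential at run time is the pattern the scanner should not flag.
SAMPLE_CLEAN = """\
$cred = Get-Credential -Message "Enter the service account password"
Invoke-Command -ComputerName dc01 -Credential $cred -ScriptBlock { Get-Service }
"""

PATTERNS = [
    ("hard-coded password assignment",
     re.compile(r'\b\w*(?:password|passwd|pwd)\w*\s*=\s*"([^"]+)"', re.I)),
    ("plain-text SecureString",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\'].*-AsPlainText', re.I)),
    ("password literal passed to SetPassword/ChangePassword",
     re.compile(r'\.(?:SetPassword|ChangePassword)\s*\(?\s*"([^"]+)"', re.I)),
    ("explicit credentials on net use",
     re.compile(r'\bnet\s+use\b.*\s/user:(\S+)', re.I)),
]

SCRIPT_SUFFIXES = {".vbs", ".ps1", ".psm1", ".bat", ".cmd"}


def mask(value):
    """Keep just enough to recognise the value in a report, never the whole secret."""
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(name, text):
    """Return one finding per matching line: file, 1-based line number, rule, masked value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"file": name, "line": line_no,
                                 "rule": rule, "value": mask(m.group(1))})
    return findings


def scan_directory(root):
    """Walk a local copy of the share and scan every script-like file in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(str(path), text))
    return findings


if __name__ == "__main__":
    samples = [("ResetPassword.vbs", SAMPLE_VBS),
               ("backup.ps1", SAMPLE_PS1),
               ("clean.ps1", SAMPLE_CLEAN)]
    for sample_name, sample in samples:
        for f in scan_text(sample_name, sample):
            print(f"{f['file']}:{f['line']}: {f['rule']} ({f['value']})")
```

Run scan_directory against a mirrored copy of the share rather than the live path so the review leaves no trace in the share's access logs, and treat every hit as a password to rotate, not merely a file to edit: the value has already been readable to everyone with read access to the share.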

Privilege Checking
Checking the user's access level with crackmapexec, we identify the user as a Domain Administrator.

User flag and WinRM
With administrative capabilities we are able to log in over WinRM with Evil-WinRM.
After logging in we successfully obtain the user.txt flag. However, the system.txt flag is off limits.

Disabling Anti-Virus
In order to obtain a SYSTEM shell we will ideally need to run psexec.py. First, we need to disable the anti-virus on the target host, as otherwise psexec.py will not be able to execute.
Run the following command within the Evil-WinRM session.

Root Flag and System shell
After disabling Microsoft Defender we are then able to externally run psexec.py to obtain a SYSTEM shell.
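
The two steps above (turn off real-time protection, then have psexec.py register a service whose binary it copies over ADMIN$) leave a distinctive pair of log entries: Defender's own operational log records event 5001 when real-time protection is disabled, however that was done, and the System log records event 7045 for the new service. The correlation below is an added example and not part of the write-up or of any product; it assumes both logs exported as JSON lines with the standard field names (Computer, TimeCreated, ServiceName, ImagePath, AccountName). The sample events are constructed; the host name is the one from the Nmap scan, and the service names, paths and times are made up. The "binary directly in the Windows directory" rule is a heuristic for this example, not a vendor signature.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Defender operational-log and System-log events as JSON lines.
# Host name is from the scan above; service names, image paths and times are made up.
SAMPLE_EVENTS = r"""
{"EventID": 5001, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Computer": "WIN-2BO8M1OE1M1", "TimeCreated": "2022-08-03T10:02:11Z"}
{"EventID": 7045, "Channel": "System", "Computer": "WIN-2BO8M1OE1M1", "TimeCreated": "2022-08-03T10:03:40Z", "ServiceName": "XyQw", "ImagePath": "%SystemRoot%\\XyQw.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Channel": "System", "Computer": "WS-0042", "TimeCreated": "2022-08-03T10:20:00Z", "ServiceName": "BackupAgent", "ImagePath": "\"C:\\Program Files\\BackupAgent\\agent.exe\" /service", "AccountName": "LocalSystem"}
{"EventID": 7045, "Channel": "System", "Computer": "WIN-2BO8M1OE1M1", "TimeCreated": "2022-08-03T18:30:00Z", "ServiceName": "PrintMon", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "AccountName": "LocalSystem"}
"""

DEFENDER_DISABLED = {5001}  # "Real-time protection is disabled" (Defender/Operational)
SERVICE_INSTALLED = 7045    # "A service was installed in the system" (System log)

# Heuristic (example's own): an executable sitting directly in the Windows directory,
# not in a subfolder such as System32, run as LocalSystem. Remote-execution tools that
# copy a service binary over ADMIN$ and register it on the fly produce exactly this.
WINDOWS_ROOT_EXE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def image_binary(image_path):
    """Extract the executable from a service ImagePath, honouring quoting."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:image_path.find('"', 1)]
    return image_path.split()[0]


def suspicious_service_installs(events):
    """7045 events whose binary matches the Windows-root heuristic."""
    flagged = []
    for e in events:
        if e.get("EventID") != SERVICE_INSTALLED:
            continue
        binary = image_binary(e.get("ImagePath", ""))
        if WINDOWS_ROOT_EXE.match(binary) and e.get("AccountName") == "LocalSystem":
            flagged.append({**e, "reason": "service binary dropped directly into the Windows directory"})
    return flagged


def correlate_av_tamper(events, window=timedelta(minutes=15)):
    """Pair each 'real-time protection disabled' event with every service installed
    on the same host inside the following window. AV is switched off first precisely
    so the service binary about to be dropped is not quarantined, so the pair is far
    more telling than either event alone."""
    installs = defaultdict(list)
    for e in events:
        if e.get("EventID") == SERVICE_INSTALLED:
            installs[e["Computer"]].append(e)
    hits = []
    for e in events:
        if e.get("EventID") not in DEFENDER_DISABLED:
            continue
        disabled_at = parse_time(e["TimeCreated"])
        for svc in installs[e["Computer"]]:
            installed_at = parse_time(svc["TimeCreated"])
            if disabled_at < installed_at <= disabled_at + window:
                hits.append({"host": e["Computer"],
                             "av_disabled_at": e["TimeCreated"],
                             "service": svc["ServiceName"],
                             "image": svc["ImagePath"],
                             "suspicious_path": bool(WINDOWS_ROOT_EXE.match(image_binary(svc["ImagePath"])))})
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for s in suspicious_service_installs(events):
        print(f"{s['Computer']}: service {s['ServiceName']} -> {s['ImagePath']} ({s['reason']})")
    for h in correlate_av_tamper(events):
        print(f"{h['host']}: real-time protection disabled at {h['av_disabled_at']}, "
              f"then service {h['service']} installed ({h['image']})")
```

In the constructed sample only the XyQw service on WIN-2BO8M1OE1M1 is reported: the BackupAgent install is on a host with no Defender event, and the svchost-hosted service on the same host is both in System32 and eight hours outside the window. Event 5001 fires regardless of whether protection was disabled from PowerShell, the registry, or the UI, which is why it is a better anchor than looking for any one command.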
